The proposed environment has two separate Active Directory domains (A and B where A is the vCAC "owner") and separate hardware (phase 1 - with eventual sharing of hardware). Can the IaaS admin work magic via vCAC and get to a point where he/she could pull an ovf file from Active Directory domain B (vCenter) to A? Once you have a ovf you can hack it and pull data off (just like a physical server).....IaaS admin will have the required agent on the "B" domain vCenter - but not the password.
The concern is that an IaaS admin could bypass all of Active Directory file/server/logon ACLs, copy the VM completely and do whatever they want.
Once the hardware is shared - this becomes even more of a concern depending on the type of storage connections used. But that bridge can be crossed later.
Thank you for any and all comments - this has been bugging me for a while and I need to get some firm answers.
