Embed Size (px)
Citation preview
VMware Cloud On Dell EMC Security Overview Guide
VMware Cloud on Dell EMC
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com
Copyright © 2019-2020 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 2
Contents
1 Overview 5
2 VMware Cloud Services Security Framework 6Driving Principles 7
Shared Responsibility 7
3 Physical and Management Layer Security 8Physical Security 8
Management Layer Security 8
4 Code Security 9Application and Interface Security 9
Change Control and Configuration Management 9
5 Data Security 11Internal Standards and Policies 11
Interoperability and Portability 12
Data Classification, Handling, and Labeling 12
Production and Non-Production Environments 12
Customer Data Access by VMware 12
Data Location 13
Data Protection 13
Hardware Monitoring 13
Data Integrity 13
Backups 14
Secure Disposal 14
6 Network Security 15Segmentation 15
7 Identity and Access Management 17Customer Access Requirements 17
Users, Groups, and Roles 17
User Access, Reviews, and Revocation 18
User ID Credentials 18
Key Management 19
8 Vulnerability and Patch Management 20
VMware, Inc. 3
Antivirus and Malicious Software 20
9 Operations Management 21Security, Logging, Monitoring, and Intrusion Detection 21
Security Incident Management 21
Incident Reporting 22
Integrity 22
10 Security Support Processes 23Background Screening 23
Employment Agreements, Training, and Termination 23
Workspace 24
Policy 25
Asset Management 25
11 Governance, Risk, and Compliance 26Risk Assessments, Program Management, and Policy 26
Supply Chain Management, Transparency, and Accountability 27
Audit Assurance and Compliance 27
12 Enterprise Resilience 28Business Continuity 28
Disaster Recovery 28
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 4
Overview 1VMware Security Overview Guide provides information about the security controls implemented in various VMware Cloud services that run on Dell EMC on-premises rack.
Intended AudienceThe information is intended for anyone who wants to learn about the security services of VMware Cloud. It helps you understand the key mechanisms and processes that VMware uses to manage the information security in the cloud computing environment.
Note This guide covers only those VMware Cloud Services that run on Dell EMC on-premises rack.
VMware, Inc. 5
VMware Cloud Services Security Framework 2The security framework comprises security implementations and control elements, and categorizes the control elements in a meaningful order.
Figure 2-1. VMware Security Framework
Security Support Process Governance
Risk and Compliance
Operations Management
Enterprise Resilience
Vulnerability and Patch
Management
Physical and Management Layer Security
Identity and Access
Management
Code Security
Network Security
Data Security
This chapter includes the following topics:
n Driving Principles
n Shared Responsibility
VMware, Inc. 6
Driving PrinciplesTo ensure the security of VMware Cloud services and customer data, VMware implements a set of controls and management processes designed to mitigate risks and enhance its product services.
The controls and processes are created using the following driving principles, which provide the underlying general rules and guidelines for security within VMware Cloud services:
n Risk - Managing risk by understanding the potential threats and calculating the risk by leveraging all decision-makers
n Control - Establishing a balance between effectiveness and efficiency by implementing appropriate controls for the associated risk
n Security - Providing preventative and protective capabilities to ensure a secure service
Shared ResponsibilityVMware Cloud services use a shared responsibility model for security. This model achieves trusted security through the partnership of shared responsibilities between customers, VMware, and the infrastructure as a service (IaaS) providers. This matrix of responsibility ensures a higher security model and eliminates failure.
The IaaS providers ensure that there is security for the underlying physical infrastructure of the data center across all regions and availability zones that runs the management layer. VMware also ensures security of the management layer. As a customer, you can continue to own and operate the security and compliance of the actual workloads by extending your policies and controls to VMware Cloud on Dell EMC installations. Also, you are responsible for the physical security of the VMware Cloud on Dell EMC on-premises rack.
Figure 2-2. Shared Responsibility Security Model
VM VM
VMware Cloud on Dell EMC Rack
Customer Data
Customer Platform, Applications, Content Access Layers
Customer Operating System and Network Configuration
Customer Virtual Machines
Customer Virtual Machines
Customer
Compute Storage Database NetworkingVMware
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 7
Physical and Management Layer Security 3The physical infrastructure used by VMware Cloud services varies depending on the service provided. As a VMware Cloud on Dell EMC customer, you are responsible for the physical security of the on-premises rack. You must report any physical security breaches to VMware.
This chapter includes the following topics:
n Physical Security
n Management Layer Security
Physical SecurityIn a cloud environment, the compute, storage, and network security is only as effective as the physical environment used to house the infrastructure. The VMware Cloud services run on physical infrastructure built and maintained by IaaS cloud service providers such as, Amazon Web Services, Microsoft Azure, Google Cloud Platform, and SoftLayer.
This infrastructure leverages data centers that have physical security controls including, but not limited to the following:
n Physical perimeter controls such as fencing, wall, security staff, video surveillance, intrusion detection system
n Electronic controls such as two-factor authentications to access data center floors
Management Layer SecurityThe management layer provides the controls for operating the cloud service infrastructure used to deliver VMware Cloud services.
VMware uses dedicated secure networks to access the management software used to operate the infrastructure. For VMware Cloud on Dell EMC, VMware uses an encrypted VeloCloud SD-WAN connection to extend the management network to the customer location. Only authorized personnel involved in the operation and maintenance of VMware Cloud services can access this management network. Even these authorized personnel go through multiple levels of access controls before accessing the VMware Cloud services infrastructure.
VMware, Inc. 8
Code Security 4VMware has established controls to protect all applications, object source code, and also ensure that the applications and source code are restricted to authorized personnel only.
This chapter includes the following topics:
n Application and Interface Security
n Change Control and Configuration Management
Application and Interface SecurityThe security development life cycle program of VMware identifies and mitigates the security risk during the development phase and ensures that software is safe for release to the customers. A thorough code review is performed to ensure security and quality. This helps in remediating the security issues in the early stages of software development lifecycle.
The security development life cycle includes both manual and automated source code analysis tools to detect security defects in code and security vulnerabilities in applications prior to production. Critical vulnerabilities are addressed prior to deployment.
The comprehensive vendor risk management process ensures that all software suppliers adhere to industry standards for security development life cycle. The vendor risk management process includes review of vendor security controls, development processes, privacy controls, business conduct, and third-party audit reports and certifications.
Change Control and Configuration ManagementThe security development lifecycle and change management process guide personnel ensure that appropriate reviews and authorizations are implemented before accomplishing new technologies or changes within the production environment. The change management policies and processes guide the management about the authorization of changes applied to the production environment.
VMware Information Security Management System (ISMS) includes internal audits of these processes to ensure continuous improvement.
VMware, Inc. 9
VMware Cloud services include a comprehensive testing system that covers the entire life cycle of the release. VMware generates builds from approved components and runs them through the following tests:
n Basic Integration Tests (BITs)
n Product Validation Tests (PVTs)
n Feature Stress Lite (FSLite)
n Continuous Loop tests for deployment
n Upgrade and cluster expansion / reduction across all supported regions
The following performance tests are also done:
n Feature Stress Tests
n Security Scans Vulnerability Tests
n System Tests at scale for every cycle
There are standardized processes for capturing, investigating, developing, testing, approving changes, and implementing product bugs. Vulnerabilities are handled through the VMware Vulnerability Management procedures.
VMware Acceptable Use Policy prohibits the use of unauthorized software. The Infrastructure as Code software manages and provisions the production servers. The software can be installed on these systems only after multiple reviews and approvals. Also, the system monitoring tools of VMware Cloud services continuously monitor any unauthorized changes.
The known issues are captured in the VMware products and service release notes, which are publicly available.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 10
Data Security 5It is important to secure data and protect it from destruction, modification, or disclosure by implementing standards and technologies.
This chapter includes the following topics:
n Internal Standards and Policies
n Interoperability and Portability
n Data Classification, Handling, and Labeling
n Production and Non-Production Environments
n Customer Data Access by VMware
n Data Location
n Data Protection
n Hardware Monitoring
n Data Integrity
n Backups
n Secure Disposal
Internal Standards and PoliciesThe data handling and protection standards of VMware guide employees regarding appropriate labeling and handling of data for each classification level. Handling procedures include the classification, processing, storage, transmission, and destruction of data.
The Risk Management process defines controls that are implemented to mitigate the data security risks, which include:
n Use of separation of duties
n Role-based access control and least-privilege access for all personnel in the supply chain
n Accounting of supply-chain partner data quality errors
n Associated risks and appropriate corrective action policies
VMware, Inc. 11
Interoperability and PortabilityVMware maintains and publishes a comprehensive list of APIs. As a customer, you can use these APIs to verify the interoperability between components and migrate applications.
Data Classification, Handling, and LabelingVMware Cloud services include a data-labeling standard in addition to the data classification guidelines. It also has a data handling and protection standard to guide employees on appropriate labeling and handling for each data classification level. These handling procedures include secure processing, storage, transmission, declassification, and destruction of data. All the account information is processed according to these guidelines.
As a customer, you retain control and ownership of your content and can implement a structured data-labeling standard to meet your requirements.
Production and Non-Production EnvironmentsThe VMware software development and release processes contain mechanisms to ensure that the non-production code is removed or disabled before deploying into production.
The infrastructure is partitioned into production and non-production environments. The VMware Cloud services development is performed in non-production environments with documented procedures for testing and validation of updates before the release. The production environments contain the underlying infrastructure management software, customer data, and customer virtual machines.
Production and non-production environments are logically and physically segregated. The development, quality assurance, and production environments use separate equipment and environments, which are managed separately.
Production data is not replicated or used in non-production environments.
Customer Data Access by VMwareAs a customer, you retain control and ownership of your content and can secure your data as required.
VMware controls the access rights based on the principle of least privilege, which means only the minimum level of access required is granted. Access is provided according to the individual job functions and requirements. Appropriate levels of management authorize the access rights to computers and information systems and before the rights are granted. Managing access to information systems is implemented and controlled through centralized identity stores and directories.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 12
The VMware Security Operations Center uses log capture, security monitoring technologies, and intrusion detection tools to monitor VMware personnel accessing customer data. Only authorized VMware operators access the customer data. The authentication process uses a two-factor authentication process and generates a user-specific time-based temporary credential. This temporary credential is tied to a specific incident, and all activities performed by this user is logged. The log information is disclosed to the customer upon request.
The third parties do not have access to the production environment or customer content. If customers have questions about a specific individual accessing their environment, VMware investigates this activity.
Data LocationAs a customer, you choose the physical data center where you want your data deployed. To move data from the physical data center, you either have to perform the migration or purchase an offline data transfer service.
Only a person with the tenant administrator role can transfer the content. However, you need to implement your workloads.
You can see VMware documentation for information on migration and replication technologies.
Data Protection.
Communication of sensitive information such as authentications, administrative access, and customer information is encrypted with standard encryption mechanisms such as SSH, TLS, and Secure RDP.
VMware Cloud on Dell EMC protects data at rest by using vSAN encryption. Data is encrypted with a key that is unique to each SDDC and stored in the Trusted Platform Module (TPM).
Hardware MonitoringVMware monitors and logs certain aspects of the status and health of deployed hardware, and might share relevant hardware logs and data with Dell EMC for troubleshooting purposes.
Data IntegrityData input to VMware Cloud services is limited to the system configuration information that must match expected input formats.
The product interfaces and services ensure the integrity of information. Information validation is accomplished through real-time service execution, wherever possible. However, as a customer, you are responsible for all input and output processing of data.
Platform and application security standards are consistent with the industry guidance and standard such as, NIST, ISO, and CIS. VMware Cloud services have established an ISMS based on ISO 27001 standards for managing risks related to confidentiality, integrity, and availability of information.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 13
BackupsVMware does not back up or archive customer data.
Secure DisposalAs a customer, if the VMware service expires or you want to exit the service, be aware that you are responsible for removing the content from your system. However, VMware cooperates with you to delete or return all your content as provided in the customer agreement.
If VMware needs to retain some or all the personal data as applicable by law, VMware archives the data. In this case, VMware implements appropriate measures to prevent your data from further processing.
As a customer, if you exit the VMware service, before you return the hardware, VMware runs a procedure to ensure that all data on the hardware is inaccessible. VMware and Dell decommissions and recycles the hardware by following the industry best practices.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 14
Network Security 6VMware Cloud Services relies on layers of network security and builds on top of the base network security provided by IaaS providers. As a customer, for guidance on implementing a secure environment, you can access the documentation or contact the technical support team.
Network architecture diagrams that include data flows between security domains and zones are updated regularly. Policies, procedures, and configurations protect the VMware network environments. Wireless networks are not used to connect directly to the production environment.
Network diagrams and data flow clearly identify high-risk environments and systems that have legal compliance impacts. VMware has implemented technical measures and applies defense-in-depth techniques for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns and/or distributed denial-of-service (DDoS) attacks.
The security controls of VMware reduce the risk of unauthorized access to sensitive information in the production environment. VMware Cloud Services have several intrusion detection mechanisms, which continuously collects and monitors the environment logs correlated with both public and private threat feeds to spot suspicious and unusual activities.
For VMware Cloud on Dell EMC, VMware uses Velocloud SD-WAN to create an encrypted tunnel to each customer location for management access to the SDDC. Policies are applied to segment customer networks.
This chapter includes the following topics:
n Segmentation
SegmentationVMware Cloud service logically separates the network to restrict the customer access to their own private networks. The system and network environments are protected by a firewall to ensure business security, customer safety, and protection and isolation of sensitive data.
Firewalls restrict and control the network traffic and access to systems, data, and applications. VMware firewalls operate in compliance with the infrastructure security policy to support the protection of VMware information systems.
VMware, Inc. 15
The Terms of Service and Data Privacy Addendums for VMware Cloud services establish a clear demarcation between the responsibilities of the customer and VMware regarding data protection. As a customer, you are informed about how the responsibilities are separated between you and VMware for compliance programs or data privacy rules.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 16
Identity and Access Management 7The identity and access management controls within the VMware Cloud services restrict access to all hypervisor management functions or administrative consoles hosting virtualized systems.
These controls ensure that only authorized personnel have the appropriate levels of access. These controls are based on the principle of least privilege.
This chapter includes the following topics:
n Customer Access Requirements
n Users, Groups, and Roles
n User Access, Reviews, and Revocation
n User ID Credentials
n Key Management
Customer Access RequirementsAs a customer, you must agree to the terms of service before getting access to VMware Cloud services. The Terms of Service document is publically available and the prospective customers can also access it.
Users, Groups, and RolesThe organization’s audit tools monitor and restrict the misuse of log data. Strict access control, separation of duty, and other policies define which users have access to the management system of VMware.
The VMware Security Operations Center uses security information and event management (SIEM) tools to monitor logs and all the privileged access is captured in a centralized server. HR policies of VMware ensure that the terminated employees have no access. A quarterly access review audit is performed to ensure that the service access is appropriate. An employee who changes roles within the organization has access privileges modified according to their new position. Controls are applied to ensure that access to systems that are no longer required for business purposes is removed.
The third-party access to organization’s information systems and data is followed by coordinated application of resources to minimize and monitor the likelihood and impact of unauthorized access. Compensating controls derived from risk analyses are implemented before provisioning access. As a customer, you are responsible for managing access to the administrative console and end-user
VMware, Inc. 17
resources. You can also control the access to VMware Cloud services and virtual network. Access to diagnostic and configuration ports is restricted to authorized individuals and applications. VMware systems management access is performed over a dedicated network connection. Customer management access is performed over a dedicated management network connection established by VPN.
The Terms of Service document clearly defines the demarcation between responsibilities of VMware, segregation of duties within VMware, the responsibilities of Amazon Web Services, and customer responsibilities.
User Access, Reviews, and RevocationA quarterly access review audit is performed to ensure certification of entitlements for all VMware Cloud services, critical system users, and administrators.
All entitlement actions including remediations and certifications for inappropriate entitlements are recorded in the systems used to grant or revoke access.
The annual independent third-party assessments help in the audit and review of user access and user entitlement remediations and certifications. Reports are shared when these assessments are made available to our customers. Third-party auditors perform reviews against industry-standards including ISO 27001. VMware furnishes audit reports under non-disclosure agreement (NDA).
If there is a user access revocation or modification, a timely de-provisioning of the user access is made to the following:
n Organization systems
n Information assets
n Data implemented upon any change in status of employees
n Contractors
n Customers
n Business partners
n Third parties involved
VMware has HR systems, policies, and procedures to guide management during termination or change of the employment status. Access privileges to systems are removed with a status change. Employees or contractors who change roles within the organization are provided access according to their new position.
Any change in the user access status is intended to include termination of employment, contract, or agreement, change of employment, or transfer within the organization. A quarterly access review audit is performed to ensure that access is appropriate. Regular internal audits are conducted to confirm that access control changes are implemented on critical systems.
User ID CredentialsThe customer user account credentials are restricted to ensure that they have an appropriate identity, entitlement, access management, and are in accordance with the established policies and procedures.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 18
VMware supports integration with the existing customer-based single sign-on (SSO) solutions to its service.
There are mechanisms to unlock accounts. For system accounts, the VMware self-service password reset interface sends a time-bound, one-time password to the email address of the customer. However, for federated solutions, it is the customer's responsibility to reset the password.
Key ManagementThe key management policies and procedures guide users about managing the encryption keys. Access to cryptographic keys is restricted to specific users and all access is logged and monitored.
All the customer-specific keys used in VMware Cloud services are unique for each customer. An independent certificate authority generates customer-specific keys programmatically at the time of provisioning. These keys are associated with the unique URLs created for each customer.
VMware has key management controls and personnel for managing and securing the encryption certificates used to communicate with the VMware Cloud service consoles. VMware Cloud service operations provide information regarding the certificates installed, certificates about to expire, and certificates revoked through a certificate management dashboard.
VMware uses a commercial solution to secure, store, and control the access to tokens, passwords, certificates, API keys, and other confidential information. In addition, VMware certificate vendors have certificate management dashboards that can be used to monitor and manage the certificates for which VMware is responsible.
A VMware application monitors and automates the management of keys for both the key management controls and commercial solution encryption key management systems.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 19
Vulnerability and Patch Management 8The Vulnerability Management Program performs vulnerability scans on network, applications, and operating system layers and follows industry best practices. This program includes third-party vulnerability scanning and penetration testing. Results of vulnerability scans are not shared with customers as they do not participate in the vulnerability management program of the service. Because the results are not shared, it ensures confidentiality, integrity, and availability of the hosted VMware services. Vulnerability scans are reviewed during the annual audit and assessment program.
VMware analyzes the severity and impact of potential vulnerabilities, and upgrades all network, utility, and security equipment. VMware subscribes to vendor security and bug-tracking notification services. Remediation efforts are prioritized and applied against critical and high-risk issues. Critical patches are installed on time and non-critical patches are included in the pre-defined patch schedule and applied within reasonable timeframes. Changes are made according to industry best practices.
The QA department completes patch testing and rollback procedures and ensures compatibility with and minimal impact to the production environment. Third-party auditors perform reviews of the vulnerability and patch management process according to industry standards, including ISO 27001. VMware furnishes audit reports under an NDA.
This chapter includes the following topics:
n Antivirus and Malicious Software
Antivirus and Malicious SoftwareAnti-malware programs are installed when using components vulnerable to malware within the service. Security threat detection systems and anti-malware systems are configured and updated across all infrastructure components according to industry-accepted timeframes.
VMware, Inc. 20
Operations Management 9VMware follows industry best practices for the operation of VMware Cloud services. These include security monitoring, planning for security incident reporting and response, and maintaining infrastructure integrity.
This chapter includes the following topics:
n Security, Logging, Monitoring, and Intrusion Detection
n Security Incident Management
n Incident Reporting
n Integrity
Security, Logging, Monitoring, and Intrusion DetectionSystem audit logs are important and therefore, they are protected and retained. These logs adhere to the applicable legal and regulatory compliance obligations and ensure a unique user access accountability to detect potentially suspicious network behaviors, file integrity anomalies, and support forensic investigation if there is a security breach.
The service continuously collects and monitors environment logs, which are correlated with both public and private threat feeds to detect suspicious and unusual activities. Also, intrusion detection devices such as honeypots are used.
Audit logs are centrally stored and retained whenever required. The Information Security Management System (ISMS) tests these audit logs annually and the VMware Security Operations Center monitors and reviews them continuously..
VMware has an intrusion detection system and other tools to continuously monitor any deviations in production from the baseline configurations, and generate notifications.
Security Incident ManagementThe VMware Incident Response program plans and procedures are developed in accordance with the ISO 27001 standard. For security and incident management, VMware maintains contacts with industry bodies, risk and compliance organizations, local authorities, and regulatory bodies as required by the ISO
VMware, Inc. 21
27001 standard. List of contacts are regularly updated to ensure a direct compliance liaison and be prepared for a forensic investigation that requires a law enforcement.
Under the VMware ISMS program, the incident response plan is tested at least once annually, even if no security incident has occurred.
Incident ReportingThe logging and monitoring framework for VMware Cloud services allows VMware to identify the incidents of specific customers. The VMware Security Operations Center uses a SIEM system and merges data sources for a granular analysis and alerting.
VMware has a formal incident response group to cater to incident-response activities. Forensic data is made available for third-party forensic analyses, if required by law. VMware assesses the information security risk impact based on the internal mechanisms to quantify the types, volumes, and impacts on all information security incidents. VMware considers these policies and procedures as confidential and does not share specific details with customers. However, information pertaining to security breaches are shared with affected customers to support the contractual and legal obligations.
VMware notifies the customers through electronic methods, whenever feasible, for example, through portals. For more information, refer to the VMware Data Processing Addendum.
IntegrityVMware checks the integrity of managed virtual machine images and software binaries before use. VMware logs and monitors all infrastructure actions and raises alerts based on predefined rules. As a customer, implementation of integrity checking on your virtual machine images is your responsibility.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 22
Security Support Processes 10The business policies and procedures of VMware support the security processes. From the hiring process to ongoing personnel training, these procedures guide the development and operation of VMware Cloud services.
This chapter includes the following topics:
n Background Screening
n Employment Agreements, Training, and Termination
n Workspace
n Policy
n Asset Management
Background ScreeningEmployment candidates, contractors, and third parties are subject to background verification in accordance with the local laws, regulations, ethics, and contractual constraints. The pre-employment screening begins with the employee’s position and level of access to the service. The screening process also involves criminal background checks, as permitted by applicable law. Independent audit reports provide additional details regarding the controls applied for background verifications.
Employment Agreements, Training, and TerminationAccording to the ISO 27001 standard, all VMware personnel must complete the annual security awareness training. Personnel supporting VMware managed services must complete additional role-based security training to perform their job functions securely.. Compliance audits are periodically performed to ensure that employees understand and follow the established policies. All VMware employees must sign the confidentiality agreements at the time of onboarding. Also, after the candidates are hired, they must read and accept the Acceptable Use Policy and VMware Business Conduct Guidelines.
VMware, Inc. 23
An enterprise learning management system is used to facilitate the delivery of VMware training programs including the annual security awareness training, which is required for accessing sensitive systems, such as developer workstations and production deployment. All personnel with access to VMware services must complete the referenced annual security awareness training. The tools used for recording the successful completion of the required training and completion reports are reviewed during ISMS review meetings.
Personnel having access to the production environment receive additional training, which is completed before authorizing access to production systems. All VMware personnel are required to sign employment agreements to ensure that customer and tenant information is kept confidential. Applicable policies are reviewed at planned intervals by VMware. Access privileges to systems are removed when an employee leaves the company. Employees who changes roles within the organization have access privileges modified according to their new position. Terminated employees must return the assets.
Roles and responsibilities of contractors, employees, and third-party users are documented as they relate to information assets and security. The VMware Cloud services Terms of Service, service descriptions, privacy addendums, and service documentations define a clear demarcation between the responsibilities of the customer and VMware.
The VMware Data Processing Addendum, Privacy Policy, and Terms of Service provide information to the customers regarding the type of usage data collected during their use of the service. This includes data such as information on the amount of computing and storage resources purchased or consumed, named user counts, and third-party licenses consumed.
VMware does not provide an option for tenants to opt out of having their data or metadata accessed through inspection technologies. The type of data VMware collects is outlined in the Data Privacy agreement, and the methods by which VMware uses data is clearly mentioned and available publicly on the VMware website. The collection of the types of data specified is necessary for VMware to deliver the services mentioned in the service description.
WorkspaceA formal security awareness training program guides personnel on maintaining appropriate security for VMware services. Access control, separation of duties, and other policies define which users are provided access to VMware Cloud services management systems, and serve as an integrity function for unauthorized access to tenant data.
Access to customer environments where the customer data is stored can be accessed only by an authorized VMware operator. The authentication process uses a two-factor authentication process and generates a user-specific time-based temporary credential. This temporary credential is associated with a specific incident, and all activities performed by this user is logged.
The VMware Security Operations Center uses log capture, security monitoring technologies, and intrusion detection tools to monitor any unauthorized access attempts. All changes to the virtual machine configuration are logged, and as a customer, this information is made available to you, which helps you detect tampering and enable integrity checking.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 24
PolicyThe policies and procedures of VMware establish and maintain a safe and secure working environment. VMware personnel and the third parties involved receive VMware Business Conduct Guidelines and security awareness training regarding the policies, standards, and procedures.
Asset ManagementVMware maintains inventories of critical assets including asset ownership and critical supplier relationships.
When there is termination of employees or expiration of external business relationships, all assets owned by the organization are returned within a certain period. VMware monitors systems for privacy breaches and has a breach notification process to notify customers when there is a privacy breach.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 25
Governance, Risk, and Compliance 11VMware performs risk assessments and audits according to industry standards. The risk assessment includes review of operations of VMware Cloud services and supply chain of reliable vendors.
This chapter includes the following topics:
n Risk Assessments, Program Management, and Policy
n Supply Chain Management, Transparency, and Accountability
n Audit Assurance and Compliance
Risk Assessments, Program Management, and PolicyAccording to ISO 27001 standard, VMware Cloud services management has a strategic business plan that includes risk identification and implementation of controls to mitigate or manage risks. Risk assessments are performed annually to ensure that appropriate controls exist to reduce the risks related to the confidentiality, integrity, and availability of sensitive information.
VMware Cloud services management re-evaluates the strategic business plan biannually. This evaluation helps the management in identifying risks within its areas of responsibility and implements appropriate measures designed to mitigate the risks.
The information security and compliance teams together with management ensure that the security policies are complaint.
VMware Business Conduct Guidelines and security awareness trainings are mandatory for new employees. The existing employees complete this training annually.
VMware provides security policies and security training to employees to educate them about their roles and responsibilities concerning information security. VMware takes appropriate disciplinary action on employees violating VMware standards or protocols.
Applicable security provisions are added to supplier agreements to ensure that the providers are contractually obligated to maintain appropriate security provisions.
VMware audit and assessment program ensures that the third-party auditors review the policies according to industry standards including ISO 27001. VMware furnishes audit reports under an NDA.
VMware, Inc. 26
VMware has documented security baselines to guide personnel regarding appropriate configurations to protect any sensitive information. Baseline configurations for all software and hardware installed in the production environment are also documented and updated regularly. A defined change management policy governs any changes to these configurations. Baseline configurations are securely recorded. VMware notifies customers when changes are made to the service.
Supply Chain Management, Transparency, and AccountabilityAs a customer, you have control and ownership over the quality of your data and potential quality errors that might arise by using VMware Cloud services.
VMware controls the access rights based on the principle of least privilege, which means only the minimum level of access required is granted. Access is provided according to the individual job functions and requirements. Appropriate levels of management authorize the access rights to computers and information systems and before the rights are granted. Managing access to information systems is implemented and controlled through centralized identity stores and directories.
Internal audits are performed annually under the VMware ISMS program. VMware uses internal and external audits to measure the conformance and effectiveness of the controls applied to reduce risks associated with the information security, and identify areas of improvement. Audits are essential to the VMware continuous improvement program.
VMware has a comprehensive sourcing and vendor risk management process to select providers that meet VMware requirements including security provisions. Supplier agreements ensure that providers are in compliance with the applicable laws, security, and privacy obligations.
As a customer, you are responsible for using the VMware solution in compliance with relevant laws and regulations. The VMware ISMS process documents and tracks non-conformance, and also monitors supplier performance and escalates issues if necessary. To ensure information security across your information supply chain, VMware also conducts risk assessments annually to ensure that appropriate controls exist to reduce the risk related to the confidentiality, integrity, and availability of sensitive information.
The VMware audit and assessment program performs reviews on subprocessing agreements. VMware monitors audit reports and certifications to review risk management and governance processes, and effectiveness of applicable controls.
VMware has made Service Level Agreement (SLA), Terms of Service, Data Processing Addendums, and Privacy notices publicly available at vmware.com/download/eula.
Audit Assurance and ComplianceVMware engages independent third-party auditors to perform reviews against industry standards, and furnishes audit reports under an NDA.
For more information about compliance reports and other security and compliance information, see cloud.vmware.com/trust-center/compliance.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 27
Enterprise Resilience 12Business continuity and disaster recovery planning includes processes and designs to minimize the impact of any disasters on the VMware Cloud services operations.
This chapter includes the following topics:
n Business Continuity
n Disaster Recovery
Business ContinuityVMware has a defined information security program that includes business continuity and disaster recovery strategies for data and hardware redundancy, network configuration redundancy, backups, and regular testing exercises. This program implements appropriate security controls to protect its employees and assets against natural or man-made disasters. Also, an automated runbook system is implemented to ensure that policies and procedures are reviewed and made available to appropriate individuals. These policies and procedures include roles and responsibilities supported by regular workforce training.
VMware ensures that security mechanisms and redundancies are implemented to protect equipment from utility service outages. Risk assessment is completed regularly to identify natural and man-made threats based on a geography-specific business impact assessment. The change management triggers reviews of new projects and critical processes. The resulting security mechanisms and redundancies are reviewed through regular audits.
The real-time status of VMware Cloud services along with past incidents is publicly available at status.vmware-services.io.
Disaster RecoveryVMware Cloud services have multiple disaster recovery mechanisms to recover from multiple concurrent failures. Redundancy and blast isolation are built into the architecture to ensure a high availability of the VMware Cloud services including regional independence, separation of console availability, and customer service availability.
VMware monitors the infrastructure and services on which VMware Cloud services depend, and receives notifications if there is a failure.
VMware, Inc. 28
According to VMware business impact analysis, dependencies on third parties are documented to ensure that there are appropriate business continuity measures. As a customer, you can report a disaster using self-service or call the VMware global support team. VMware reviews the customer-reported events and determines whether the event meets the disaster criteria.
The VMware Enterprise-Independent Attestation process reviews the business continuity plans and documentation annually. The VMware ISMS is based on the ISO 27001 framework. VMware third-party auditors review the business continuity and redundancy plans in accordance with the industry standards including ISO 27001. VMware furnishes audit reports under an NDA.
VMware Cloud On Dell EMC Security Overview Guide
VMware, Inc. 29
