Horizon Cloud Service next-gen Alignment with the ACSC ISM

Introduction

This document describes the security of VMware Horizon Cloud Service next-gen in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). The ISM sets out a cyber security framework that organizations can apply, using their own risk management framework, to protect their information and systems from cyber threats.

Note: You can find the definitions for acronyms used throughout this document in: Acronyms used in the Workspace ONE Security Series.

Purpose

This whitepaper summarizes VMware’s alignment with the Cyber Security Principles and Cyber Security Guidelines within the ISM.

Audience

This document is intended for Australian government commercial cloud customers evaluating Horizon Cloud Service next-gen security and any potential risks against the ACSC ISM. It assumes at least intermediate knowledge of Horizon Cloud Service next-gen, and focuses on the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization Management Program (FedRAMP), on-premises, and third-party offerings are out of scope for this document.

Horizon Cloud Service next-gen Security Compliance

Horizon Cloud Service next-gen has completed a SOC 2 Type 1 audit. For the most up-to-date list of product audits and certifications, navigate to the VMware Trust Center. SOC 2 Type 1 reports are available under an NDA with VMware.

Note: The report is anticipated to be available for distribution in June 2023.

VMware also publishes extensive documentation to familiarize organizations with our products and services through VMware Docs and Tech Zone. See the Cloud Services Guide from the VMware ONE Contract Center for detailed descriptions of service components, as well as shared service administration responsibilities between VMware and our customers.

Alignment with the ACSC Cyber Security Principles

The VMware Information Security Program leverages guidance from industry best practices and regulatory standards, including NIST SP 800-53 and ISO 27001. VMware has created controls and processes using a set of driving principles to provide the underlying general rules and guidelines for security within our cloud-delivered services. Overarching principles include:

  • Governance – Balancing effectiveness and efficiency by implementing the appropriate controls and managing risk through an understanding of the threat landscape, involving all decision makers in risk analysis.
  • Protection – Providing preventative and protective capabilities to ensure a secure service.
  • Detection – Implementing 24x7 proactive monitoring to detect and identify security incidents.
  • Response – Developing agile response procedures that address both individual security incidents and disaster recovery.

Alignment with the ISM Cyber Security Guidelines

Guidelines for Cyber Security Roles

VMware has developed controls and processes for two main cyber security roles: chief information security officer and systems owners.

Chief Information Security Officer

VMware has a Chief Security Officer who leads, oversees, and is ultimately responsible for VMware’s Information Security program.

VMware coordinates cyber security through the Information Security Governance Committee (ISGC) which includes members of senior management and representatives from our Information Security, IT Operations, HR, Marketing, Facilities, and Legal teams.

System Owners

Horizon Cloud Service next-gen uses numerous components and platform services. Horizon Cloud Service next-gen product management has overall system ownership responsibility for the cloud service, although some underlying components have their own product managers. Operational security responsibilities are assigned to applicable operations teams.

Guidelines for Cyber Security Incidents

To help maintain the confidentiality, availability, and security of our customer data, VMware has developed controls and processes for detecting, managing, and reporting cyber security incidents.

Detecting Cyber Security Incidents

The VMware Security Operations Center (SOC) enables rapid assessment and response to cyber security threats targeting VMware services through continuous collection, evaluation, and dissemination of cyber threat intelligence. The VMware SOC works with the Horizon Cloud Service next-gen teams to provide proactive monitoring of hosted services and to support incident response activities.

The VMware SOC is staffed 24x7 and monitors alerts on security anomalies. The SOC leverages multiple tools for log capture, security monitoring, and intrusion detection to look for unauthorized access attempts, monitor for incoming threats, and detect activity from malicious insiders.

Managing Cyber Security Incidents

The VMware Incident Response plans and procedures have been developed in alignment with the ISO 27001 standard. VMware follows a formal Incident Management Plan that is maintained as part of our overall Information Security Program. Incidents are reported to the appropriate Cloud Operations team for categorization and resolution, and issues are escalated to senior management according to a pre-defined protocol. VMware tracks alerts, responses, and resolutions through to completion: incident response teams prepare post-mortem reports for internal stakeholders and for the Information Security Governance Committee to review.

Reporting Cyber Security Incidents

In the case of a confirmed data breach, VMware shall notify affected customers of the breach without undue delay in accordance with applicable laws, regulations, or governmental requests.

Guidelines for Outsourcing

VMware has developed controls and processes for cyber security outsourcing, including supply chain risk management, managed services, and cloud services.

Cyber Supply Chain Risk Management

VMware has a comprehensive vendor procurement and risk management program to choose providers that meet identified security baseline requirements. Supplier agreements help ensure that providers comply with applicable laws, security, and privacy obligations.

VMware has a formal process to document and to track non-conformance as a part of our information security management system (ISMS). To help assure reasonable information security across our information supply chain, VMware also conducts risk assessments for service sub-processors at least annually to ensure appropriate controls are in place to reduce risks to the confidentiality, integrity, and availability of sensitive information.

Managed Services and Cloud Services

Horizon Cloud Service next-gen incorporates managed services and cloud services from various service providers. VMware’s standard supplier management processes are used to track and manage the use of these third-party services.

Guidelines for Security Documentation

VMware has developed controls and processes for cyber security documentation, including development and maintenance of both general and system-specific security documentation.

Development and Maintenance of Security Documentation

VMware maintains an organization-wide Information Security Program and Policies, and we perform annual reviews and audits of our program to keep the documentation up to date. Formal documentation, such as business continuity and disaster recovery plans, is reviewed at least annually or upon significant system change.

Security documentation for Horizon Cloud Service next-gen is the responsibility of applicable product managers and is maintained by the relevant operations and engineering teams. Changes to security for VMware cloud services have an approval process involving Information Security.

System-specific Security Documentation

Service-specific documentation such as data flow and network diagrams, risk registers, deployment procedures, and so on, are reviewed and updated regularly.

VMware applies consistent incident response plans across its cloud services, which are led by the VMware SOC.

Cloud services for VMware also apply a consistent continuous monitoring plan for proactively identifying, prioritizing and responding to security vulnerabilities. The VMware Security Response Center (VSRC) is responsible for managing and resolving security vulnerabilities in VMware products and services that are available to customers. VSRC has a mature process for investigating reports, coordinating disclosure activities with researchers and other vendors when appropriate, and communicating remediation to customers via security advisories, blog posts, and email notifications.

Guidelines for Physical Security

VMware and its cloud hosting partners have developed controls and processes for physical security, including facilities and systems, as well as ICT equipment and media.

Facilities and Systems

VMware leverages Microsoft Azure data centers within Australia to support the Horizon Cloud Service next-gen offering. Microsoft Azure maintains physical and environmental security controls for the cloud-delivered service and other related ICT equipment. Microsoft Azure environments have undergone IRAP assessment at the PROTECTED level and SOC 2 Type 2 audits, and hold at least ISO 27001 certification.

The VMware physical security policy governs security for our offices and other global business locations to safeguard information systems and staff.

Key elements of this policy include controls around: physical security perimeters, physical entry controls, physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of facilities, protecting against external and environmental threats, working in secure areas, access to restricted areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of equipment, unattended user equipment and clear desk and clear screen.

ICT Equipment and Media

VMware leverages Microsoft Azure data centers within Australia to support the Horizon Cloud Service next-gen offering. Microsoft Azure maintains suitable controls to restrict access to the underlying ICT equipment for the services. Microsoft Azure has completed an IRAP assessment (PROTECTED) which includes the ICT equipment for Microsoft Azure services within the assessment scope.

All user data stored within Horizon Cloud Service next-gen is encrypted at rest with AES-256 symmetric encryption at a minimum. Customers manage encryption of their workload capacity, which includes Virtual Desktop Infrastructure (VDI) VMs, multi-session VMs, images, and user data. Customers can also optionally configure Horizon Cloud Service next-gen to communicate with an on-premises corporate network through a VPN or ExpressRoute connection.

Guidelines for Personnel Security

VMware has developed controls and processes for personnel security, including awareness training, and access to systems and respective resources.

Cyber Security Awareness Training

In alignment with the ISO 27001 standard, all VMware personnel and alternative workforce are required to complete annual business conduct and security awareness training. Employees undergo annual data handling and privacy training that includes the secure handling of customer data.

Access to Systems and Their Resources

VMware HR applies policies and processes for background screening, employment and confidentiality agreements, and employee termination.

Access privileges to the Horizon Cloud Service next-gen hosted infrastructure are enforced using role-based access control, separation of duties, and the principle of least privilege. Access to the production environment requires a VPN and a jump server, authenticated with directory credentials and MFA, and is restricted to authorized members of the applicable teams. Support staff access to all systems and environments is logged so that it can be reviewed.

Australian customer data is stored in regional data shards located in Australia with backups of those data shards also located in Australia. However, VMware uses a 24x7 “Follow-the-Sun” support program. This means that outside business hours in Australia, support services may be staffed by employees in our global office locations (for example, United Kingdom, United States) and data may be accessed (or processed) outside of Australia. Remote access to the production environment, for the purposes of maintenance and support, may also be used by our global data center operations team.

Guidelines for Communications Infrastructure

Our cloud hosting partners have developed controls and processes for communications infrastructure, including cabling infrastructure.

Cabling Infrastructure

VMware partners with Microsoft Azure to support Horizon Cloud Service next-gen in Australia, and Microsoft Azure manages cabling infrastructure used to host the services. Microsoft Azure services are assessed under the PROTECTED classification of IRAP.

Emanation Security

Horizon Cloud Service next-gen will not be used for SECRET or TOP SECRET systems or information and so emanation security controls are not applicable.

Guidelines for Communications Systems

No controls and processes have been developed for communications systems, including telephone systems, video conferencing, Internet protocol telephony, fax machines, and multifunction devices as these systems are not applicable to Horizon Cloud Service next-gen.

Telephone Systems

Telephone services are not applicable for Horizon Cloud Service next-gen.

Video Conferencing and Internet Protocol Telephony

Video and voice over Internet Protocol (IP) services are not applicable for Horizon Cloud Service next-gen.

Fax Machines and Multifunction Devices

Fax and multi-function device services are not applicable for Horizon Cloud Service next-gen.

Guidelines for Enterprise Mobility

VMware has developed controls and processes for enterprise mobility and mobile device management.

Mobile Device Management

VMware secures all company workstations and mobile devices using a centrally managed corporate Workspace ONE UEM instance. Any device connecting to VMware corporate resources is required to be enrolled and managed. Systems settings prohibit end users from disabling endpoint protection software.

Staff are permitted to use personal devices to access a limited set of VMware corporate services and information. However, personal devices are prohibited from accessing production environments for VMware products and services. VMware managed laptops must be used to access production environments.

Guidelines for Evaluated Products

No controls and processes have been developed for evaluated products, as this activity is not applicable to Horizon Cloud Service next-gen.

Evaluated Product Acquisition and Usage

Evaluated products are not procured for Horizon Cloud Service next-gen. VMware Horizon 7 v7.3.3, Horizon Client for Windows v4.6.1, and VMware Unified Access Gateway 3.1.1 are certified under Common Criteria. Unified Access Gateway 2209, Horizon Connection Server 8 2209 (Horizon 8.7), VMware Horizon Client 8 2209 (Horizon 8.7), and VMware Horizon Agent 8 2209 (Horizon 8.7) are under Common Criteria evaluation. However, Horizon Cloud Service next-gen itself is not an evaluated product.

Guidelines for ICT Equipment

VMware’s cloud hosting partners have developed controls and processes for ICT equipment, including usage, maintenance, and repairs, as well as sanitation, destruction, and disposal.

ICT Equipment Usage, Maintenance and Repairs, Sanitation and Destruction, Disposal

VMware partners with Microsoft Azure to support Horizon Cloud Service next-gen in Australia, and Microsoft Azure manages the underlying ICT equipment used to host the services. Microsoft Azure services are assessed under the PROTECTED classification of IRAP.

Guidelines for Media

VMware’s cloud-hosting partners have developed controls and processes for cyber security media, including usage, sanitation, destruction, and disposal.

Media Usage, Sanitation, Destruction, Disposal

VMware partners with Microsoft Azure to support Horizon Cloud Service next-gen in Australia, and Microsoft Azure manages the physical media that is used for the services. Microsoft Azure services are assessed under the PROTECTED classification of IRAP.

Guidelines for System Hardening

VMware has developed controls and processes for system hardening, including processes for operating systems, applications, authentication, and virtualization.

Operating System Hardening

VMware disables unnecessary ports, protocols, and services as part of its baseline hardening standards and follows industry best practices in applying secure configurations to managed servers. These baselines protect customer data in line with the requirements of PCI-DSS: quarterly Approved Scanning Vendor (ASV) scans are run and findings are remediated as PCI-DSS requires.

Application Hardening

VMware uses secure-by-design principles in developing its Horizon Cloud Service next-gen software and applies strong security management practices for the ongoing management of the cloud services.

Authentication Hardening

VMware applies authentication standards for all VMware products as part of the VMware Product Security Requirements (PSR) which are examined during the Security Development Lifecycle.

VMware applies industry best practice authentication for VMware personnel with access to all VMware code, software pipelines or cloud service environments. Industry best practice authentication is also applied for service accounts in cloud service environments. Authentication requirements are verified by our third-party auditors during our annual compliance activities.

Virtualization Hardening

VMware leverages host virtualization capabilities from Microsoft Azure. We follow industry best practices in applying secure configurations to virtualization and container platforms.

Guidelines for System Management

VMware has developed controls and processes for system management, including system administration, patching, data backup, and restoration.

System Administration

VMware applies robust processes for administration of all systems that are involved in providing Horizon Cloud Service next-gen. These systems and associated administrative infrastructure are strictly isolated from the VMware corporate network.

System Patching

VMware maintains the systems it uses to deliver Horizon Cloud Service next-gen, including the application of patches deemed critical for the target systems. Our policy is to patch or upgrade network, utility, and security equipment after analyzing the severity and impact of potential vulnerabilities. Critical vulnerabilities are addressed in a timely manner, and changes are made using industry best practices.

Vulnerability scanning and remediation are in line with PCI-DSS. Scans are performed at least monthly, and system and application owners are required to address critical and high vulnerabilities with a plan of corrective action after vulnerability discovery. Other vulnerabilities are addressed with a plan of corrective action within a reasonable period.

Data Backup and Restoration

Horizon Cloud Service next-gen is supported by defined enterprise resiliency programs which include business continuity and disaster recovery mechanisms for VMware-managed components per PCI-DSS requirements. We have a defined applicable recovery time objective (RTO) and recovery point objective (RPO). VMware does not provide disaster recovery and backup processes for customer-hosted infrastructure and customer-managed data.

Guidelines for System Monitoring

VMware has developed controls and processes for system monitoring, including event logging and monitoring.

Event Logging and Monitoring

VMware Cloud Operations is staffed 7x24x365 and the team deploys several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. Components include the VMware-managed Horizon Cloud Service next-gen underlying infrastructure servers, storage, networks, portals, services, and information systems.

VMware-managed Horizon Cloud Service next-gen infrastructure leverages a robust, centralized SIEM infrastructure per PCI-DSS requirements. All critical systems and privileged access, firewall, and IDS logs are logged and monitored. VMware System Security logs and events are centrally aggregated and monitored in real-time 7x24x365 by the VMware SOC. Logs forwarded to the VMware SOC are retained for one year and up to five years in archive.

Guidelines for Software Development

VMware has developed controls and processes for software development, including both application and web application development.

Application Development

VMware follows a defined Software Development Lifecycle (SDLC) which incorporates security into each phase (that is, requirements, design, implementation, verification) of development. VMware’s SDLC is based on industry-recognized best practices and standards, including PCI-DSS common coding vulnerabilities, OWASP, OSSTMM, SANS/CWE, and SCRUM methodologies. For more information on the VMware SDLC, see the VMware Product Security Whitepaper.

Web Application Development

VMware’s Security Development Lifecycle applies industry best practices for secure application development, including secure web application development practices.

Guidelines for Database Systems

VMware has developed controls and processes for database systems, including database servers, DBMS, and databases.

Database Servers, DBMS, Databases

Horizon Cloud Service next-gen databases are implemented using industry best practices, including hardening by disabling unnecessary services and accounts, applying the principles of least privilege and separation of duty, enforcing network segmentation, executing parameterized queries, and full logging and monitoring capabilities. Horizon Cloud Service next-gen also makes use of MongoDB Atlas, a managed service database solution. MongoDB implements the same stringent industry best practices for hardening of databases.

Guidelines for Email

No controls and processes have been developed for email, including email usage, gateways, and servers, as these systems are not applicable to Horizon Cloud Service next-gen.

Email Usage, Gateways, and Servers

Email management and email gateways and servers are not applicable for Horizon Cloud Service next-gen.

Guidelines for Networking

VMware has developed controls and processes for networking, including network design and configuration, and service continuity for online services. No controls have been developed for wireless networks, as these are not applicable to Horizon Cloud Service next-gen.

Network Design and Configuration

To reduce the management footprint and deliver a true desktop virtualization service, Horizon Cloud Service next-gen uses a "thin edge" architecture. Service infrastructure components that are typically deployed in customer environments, such as the connection servers, App Volumes manager, pod managers, and databases, have been moved into the VMware-managed Horizon Control Plane. The components that remain in the customer environment, collectively called the Horizon Edge, have a much smaller footprint, which translates to increased scalability, reduced management, simplified updates, and more stability. The design also separates the management infrastructure and functionality, delivered as cloud services from the Horizon Control Plane, from the resource capacity, delivered by supported capacity providers.

The VMware-managed Horizon Control Plane is hosted in Microsoft Azure data centers and is a multi-tenant Software-as-a-Service (SaaS) offering. Customer data is separated at the application level, and each tenant's data is encrypted with a per-tenant key. Firewalls restrict inbound traffic to the Microsoft Azure infrastructure environment and to MongoDB. Customers determine where Horizon Edge components reside, including the Horizon Edge Gateway, Unified Access Gateway, and virtual desktops, and specify the primary provider for a selected site. Customers may choose Microsoft Azure as the primary provider for their selected site or use an alternate software-defined data center (SDDC).


Figure 1: Horizon Cloud Service next-gen expanded Horizon Control Plane functionality

Edge Networking Components

Horizon Cloud Service next-gen deployed Edges require three subnets for the delivery of the service:

  1. DMZ – Enables inbound traffic from the Internet to the external Unified Access Gateways. Microsoft Azure Network Security Groups (NSGs) control inbound access and allow only the required ports and protocols to reach the external Unified Access Gateways.
  2. Management – An internal management network, allowing the Azure Kubernetes Service (AKS) clusters on the Horizon Edge to update the Unified Access Gateways and providing an outbound Internet channel for connection to the Horizon Control Plane and the Azure API.
  3. Desktop – Customer-controlled network for the VDI desktops and Remote Desktop Session Host (RDSH) Farms (supporting both multi-session desktops and applications), and internal Unified Access Gateways.

Visit the networking section of Horizon Cloud Service next-gen Architecture for additional insight into how the subnets can be used in the implementation of the service.
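The DMZ subnet is only as tight as the NSG attached to it, so an evaluator will want to check the exported rule set rather than take the description on trust. The following Go program is an added example, not code from this paper or from VMware: it audits an NSG export for inbound Allow rules whose source is the Internet and flags any destination port that is not on an allow-list. The JSON field names follow the Azure ARM schema as returned by `az network nsg show --resource-group <rg> --name <nsg> --output json`; the allow-list ports (443, 4172, 8443) are placeholder assumptions and must be replaced with the port list from the Horizon Cloud Service next-gen networking documentation, and the sample NSG is constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// rule holds the fields of an Azure NSG security rule (the JSON that `az network
// nsg show -o json` returns) used by the audit; other fields are ignored.
type rule struct {
	Name                  string   `json:"name"`
	Priority              int      `json:"priority"`
	Direction             string   `json:"direction"`
	Access                string   `json:"access"`
	SourceAddressPrefix   string   `json:"sourceAddressPrefix"`
	DestinationPortRange  string   `json:"destinationPortRange"`
	DestinationPortRanges []string `json:"destinationPortRanges"`
}

// AllowedPorts is the DMZ allow-list: the only destination ports Internet sources may
// reach on the external Unified Access Gateways. ASSUMPTION: placeholder values
// (HTTPS/Blast 443, PCoIP 4172, alternate Blast 8443); substitute the documented list.
var AllowedPorts = map[int]bool{443: true, 4172: true, 8443: true}
// portRange parses one Azure port spec ("443", "4172-4173" or "*", the wildcard).
func portRange(spec string) (lo, hi int, wildcard bool, err error) {
	if spec == "*" {
		return 0, 65535, true, nil
	}
	a, b, isRange := strings.Cut(spec, "-")
	if !isRange {
		b = a
	}
	lo, errA := strconv.Atoi(a)
	hi, errB := strconv.Atoi(b)
	if errA != nil || errB != nil || lo < 0 || hi > 65535 || lo > hi {
		return 0, 0, false, fmt.Errorf("bad port spec %q", spec)
	}
	return lo, hi, false, nil
}

// AuditDMZ returns one finding per inbound Allow rule whose Internet-facing source
// ("*", "Internet" or 0.0.0.0/0) reaches a port outside AllowedPorts. It does not
// model shadowing by a lower-numbered Deny rule; confirm findings against rule order.
func AuditDMZ(nsgJSON []byte) ([]string, error) {
	var n struct {
		SecurityRules []rule `json:"securityRules"`
	}
	if err := json.Unmarshal(nsgJSON, &n); err != nil {
		return nil, err
	}
	var findings []string
	for _, r := range n.SecurityRules {
		src := strings.ToLower(r.SourceAddressPrefix)
		if !strings.EqualFold(r.Direction, "Inbound") || !strings.EqualFold(r.Access, "Allow") ||
			(src != "*" && src != "internet" && src != "0.0.0.0/0") {
			continue // denies, outbound rules and internal-only sources are outside this check
		}
		var open []string // ports exposed beyond the allow-list
		for _, spec := range append(r.DestinationPortRanges, r.DestinationPortRange) {
			if spec == "" {
				continue // only one of the two destination fields is populated
			}
			lo, hi, wildcard, err := portRange(spec)
			if err != nil {
				return nil, fmt.Errorf("rule %s: %w", r.Name, err)
			}
			if wildcard {
				open = append(open, "* (all ports)")
				continue
			}
			for p := lo; p <= hi; p++ {
				if !AllowedPorts[p] {
					open = append(open, strconv.Itoa(p))
				}
			}
		}
		if len(open) > 0 {
			findings = append(findings, fmt.Sprintf("%s (priority %d): %d exposure(s) outside the allow-list, first: %s",
				r.Name, r.Priority, len(open), open[0]))
		}
	}
	return findings, nil
}

// SampleNSG is a constructed NSG export for illustration, not one captured from a real tenant.
const SampleNSG = `{"securityRules": [
 {"name": "allow-blast", "priority": 100, "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
 {"name": "allow-pcoip", "priority": 110, "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["4172", "8443"]},
 {"name": "allow-rdp-temp", "priority": 200, "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
 {"name": "allow-all-temp", "priority": 300, "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
 {"name": "allow-mgmt-ssh", "priority": 400, "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "10.10.1.0/24", "destinationPortRange": "22"}
]}`

func main() {
	findings, err := AuditDMZ([]byte(SampleNSG))
	fmt.Println(strings.Join(findings, "\n"), err)
}
```

On the constructed sample the audit reports only the RDP rule and the wildcard rule; the rule scoped to 10.10.1.0/24 is skipped because the check is about Internet exposure. Two caveats a reviewer should keep in mind: the audit does not evaluate rule order, so a flagged Allow could be shadowed by a lower-numbered Deny (and an unflagged one could be overridden by a higher-priority Allow from the default rules), and it ignores rules whose source is expressed as an application security group rather than an address prefix. The same function, with a different allow-list, can be run against the Management and Desktop subnet NSGs, where the expected answer is that no Internet-sourced Allow rule exists at all.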

Wireless Networks

Wireless networks are not applicable for Horizon Cloud Service next-gen.

Service Continuity for Online Services

Horizon Cloud Service next-gen employs a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies deployed at the data layer. The infrastructure is designed to ensure that customers will typically not notice a disruption during a component or system failure inside a primary data center.

Disaster recovery strategies include:

  • The use of Microsoft Azure Availability Zones in active-active configurations for applicable locations
  • Multi-region (in country) failover in the event of a regional outage
  • Database replication
  • Encryption of backups in transit and at rest (AES-256)

Disaster recovery is a shared responsibility between VMware and customers for the Horizon Cloud Service next-gen service. Customers fully manage the data stored in or accessed through Horizon Cloud Service next-gen on Microsoft Azure, including routine backups and content. VMware provides disaster avoidance and recovery for the top-layer and user-management interfaces that VMware owns and operates.

Guidelines for Cryptography

Horizon Cloud Service next-gen aligns its cryptography with the Payment Card Industry Data Security Standard (PCI-DSS), using AES-256 for encrypting data at rest (DaR) and TLS 1.2 for encrypting data in transit (DiT). VMware manages the Edge appliances and their security updates and patches, while customers determine the level of encryption configured for their desktops.

Horizon Cloud Service next-gen enforces TLS 1.2 encryption in transit to and from the VMware cloud environments over the public Internet to protect data against Machine-in-the-Middle (MitM) attacks. In-transit encryption covers traffic between end-user devices and the service, between the service and other systems (such as Horizon Edge appliances and customer systems), and, where applicable, traffic internal to the service. Firewalls, managed perimeter devices, and strong physical and logical access controls provide layered security within the hosted Horizon Control Plane environments.
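A customer can confirm from the outside that an endpoint really refuses anything older than TLS 1.2 rather than merely supporting it. The Go program below is an added example, not code from this paper or from VMware: it builds a server policy with TLS 1.2 as the floor and exercises it by running handshakes over the loopback interface with clients pinned to TLS 1.0, 1.1, 1.2, and 1.2 through 1.3. The host name uag.example.invalid and the in-process self-signed certificate are stand-ins for a real external Unified Access Gateway. To probe a real gateway instead, reuse the client tls.Config from Negotiate with tls.Dial against the gateway's address and leave certificate verification on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewGatewayConfig returns the hardened server-side policy: nothing below TLS 1.2
// is negotiated, whatever the client offers. The certificate is a throwaway
// self-signed one generated in-process (for the hypothetical host
// uag.example.invalid) so the check runs offline; never reuse it elsewhere.
func NewGatewayConfig() (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "uag.example.invalid"},
		DNSNames:     []string{"uag.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12, // the control under test: TLS 1.0/1.1 are refused
	}, nil
}

// Negotiate runs one handshake over the loopback interface between a server using
// serverCfg and a client that offers only versions in [clientMin, clientMax]. It
// returns the negotiated version (0x0303 = TLS 1.2, 0x0304 = TLS 1.3) or the error.
func Negotiate(serverCfg *tls.Config, clientMin, clientMax uint16) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only; no external traffic
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, serverCfg).Handshake()
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		MinVersion:         clientMin,
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // self-signed test certificate; never set this in production
	})
	if err != nil {
		ln.Close() // unblock Accept if the client never connected
		<-srvErr   // the server side has failed too; collect it
		return 0, err
	}
	defer client.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cfg, err := NewGatewayConfig()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name     string
		min, max uint16
	}{
		{"TLS 1.0 only", tls.VersionTLS10, tls.VersionTLS10},
		{"TLS 1.1 only", tls.VersionTLS11, tls.VersionTLS11},
		{"TLS 1.2 only", tls.VersionTLS12, tls.VersionTLS12},
		{"TLS 1.2-1.3", tls.VersionTLS12, tls.VersionTLS13},
	} {
		if v, err := Negotiate(cfg, c.min, c.max); err != nil {
			fmt.Printf("%-12s rejected: %v\n", c.name, err)
		} else {
			fmt.Printf("%-12s negotiated 0x%04x\n", c.name, v)
		}
	}
}
```

The two legacy probes fail with the server's protocol-version alert, the TLS 1.2 probe negotiates 0x0303, and a client that also offers 1.3 gets 0x0304; "enforces TLS 1.2" is read here as a floor, not a ceiling, which is the interpretation a hardening review should expect. Recent Go releases already default both sides to a TLS 1.2 minimum, so the explicit MinVersion on the probe client is what lets it speak TLS 1.0 and 1.1 at all; keep that in mind if the legacy probes unexpectedly fail before reaching the server.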

Customers manage encryption of their workload capacity, which includes VDI desktop VMs, multi-session VMs, images, and user data. Customers can also optionally configure Horizon Cloud Service next-gen to communicate with the on-premises corporate network via a VPN or ExpressRoute connection.

Guidelines for Gateways

VMware has developed controls and processes for gateways, including firewalls, web proxies, web content filters and filtering. No controls have been developed for cross-domain solutions, diodes, and peripheral switches as Horizon Cloud Service next-gen will only contain PROTECTED data and these controls are not applicable.

Gateways, Firewalls, Web Proxies, Web Content Filters, Content filtering

VMware-managed Horizon Cloud Service next-gen leverages a robust, centralized SIEM infrastructure per PCI-DSS requirements. All critical systems and privileged access, firewall, and IDS logs are logged and monitored. VMware System Security logs and events are centrally aggregated and monitored in real-time 7x24x365 by the VMware SOC. Logs forwarded to the VMware SOC are retained for one year, and up to five years in archive.

Importantly, VMware and customers share ownership of, and responsibility for, various aspects of the service, which are outlined in the VMware Cloud Services Guide. VMware will protect the information systems used to deliver Horizon Cloud Service next-gen over which VMware (as between VMware and a customer) has sole administrative level control. Customers are responsible for the security of the networks over which they have administrative level control. This includes, but is not limited to, maintaining effective firewall rules in all software-defined data centers (“SDDCs”) that a customer deploys when using Horizon Cloud Service next-gen.

Cross Domain Solutions, Diodes, Peripheral Switches

Horizon Cloud Service next-gen is offered as a public cloud service and so it will only be used for unclassified information or for information classified PROTECTED. Cross Domain Solutions and Diodes are not applicable. Controls related to peripheral switches are only applicable for Microsoft Azure as part of the shared responsibility model.

Guidelines for Data Transfers

VMware has developed controls and processes for data transfers and the protection of data exports.

Data Transfers

VMware employees are prohibited from manually transferring customer data from the production environment (for example, removal and storage of customer data on removable media). To help ensure accountability, full auditing capabilities are enabled on all VMware cloud environments.

Customers can import and export their data using manual techniques and are responsible for developing and implementing data transfer policies and procedures, including accountability, scanning, auditing, and logging.

Summary and Additional Resources

Introduction


This document addresses the security for VMware Horizon Cloud Service next-gen in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). Information contained in this document is solely for the use of evaluating Horizon Cloud Service next-gen software and services and does not represent an official Infosec Registered Assessors Program (IRAP) certification or endorsement of Horizon Cloud Service next-gen by the ACSC.

Additional Resources

For more information about the ACSC ISM or Horizon Cloud Service next-gen you can explore the following resources:

Changelog

The following updates were made to this guide:

Date          Description of Changes
2023/05/09    Guide was published.

About the Author and Contributors

This guide was authored by:

  • Andrea Smith, Program Manager, EUC Security and Compliance Assurance, VMware

The following individual(s) also contributed to the creation of this guide:

  • Kevin Shaw, Program Manager, EUC Security and Compliance Assurance, VMware
  • Andrew Osborn, Staff Technical Marketing Architect, EUC Technical Marketing, VMware

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

