Horizon Cloud Service Compliance with 14 NCSC Cloud Security Principles
Introduction
The UK National Cyber Security Centre (NCSC) guidance for the 14 Cloud Security Principles describes a comprehensive cloud information security program to help enable organizations meet compliance and security obligations within the UK. VMware has also participated in the UK Government G-Cloud initiative to ease cloud computing procurement by public-sector entities within the UK government. Refer to the VMware Horizon Cloud Service listings on the UK Digital Marketplace for additional information.
Horizon Cloud Service is Payment Card Industry-Data Security Standard (PCI-DSS) certified, System and Organization Controls (SOC) 2 Type 2 audited, has achieved International Standards Organization (ISO) 27001, 27017, and 27018 certifications, and has also achieved the Cyber Essentials and Cyber Essentials Plus certifications. For the most up-to-date list of product audits and certifications, navigate to the VMware Trust Center. SOC 2 Type 2 reports are available under an NDA with VMware. VMware also publishes extensive documentation to familiarize organizations with our products and services on VMware Docs and VMware Tech Zone. Refer to the applicable details within the VMware Cloud Services Guide from the VMware ONE Contract Center for detailed descriptions of service components as well as shared service administration responsibilities between VMware and the customer.
Note: You can find the definitions for acronyms used in this document in Acronyms used in the Workspace ONE Security Series.
Purpose
This document addresses the VMware enterprise Information Security Program, as well as policies and procedures in relation to the NCSC guidance for the 14 Cloud Security Principles, for the following End-User Computing (EUC) cloud-hosted services: Horizon Cloud Control Plane, Horizon Cloud Service on Microsoft Azure, and Horizon Subscription. Within this whitepaper, these services are collectively referred to as “Horizon Cloud Service.” Horizon Cloud Next-Gen service is not covered in this whitepaper.
Audience
This document is intended for Horizon Cloud Service commercial cloud administrators. It assumes at least intermediate knowledge of Horizon Cloud Service, and focuses on the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization Management Program (FedRAMP), on-premises, and third-party offerings are not in-scope for this document.
1. Data in transit protection
Table 1: NCSC Guidance for protection for Data-in-Transit (DiT)
| NCSC Guidance | |
| Principle | User data transiting networks should be adequately protected against tampering and eavesdropping. This should be achieved through a combination of:
|
| Goals | You should be sufficiently confident that:
|
Horizon Cloud Service enforces strong TLS 1.2 encryption in transit to and from the VMware cloud environments over the public Internet to protect data against man-in-the-middle attacks. In transit encryption includes traffic between end user devices and service, the service and other services (such as cloud connectors and customer systems), and internally within the service, where applicable. Firewalls, managed perimeter devices, and strong physical and logical access controls provide layered security within the Horizon Cloud Control Plane hosted environments.
Between Users and the Service
HTTP Strict Transport Security (HSTS) headers in the Horizon Cloud Service administrative consoles help ensure that clients connect to the application over TLS/SSL after initial connection. The connection between customer Horizon Pods and the VMware-managed Horizon Cloud Control Plane is encrypted using PCI-DSS compliant TLS 1.2. The level of encryption leveraged by the solution from end users is determined by how customer administrators have configured the solution.
In general, devices will connect via a VMware Horizon Client, installed on an endpoint or as a native mobile application (for example, iOS). Client software is available from public app stores or from VMware for iOS, Android, Chrome, Windows, Linux, and macOS so that users can access published applications from any device. An HTML access web client is also available, and it does not require installing any software on client devices.
When clients connect to a remote desktop or application with the PCoIP or Blast Extreme display protocol from VMware Horizon Client can connect through the applicable Secure Gateway component on a Horizon Connection Server instance or Unified Access Gateway appliance. This connection provides the required level of security and connectivity when accessing remote desktops and applications from the Internet.
Unified Access Gateway appliances include a PCoIP Secure Gateway component and a Blast Secure Gateway component, which offers the following advantages:
- The only remote desktop and application traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated user.
- Users can access only the resources that they are authorized to access.
- The PCoIP Secure Gateway connection supports PCoIP, and the Blast Secure Gateway connection supports Blast Extreme. Both are advanced remote display protocols that make more efficient use of the network by encapsulating video display packets in UDP instead of TCP.
- PCoIP and Blast Extreme are secured by AES-128 encryption by default. Customers can, however, change the encryption to AES-256.
Between Service Components
Integration between Horizon Cloud Service components (Horizon Cloud Connector, Horizon Cloud Control Plane, and Unified Access Gateways) is performed securely through API integration and/or on-premises connectors. REST API calls take place over HTTPS with a certificate signed by a publicly trusted Certificate Authority (CA). The Service can securely integrate with on-premises services, such as Active Directory (AD), through connectors which proxy data to the cloud using HTTPS.
Horizon Client, or zero/thin hardware clients, communications through these sessions are established using either the Blast Extreme or PCoIP protocol which provides AES 256-bit encryption.
Internally Within the Service
To help ensure the availability of our services, VMware replicates the top-level management and configuration data to back up locations for quick service restoration in the unlikely event of a disaster. Data is encrypted in transit between primary and backup locations.
Note that customers are responsible for backing up the desktop and application data that is stored and managed in Horizon Pods.
VMware Access to Production Environments
VMware does not have access to the desktop images and applications stored within customer-managed Horizon Pods.
Access to VMware-managed Horizon Cloud Control Plane production environments requires a VPN with MFA and a jump server. Production environment access is monitored and logged per PCI-DSS requirements. Customers manage their desktop and application assignments from the web-based Horizon Cloud Service administration console.
2. Asset protection and resilience
Table 2: NCSC Guidance for asset protection and resilience
| NCSC Guidance | |
| Principle | User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage, or seizure. |
| Considerations | The aspects to consider are:
|
VMware models our Asset Management program after ISO 27001, NIST 800-53, and PCI-DSS standards, and Horizon Cloud Control Plane is hosted on Microsoft Azure globally. Microsoft Azure data centers have undergone PCI-DSS certification, SOC 2 Type 2 audits, and have achieved at least ISO 27001, in addition to ISO 27017 and 27018 certifications. As part of our vendor risk management program, VMware validates security controls in the SOC reports and certificates for our data centers partners; appropriate agreements and service level agreements (SLAs) are in place.
Note: Microsoft publishes compliance and security information for their services. Reports and attestations can be acquired directly from these providers.
Horizon Cloud Service has also been PCI-DSS certified, ISO 27001/ISO 27017/ISO 27018 certified, Cyber Essentials Plus certified, and SOC 2 Type 2 audited. For more details regarding the certifications and compliance standards achieved by Horizon Cloud Service, visit the VMware Cloud Trust Center.
2.1 Physical Location and Legal Jurisdiction
Table 3: NCSC Guidance for physical location and legal jurisdiction
| NCSC Guidance | |
| Principle | In order to understand the legal circumstances under which your data could be accessed without your consent, you must identify the locations at which it is stored, processed, and managed. You will also need to understand how data-handling controls within the service are enforced, relative to UK legislation. Inappropriate protection of user data could result in legal and regulatory sanction, or reputational damage. |
| Goals | You should understand:
|
Storage and Processing Locations
VMware clearly defines data storage, processing, and management locations for Horizon Cloud Service. The Horizon Cloud Control Plane is available in primary and backup locations hosted in the UK to meet our UK customers’ data sovereignty needs. Per standard terms in the VMware General Terms and other ancillary documents found on the VMware ONE Contract Center, the legal jurisdiction if the contracting entity is outside of the US is governed by the laws of Ireland.
Table 4: Data center locations by service
| Data Center Locations | |
| Horizon Cloud Control Plane | Primary – UK Backup – UK |
| Horizon Pod | Customer managed |
Additional processing locations for optional cloud-delivered features are defined in the service Sub-processors Addendums, such as the Brokering Service or Cloud Monitoring Service. Horizon Cloud Service sub-processors are outlined in the Horizon Cloud Service Sub-processors Addendum.
VMware Support Locations
VMware global Support Services team operates in a follow-the-sun model from locations in the UK, Ireland, US, Costa Rica, India, Japan, Australia, Singapore, and local support in China. Support may be provided from any of these global offices or other locations as our support team continues to expand to meet customer requirements.
Privacy, the General Data Protection Regulations (GDPR), and Brexit
VMware complies with applicable obligations as a Data Processor. VMware enables customers to use services in a manner which enables the Customer to comply with applicable Data Protection Laws, including GDPR, as a Data Controller or as a Processor with respect to personal data. VMware has no direct relationship with the Users whose data it processes in connection with providing the Software and any related services. A User who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their query to the Customer. If the Customer requests VMware to modify or remove the data, we will respond to the Customer’s request in accordance with our agreement with the applicable Customer or as may otherwise be required by applicable law. As the Data Controller, Customers can export solution data at any time from the administrative console.
Note: Refer to the VMware Privacy Notice for additional information regarding data collection and use.
VMware has completed the EU-approval process for its global Binding Corporate Rules (BCRs) as a data processor. This significant regulatory approval allows VMware to use this transfer mechanism to protect the personal data of its customers when acting as their data processor. The BCRs apply to our customer data processing relationships. VMware’s application for Binding Corporate Rules in the UK ("VMware's UK BCR’s") is currently pending, and VMware’s Data Processing Addendum will be updated when the UK BCRs take effect. See this FAQ for more information and to address concerns regarding VMware's data transfer strategy in light of Brexit, and specifically the use of binding corporate rules (BCRs) and standard contractual clauses (SCCs).
Note: VMware is listed as a company for which the EU BCR cooperation procedure is closed. VMware also publishes BCR frequently asked questions (FAQs) for customer and partner review.
Horizon Cloud Service administration console enables administrators to manage the data from the web-based consoles to help organizations to simplify data protection and privacy within a wider GDPR/UK GDPR compliance program:
- Access, update, or remove data directly from the consoles at any time.
- Export solution data at any time via CSV, as well as PDF and XLS formats.
Scoped Data
Horizon Cloud Service gives customers data minimization, accuracy, and audit controls to help administrators protect end-user data. Customer administrators can deactivate the Horizon Cloud Monitoring service completely if they do not want any of the monitoring data to be stored in the service. For an overview of the data collected by the service, refer to the Horizon Service Cloud Security Whitepaper.
2.2 Data center security
Table 5: NCSC Guidance for data center security
| NCSC Guidance | |
| Principle | Locations used to provide cloud services need physical protection against unauthorized access, tampering, theft, or reconfiguration of systems. Inadequate protections may result in the disclosure, alteration, or loss of data |
| Goals | You should be confident that the physical security measures employed by the provider are sufficient for your intended use of the service. |
As part of our vendor risk management program, VMware reviews audit reports, such as ISO certificates for our data center partners; furthermore, appropriate agreements and service level agreements (SLAs) are in place. Microsoft Azure staff do not have logical access to the data hosted on the VMware-managed Horizon Cloud Control Plane.
Microsoft Azure has undergone various certifications and audits, including PCI-DSS certification, SOC 2 Type 2 audits, and ISO 27001/27017/27018 certifications. Microsoft Azure offers best-in-class physical security, including at ingress and egress points through 24/7/365 on-site monitoring, required badge access, mantraps, and so on.
Horizon Cloud Control Plane is hosted on multiple Availability Zones. Each data center facility is unique in its specific approach to the physical infrastructure, but Microsoft Azure follows the same general principles for power redundancy and physical access controls.
Various power, cooling, and fire suppression measures include redundant power to each component, with dual PDU and power in each cabinet: N+1 PDU and a generator fuel system for power, N+1 cooling and fire detection with early warning tools and dual interlock pre-action sprinkler systems.
2.3 Data at rest protection
Table 6: NCSC Guidance for Data-at-Rest protection
| NCSC Guidance | |
| Principle | To ensure data is not available to unauthorized parties with physical access to infrastructure, user data held within the service should be protected regardless of the storage media on which it’s held. Without appropriate measures in place, data may be inadvertently disclosed on discarded, lost, or stolen media. |
| Goals | You should have sufficient confidence that storage media containing your data are protected from unauthorized access. |
VMware leverages primary and disaster recovery sites for data resiliency. Each data center facility is unique in its specific approach to the physical infrastructure, but Azure follows the same general principles for power redundancy and physical access controls:
- Controlled access into the data center facility by a combination of badge access, biometrics, and mantraps
- 24/7 staffing and on-site security
- Monitored entry and exit points and key aisles via CCTV camera monitoring
- Various power, cooling, and fire suppression measures, including power to each component is redundant with dual PDU and power in each cabinet: N+1 PDU and a generator fuel system for power, N+1 cooling and fire detection with early warning tools and dual interlock pre-action sprinkler systems
VMware implements strong protection at rest for applicable data hosted within VMware cloud environments. See the Horizon Service Cloud Security Whitepaper for an overview of how data is protected within the service. The encryption leveraged by the solution depends on a customer’s specific implementation.
Horizon Cloud Control Plane collects data for service administration and licensing information; customer on-premises Horizon 8 desktop and associated app data is not stored in the Horizon Cloud Control Plane.
Customer administrators can view usage and activity reports for various user, administrative, and capacity-management activities within the Horizon Cloud Administration Console.
The Horizon Cloud Control Plane stores and handles different categories of data depending on how customers leverage the solution. Refer to the Horizon Service Cloud Security Whitepaper for applicable details.
2.4. Data sanitization
Table 7: NCSC Guidance for data sanitization
| NCSC Guidance | |
| Principle | The process of provisioning, migrating, and de-provisioning resources should not result in unauthorized access to user data. |
| Goals | You should be sufficiently confident that:
|
Microsoft Azure manages hardware sanitization for the underlying systems supporting VMware cloud environments. VMware environments regularly overwrite or delete hosted customer data according to a defined schedule. The VMware Data Processing Addendum (“Deletion of Data”) and the VMware General Terms including other ancillary documents found on the VMware ONE Contract Center govern data deletion for standard hosting agreements.
2.5 Equipment disposal
Table 8: NCSC Guidance for equipment disposal
| NCSC Guidance | |
| Principle | Once equipment used to deliver a service reaches the end of its useful life, it should be disposed of in a way which does not compromise the security of the service, or user data stored in the service. |
| Goals | You should be sufficiently confident that:
|
Horizon Cloud Control Plane is hosted on Microsoft Azure, and VMware has no access to the underlying hardware. Microsoft Azure manages physical security controls, including system maintenance and equipment disposal, as well as physical access credential lifecycles. Microsoft Azure revokes access credentials for the physical hosting spaces as required. Microsoft Azure media destruction and decommissioning procedures are NIST 800-88 Rev 1 compliant.
Note: Microsoft Azure publishes compliance and security information for their services. Reports and attestations can be acquired directly from Microsoft.
2.6 Physical resilience and availability
Table 9: NCSC Guidance for physical resilience and availability
| NCSC Guidance | |
| Principle | Services have varying levels of resilience, which will affect their ability to operate normally in the event of failures, incidents, or attacks. A service without guarantees of availability may become unavailable, potentially for prolonged periods, regardless of the impact on your business. |
| Goals | You should be sufficiently confident that the availability commitments of the service, including their ability to recover from outages, meets your business needs. |
VMware Business Continuity and Disaster Recovery strategies include data and hardware redundancy using Microsoft Azure Availability Zones, network configuration redundancy and backups, and regular testing exercises. VMware maintains inventories of critical assets including asset ownership, and VMware maintains an inventory of critical supplier relationships.
Horizon Cloud Control Plane environments meet strict requirements for high availability and redundancy. VMware eliminates any single point of failure through Microsoft Azure Availability Zones, network, power, and clustering of key components. Horizon Cloud Control Plane environments are hosted on geographically resilient Microsoft Azure Availability Zones.
- Horizon Cloud Service has guaranteed standard uptime SLAs of 99.9%.
Note: See the Service Level Agreement for VMware Workspace ONE® and VMware Horizon® Cloud Service for SLA definitions and coverage. - Horizon Cloud Service uptime status, planned maintenance, and historical incident data are displayed on a service status page.
3. Separation between users
Table 10: NCSC Guidance for separation between users
| NCSC Guidance | |
| Principle | A malicious or compromised user of the service should not be able to affect the service or data of another. |
| Goals | You:
|
Customer instances are isolated from each other using logical techniques.
Horizon Cloud Control Plane is hosted on Microsoft Azure in a public hosting model. Horizon Cloud Control Plane services enforce TLS data encryption between cloud environments and service clients (such as web consoles and user endpoints) over the public Internet. VMware uses subnets to connect systems in different security domains, and all traffic passes through firewalls before reaching proxy servers in the cloud environment.
Access privileges are enforced using role-based access control, separation of duties, and the principle of least privileges. Production environment access is secured through a combination of VPN and jump servers using MFA and directory credentials. In accordance with ISO 27001 and PCI-DSS, access is restricted to authorized members of applicable teams, and system sessions are set to an idle timeout of 15 minutes. Logs are in place to review support staff access to all systems and environments. Quarterly User Access Reviews are conducted to review privileged access and to remove or deactivate accounts with 90 days of inactivity.
4. Governance framework
Table 11: NCSC Guidance for governance framework
| NCSC Guidance | |
| Principle | The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined. |
| Goals | You should have sufficient confidence that the service has a governance framework and processes which are appropriate for your intended use. Good governance will typically provide:
|
Information Security Management System (ISMS) Governance
The VMware ISMS leverages guidance from industry best practices and regulatory standards, including NIST SP 800-53, ISO 27001, and PCI-DSS. We maintain written ISMS, and we perform annual reviews and audits of the program to ensure the integrity of our hosted offering. Our ISMS considers the following objectives:
- The threats, vulnerabilities, and likelihood of occurrence identified by assessment of risks relative to the overall business strategy and objectives
- The legal, statutory, regulatory, and contractual requirements that VMware and relevant and applicable partners, contractors, and service providers must comply with
- The principles, objectives, and business requirements for information handling, processing, storing, communicating, and archiving developed by VMware to support its business operations
VMware has designated the Chief Security Officer to oversee our ISMS. For comprehensive security through the organization, multiple groups within VMware have a role in establishing, maintaining, monitoring, and operating the security practices for the ISMS:
- Incident and Vulnerability Management
- Security Engineering and Security Operations
- Human Resource Security
- Legal
- Governance Risk and Compliance
Regulatory Governance
VMware continuously reviews laws and regulations to appropriately respond to the evolving legal and privacy landscapes. Our in-house legal department is involved in the establishment and review of privacy policies to review which privacy laws and regulations are applicable to the jurisdictions in which we operate.
VMware has appointed a Data Protection Officer (DPO) for purposes of the GDPR/UK GDPR. The DPO’s role is to assist a company to monitor internal compliance, to inform and advise on the company’s data protection obligations, to provide advice regarding data protection impact assessments and to act as a contact point for data subjects and the supervisory authority.
The VMware Board of Directors sets high standards for its employees, officers, and directors. Implicit in this philosophy is the importance of sound corporate governance. It is the duty of our Board of Directors to serve as a prudent fiduciary for shareholders and to oversee the management of the business. To fulfill its responsibilities and to discharge its duty, the VMware Board of Directors follows the procedures and standards that are set forth in these guidelines. These guidelines are subject to modification from time to time as the Board of Directors deems appropriate in the best interests of the business or as required by applicable laws and regulations.
5. Operational security
Table 12: NCSC Guidance for operational security
| NCSC Guidance | |
| Principle | The service needs to be operated and managed securely in order to impede, detect, or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming, or expensive processes. |
| Considerations | There are four elements to consider:
|
We consider configuration and change management, vulnerability management, protective monitoring, and incident management procedures in our ISMS. VMware strives towards operating and managing all Horizon Cloud Service environments using a consistent ISMS framework. Horizon Cloud Service is PCI-DSS and ISO 27001/ISO 27017/ISO 27018 certified. Third-party and internal assessors validate these processes at least annually under the VMware ISMS program. These audits are essential to the VMware continuous improvement programs.
Horizon Cloud Service has also achieved the Cyber Essentials and Cyber Essentials Plus certifications. For the most up-to-date list of product audits and certifications, navigate to the VMware Trust Center. SOC 2 Type 2 reports are available under an NDA with VMware. VMware also publishes extensive documentation to familiarize organizations with our products and services on VMware Docs and VMware Tech Zone. Refer to the applicable details within the VMware Cloud Services Guide from the VMware ONE Contract Center for detailed descriptions of service components as well as shared service administration responsibilities between VMware and the customer.
5.1 Configuration and change management
Table 13: NCSC Guidance for configuration and change management
| NCSC Guidance | |
| Principle | You should have an accurate picture of the assets which make up the service, along with their configurations and dependencies. |
| Goals | You should have confidence that:
|
We maintain a formal configuration management policy based on industry best practices to harden the cloud environment; revisions and exceptions to the configuration management policy are processed through a documented change management policy to help ensure the confidentiality, integrity, and availability of our hosted offering.
Our change management policy defines controlled changes to configurations in our production environments; change processes include required approval, testing, implementation and contingency plans. Changes undergo standard testing and validation processes, and if for any reason a change is unsuccessful or does not pass the required testing phases, our teams execute a fallback plan. Horizon Cloud Service is PCI-DSS and ISO 27001, 27017, and 27018 certified.
Microsoft Azure manages the underlying hardware asset registers as well as configuration and change management procedures for VMware-managed Horizon Cloud Service environments according to PCI-DSS and ISO 27001, 27017, and 27018. Microsoft Azure media destruction and decommissioning procedures are NIST 800-88 Rev 1 compliant.
Note: Microsoft Azure publishes compliance and security information for their services. Reports and attestations can be acquired directly from Microsoft.
5.2 Vulnerability management
Table 14: NCSC Guidance for vulnerability management
| NCSC Guidance | |
| Principle | Service providers should have management processes in place to identify, triage, and mitigate vulnerabilities. Services which don’t, will quickly become vulnerable to attack using publicly known methods and tools. See our guide on vulnerability management for more detail. |
| Goals | You should have confidence that:
|
VMware employs a rigorous Vulnerability Management program as part of the VMware Information Security Program. We follow guidance established in NIST SP 800-30 and conduct regular risk and vulnerability assessments to identify, assess, and remediate emerging threats. When potential vulnerabilities are discovered, we follow a documented procedure to prioritize and deploy necessary patches within the cloud environment. Remediation efforts are prioritized and applied against critical and high-risk issues.
VMware identifies vulnerabilities and threat-sources through subscribing to relevant mailing lists, conducting interviews with various members of the Cloud community, attending conferences, and mapping data to the business landscape. VMware-managed scanning tools are regularly updated to ensure quick detection of emerging threats.
Defined change management procedure help ensure patches are compatible with the production environment. Rollback plans captured as part of change management processes in alignment with PCI-DSS standards.
5.3 Protective monitoring
Table 15: NCSC Guidance for protective monitoring
| NCSC Guidance | |
| Principle | A service which does not effectively monitor for attack, misuse, and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data. |
| Goals | You should have confidence that:
|
VMware-managed cloud environments are secured with layered defenses, including but not limited to, access control mechanisms, firewalls, malware controls, auditing mechanisms, and network controls. Intrusion Detection Systems (IDS) monitor network traffic, log suspicious activity, and alert on suspicious network activity within VMware cloud environments.
VMware Cloud Operations monitor cloud environments 24/7 for alerts or suspicious activity. VMware follows the Fault, Configuration, Accounting, Performance, and Security (FCAPS) model to monitor the cloud environment and has configured the system to notify IT personnel if the central processing unit (CPU) utilization is too high, disk space limited, memory issues, key service failures, bandwidth utilization, power consumption, or other defined performance items. IaaS providers offer built-in security and monitoring controls.
In alignment with PCI-DSS standards, VMware has enabled full auditing capabilities on all environments to enable the reconstruction of security incidents and events. We have provided a description of incident response management for the following section, 5.4 Incident management, and audit capabilities in Principle 12. Audit information for users.
5.4 Incident management
Table 16: NCSC Guidance for incident management
| NCSC Guidance | |
| Principle | Unless carefully pre-planned incident management processes are in place, poor decisions are likely to be made when incidents do occur, potentially exacerbating the overall impact on users. |
| Goals | You should have confidence that:
|
The VMware Incident Response program plans and procedures are developed in alignment with ISO 27001 and PCI-DSS standards. For the purpose of security and incident management, VMware maintains contacts with industry bodies, risk and compliance organizations, local authorities, and regulatory bodies. Points of contact are regularly updated to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.
VMware requires staff to report information security events as quickly as possible per corporate policies. At a minimum, these situations include:
- Ineffective security controls or access violations
- Breach of information integrity, confidentiality, or availability expectations
- Human errors
- Non-compliances with policies or guidelines
- Breach of physical security arrangements
- Uncontrolled system changes
- Malfunction of software or hardware
Incident Management Plan
VMware follows a formal Incident Management Plan that is maintained as part of our overall Information Security Program. Incidents are reported to the appropriate Cloud Operations team for categorization and resolution; issues are escalated to senior management according to a pre-defined protocol. VMware tracks issue alerts, responses, and resolutions throughout completion. Incident response teams prepare postmortem report to internal stakeholders and our Information Security Governance Committee for review. VMware will notify the appropriate customer IT stakeholders. VMware uses email announcements to maintain open lines of communication between support staff and customers regarding change management events, incident events, and problem events.
Figure 2: Incident Response Lifecycle
We periodically review incidents and update our incident response program as needed based on: Incident root cause and incident pattern analysis, as well as potential changes in the internal control environment and legislation. Incident response plans are tested at least once annually whether a security incident has occurred or not.
- Results of the quarterly review are reported to management.
- Key metrics are defined, tracked, and reported to senior management on a yearly basis or as needed.
6. Personnel security
Table 17: NCSC Guidance for personnel security
| NCSC Guidance | |
| Principle | Where service provider personnel have access to your data and systems, you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel. |
| Goals | You should be confident that:
|
We maintain formal personnel security procedures as part of our Information Security Program, which includes comprehensive background checks. All employees acknowledge company policies and sign a Non-Disclosure Agreement (NDA). Information security awareness training is mandatory; completion and end-of-course testing is recorded. Annual refreshers are required.
Background checks are performed in accordance with the VMware pre-employment background check protocols applicable to the region and are subject to local laws and regulations. As a general matter, VMware Human Resources (HR) Operations initiates and oversees the background check process. Results are treated as confidential personnel records, made available only to those outside HR Operations with a business reason to review or be consulted regarding the results.
Subject to applicable law, VMware, or its background check vendor, typically performs the following background checks:
- A verification of the applicant’s recent work history
- Confirmation of highest degree obtained, and professional qualifications required for the position
- Credit review for employees at the level of VP or higher in the Finance organization
- Review of certain criminal records, consistent with availability of records and limitations imposed by applicable law
All VMware employees are responsible for maintaining company sensitive information confidentiality, storing and managing passwords appropriately, being aware of customer privacy concerns, and remaining vigilant for security threats (such as social engineering and phone impersonations). Violations of VMware information security policies are subject to disciplinary proceedings, including termination and legal action, as necessary.
- VMware requires staff to report information security events as quickly as possible per corporate policies to help detect external threat actors or malicious insiders. At a minimum, these situations include:
- Ineffective security controls or access violations
- Breach of information integrity, confidentiality, or availability expectations
- Human errors
- Non-compliances with policies or guidelines
- Breach of physical security arrangements
- Uncontrolled system changes
- Malfunction of software or hardware
- Bring your own (BYO) devices are not used to maintain the VMware cloud environments. VMware corporate-issued mobile devices are subject to automatic compliance policies that require and specify approved OS, patch, and applications. BYO devices must be enrolled in Workspace ONE UEM to access VMware corporate information and are subject to additional corporate-mandated security controls.
- Access to VMware-managed production environments uses a combination of VPN with MFA and jump hosts for SSH. Production environment access is monitored and logged. Applicable logs are then forwarded to the VMware Security Operations Center. Note that customers manage Horizon Cloud Service through web-based consoles and do not directly manage cloud environments.
Initial and annual information security awareness is delivered through a Learning Management System (LMS). The LMS electronically records training proof of completion for employees. Cloud Operations personnel receive additional, specialized training as they assume job roles and responsibilities within 30 days of beginning work; training must be completed before authorizing access to VMware systems.
Topics include:
|
|
Note: Training completion tracking may differ depending on the training delivery type (such as instructor-led training or LMS).
Security Community
VMware has been an active participant in the broader software industry security community became an early BSIMM member in 2009 and has completed several reviews by BSIMM of our SDL. Findings are incorporated into our SDL to drive continuous improvements. VMware is a member of SAFECode and we work closely with Security Analysts and Researchers and security organizations to stay current on the industry threat landscape and security best practices. VMware Product Security VMware SDL is continuously assessed for its effectiveness at identifying risk and new techniques are added to SDL activities as they are developed and mature.
VMware is also active in the security research community and our security evangelism team works to actively cultivate relationships in the security community. VMware encourages continuous employee training programs which subsidize relevant conference tickets, such as BSides and BlackHat, training classes, and subscriptions to leading online training platforms for technical and business acumen. Additionally, VMware has job rotation programs designed to reignite and broaden employee work experience and retain top talent.
7. Secure development
Table 18: NCSC Guidance for secure development
| NCSC Guidance | |
| Principle | Services should be designed and developed to identify and mitigate threats to their security. Those which aren’t may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity. |
| Goals | You should be confident that:
|
We have developed Product Security Requirements to establish a security baseline for our products. These requirements are intended to guide teams through all stages of the Secure Software Development Lifecycle, from product inception and development to product testing. It also serves as a tool for senior management to benchmark product security against market expectations. Software testing include manual and automated testing methods. VMware has embedded security Subject Matter Experts (SMEs) in our R&D organization, as well as within Cloud Operations. Employees hold certifications such as CISSP, CISM, CIPM, CIPP/E, CCSP, CCDA, VCP, ITILv3, CNA, CompTIA A+, ISSA, and CEH.
VMware follows a defined SDL which incorporates security into each phase (requirements, design, implementation, verification) of development. Our product security guidelines and security assessment framework incorporate multiple application frameworks and vulnerability sources, including the Open-Source Security Testing Methodology Manual (OSSTMM), the OWASP Testing Guide, OWASP Mobile Security Project, OWASP Top Ten, CWE/SANS Top 25. Code undergoes rigorous review by our Engineering and Development Security teams. The product suite undergoes multiple tests prior to release, including static and dynamic code reviews, penetration tests, fuzz and unit testing, attack surface reviews, and so on.
VMware uses some third-party and/or open-source code in our solution offerings. VMware performs open source and third-party (OSS/TP) software validation to safeguard against known vulnerabilities prior to being included in a VMware product release.
- VMware requires that its development teams use the latest, fixed versions of the OSS/TP software and publish the names and release levels of each OSS/TP product or library that the team uses in building VMware products or components.
- Code or products that VMware acquires undergo a formal testing and acquisition process. Contracts with suppliers’ address VMware information security requirements and any required risk remediation is evaluated prior to product acquisition.
- Unified Access Gateway (UAG) which provides secure remote access to on-premises virtual desktops is developed with security in mind. The UAG can be configured to automatically fetch and apply any available authorized Photon OS package to the Unified Access Gateway version which has been deployed in the customer environment.
Note: VMware publishes pertinent information on the VMware Open-Source Disclosure page.
To securely deliver continuous product improvements, VMware has incorporated DevOps processes into our SDL where applicable. Continuous Delivery (CD) pipelines have logging enabled. Development teams can push code as a check-in and this process requires multiple code reviews in parallel with unit and integration testing. After successful completion of pass/fail tests, code is deployed into the VMware internal environment and then to user acceptance testing and hosted production environments.
VMware performs extensive penetration tests against our applications and services. The penetration tests are generally divided in three different phases, focusing on identifying high impact vulnerabilities which could lead to exploitation, theft of data, and overall privilege escalation. The tests typically follow a method intended to simulate real-word attack scenarios and threats that could critically impact the data privacy, integrity, and overall business reputation. Our third-party penetration testers hold numerous certifications ranging from OCSP to SANS certifications.
In alignment with PCI-DSS requirements, VMware encourages continuous employee training through annual training in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. VMware also subsidizes certification attempts (for example CISSP and CCSP), relevant conference passes, training classes, and subscriptions to leading online training platforms for enhancing technical and business acumen. Additionally, employees can participate in job rotation programs designed to reignite and broaden employee work experience. Refer to the VMware Product Security Whitepaper for additional information.
8. Supply chain security
Table 19: NCSC Guidance for supply chain security
| NCSC Guidance | |
| Principle | The service provider should ensure that its supply chain satisfactorily supports all the security principles which the service claims to implement. |
| Goals | You understand and accept:
|
VMware engages sub-processors to provide hosting services for the Horizon Cloud Service hosted environments. We enter into agreements with our sub-processors to meet baseline security requirements and to adhere to applicable data protection laws. We work with reputable service providers and perform software validation (where applicable) to safeguard against known vulnerabilities prior to incorporation within our products and services.
Horizon Cloud Service environments in the UK are deployed in Microsoft Azure data centers. Sub-processors are outlined per service in the Sub-processors Addendums. We have also established compliance standards and service expectations with our data center providers and regularly audit data center controls, procedures, and independent assessments to assess and minimize service provider risk:
- SLAs are in place with our data center providers that stipulate baseline compliance standard and security requirements.
- We also review published SOC reports and ISO certification, disaster recovery plans, and other applicable policies (such as access control policies, physical and environmental plans) of the processor.
- Additional information concerning data center sub-processors is outlined in Principle 2. Asset protection and resilience.
9. Secure user management
Table 20: NCSC Guidance for secure user management
| NCSC Guidance | |
| Principle | Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorized access and alteration of your resources, applications, and data. |
| Considerations | The aspects to consider are:
|
VMware shares the responsibility for securing Horizon Cloud user management with customer or partner administrators.
- Horizon Cloud customer administrators manage end-user and administrator accounts through the web consoles. Customers can use their existing Active Directory infrastructure for user authentication and management. For added security, customers can integrate with two-factor authentication solutions, such as RSA SecurID and RADIUS, and smart card authentication solutions. Additionally, configure single sign-on using SAML, Kerberos, or True SSO. Using Horizon Cloud with the Unified Access Gateway also supports integration with Okta and Ping. VMware applications are subject to continuous testing to confirm control efficiency.
- VMware additionally implements strong access controls in accordance with role-based access control, separation of duties, and the principle of least privileges. Production environment access is secured through a combination of VPN and jump servers using MFA and directory credentials. In accordance with ISO 27001 and PCI-DSS, access is restricted to authorized members of applicable teams, and system sessions are set to an idle timeout of 15 minutes. Logs are in place to review support staff access to all systems and environments. Quarterly User Access Reviews are conducted to review privileged access and to remove/deactivate accounts with 90 days of inactivity.
9.1 Authentication of users to management interfaces and support channels
VMware Internal Support Channels
VMware employees use an internal web ticketing system, dedicated support line, or self-service password tool to reset credentials. Users are verified prior to credential reset or temporary password delivery. Where temporary credentials are issued, users will be required to change passwords upon initial login. Cloud environment privileged credentials are reset and fully tracked through an internal ticketing system.
Customer Support Channels
To validate customer support requests, VMware assigns a unique 10-digit numeric identifier (“Customer number”) to each customer contact for the purpose of technical support. The customer number is created for users either when users create a VMware or VMware Customer Connect profile themselves, or when a new order is placed for users that do not have a VMware or VMware Customer Connect profile. Customer numbers are unique to individuals (similar to a personal identification number).
- Users can use their customer number to log in to VMware Customer Connect, file support requests through the interactive voice response system (IVR), or when working directly with a customer service representative. The customer number is displayed in their VMware Customer Connect profile and in support request forms.
- Customer numbers are unique for each customer contact (each individual who creates an account with us) and should not be shared with others.
Note: Refer to the VMware Tech Support Guide for additional information. Note that support for products and services licensed through partners may differ depending on the purchasing model.
9.2 Separation and access control within management interfaces
Customer Managed Users – Overview
Horizon Cloud Service administrators can manage Horizon Cloud from any web browser, anywhere in the world by simply logging into secure consoles. These consoles do not need to be downloaded, installed or configured, saving their IT department time and resources. Horizon Cloud Service portals may include:
- Horizon Cloud Administrator Console
- Workspace ONE Access Administrator Console
Administrative and end-user portals fully encrypt data in transmission with TLS over the public Internet, in alignment with PCI-DSS standards.
Horizon Cloud and the associated administrative portals undergo rigorous internal and third-party penetration and vulnerability assessments as a crucial step of our SDL. Issues, where uncovered, are tracked through remediation and prioritized according to criticality.
Customer Managed Users – Creation
Horizon Cloud integrates with directory services to inherit existing identity permission structures and credentials. Horizon Cloud integrates with Workspace ONE Access to extend existing directory infrastructure and provide a seamless Single Sign-On (SSO) experience to web, mobile, cloud, and legacy applications.
Customer Managed Users – Role-based Access Controls
Each administrative console records activity and provides detailed application-level logs of the events or actions taking place. The solution maintains and displays this information to authorized users for auditing and reporting purposes. In the process of authenticating to the cloud-based administrative console, after authenticating to the initial login screen using a My VMware account, the individual from a customer organization enters their Active Directory user account credentials in the second login screen, according to the Active Directory domain they have registered with the environment. The system provides predefined roles that they can assign to the various Active Directory groups. These Active Directory domain-related roles control which areas of the console are viewable and enabled or viewable and deactivated, as the logged-in person navigates through the console.
Horizon Cloud Service Administrative Console includes role-based access controls with the following roles: Super administrators, Assignment administrator, Help Desk Administrator, Help Desk Read-only administrator, and Demo Administrator.
Workspace ONE Access management portal includes role-based access controls with the following roles: Super administrators, Directory administrators, and Read-only administrators.
Navigate to VMware Docs for full descriptions of available pre-configured and customizable administrator roles across the Horizon Cloud Service platform.
10. Identity and authentication
Table 21: NCSC Guidance for identity and authentication
| NCSC Guidance | |
| Principle | All access to service interfaces should be constrained to authenticated and authorized individuals. Weak authentication to these interfaces may enable unauthorized access to your systems, resulting in the theft or modification of your data, changes to your service, or a denial of service. |
| Goals | You should:
|
VMware Authentication Policies
Access privileges are enforced using role-based access control, separation of duties, and the principle of least privileges. Production environment access is secured through a combination of VPN and jump servers using MFA and directory credentials. In accordance with ISO 27001 and PCI-DSS, access is restricted to authorized members of applicable teams, and system sessions are set to an idle timeout of 15 minutes. Logs are in place to review support staff access to all systems and environments. Quarterly User Access Reviews are conducted to review privileged access and to remove/deactivate accounts with 90 days of inactivity. Passwords:
- Cannot be from a dictionary word
- Cannot be a name
- Cannot be repeated over a given period
Customer Managed Authentication Policies
Horizon Cloud integrates with directory services to inherit existing identity permission structures and existing credentials. Workspace ONE Access uses SAML 2.0 assertions to federate users with existing credentials. There are multiple authentication mechanisms available for customers to access their virtual desktops to include directory integration, MFA, and SSO with SAML via VMware Workspace ONE Access.
VMware Horizon provides a True SSO (single sign-on) feature that allows users log in with third-party identity provider credentials and access a virtual desktop or published application without having to supply their Active Directory credentials. With True SSO, a user can log in using a non-directory method (for example, RSA SecurID credentials) and once authenticated, the user is able to launch any entitled desktop or application without being prompted for a password. True SSO uses SAML (Security Assertion Markup Language) to send the User Principal Name to the identity provider’s authentication system to access Active Directory credentials. Horizon Cloud Service then generates a unique, short-lived certificate for the Windows login process.
11. External interface protection
Table 22: NCSC Guidance for external interface protection
| NCSC Guidance | |
| Principle | All external or less trusted interfaces of the service should be identified and appropriately defended. If some of the interfaces exposed are private (such as management interfaces) then the impact of compromise may be more significant. You can use different models to connect to cloud services which expose your enterprise systems to varying levels of risk. |
| Goals | You:
|
For customers using Workspace ONE Access to facilitate identity federation, Workspace ONE Access enforces TLS data encryption between cloud environments and service clients (such as web consoles and user endpoints) over the public Internet. To protect Workspace ONE Access, VMware uses AWS VPCs, security groups, and subnets to connect systems in different security domains. All external traffic passes through firewalls before reaching proxy servers. For more information on the security controls used by Workspace ONE Access cloud service, see the Workspace ONE Cloud Services Security Overview.
VMware Access to Production
Access privileges are enforced using role-based access control, separation of duties, and the principle of least privileges. Production environment access is secured through a combination of VPN and jump servers using MFA and directory credentials. In accordance with ISO 27001 and PCI-DSS, access is restricted to authorized members of applicable teams, and system sessions are set to an idle timeout of 15 minutes. Logs are in place to review support staff access to all systems and environments. Quarterly User Access Reviews are conducted to review privileged access and to remove/deactivate accounts with 90 days of inactivity.
Horizon Service Authentication
Horizon Cloud Service web interfaces and user endpoints are secured with TLS 1.2 for data in transit over the public Internet. See Principle 9 and Principle 10 for an overview of service components and security. Note that customer administrators access and manage the Horizon Cloud Service platform from web-based consoles and do not directly manage the cloud environment.
Continuous Testing
VMware performs extensive internal and external penetration tests at least annually. The penetration tests are generally divided in three different phases, focusing on identifying high impact vulnerabilities which could lead to exploitation, theft of data, and overall privilege escalation. The tests typically follow a method intended to simulate real-word attack scenarios and threats that could critically impact the data privacy, integrity, and overall business reputation.
12. Secure service administration
Table 23: NCSC Guidance for secure service administration
| NCSC Guidance | |
| Principle | Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data. |
| Goals | You should:
|
VMware secures highly privileged access to the Horizon Cloud Service through a layered defense model that requires strong authentication prior to performing service management functions. Personnel must use VMware-owned equipment when accessing production environment systems. VMware centrally manages patching, antivirus, and data loss prevention (DLP) software on corporate endpoints through Workspace ONE UEM as our internal end user device management platform.
Access to VMware cloud environments is restricted to approved employees with MFA. Employees are prohibited from transferring customer data from the production environment. All access is logged and monitored. VMware Cloud Operations personnel use separate user accounts for administration and normal user activities. Note that customer administrators access and manage the Horizon Cloud Service platform from web-based consoles and do not directly manage the Cloud environment.
13. Audit information for users
Table 24: NCSC Guidance for audit information for users
| NCSC Guidance | |
| Principle | You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales. |
| Goals | You should be:
|
VMware Managed Systems
VMware has security controls in place to reduce the risk of unauthorized access to sensitive information in the production environment. Horizon Cloud Service environments have intrusion detection mechanisms in place. The service continuously collects and monitors the environment logs which are correlated with both public and private threat feeds to spot suspicious and unusual activities.
VMware has a formal Security Incident Response team that facilitates all Incident Response activities that complies with industry standards for legally admissible chain of custody management processes and controls. VMware has a formal Incident Response team that facilitates all Incident Response activities which uses legally admissible forensic data collection and analysis techniques. Customers can request access to restricted audit data through the VMware Customer Connect support ticketing systems.
Application Logging
Horizon Cloud Service and Workspace ONE Access application logs accessible by customers are retained for approximately 30 days.
- The Horizon Cloud Monitoring Service enables collection of user session information for service utilization, trending, and historical analysis. The data is used in charts on the Dashboard page and in reports on the Reports page. The data collected is regarding the end users’ usage of the system, for example, login times, application and desktop launches, VDI desktop and RDSH performance data, VDI and RDSH server hostnames, client IP address, and username. You can opt out of the monitoring service at any time.
- The Workspace ONE Access admin console provides audit event reports for resource entitlements for groups and users. Audit events include time, date, and identity of administrative changes to permissions and app access.
14. Secure use of the service
Table 25: NCSC Guidance for secure use of the service
| NCSC Guidance | |
| Principle | The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected. |
| Goals | You:
|
Customers deployed in VMware cloud environments benefit from managed infrastructure. Customers manage users, data and configurations associated with the Horizon Cloud Service platform as well as on-premises connectors (for example, Horizon Cloud Connector) and integration points. VMware clearly outlines shared responsibilities with clients. Refer to the applicable details within the VMware Cloud Services Guide from the VMware ONE Contract Center .
Note: Roles and responsibilities for products and services licensed through partners may differ depending on the purchasing model.
Horizon Cloud Service includes a Getting Started Wizard which guides Administrators on what tasks they need to perform including the configuration steps that are needed before you can fully manage and use the environment, such as registering an Active Directory domain.
Privacy Controls
When the Enable User Session Information is disabled, the system will collect user session information for a limited period and will no longer store user identities for historical queries. Instead, the data is anonymized using hashing so that certain aggregated queries are still possible to enable real-time administration, but individual users cannot be identified. In addition, the historical and aggregated viewing of that user information will be disabled. Thus, the reports that would display historical and aggregated viewing of monitoring data, such as the Session History report, will not be available.
Note: When Enable User Session Information is disabled, user-identifying data is stored for up to 24 hours to provide real-time support of the service. Customer administrators can deactivate Horizon Cloud Monitoring service completely if they do not want any of the monitoring data to be stored in this service.
Documentation
Customers can access a comprehensive and easily accessible catalog of training resources on VMware Docs, VMware Customer Connect, and VMware Knowledgebase which provides varying levels of product knowledge and technical expertise, depending on the administrator role.
VMware publishes a Requirement checklist which includes guidance regarding key considerations and requirements for the delivery of the service. This checklist also provides guidance for optional components, such as the Universal Brokering Service, if an administrator wishes to implement them in their deployment
Training
After implementation, access self-guided training resources including product documents, instructional videos and our knowledge base – all available 24/7.
- Product Documents – Getting started articles, configuration guides, and technical whitepapers that cover key topics and address common challenges
- Instructional Videos – Our video library consists of succinct instructional videos organized by training curriculum, topic, and experience level to help you manage your own training schedule
- Knowledge Base – Access valuable tips and tricks written by product experts, product documents and the latest webinars and announcements
Customers can also leverage VMware Education Services for training and certification programs designed to grow our customers’ skills and validate their ability to leverage all the opportunities made possible by VMware solutions.
Summary and Additional Resources
Additional Resources
For more information about Horizon Cloud Services, you can explore the following resources:
- Horizon Service Cloud Security Whitepaper
- Horizon Reference Architecture
- Workspace ONE Cloud Services Security Overview
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
| 2023/02/13 |
|
About the Author and Contributors
The following people contributed their knowledge and expertise with this document:
- Kevin Shaw, Program Manager, EUC Security and Compliance Assurance, VMware
- Andrea Smith, Program Manager, EUC Security and Compliance Assurance, VMware
Feedback
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.