VMware Workspace ONE SaaS achieves FedRAMP Authorization to include the Intelligence Service
We are proud to reveal that the VMware Workspace ONE Intelligence service is now included in VMware’s Workspace ONE FedRAMP Moderate Authorized, IL2 Software-as-a-Service (SaaS) offering, joining the rest of the Workspace ONE suite of Unified Endpoint Management (UEM), Access & Hub Services to further enable VMware’s Federal End-User Computing (EUC) capabilities!
This document is intended for IT administrators and product evaluators who are familiar with VMware's Anywhere Workspace powered by EUC and VMware Workspace ONE. Familiarity with the End-User Computing environment and modern management that includes device, app and identity management is assumed. Knowledge of other technologies, such as VMware Horizon, Security, Secure Access Service Edge (SASE), and Zero Trust Architecture (ZTA), is also helpful.
[UEM] [Access] [Hub Services] [Intelligence] + [Horizon]
With the addition of VMware Workspace ONE Intelligence into the Workspace ONE FedRAMP environment, government customers will have two options for integration:
- On-prem UEM deployment, using the ‘Intelligence Connector’ to facilitate the data transfer from the on-prem UEM to the hosted Intelligence tenant.
- Natively, via an existing or new FedRAMP cloud-hosted UEM tenant.
After deployment, customers can leverage a secure, cloud-hosted environment that delivers insights, analytics and automation for the digital workspace on their Workspace ONE platform, and gain deep insights into device, user and app posture that enable data-driven decisions across an agency or branch’s entire environment via Intelligence.
Building on the industry-leading device and user management capabilities of Workspace ONE UEM, Identity Management via Access, and User/Device app and experience management through Hub Services, Intelligence additionally can provide the following benefits.
Figure 1: Workspace ONE Intelligence Connector Examples
Workspace ONE Intelligence Benefits
Get complete visibility into your digital workspace and gain deep insights into device, user and app posture that enable data-driven decisions across your entire environment.
Increase agility and quickly respond to changing business needs with a robust orchestration and automation engine. Extend and integrate with third-party IT tools such as ServiceNow or Slack for complete end-to-end automation of business processes.
Improve employee experience, productivity, and engagement with Digital Employee Experience Management. Monitor workspace KPIs impacting employee experience with a rich set of insights and analytics including an employee experience score. Proactively identify issues, perform root cause analysis, and remediate with automation, drastically reducing the number of issues and time to resolution and improving employee experience and productivity.
Leverage machine learning to deliver continuous verification with risk analytics based on user behavior and device context. Enable a VMware Zero Trust framework with the inherent security capabilities of the intelligence-driven Workspace ONE Platform and Trust Network, which comprises a rich ecosystem of integrated partner solutions, e.g., Security Information & Event Management (SIEM).
Cross-Platform insights into the State of the Digital Workspace
Get complete visibility into security posture, user experience, device health, OS adoption and app analytics, including monitoring of app performance and engagement for your custom mobile applications, such as app crashes, monthly active users (MAU), daily active users (DAU), app launch, network details, and app usage details.
Unified Security Strategy
Break the silos between IT and InfoSec teams with a consistent and common tool for discovering and responding to new threats, and with continuous verification of risk based on user behavior and device context across the digital workspace with a Trust Network partner, e.g., 3rd party FedRAMP’d Mobile Threat Defense (MTD).
Improved UX & Productivity
Understand how digital workspace KPIs impacting employee experience perform. Proactively identify issues, troubleshoot, and quickly provide a fix.
Increased IT efficiency & agility
Make data-driven decisions and take actions faster with automation and orchestration workflows.
Workspace ONE Intelligence Features
Workspace ONE Intelligence aggregates and correlates device, application, and user data together from multiple data sources in one place to give you a complete view of your entire digital workspace environment.
Digital Employee Experience Management
Track a wide range of digital workspace metrics such as device health, OS and app performance, users, and network to gain visibility into the digital employee experience in your organization with user experience, app, and device scores. Proactively identify issues, troubleshoot, and remediate with automation.
Keep an eye on the data that matters to you most with preset dashboards and reports that can be customized to meet your unique needs. Visualize the evolution of your environment’s security risks, app deployments, device management, app engagement and patch rollouts while incorporating Vulnerabilities (CVEs) Management: Workspace ONE Intelligence ingests CVE data from public sources such as NIST and delivers in-context visibility into the security posture of the organization, with automated patching and progress reports.
Orchestrate and automate IT Ops and SecOps processes by defining rules that take actions based on a rich set of parameters from your entire environment. Build contextual policies that fit your unique environment by automating workflows that extend to your favorite 3rd party tools via RESTful API, and create integrations through ‘Custom Connectors’. Workspace ONE now includes out-of-the-box tools for ServiceNow & Slack.
Understand app performance and adoption with comprehensive app analytics. Analyze critical user flows and network insights to quickly identify and resolve issues, reduce escalations, and improve user experience. Optimize app development and deployment to improve user engagement and reduce churn. Improve app performance and user experience for your consumer-facing apps with Workspace ONE Intelligence for Consumer Apps.
Workspace ONE Intelligence is arranged into 4 core service categories, each containing multiple service features, which are detailed in the following table:
| Category | Feature |
|---|---|
| Digital Employee Experience Mgt. (DEEM) | Employee Experience score |
| | *Mobile app analytics (Intelligence SDK), not including VMware Productivity Apps |
| Reports & Dashboards | Report customization and scheduling (ensure existing deployments provide 'Opt-in' for service enablement) |
| | My Dashboards - dashboard customization |
| | Desktop devices dashboard |
| | Mobile devices dashboard |
| | Desktop app dashboard |
| | Mobile app dashboard |
| | Device asset information |
| | Sensors for desktop OS |
| | OS updates tracking for desktop |
| | Vulnerability management with CVE tracking |
| | Threat and compliance data for desktop and mobile (Source data: UEM, Access) |
| | OS updates tracking for Mobile |
| Automation | Automation and custom connectors for desktop and mobile workflows |
Table: FedRAMP Phase I Feature Matrix
At its core, Workspace ONE Intelligence is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give complete visibility into the entire environment. It produces the insights and data that will allow you to make the right decisions for your Workspace ONE deployment. Intelligence has a built-in automation engine that can create rules to take automatic action on security issues.
Figure 2: Data Sources for Workspace ONE Intelligence
The complete Workspace ONE Intelligence Reference Architecture Guide (see Figure 1 for architecture flow overview) provides a framework and guidance on architecture, design considerations, and deployment of the Workspace ONE suite, as well as Horizon VDI solutions, and on integrating and architecting Workspace ONE Intelligence into them.
Figure 3: Workspace ONE Intelligence Architecture Flow
Note: For those agencies/branches that want to evaluate the platform, the GSA FedRAMP marketplace provides a submission portal to request the System Security Plan for the VMware solution (available for all FedRAMP XaaS Authorized solutions). This information gives the agency’s ‘Authorizing Officer’ (AO) the resources to review and provide authorization for the service’s use.
Zero Trust Architecture & Network Access (ZTA / ZTNA)
Organizations can also further enable and implement a Zero Trust approach to security. Leverage machine learning to deliver continuous verification with risk analytics based on user behavior and device context. Agencies can enable a Zero Trust security framework with the inherent security capabilities of the intelligence-driven Workspace ONE platform and Workspace ONE Trust Network, as shown in Figure 3. This rich ecosystem of integrated partner solutions is enhanced with what Intelligence provides. This integrated solution helps agencies successfully empower the ‘anywhere organization’ and:
- Provide Digital Employee Experience Management which, as a part of Workspace ONE Intelligence, delivers a set of capabilities to help IT admins monitor digital workspace KPIs impacting a user’s experience, while proactively discovering issues and quickly remediating them with automation.
- Aggregate, correlate and analyze data from multiple sources to deliver integrated insights, analytics, and automation for the digital workspace, to help address risks from threats and feed actions that secure the ZTA model, as represented in Figures 4 & 5.
- Let IT teams proactively improve digital employee experience, strengthen security, and optimize IT operations.
- Apply single sign-on (SSO) to SaaS, Web, and virtualized desktops and applications.
Figure 4 & 5: Consolidated Threat View Example - Reported by Trust Network Solutions Over Time & CVE Metrics
Platform Privacy and Security
VMware is committed to supporting the government’s security and privacy management and policies. Intelligence gives IT managers flexibility over data collection and storage configuration parameters: it aggregates data from multiple sources that can be opted in or out of, including by deauthorizing those connections from the other Workspace ONE suite components. These sources include:
- UEM – Device ID (UDID, IMEI, IP, MAC, Serial Number), first name, last name, email, managed apps list, telecom, and network information, apps usage data, security health of devices.
- Access – User login details including successful and failed attempts, app launch data.
- Intelligence SDK – App crash details, monthly active users (MAU), daily active users (DAU), app launch, network details, app usage details.
- Common Vulnerabilities and Exposures (CVEs) – Doesn’t contain any PII data. Workspace ONE simply ingests CVE data from public sources such as NIST.
Additionally, customers have control over all personally identifiable information (PII) sent to the cloud, such as phone number, username, email, and private app information. Raw data is stored for 3 months and trend data for 12 months.
Lastly, VMware takes pride in the assurance of its Cloud-Hosted solutions providing industry-leading security. The system has gone through penetration testing by a team of VMware InfoSec professionals. Customer data collected from the Workspace ONE production environment is encrypted using HTTPS (TLS 1.2), based on AES, when it is uploaded to Amazon Web Services (AWS), to ensure confidentiality during transfer.
Only customers can access their data through a unique Workspace ONE login, including the Workspace ONE console interface. VMware will not access a customer’s data without their consent. Various levels of Multi-factor Authentication (MFA) access controls are used to lock down the system to only show data at the request of the customer.
VMware takes great pride in participating and complying with regulatory programs worldwide and continues to expand our compliance programs to meet the requirements of the most demanding missions. More information on VMware compliance can be found in the VMware Cloud Trust Center.
For more information on configuring or enabling Workspace ONE, Workspace ONE Intelligence and UEM, as well as Access, and Hub Services:
Workspace ONE Intelligence Resources
- VMware Tech Zone: WSO-Intelligence-Architecture-Guide
- VMware Tech Zone: Getting-Started-WS1-Intelligence-Reports-&-Dashboards
- VMware Tech Zone: WSO-Intelligence-Platform-Integration
- VMware Tech Zone: Intro-to-Zero-Trust-Arch-with-Intelligence
- VMware Tech Zone: Getting-Started-WS1-Intelligence-APIs
- VMware WSO Intelligence products documentation portal
Workspace ONE Release Notes
Workspace ONE Documentation
- VMware Tech Zone: WSO Reference Architecture - Suite Catalog
- VMware Workspace-ONE documentation
- VMware WSO Intelligence products documentation portal
Workspace ONE Intelligence Videos & Labs
- VMware Tech Zone: Workspace ONE Intelligence Tech Intro Video
- VMware Tech Zone: WSO Intelligence > What's New Video
- VMware Hands-on Labs: Intelligence
About the Author
Andrew Osborn is serving in a role at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance / regulatory. He has over 20 years’ experience in the IT Industry, including the last 8 years within Public Sector, with roles spanning Cybersecurity, Networking, Enterprise Ops, Mobility & Telco solutions, encompassing numerous technologies and architectures. Andrew received an MIS degree from University of Oklahoma with certs from ISC2 CISSP & GIAC GSLC and is based out of San Antonio, TX. He'll be contributing to VMware’s Tech Zone to provide more tailored messaging for Federal, State, Local & Education (SLED) solutions from VMware EUC.