VMware Workspace ONE SaaS achieves FedRAMP Authorization to include the Intelligence Service

Overview

Introduction

Screenshot 2021-07-01 at 11.46.30

We are proud to reveal the VMware Workspace ONE Intelligence service is now included in VMware’s Workspace ONE FedRAMP Moderate Authorized, IL2 Software-as-a-Service (SaaS) offering; joining the rest of the Workspace ONE suite of Unified Endpoint Management (UEM), Access & Hub Services to further enable VMware’s Federal End-User Computing (EUC) capabilities!

Audience

This document is intended for IT administrators and product evaluators who are familiar with VMware's Anywhere Workspace powered by EUC and VMware Workspace ONE. Familiarity with the End-User Computing environment and modern management that include device, app and identity management is assumed. Knowledge of other technologies, such as VMware Horizon, Security, Secure Access Service Edge (SASE), and Zero Trust Architecture (ZTA) is also helpful.

Integration Options

 EUC products 1

                [UEM]             [Access]      [Hub Services]   [Intelligence]    +       [Horizon]

With the addition of VMware Workspace ONE Intelligence into the Workspace ONE FedRAMP environment, government customers will have two options for integration:

  1. On-prem UEM deployment through the use of the ‘Intelligence Connector’ in order to facilitate the data transfer from the on-prem UEM to the hosted Intelligence tenant or natively via an existing/new FedRAMP cloud-hosted UEM tenant.
  2. After deployment, customers can leverage a secure, cloud-hosted environment to provide a service for their Workspace ONE platform that delivers insights, analytics and automation for the digital workspace and gain deep insights into device, user and app posture that enable data-driven decisions across an agency or branch’s entire environment via Intelligence.

Building on the industry-leading device and user management capabilities of Workspace ONE UEM, Identity Management via Access, and User/Device app and experience management through Hub Services, Intelligence additionally can provide the following benefits.

image 51

Figure 1: Workspace ONE Intelligence Connector Examples

Workspace ONE Intelligence Benefits

Picture 1 0Integrated Insights

Get complete visibility into your digital workspace and gain deep insights into device, user and app posture that enable data-driven decisions across your entire environment.

Picture 2Powerful Automation

Increase agility and quickly respond to changing business needs with a robust orchestration and automation engine. Extend and integrate with third-party IT tools such as ServiceNow or Slack for complete end-to-end automation of business processes.

Picture 3Enhanced UX

Improve employee experience, productivity, and engagement with Digital Employee Experience Management. Monitor workspace KPIs impacting employee experience with a rich set of insights and analytics including an employee experience score. Proactively identify issues, perform root cause analysis, and remediate with automation, drastically reducing the number of issues and time to resolution and improving employee experience and productivity.

Picture 4Risk-based Security

Leverage machine learning to deliver continuous verification with risk analytics based on user behavior and device context. Enable a VMware Zero Trust framework with the inherent security capabilities of the intelligence-driven Workspace ONE Platform and Trust Network, which comprises a rich ecosystem of integrated partner solutions e.g., Security Information & Event Management (SIEM).

Picture 5Cross-Platform insights into the State of the Digital Workspace

Get complete visibility into security posture, user experience, device health, OS adoption and app analytics, including monitor app performance and engagement for your custom mobile applications, such as app crashes, monthly active users (MAU), daily active users (DAU), app launch, network details, app usage details.

Picture 6Unified Security Strategy

Break the silos between IT and InfoSec teams with a consistent and common tool for discovering and responding to new threats, and continuous verification of risk based on user behavior and device context across the digital workspace with a Trust Network partner e.g., 3rd party FedRAMP’d Mobile Threat Defense (MTD).

Picture 7Improved UX & Productivity

Understand how digital workspace KPIs impacting employee experience perform. Proactively identify issues, troubleshoot, and quickly provide a fix.

Picture 8Increased IT efficiency & agility

Make data-driven decisions and take actions faster with automation and orchestration workflows.

Workspace ONE Intelligence Features

Picture 1 0Unified Visibility

Workspace ONE Intelligence aggregates and correlates device, application, and user data together from multiple data sources in one place to give you a complete view of your entire digital workspace environment.

Feature 2Digital Employee Experience Management

Track a wide range of digital workspace metrics such as device health, OS and app performance, users, and network to gain visibility into the digital employee experience in your organization with user experience, app, and device scores. Proactively identify issues, troubleshoot, and remediate with automation.

Feature 3Rich Visualization

Keep an eye on the data that matters to you most with preset dashboards and reports that can be customized to meet your unique needs. Visualize the evolution of your environment’s security risks, app deployments, device management, app engagement and patch rollouts while incorporating Vulnerabilities (CVEs) Management, as Workspace ONE Intelligence ingests CVE data from public sources, such as NIST and delivers in context visibility into the security posture of the organization with automated patching and progress reports.

Picture 2Automation Engine

Orchestrate and automate IT Ops and SecOps processes by defining rules that take actions based on a rich set of parameters from your entire environment. Build contextual policies that fit your unique environment by automating workflows that extend to your favorite 3rd party tools via RESTful API and through ‘Custom Connectors’ create integration. Workspace ONE now includes out-of-the-box tools for ServiceNow & Slack.

Feature 5App Analytics

Understand app performance and adoption with comprehensive app analytics. Analyze critical user flows and network insights to quickly identify and resolve issues, reduce escalations, and improve user experience. Optimize app development and deployment to improve user engagement and reduce churn. Improve app performance and user experience for your consumer-facing apps with Workspace ONE Intelligence for Consumer Apps.

Workspace ONE Intelligence is arranged into 4 core service Categories that manage multiple service Features contained within each which are detailed in the following table:

Table 1

Table: FedRAMP Phase I Feature Matrix

At its core, Workspace ONE Intelligence is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give complete visibility into the entire environment. It produces the insights and data that will allow you to make the right decisions for your Workspace ONE deployment. Intelligence has a built-in automation engine that can create rules to take automatic action on security issues.

image 55

Figure 2: Data Sources for Workspace ONE Intelligence

The complete Workspace ONE Intelligence Reference Architecture Guide (see Figure 1 for architecture flow overview) provides a framework and guidance on architecture, design considerations, and deployment of the Workspace ONE suite, as well as Horizon VDI solutions and integration and architecting Workspace ONE Intelligence into them.

image 54

Figure 3: Workspace ONE Intelligence Architecture Flow

Note: For those agencies/branches that want to evaluate the platform, the GSA FedRAMP marketplace provides a submission portal to request the System Security Plan for the VMware solution that is available on all FedRAMP XaaS Authorized solutions). This information provides the agency’s ‘Authorizing Officer (AO) the resources to review and provide authorization for the service’s use.

Zero Trust Architecture & Network Access (ZTA / ZTNA)

Organizations can also further enable and implement a Zero Trust approach to security. Leverage machine learning to deliver continuous verification with risk analytics based on user behavior and device context. Agencies can enable a Zero Trust security framework with the inherent security capabilities of the intelligence-driven Workspace ONE platform and Workspace ONE Trust Network, as shown in Figure 3. This rich ecosystem of integrated partner solutions is enhanced with what Intelligence provides. This integrated solution helps agencies successfully empower the ‘anywhere organization’ and:

  • Provide a Digital Employee Experience Management, as a part of Workspace ONE Intelligence, deliver a set of capabilities to help IT admins monitor digital workspace KPIs impacting a user’s experience, while proactively discovering issues and quickly remediating them with automation.
  • Aggregate, correlate and analyze data from multiple sources to deliver integrated insights, analytics, and automation for the digital workspace to help provide for risks from threats and feed actions to secure the ZTA model as represented in Figures 4&5.
  • IT teams can proactively improve digital employee experience, strengthen security, and optimize IT operations.
  • Application of single sign-on (SSO) to SaaS, Web, and virtualized desktops and applications.

Graphical user interface, application</p>
<p>Description automatically generated

Figure 4 & 5: Consolidated Threat View Example - Reported by Trust Network Solutions Over Time & CVE Metrics

Platform Privacy and Security

VMware is committed to supporting the government’s security and privacy management and policies. Intelligence provides IT managers the flexibility for data collection and storage configuration parameters, as Intelligence aggregates data from multiple sources that can be opted in or out of including deauthorizing those connections from the other Workspace ONE suite components including:

  • UEM – Device ID (UDID, IMEI, IP, MAC, Serial Number), first name, last name, email, managed apps list, telecom, and network information, apps usage data, security health of devices.
  • Access – User login details including successful and failed attempts, app launch data.
  • Intelligence SDK – App crash details, monthly active users (MAU), daily active users (DAU), app launch, network details, app usage details.
  • Common Vulnerabilities and Exposures (CVEs) – Doesn’t contain any PII data. Workspace ONE simply ingests CVE data from public sources such as NIST.

Additionally, customers have control over all personally identifiable information (PII) sent to the cloud, such as phone number, username, email, and private app information. Raw data is stored for 3 months and trend data for 12 respectively.

Lastly, VMware takes pride in the assurance of its Cloud-Hosted solutions providing industry-leading security. The system has gone through penetration testing by a team of VMware InfoSec professionals. Customer data collected from the Workspace ONE production environment is encrypted using HTTPS (TLS 1.2), based on AES for uploading to Amazon Web Services (AWS) and to ensure confidentiality during transfer.

Only customers can access their data through a unique Workspace ONE login, including the Workspace ONE console interface. VMware will not access a customer’s data without their consent. Various levels of Multi-factor Authentication (MFA) access controls are used to lock down the system to only show data at the request of the customer.

VMware Compliance

VMware takes great pride in participating and complying with regulatory programs worldwide and continues to expand our compliance programs to meet the requirements of the most demanding missions. More information on VMware compliance can be found in the VMware Cloud Trust Center.

Additional Resources

For more information on configuring or enabling Workspace ONE, Workspace ONE Intelligence and UEM, as well as Access, and Hub Services:

Workspace ONE Intelligence Resources

Workspace ONE Release Notes

Workspace ONE Documentation

Workspace ONE Intelligence Videos & Labs

Changelog

The following updates were made to this guide:

Date

Description of Changes

2021/07/01

  • Guide was published.

 

About the Author

Andrew Osborn is serving in a role at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance / regulatory. He has over 20 years’ experience in the IT Industry, including the last 8 years within Public Sector, with roles spanning Cybersecurity, Networking, Enterprise Ops, Mobility & Telco solutions, encompassing numerous technologies and architectures. Andrew received an MIS degree from University of Oklahoma with certs from ISC2 CISSP & GIAC GSLC and is based out of San Antonio, TX. He'll be contributing to VMware’s Tech Zone to provide more tailored messaging for Federal, State, Local & Education (SLED) solutions from VMware EUC.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

 

Filter Tags

Workspace ONE Workspace ONE Intelligence Workspace ONE UEM Document Overview Zero Trust Public Sector