Workspace ONE Cloud Services Security

Introduction

This document provides a general overview of the security controls implemented in VMware Workspace ONE® commercial cloud offerings[1] and includes information on the following services: 

  • Workspace ONE Unified Endpoint Management (UEM) 
  • Workspace ONE Access and Hub Services 
  • Workspace ONE Intelligence 

Purpose

The intent of this document is to provide readers with an understanding of how Workspace ONE cloud services approach security, the key mechanisms and processes that VMware uses to manage information security, and the shared responsibilities for providing security in a modern cloud computing environment. 

Audience

This document is intended for Workspace ONE commercial cloud administrators. It assumes at least intermediate knowledge of Workspace ONE cloud services, and focuses on the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization Management Program (FedRAMP) [2], on-premises, and third-party offerings are not in scope for this document.

Shared Responsibilities

The end-to-end security of the Workspace ONE cloud delivered service offerings is shared between VMware and our customers. VMware provides security for the aspects of the Workspace ONE service offerings over which we have sole physical, logical, and administrative level control. Customers are responsible for the aspects of the service offerings over which they have administrative level access or control. The primary areas of responsibility between VMware and customers are outlined in the VMware Cloud Services Guide available for download from the VMware ONE Contract Center. 

VMware leverages co-located data center facilities and Infrastructure-as-a-Service (IaaS) providers to support the Workspace ONE service offerings. These providers maintain physical and environmental security controls for the cloud-delivered service. For more information, see Data Center Locations below. 

Compliance Reports

Workspace ONE cloud services have achieved System and Organization Controls (SOC) 2 Type 2 attestation and International Organization for Standardization (ISO) 27001, ISO 27017, and ISO 27018 certifications. Additionally, Workspace ONE Access and Workspace ONE Intelligence have achieved PCI-DSS certification. VMware can provide copies of the SOC 2 Type 2 report under a non-disclosure agreement (NDA); contact your VMware account representative to request these reports.

Refer to the VMware Cloud Trust Center to download the ISO certificate, PCI Attestation of Compliance (AOC), and to see the latest list of industry certifications. Note that, although some Workspace ONE services are PCI-DSS certified, these services do not store, process, or transmit cardholder data. 

Data Center Locations 

Workspace ONE service offerings are available in the US, Canada, the European Economic Area (EEA), and Asia-Pacific (APAC) regions. Refer to the Workspace ONE Sub-processors Lists available on the VMware ONE Contract Center for a comprehensive list of primary and disaster recovery locations. Data center partner hosting facilities’ physical addresses are confidential and on-site visits are prohibited. U.S.-based Workspace ONE UEM deployments are located in either co-located data centers or Amazon Web Services (AWS) or VMware Cloud on AWS (VMC on AWS), depending on deployment size.[3]

Software Development Lifecycle

VMware’s Security Development Lifecycle (SDL) program is designed to identify and mitigate security risk during the development phase of VMware software products. The development of VMware’s SDL has been heavily influenced by industry best practices and organizations such as the Software Assurance Forum for Excellence in Code (SAFECode) and Building Security in Maturity Model (BSIMM).

The VMware Security Evangelism team actively cultivates relationships in the security community. VMware has long participated in the broader software industry security community and became an early BSIMM member in 2009; we have completed several BSIMM reviews of our SDL, and the findings are incorporated into the SDL to drive continuous improvement. VMware is a member of SAFECode, an organization driving security and integrity in software products and solutions. VMware also works closely with industry organizations, security analysts, and researchers to stay current on the threat landscape and security best practices. The VMware SDL is continuously assessed for its effectiveness at identifying risk, and new techniques are added to SDL activities as they are developed and mature.

SDLC Best Practices

We follow a defined Software Development Lifecycle (SDLC) which incorporates security into each phase (such as requirements, design, implementation, verification) of development. VMware’s programs and practices focus on:

  • Building secure software 
  • Protecting the intellectual property related to software products 
  • Managing software security supply chain risks 
  • Managing technology and partner ecosystem risks 
  • Delivering secure product support 

Our SDLC is based on industry-recognized best practices and standards, including the PCI-DSS common coding vulnerabilities, OWASP, the Open Source Security Testing Methodology Manual (OSSTMM), SANS/CWE, and Scrum methodologies. Code undergoes rigorous review by our Engineering and Development Security teams. For threat modeling we consider both the attacker-centric STRIDE categorization (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) and the defense-centric Application Security Frame (ASF). Additionally, VMware cloud services undergo multiple tests prior to release, including static and dynamic analysis, penetration tests, fuzz and unit testing, and attack surface reviews. 

In alignment with PCI-DSS requirements, VMware encourages continuous employee training through annual training in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. VMware also subsidizes certification attempts (such as Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP)), relevant conference passes, training classes, and subscriptions to leading online training platforms for enhancing technical and business acumen. Additionally, employees can participate in job rotation programs designed to reignite and broaden employee work experience. Refer to the VMware Product Security Whitepaper for additional information.

Figure 1: VMware Security Development Cycle

Security Engineering Processes

The VMware Security Engineering, Communications & Response (vSECR) team develops Product Security Requirements (PSR) to establish a security baseline for our products. These requirements are intended to guide teams through all stages of the SDL, from product inception through development and product testing to release. The PSR also serves as a tool for senior management to benchmark product security against market expectations. VMware SDL activities include:

  • Security Training – vSECR works with R&D Education to create and maintain training programs about product security. Managers, developers, and quality engineers can make use of these courses early in the lifecycle of their product.
  • Security Planning – Good security starts with early planning, at the genesis of the SDL process. The SDL planning template forms the basis of the Security Review activity. VMware builds milestones and security reviews for the product so that security is continuously evaluated.
  • Serviceability and Response Planning – vSECR works with product teams to help build security into their products’ servicing model, which includes planning for:
    • Secure patching
    • Open-source and third-party software licensing
    • End-of-life support
    • Security and management contacts for security response.
  • Product Security Requirements (PSR) Assessment – This activity examines how a product adheres to VMware PSR, which includes standards for:
    • Authentication
    • Authorization
    • Encryption
    • Certificates
    • Network security
    • Virtualization
    • Accountability
    • Software packaging and delivery
  • Threat Modeling – This activity identifies security flaws and incorrect design assumptions present in the security architecture of a product.
  • Open Source and Third-Party Software Validation (OSS/TP) – This activity validates that known vulnerabilities in OSS/TP components are fixed before the component is included in a product release.
  • Static Code Analysis – This activity uses automated tools to detect defects and security flaws in code.
  • Vulnerability Scanning – This activity uses automated tools to detect security vulnerabilities in running systems.
  • Penetration Testing – This activity uses internal and external security teams to try to compromise systems in isolated environments.
  • Security Review – This activity examines the output and completion of all the other activities.

Open-Source Software

VMware uses some third-party and/or open-source code in our solution offerings, and we perform open-source and third-party (OSS/TP) software validation to safeguard against known vulnerabilities prior to being included in a VMware product release. Refer to the publicly available Open-Source Disclosure page for additional information on OSS/TP components.

VMware Information Security Program

Maintaining hosted services and securing data confidentiality, integrity, and availability requires a wide array of tools and processes that must all be expertly designed to comply with laws and regulations while balancing customer satisfaction, business needs, product development, and shareholder expectations. VMware balances these needs with a set of controls and management processes designed to both mitigate risk and enhance our product and service offerings. Overarching principles include:

  • Risk – Managing risk by understanding the threat landscape, building a solid platform, and leveraging all decision makers when calculating risk.
  • Controls – Establishing a balance of effectiveness and efficiency by implementing the appropriate controls for the associated risk.
  • Security – Providing preventative and protective capabilities to ensure a secure service.

The VMware Information Security Program leverages guidance from industry best practices and regulatory standards, including National Institute of Standards and Technology (NIST) SP 800-53, PCI-DSS, and International Organization for Standardization (ISO) 27001. We maintain a written Information Security Program and Policies to protect customer data hosted in our systems, and we perform annual reviews and audits of our program to help ensure the integrity of our hosted offerings.

VMware has an Information Security Governance Committee (ISGC) that is chaired by senior management and includes representatives from our Information Security, IT Operations, HR, Marketing, Facilities, and Legal teams. Our CISO is ultimately responsible for our Information Security program.

Figure 2: Comprehensive Security Framework

VMware’s Information Security Management System 

VMware has implemented information security policies and procedures that are in line with its overall corporate objectives. They demonstrate a commitment to a formally managed Information Security Management System (ISMS) and fulfill VMware’s obligations to its customers regarding information confidentiality, integrity, and availability. Our ISMS includes, but is not limited to, the following considerations and objectives:

  • The threats, vulnerabilities and the likelihood of occurrences identified by risk assessments relative to the overall business strategy and objectives.
  • The legal, statutory, regulatory, and contractual requirements with which VMware and relevant applicable partners, contractors, and service providers must comply.
  • The principles, objectives, and business requirements for information handling, processing, storing, and archiving data developed by VMware to support its business operations.

VMware personnel are obligated to comply with VMware ISMS data protection requirements in their respective roles, process, projects, and programs. Failure to adhere to these policies and procedures may result in disciplinary action, including possible termination, and civil and/or criminal liability.

Asset Management

VMware maintains an asset management program as part of our ISMS to categorize both physical and logical assets. The Asset Management policy is reviewed at least annually, and all changes are approved by our Information Security Governance Committee.

Data Center Operations teams maintain an inventory of all production assets, including but not limited to, software license information, software version numbers, component owners, machine names and network addresses. Inventory specifications may include device type, model, serial number, and physical location. The asset inventory is regularly reviewed in accordance with PCI-DSS requirements.

Data Classification and Handling

Data classification is one of the foundational elements of the VMware ISMS. As such, VMware has a comprehensive data classification policy and data handling and protection standards for all electronic and paper media. Data controls and protections are implemented according to their classification.

Our data classification policy provides a matrix of controls arranged by the data lifecycle, from creation of the data to its destruction, and covers all forms of media while in use, in transit, or archived. The policy focuses on data classification sources, status, risks, and categories associated with the normal data lifecycle. Assets are classified in terms of their value, legal requirements, sensitivity, and criticality to VMware and to our customers. Customer-owned information is classified as “Restricted”, the most stringent data classification at VMware. Data classification and handling policies are audited at least annually by independent third-party auditors.

Physical Security

VMware physical security policy governs security for our offices, data centers, support centers, and other global business locations to safeguard information systems and staff.

Key elements of this policy include controls around: physical security perimeters, physical entry controls, physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of facilities, protecting against external and environmental threats, working in secure areas, access to restricted areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of equipment, unattended user equipment and clear desk and clear screen.

VMware leverages co-located data center facilities in the U.S. and IaaS providers (in the U.S. and globally) to support the Workspace ONE service offerings. These providers maintain physical and environmental security controls for the cloud-delivered services.

Data Center Security

Workspace ONE co-location and cloud-hosting partners are at least Tier III, have undergone SOC 2 Type 2 audits, and have achieved at least ISO 27001 and PCI-DSS certifications. Physical addresses for Workspace ONE hosting locations are confidential and on-site visits are forbidden.

While each facility is unique, our data center providers are required to follow the same minimum requirements for redundancy and physical access control, including:

  • Ingress and egress points are secured with devices that require individuals to provide multi-factor authentication before granting entry or exit through a minimum combination of badge access, biometrics, and mantraps.
  • Physical access is controlled at building ingress points by 24x7 on-site professional security staff using surveillance, detection systems, and other electronic means.
  • Door alarming devices are configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication.
  • Physical access points to data centers are recorded by Closed Circuit Television Camera (CCTV). Recordings are retained according to legal and compliance requirements.
  • Environmental control systems are equipped minimally with N+1 power, cooling, and fire suppression measures to ensure continuous operations.
  • Data center partners are required to maintain certifications that are minimally in alignment with ISO 27001 and PCI-DSS standards.

VMware Offices

All VMware offices deploy physical and environmental security measures to safeguard VMware facilities, staff, and assets. VMware uses a combination of building design, environmental controls, security systems, and designated security personnel, together with corresponding procedures, to restrict access to information services and information assets. Controls include, but are not limited to:

  • Implementing entry controls to secure VMware facilities.
  • Maintaining and monitoring an audit trail of all access to the site through badge and visitor logs.
  • Requiring visitor sign in with date and time of entry and departure, and supervising visitation.
  • Performing regular access right reviews to secure areas and updating or revoking these rights as necessary.
  • Revoking all access rights to VMware facilities and restricted areas immediately and deactivating access codes known by the staff upon staff termination.

Human Resources and Personnel Security 

Human Resource considerations include processes for background screening, employment agreements, training, and employee termination.

Employee Background Screening

Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and involved third parties are subject to background verification. VMware conducts criminal background checks, commensurate with the employee position and level of access to the service.

Confidentiality Agreements

VMware employees and alternative workforce (AWF) are required to sign confidentiality agreements. Additionally, upon hire, personnel are required to read and accept the Acceptable Use Policy and the VMware Business Conduct Guidelines. Personnel who violate VMware standards or protocols are subject to appropriate disciplinary action.

Employee Training

In alignment with the ISO 27001 standard, all VMware personnel are required to complete annual business conduct and security awareness training. Personnel with access to cloud production environments receive additional training as they assume job roles and responsibilities. VMware periodically validates that employees understand and follow the established policies through compliance audits.

VMware uses an enterprise Learning Management System (LMS) to deliver required onboarding and annual security awareness training. The LMS records successful completion and reports are reviewed during ISMS review meetings. This training must be completed before authorizing access to production systems.

Awareness training topics include, but are not limited to:

  • Secure system configuration
  • User account management policies
  • Environmental control implementation and operation procedures
  • Incident Response plans and procedures
  • Disaster Recovery plans and procedures
  • Physical Security controls

Employee Termination

VMware terminates access privileges to systems when an employee leaves the company. An employee who changes roles within the organization will have access privileges modified according to their new position. Terminated employees are required to return assets.

Business Continuity

The Business Continuity program implements appropriate security controls to protect VMware employees and assets against natural or man-made disasters. As part of the program, a runbook system automates policy review and makes policy updates available to the appropriate individuals. These policies and procedures include defined roles and responsibilities supported by regular workforce training. VMware determines the impact of any disruption to the organization by identifying dependencies, critical products, and services.

Starting in March 2020, VMware executed our business continuity plan in response to the global COVID-19 pandemic. Our teams are distributed around the globe, giving us strong geographic resilience in our ability to provide continuity of service for our customers. While our offices are open at present, we are following international best practice guidelines and have transitioned our global teams to a “work from anywhere” policy that allows them to work from their homes, using our own technology and collaboration tools.

VMware Global Support Services continues to operate 24x7 and, given the current environment, have put extra measures in place to help ensure continued smooth operations. Our Professional Services organization, including our Consulting, Technical Account Management, and Education Services are also fully operational; all team members are fully equipped to efficiently and effectively work from home. We have also added capacity to our worldwide consulting centers and collaborated with our Product teams to offer rapidly deployable solutions to expand infrastructure capacity as well as enable secure remote productivity for our customers’ employees. The VMware Crisis Management Team, comprised of leaders from across the company, meets regularly and stays up to date with evolving global changes and developments in relation to ongoing world events.

Our business continuity plans are reviewed annually to determine which business processes are most critical and what resources – people, equipment, records, computer systems, and office facilities – are required for operation. All documented plans follow an annual standard maintenance, assessment, and testing schedule. Workspace ONE operations teams also maintain service-specific business continuity plans to address the unique needs of each cloud application.

Risk Management

In alignment with the ISO 27001 and PCI-DSS standards, VMware maintains a Risk Management program to mitigate and manage risk companywide. We perform risk assessments at least annually to ensure appropriate controls implementation to reduce the risk related to the confidentiality, integrity, and availability of sensitive information.

VMware cloud management has a strategic business plan to mitigate and manage risks that requires management to identify risks within its areas of responsibility and to implement appropriate measures designed to address those risks. VMware cloud management re-evaluates the strategic business plan at least two times per year.

VMware’s Risk Management Program includes:

  • Identifying and characterizing threats
  • Assessing the vulnerability of critical assets to specific threats
  • Determining the risk (such as the expected likelihood and consequences of specific types of attacks on specific assets)
  • Identifying ways to reduce those risks
  • Prioritizing risk reduction measures based on a strategy

Vendor Risk Management

VMware has a comprehensive vendor procurement and risk management program to choose providers that meet identified security baseline requirements. Supplier agreements require that providers comply with applicable laws, security, and privacy obligations.

VMware has a formal process to document and to track non-conformance as a part of our ISMS. To assure reasonable information security across our information supply chain, VMware reviews compliance documentation for service sub-processors at least annually to help ensure appropriate controls are in place to reduce risks to the confidentiality, integrity, and availability of sensitive information.

Sub-processors

VMware leverages sub-processors to provide certain services on our behalf. Refer to the Workspace ONE lists available on the VMware ONE Contract Center for a list of sub-processors used globally. VMware is responsible for any acts, errors, or omissions of our sub-processors that cause us to breach any of our obligations. VMware enters into an agreement with each sub-processor that obligates the sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in the VMware Cloud Services Exhibit, and at a minimum, at the level of data protection required by applicable Data Protection Laws. Refer to the VMware Data Processing Addendum for additional information.

To receive notifications of changes to the sub-processor list, go to the Cloud Services Preference Center and enable notifications for sub-processor updates.

Change Management

VMware maintains a detailed Change Management policy that defines controlled changes to production environments. Changes are processed through a formal program that includes approval, testing, implementation, and rollback plans.

Third-party and internal audits of these processes are performed at least annually under the VMware ISMS program and are essential to the VMware continuous improvement programs.

Configuration Management

VMware maintains a detailed Configuration Management policy based on industry best practices to harden the cloud environment; revisions and exceptions to the Configuration Management policy are processed through the Change Management policy to help ensure the confidentiality, integrity, and availability of our hosted offering.

Baseline configuration standards include, but are not limited to:

  • Disabling unnecessary ports, services, protocols, and physical connections
  • Reviewing server builds for gaps prior to image configuration
  • Hardening server configurations

Baseline configurations are documented for all software and hardware (where applicable – such as U.S.-based co-located data centers) installed in the production environment. Baseline configurations include the following information about system components:

  • Standard software packages installed on servers and network components
  • Current version numbers and patch information on operating systems and applications
  • Logical placement of all components within the system architecture

System Hardening

VMware disables unnecessary ports, protocols, and services as part of baseline hardening standards. We follow industry best practices in applying secure configurations to managed servers.

For Workspace ONE UEM servers running Windows, the team hardens server configurations through Group Policy Objects (GPOs) covering account policies, user rights, security options, event log settings, and application restrictions. Linux-based servers for Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence are built from Amazon Linux Amazon Machine Images (AMIs), whose default security configuration includes remote access limited to SSH key pairs, remote root login disabled, a reduced set of installed non-critical packages, and automatic security-related updates.
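The SSH defaults listed above correspond to a few sshd_config directives. The following audit script is an added example, not VMware tooling or a configuration taken from the page: it parses an sshd_config text and checks PasswordAuthentication, PermitRootLogin, and PubkeyAuthentication against that baseline. Both sample configurations are constructed for the example. Two details that matter in practice are handled: sshd honors the first value it reads for a keyword, so a hardening line appended after an earlier permissive one has no effect, and directives under a Match block can re-enable password logins for specific users even when the global section forbids them.

```python
"""Audit an OpenSSH sshd_config text against a key-only, no-root-login baseline.

Added example; the sample configurations below are constructed and are not
taken from any VMware system.
"""

# Values sshd applies when a keyword is absent (sshd_config(5), OpenSSH 7.0+).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Baseline implied by the page: key pairs only, remote root login disabled.
# "prohibit-password" is deliberately not accepted: root can still log in with a key.
BASELINE = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no"},
    "pubkeyauthentication": {"yes"},
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    sshd uses the FIRST value it reads for a keyword, not the last, so a
    duplicate appended at the bottom of the file silently has no effect.
    Directives after a 'Match' line apply only to matching connections and are
    kept separately as (criteria, {keyword: value}) tuples.
    """
    settings, matches = {}, []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        if current is not None:
            current.setdefault(key, value)
        else:
            settings.setdefault(key, value)  # first occurrence wins
    return settings, matches


def audit(text):
    """Return a list of findings; an empty list means the text meets the baseline."""
    settings, matches = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        value = settings.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            source = "explicit" if key in settings else "default"
            findings.append(f"{key}={value} ({source}); expected one of {sorted(allowed)}")
        # A Match block can quietly re-enable what the global section forbids.
        for criteria, overrides in matches:
            if key in overrides and overrides[key].lower() not in allowed:
                findings.append(f"Match {criteria}: {key}={overrides[key]} overrides baseline")
    return findings


# Constructed sample: meets the baseline. The trailing duplicate is ignored by
# sshd (first value wins), and the audit must not be fooled by it either.
HARDENED = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
# Later duplicate, ignored by sshd:
PasswordAuthentication yes
"""

# Constructed sample: three findings. Password auth falls back to the default
# (yes), root login is only prohibit-password, and a Match block re-enables
# passwords for one user.
WEAK = """\
Port 22
# PasswordAuthentication no
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or "OK")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; on hosts that use `Include` drop-ins (OpenSSH 8.2+) the included files must be read too, since a permissive value in an earlier include wins over the main file.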

Time Synchronization

All cloud service components are time synchronized with a common centralized time source per ISO 27001 and PCI-DSS requirements.

Vulnerability and Patch Management

VMware employs a rigorous Vulnerability Management program as part of the VMware ISMS. Risk analysis and acceptance activities are performed on vulnerabilities to confirm the vulnerability and to determine the appropriate means of addressing the vulnerability.

System Monitoring

VMware Cloud Operations is staffed 7x24x365 and the team deploys several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. Components include the underlying infrastructure servers, storage, networks, portals, services, and information systems used in the delivery of Workspace ONE services.

Patch Management

VMware maintains the systems it uses to deliver Workspace ONE services, including the application of patches deemed critical for the target systems. Our policy is to patch or upgrade network, utility, and security equipment after analyzing the severity and impact of potential vulnerabilities. Critical vulnerabilities are addressed in a timely manner, and changes are made using industry best practices. Testing is conducted by the QE department to ensure compatibility with the production environment. If required, rollback procedures are conducted by the QE team.

For Workspace ONE Intelligence, base images receive patches and reboots as part of the bootstrap process. Containers are generated on a weekly basis with all patches included. As instances are terminated, new instances are deployed: No instances live more than seven days.

Vulnerability Scanning

Vulnerability scans are performed at least monthly on internal and external systems. In alignment with PCI-DSS, system and application owners are required to address critical and high vulnerabilities with a plan of corrective action after vulnerability discovery. Rescans are used to verify remediation of high-risk vulnerabilities. Other vulnerabilities are addressed with a plan of corrective action within a reasonable period.

Note that VMware does not provide the results of vulnerability scans to customers. We do not feel these isolated pieces of information are of use to our customers in protecting their security objectives. Results are not in context, often generate a large volume of false-positives and do not accurately represent the current security posture of a product or service.

Penetration Testing

Penetration testing falls into two categories: testing performed by VMware and third parties, and customer-initiated penetration testing.

VMware and Third-Party Testing

In alignment with PCI-DSS, VMware performs extensive internal and external penetration tests on Workspace ONE services at least annually, using both third-party vendors and the VMware Red Team. The penetration tests are generally divided into three phases that focus on identifying high-impact vulnerabilities that could lead to exploitation, theft of data, and/or privilege escalation. Tests follow a method intended to simulate real-world attack scenarios and threats that could critically impact data privacy, integrity, and overall business reputation. VMware does not provide the results of penetration testing activities for Workspace ONE services; however, executive summaries of our penetration tests and third-party attestation letters are available by request. Further evidence of our annual penetration tests can be found in our SOC 2 Type 2 audit reports.

Pen Test Scoring and Remediation Timelines

The VMware Red Team uses the industry-standard Common Vulnerability Scoring System (CVSS) version 3. It starts from the base score of the vulnerability and applies environmental and other considerations unique to VMware to arrive at a risk score appropriate for our environment. VMware remediation timelines depend on several factors, such as severity, complexity, impact, product life cycle, and location of the finding (internal versus external resource). Findings from third-party testing are remediated according to a risk-based approach: each finding is evaluated for probability and impact and remediated accordingly. We believe this is an important step towards reducing VMware’s exposure to risk from vulnerabilities and protecting the availability of our infrastructure.

Customer Penetration Testing

Customer-initiated penetration testing, port and vulnerability scanning, spoofing, web application scanning, protocol flooding, denial of service attacks, installation of malware, attempts to decompile source code, or any other action that may cause a disruption in the cloud-hosted production environment are explicitly forbidden in the VMware Cloud Services Exhibit (see Acceptable Use).

For Workspace ONE UEM only: With prior approval and under certain circumstances, customers can perform penetration tests in a simulated environment. All results must be made available to VMware for analysis and remediation (if necessary). Reach out to your VMware representative for more information.

VMware Security Response Center (VSRC)

The VMware Security Response Center (VSRC) leads the analysis and remediation of software security issues in VMware products. VSRC works with customers and the security research community to achieve our goals of addressing these issues and providing customers with actionable security information in a timely manner.

VSRC proactively monitors the security landscape and receives reports directly concerning security issues in VMware products. After validating a report, VSRC works with VMware Research and Development to develop a solution and schedule releases that address the issue. Meanwhile, VSRC keeps the reporter informed of progress. Once the issue is remediated, VSRC releases a VMware Security Advisory.

Security Advisories

VMware Security Advisories document remediation for security vulnerabilities that are reported in VMware products. Optionally, sign up to receive new and updated advisories via e-mail.

Customer Security Contact

VMware encourages users who become aware of a security vulnerability in our products or services to contact VMware with details of the vulnerability.

Partner with your Technical Account Manager, Professional Services, or Sales representative to open a support request on VMware Customer Connect, or you may file a support request directly to notify the appropriate support channels.

When raising a support request, provide as much detail as possible, including CVE identifiers, VMware product version and build number, and any details regarding which vulnerability scanner was used, and so on, as applicable.

Note: VMware does not permit direct vulnerability scans of VMware-hosted production environments.

We encourage use of encrypted email. Our public Pretty Good Privacy (PGP) key is found at kb.vmware.com/kb/1055.

Cloud Environment Monitoring

VMware Cloud Operations is staffed 7x24x365 and deploys several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. Components include the underlying infrastructure servers, storage, networks, portals, services, and information systems used in the delivery of Workspace ONE services.

Intrusion Detection & Prevention

VMware deploys several mechanisms to detect intrusions and help protect against distributed denial of service (DDoS) attacks. These mechanisms range from real-time Intrusion Detection System (IDS) technologies to internal logs and tools and external open-source intelligence (OSINT) data sources. VMware monitors for security events involving the underlying infrastructure servers, storage, networks, information systems, and upstream providers used in service delivery. As part of VMware’s SDLC, Workspace ONE applications are also assessed against the Open Web Application Security Project (OWASP) Top Ten to identify and remediate application code errors that could lead to unauthorized access or DDoS. In alignment with PCI-DSS, Workspace ONE services use file integrity monitoring to detect malicious behavior or changes to system files or libraries. In addition, Workspace ONE Access and Workspace ONE Intelligence use a web application firewall (WAF), which provides application-layer protection against common web exploits.

Antivirus and Antimalware

VMware implements industry best practices for both administrative and technical controls to prevent, detect, and respond to viruses and malware, including ransomware. As part of our annual security training programs, VMware operates a quarterly Phishing Prevention Program to help train our employees to recognize threats. Social engineering topics (such as tailgating, badge access, and vishing) are also covered in our annual security training. Additionally, VMware hosts annual Security & Resilience Fairs for our employees to educate them on keeping VMware information systems secure and resilient. As our employees moved to a remote work model during the global pandemic, VMware created a Working from Home security guide that covers topics such as mobile device security, securing home Wi-Fi, phone/email scams, and securing homes for natural disasters.

In alignment with PCI-DSS, VMware has deployed and centrally manages Carbon Black antivirus and endpoint protection on all employee workstations, configured to check for antivirus definition updates and update clients continuously. Additionally, the software performs on-demand virus scans of any attachments or content introduced to the workstation. System settings prohibit end users from disabling the endpoint protection software. All corporate-owned and personal devices are also enrolled in a VMware-managed instance of Workspace ONE UEM. Note that employees are prohibited from accessing Workspace ONE production environments from personal devices.

Our cloud services also implement strong technical controls, including encrypted backups, network segmentation, firewalls, and access control lists (ACLs), to mitigate, contain, and remediate potential attacks. For systems commonly susceptible to malicious attack, such as Windows OS, VMware deploys enterprise-grade antivirus software. The antivirus software is updated automatically with logging enabled, and files are scanned on access. Workspace ONE Access and Workspace ONE Intelligence production systems are Linux-based and are hardened using Amazon AMIs.

Log Management

Log management includes both infrastructure and application event logs.

Infrastructure Logs

Workspace ONE services leverage a robust centralized SIEM infrastructure. Critical systems and privileged access to Workspace ONE infrastructure, firewall and IDS logs, and Domain Name System (DNS) queries are logged and monitored. Auditable events are in alignment with PCI-DSS requirements and include user identification, type of event, date and time, success or failure indication, and origination of the event. Access to the audit trail is protected, and logs are stored separately and securely. Note: VMware does not provide Software-as-a-Service (SaaS) infrastructure logs to customers. See Application Event Logs for customer-accessible logging options.

VMware System Security logs and events are centrally aggregated and monitored in real-time 7x24x365 by the VMware Security Operations Center (VMware SOC). Logs forwarded to the VMware SOC are retained at least one year, in alignment with PCI-DSS requirements, with up to five years of archive storage.

Application Event Logs

Customers can access application-level logs within Workspace ONE UEM and Workspace ONE Access that record administrator and end-user device events.

Workspace ONE UEM event logs include:

  • Device events: the commands sent from the console to devices, device responses, and device user actions.
  • Console events: actions taken from the Workspace ONE UEM console, including login sessions, failed login attempts, admin actions, system settings changes, and user preferences.

The audit events report in the Workspace ONE Access service lists the events related to a user, including the type of action within a specific date, filtered by criteria such as user, type, action, object, and date range.

These logs can be exported as CSV for storage offline to meet regulatory or business requirements. Workspace ONE UEM event logs can also be integrated with a customer’s existing SIEM solution using syslog.
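A worked example of what a customer can do with an exported console-event CSV once it is in hand: scan it for a burst of failed administrator logins from one source, flag the case where the burst ends in a successful login, and render each hit as an RFC 5424 syslog line for a SIEM. This is an added example, not VMware code or a VMware export format; the column names (Event Time, Event, User, Source IP), the event strings, and the sample rows are constructed for the illustration and will need to be mapped to the actual export columns.

```python
"""Detect admin login-failure bursts in a Workspace ONE UEM console-event CSV
export and emit RFC 5424 syslog lines for a SIEM. Added example, not VMware
code: the column names and event strings are assumptions for the illustration."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed columns, not the real export schema).
SAMPLE_CSV = """Event Time,Event,User,Source IP
2024-03-01T09:00:05Z,Login Failed,jdoe,203.0.113.7
2024-03-01T09:00:20Z,Login Failed,jdoe,203.0.113.7
2024-03-01T09:00:41Z,Login Failed,jdoe,203.0.113.7
2024-03-01T09:01:03Z,Login Failed,jdoe,203.0.113.7
2024-03-01T09:01:30Z,Login Failed,jdoe,203.0.113.7
2024-03-01T09:02:00Z,Login Succeeded,jdoe,203.0.113.7
2024-03-01T09:05:00Z,Login Failed,asmith,198.51.100.2
2024-03-01T10:15:00Z,System Settings Changed,asmith,198.51.100.2
"""


def parse_events(text):
    """Parse the CSV export into dicts with a real datetime for each row."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["Event Time"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": row["Event"],
            "user": row["User"],
            "ip": row["Source IP"],
        })
    return events


def find_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, source IP) that accumulates `threshold`
    failed logins inside a sliding `window`. A success after the burst is
    recorded separately, because that is the case worth paging on."""
    recent = defaultdict(list)   # (user, ip) -> failure timestamps inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["ip"])
        if ev["event"] == "Login Failed":
            q = recent[key]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # age out old failures
                q.pop(0)
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"user": ev["user"], "ip": ev["ip"], "failures": len(q),
                               "first": q[0], "last": ev["time"], "success_after": False}
        elif ev["event"] == "Login Succeeded" and key in alerts:
            alerts[key]["success_after"] = True
            alerts[key]["last"] = ev["time"]
            recent[key].clear()
    return list(alerts.values())


def to_syslog(alert, hostname="uem-export-host", app="uem-login-monitor"):
    """Render an alert as an RFC 5424 line: facility 4 (security/auth),
    severity 2 (critical) when the burst ended in a success, else 4 (warning)."""
    severity = 2 if alert["success_after"] else 4
    pri = 4 * 8 + severity
    stamp = alert["last"].strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = '[uemLogin user="%s" ip="%s" failures="%d" successAfter="%s"]' % (
        alert["user"], alert["ip"], alert["failures"], str(alert["success_after"]).lower())
    msg = "admin login failure burst" + (
        " followed by successful login" if alert["success_after"] else "")
    return "<%d>1 %s %s %s - LOGINBURST %s %s" % (pri, stamp, hostname, app, sd, msg)


if __name__ == "__main__":
    for alert in find_login_bursts(parse_events(SAMPLE_CSV)):
        print(to_syslog(alert))
```

The structured-data element carries the user, source IP and count so the SIEM can correlate the hit with the tenant's own authentication logs; the threshold and window are starting points to tune against the volume of the tenant's real export.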

Incident Management & Response

The VMware Incident Response program, plans, and procedures are developed in alignment with the ISO 27001 and PCI-DSS standards. VMware maintains contacts with industry bodies, risk and compliance organizations, local authorities, and regulatory bodies. Points of contact are regularly updated to ensure direct compliance liaisons have been established and prepared for a forensic investigation requiring rapid engagement with law enforcement. Under the VMware ISMS program, the incident response plan is tested at least once annually, regardless of whether a security incident has occurred.

Figure 3: Incident Response Cycle

VMware Security Operations Center (SOC)

The VMware SOC is staffed and monitors alerts on security anomalies 7x24x365. The VMware SOC leverages multiple log capture, security monitoring technologies, and intrusion detection tools to look for unauthorized access attempts, monitor for incoming threats, and detect activity from malicious insiders.

Incident Reporting

All staff are responsible for reporting information security events as quickly as possible. At a minimum, these scenarios include:

  • Ineffective security controls or access violations
  • Breach of information integrity, confidentiality, or availability expectations
  • Human errors
  • Non-compliances with policies or guidelines
  • Breach of physical security arrangements
  • Uncontrolled system changes
  • Malfunction of software or hardware

Breach Notification

In the case of a confirmed data breach, VMware shall without undue delay notify affected customers of the breach in accordance with applicable laws, regulations, or governmental requests.

Identity and Access Management

Managing identity and access includes access of both customers and VMware to production environments, as well as VMware access to customer networks.

Customer Access to Production Environment

As Workspace ONE services are SaaS-based offerings, customer administrators do not directly manage access to the production environment, but rather, access Workspace ONE services through web-based consoles. Granular role-based access controls (RBAC) restrict the depth of device management information and features available to each Workspace ONE console user. All Workspace ONE administrator changes are retained for review within the console event log. Customer administrators also manage access and entitlements for end user devices.

VMware Access to Production Environments

Access privileges are enforced using role-based access control, separation of duties, and the principle of least privilege. Production environment access is secured through a combination of VPN, IP address allow listing, or jump servers using multi-factor authentication (MFA) N+1 and Active Directory credentials. In accordance with ISO 27001 and PCI-DSS, access is restricted to authorized members of the applicable teams, and system sessions are set to an idle timeout of 15 minutes. Logs are in place to review support staff access to all systems and environments. Quarterly user access reviews are conducted to review privileged access and to remove or deactivate accounts after 90 days of inactivity.

VMware Access to Customer Networks

Workspace ONE services integrate with customer resources using optional customer-managed on-premises connectors. Workspace ONE services, therefore, do not require direct access to internal customer networks, and VMware support personnel do not have access to customer internal networks. For more information on the optional on-premises components, see the Common Components section of the Workspace ONE Reference Architecture.

Session Controls

Session controls include production environment sessions, the Workspace ONE UEM and Workspace ONE Access management consoles, Hub Services, and the Workspace ONE Intelligence administrative panel.

VMware Production Environment Sessions

Workspace ONE SaaS production environment administrative sessions are set to time out after 15 minutes of inactivity.

Workspace ONE UEM Management Console

The cloud-hosted Workspace ONE UEM console has a session timeout maximum of 60 minutes for customer administrators based on the load balancer persistence settings. Workspace ONE administrators can also configure an authentication timeout for end-user applications using the Workspace ONE Software Development Kit (SDK).

Workspace ONE UEM console sessions include the following security controls:

  • HTTP sessions are secured using state and session tokens created and validated by the server.
  • Session control tokens are present on every HTTP transaction.
  • Authenticated sessions do not tie identity and authentication to anti-CSRF (cross-site request forgery) tokens.

Workspace ONE Access Management Console

Customer administrators set Workspace ONE single sign-on (SSO) session and per app re-authentication policies to force users to authenticate again after a configurable length of time.

The Workspace ONE Access Administrative Console and Workspace ONE app catalog include the following security controls:

  • HTTP sessions are secured using state and sessions tokens created and validated by the server.
  • The solution uses HTTP Strict Transport Security (HSTS) headers.
  • Session control tokens are present on every HTTP transaction.
  • XSRF-TOKEN cookie is used to help prevent cross-site request forgery (XSRF or CSRF) attacks.

The Workspace ONE mobile app for end users uses OAuth tokens that are stored encrypted within the app using the standard device-level encryption supported by each mobile operating system. All mobile Workspace ONE apps require a device-level or app-level passcode, entered by the end user, to access the app. Expiry of these tokens is controlled by the server: the administrator chooses how long a session is valid and how frequently it must be renewed. These tokens cannot be removed from the device and used elsewhere.

Workspace ONE Hub Services

Workspace ONE Hub Services is configured from the Workspace ONE Access and Workspace ONE UEM administrator consoles. Workspace ONE Access management console security is outlined above.

Workspace ONE Intelligence Administrative Panel

Generally, customers enable the Workspace ONE Intelligence administrative panel through the Workspace ONE UEM console or through the Workspace ONE Intelligence console via the Workspace ONE Cloud Admin Hub on cloud.vmware.com.

Workspace ONE Intelligence administrative panel sessions include the following controls:

  • JSON Web Tokens use certificates for authentication.
  • Access tokens expire.
  • Certificate downgrade is not possible.
  • CSRF tokens mitigate cross-site request forgery, and security headers are configured to mitigate XSS.
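The controls listed above for the Workspace ONE Access console and the Intelligence administrative panel (server-issued session tokens on every request, an XSRF-TOKEN cookie echoed back by the client, HSTS and related headers, a server-enforced idle timeout) are the standard browser-session pattern. The following is an added example of that pattern in a minimal server-side form; it is not VMware code and says nothing about how the consoles implement it internally. The SESSION cookie name, the X-XSRF-TOKEN request header (the usual companion to an XSRF-TOKEN cookie), the header values, and the 15-minute idle timeout are assumptions chosen for the illustration.

```python
"""Server-side session validation with a synchronizer/double-submit CSRF token
and hardening response headers. Added example, not VMware code; cookie and
header names and the timeout value are assumptions for the illustration."""
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60            # seconds; mirrors the 15-minute idle figure in the text
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
_sessions = {}                    # session id -> {"user", "csrf", "last_seen"}


def create_session(user, now=None):
    """Issue an unguessable session id plus a per-session CSRF secret and
    return the cookies the server would set."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "csrf": csrf, "last_seen": now}
    return {"SESSION": sid, "XSRF-TOKEN": csrf}


def set_cookie_headers(cookies):
    """Set-Cookie lines: the session cookie is HttpOnly; the XSRF-TOKEN cookie is
    deliberately readable by page script so it can be echoed in a request header."""
    return [
        "Set-Cookie: SESSION=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % cookies["SESSION"],
        "Set-Cookie: XSRF-TOKEN=%s; Path=/; Secure; SameSite=Strict" % cookies["XSRF-TOKEN"],
    ]


def _equal(a, b):
    # Constant-time comparison so token bytes do not leak through timing.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_request(method, cookies, headers, now=None):
    """Validate one request. Returns (ok, reason)."""
    now = time.time() if now is None else now
    sid = cookies.get("SESSION", "")
    sess = _sessions.get(sid)
    if sess is None:
        return False, "no session"
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        _sessions.pop(sid, None)          # idle-expired sessions are destroyed server-side
        return False, "idle timeout"
    sess["last_seen"] = now
    if method.upper() in SAFE_METHODS:
        return True, "ok"
    hdr = headers.get("X-XSRF-TOKEN", "")
    cookie = cookies.get("XSRF-TOKEN", "")
    # Double submit (header == cookie) alone can be defeated by an attacker who can
    # plant cookies, so the value is also checked against the server-side session.
    if not (hdr and _equal(hdr, cookie) and _equal(hdr, sess["csrf"])):
        return False, "csrf token mismatch"
    return True, "ok"


def security_headers():
    """Response headers every console page should carry."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    c = create_session("admin")
    print(set_cookie_headers(c))
    print(check_request("POST", c, {"X-XSRF-TOKEN": c["XSRF-TOKEN"]}))
```

Two details are easy to get wrong in this pattern: the XSRF-TOKEN cookie must not be HttpOnly (page script has to read it), and a header-equals-cookie check on its own is not enough when an attacker can set cookies for the domain, which is why the token is also bound to the server-side session.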

Cloud Security Architecture

Workspace ONE cloud services leverage robust perimeter defenses, including, access control mechanisms, perimeter firewalls, malware controls, auditing mechanisms, network controls, disablement of unnecessary services, and maintaining defined configuration settings.

On-premises components are required to support certain solution features. VMware does not have, nor do we require access to customer internal networks. Customers manage on-premises connectors for the solution. Documentation on connectors is available on VMware Tech Zone.

Workspace ONE UEM

Unless specified, policies, procedures and controls as outlined in the Workspace ONE Cloud Service Specific Controls section are applicable to both the next generation Workspace ONE UEM Control Plane and Workspace ONE UEM Classic architectures. As of the publishing of this whitepaper, the Workspace ONE UEM Control Plane architecture is available in our Shared SaaS environments. The Control Plane architecture is available in limited release in our Managed Hosting environments; a wider release to all Managed Hosting environments is currently under evaluation.

Disaster Recovery

Workspace ONE UEM is supported by defined enterprise resiliency programs, which include business continuity and disaster recovery mechanisms. The Workspace ONE UEM cloud infrastructure is designed for high availability and resiliency. Redundancy helps ensure that customers will typically not notice a disruption during a component or system failure inside a VMC on AWS Availability Zone (AZ) or primary co-located data center.

  • VMC on AWS locations: VMware uses a stretched-cluster SDDC for high availability in an active-active configuration. SDDC hosts are evenly split between two AZs within an AWS Region, with an additional witness host in a third AZ, to protect automatically against host failures or an AZ failure within the region.
  • U.S.-based co-locations: In the unlikely event that a primary co-located data center fails, a manual process switches the primary database to the secondary database at the backup data center. Device and console front-end connectivity is migrated to the backup data center, and the Global Load Balancer settings are manually updated to promote the failover DNS entries from secondary to primary, which changes IP address references to the backup data center.

Disaster Recovery (DR) plans are rigorously tested against various disaster scenarios and include tabletop and service restoration exercises. Additional DR strategies include:

  • Daily backups are stored for 30 days.
  • Monthly backups are retained for 60 days.
  • Backups are encrypted in transit and at rest (Advanced Encryption Standard (AES) 256), and support staff regularly review backup processes to help ensure data integrity.

Recovery Time Objective

  • RTO – 72 Hours

Recovery Point Objective

  • RPO – 24 hours

Workspace ONE UEM Cloud Control Plane Architecture

Workspace ONE UEM has a multi-tiered architecture: Front-facing web and app servers are isolated in a restricted Demilitarized Zone (DMZ) behind L7 traffic management/SSL acceleration appliances that proxy all connections to the web and app layer. Workspace ONE UEM also contains an orchestration layer called the Control Plane that uses containerized services for performance and high availability.

The UEM Control Plane ecosystem contains an application workloads cluster, core services cluster and a management cluster that spans across the web and app, state, and management services tiers. The core services cluster includes Kafka (for messaging), Postgres database, logging, and telemetry. The boundaries of the Control Plane are completely internal, and it communicates only to the Workspace ONE UEM instance. The Photon-based Linux Control Plane is scanned as a part of the deployment pipeline. The Workspace ONE UEM Control Plane also uses HashiCorp Vault for secrets lifecycle management. Secrets are used for encrypted communication between the Control Plane services.

Figure 4: Workspace ONE UEM Control Plane Architecture

Workspace ONE UEM Classic Architecture

Workspace ONE UEM Classic Architecture has a three-tiered architecture. The front facing web and app servers are isolated in a restricted Demilitarized Zone (DMZ) behind L7 traffic management/SSL acceleration appliances that proxy all connections to the web and app layer.

Figure 5: Workspace ONE UEM Classic Architecture

Workspace ONE Access

Workspace ONE cloud services leverage Workspace ONE Access, a three-tiered application with its own disaster recovery mechanisms.

Disaster Recovery

Workspace ONE Access is supported by defined enterprise resiliency programs which include business continuity and disaster recovery mechanisms. The Workspace ONE Access service employs a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies. The infrastructure is designed to ensure that customers will typically not notice a disruption during a component or system failure inside a primary data center.

DR plans are rigorously tested against various disaster scenarios and include tabletop and service restoration exercises. DR strategies include, but are not limited to:

  • The use of multiple Amazon Web Services (AWS) Availability Zones and auto-scaling for capacity adjustments.
  • Daily database snapshots and datastore backups to support service RPO and RTO. 
  • Database snapshots are stored for 14 days.
  • Backups are encrypted in transit and at rest (AES-256), and support staff regularly review backup processes to help ensure data integrity.
  • Disaster recovery plans are tested and reviewed annually.

Recovery Time Objective 

  • RTO – 4 hours 

Recovery Point Objective 

  • RPO – 4 hours 

Workspace ONE Access Architecture

Workspace ONE Access is a three-tiered architecture application hosted in a blue-green deployment in multiple Availability Zones (AZs) in AWS Regions globally. The front facing web and app servers are isolated in a restricted Demilitarized Zone (DMZ) behind L7 traffic management/SSL acceleration appliances that proxy all connections to the web and app layer. Workspace ONE Access uses a micro-segmentation approach for the cloud network, and each instance or server belongs to a function-specific security group.

Figure 6: Workspace ONE Access Production Environment Architecture

AWS CloudFront Content Delivery Network (CDN) is used for delivery of some of the VMware Workspace ONE Access service content (static JavaScript, CSS, and images) for the admin console and end-user experience (login screen, Catalog, and so on) on HTTPS 443. On-premises connectors and third-party Identity Providers do not require any access to AWS CloudFront CDN. The CDN does not store customer Personally Identifiable Information (PII).

Workspace ONE Intelligence

Workspace ONE cloud services leverage Workspace ONE Intelligence, a multi-tiered application with its own disaster recovery mechanisms.

Disaster Recovery

Workspace ONE Intelligence is supported by defined enterprise resiliency programs, which include business continuity and disaster recovery mechanisms. The Workspace ONE Intelligence service leverages multiple availability zones in each deployment region, and databases are configured with daily point-in-time backups going back 30 days for resiliency. Additionally, Workspace ONE Intelligence infrastructure deployment is automated and can be quickly orchestrated as required. The infrastructure is designed to ensure that customers will typically not notice a disruption during a component or system failure inside a primary site.

DR plans are rigorously tested against various disaster scenarios and include tabletop exercises. DR strategies include but are not limited to:

  • The use of multiple AWS Availability Zones.
  • Daily point-in-time backups are stored for 30 days. System audit log data is retained for 90 days.  
  • Backups are encrypted in-transit and at-rest, and support staff review backup processes to help ensure data integrity. 
  • Disaster recovery plans are tested and reviewed annually.

Recovery Time Objective 

  • 4 hours 

Recovery Point Objective 

  • 4 hours  

Workspace ONE Intelligence Architecture

Workspace ONE Intelligence is a multi-tiered application composed of microservices built on the Spring framework. All containerized services in the application run in multiple Availability Zones to help minimize downtime and automate scaling. Workspace ONE Intelligence further limits downtime risk through a blue-green deployment architecture and a continuous integration/continuous deployment (CI/CD) pipeline. Services in the state tier are deployed with failover in multiple Availability Zones.

External traffic is routed through web application firewalls (WAF) and external load balancers; all internal microservices are deployed behind internal load balancers in private subnets. Daily snapshots are taken and replicated in region.

Figure 7: Workspace ONE Intelligence Production Environment Architecture

For Workspace ONE UEM SaaS customers, VMware hosts the ETL server (in the Workspace ONE UEM cloud environment). The hosted ETL server transmits data from your Workspace ONE UEM cloud deployment to the Workspace ONE Intelligence cloud environment. On-premises Workspace ONE UEM customers must install an ETL server to connect their on-premises Workspace ONE UEM deployment to the Workspace ONE Intelligence cloud environment.

Customers can optionally leverage the Workspace ONE Trust Network to aggregate threat intelligence from existing security tools, including VMware Carbon Black and Lookout, through secure application programming interface (API) connections. For more information, refer to the VMware Solutions Exchange and the service documentation on connectors on VMware Tech Zone.

Workspace ONE Data Handling

Data handling includes data collection, segmentation, and encryption, as well as key and certificate management.

Data Collection

Workspace ONE UEM

Workspace ONE UEM collects limited personal data used for user activation and management. Customers can enable AES-256 encryption at rest of these fields via the Workspace ONE UEM Administrative Console: User first, last name, username, email address, and phone number. Note: Workspace ONE UEM does not store user credentials derived from customer Active Directory (AD) integration.

VMware publishes a Workspace ONE UEM Privacy Disclosure to inform customers who purchase the software to perform unified endpoint management and those individuals whose devices are being managed by the software regarding the types of information collected by the software about users and their devices.

Limiting Data Collection

Customers can also configure privacy settings to enable or disable the collection and display of user and device information in the Workspace ONE UEM console according to device ownership type.

Privacy control types include:

  • Collect and Display
  • Collect - Do Not Display
  • Do Not Collect

For the following fields:

  • GPS Data
  • Carrier/Country Code
  • Roaming Status
  • Cellular Usage Data
  • Call Usage
  • SMS Usage
  • Device Phone Number
  • Personal Applications
  • Unmanaged Profiles
  • Public IP Address

Workspace ONE Access & Hub Services

Workspace ONE Access combines the User’s identity with factors such as device and network information to make intelligence driven, conditional access decisions for applications delivered by Workspace ONE. Access acts as a broker to other identity stores and providers (such as Active Directory (AD), Active Directory Federation Services (ADFS), Azure AD, Okta and Ping Identity) that Customers may already be using to enable authentication across on-premises, SaaS, web and native applications without the need to rearchitect the identity environment. Workspace ONE Access and Hub Services collect data such as authentication, user data, and logging data. For a complete list, see the Workspace ONE Privacy Disclosure.

Workspace ONE Intelligence

Workspace ONE Intelligence consumes data from various sources as configured by customer administrators from Workspace ONE UEM, Workspace ONE Access, Workspace ONE Intelligence SDK, and the VMware Trust Network. Data is aggregated from multiple sources to provide actionable security insights across devices and users. Refer to Supported Data Categories by Integration for a complete list of data collection points on VMware Docs.

For additional information regarding data collection and use, refer to the documents referenced in the Standard Hosting Agreements and Service Resources section of this whitepaper.

Data Segmentation

Customer data is segmented in all Workspace ONE services. The data segmentation mechanism varies by service and is detailed by service below.

Workspace ONE UEM

Workspace ONE UEM is available in both Shared and Managed Hosting environments. Workspace ONE Access and Workspace ONE Intelligence are available in Shared Hosting environments only.

Workspace ONE UEM Shared Environment

Shared virtual machines are assigned to the Shared SaaS environment to host the Workspace ONE UEM application. Data is isolated at the application layer using unique identifiers. The database resides on a shared SQL cluster with shared infrastructure that contains data for multiple customers. Customers in the shared environment can only access data from their tenant.

(Applicable to Control Plane Architecture deployments.) Shared environments use shared Control Plane services such as Consul, Nomad, and Vault for security service communication, orchestration and scheduling, secrets management, and enforcing access control lists. The Postgres database cluster used by the Control Plane also resides on a shared infrastructure that contains data for multiple customers. Customers can only access data from their tenant.

Workspace ONE UEM Managed Hosting

Workspace ONE Managed Hosting Service provides version upgrade flexibility by leveraging a single-tenant instance of various components, such as the databases described below, within the multitenant logical service. There is no guarantee of, or design for, dedicated systems or components.

  • SQL and Control Plane Postgres databases containing customer data are isolated and not shared; note that the databases do reside on shared SQL and Postgres clusters. For the Control Plane, managed services customers will also receive dedicated Kafka topics (such as groups that hold messages and events).

Workspace ONE Access and Workspace ONE Intelligence Shared Environments

Customer data is segmented at the application level using unique customer identifiers. Customers cannot access data from another customer’s tenant.

Data Encryption

Each service within the Workspace ONE platform leverages encryption to help protect data both in transit and at rest. Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence collect varying data points intended to achieve different outcomes in the delivery of the service. Due to these differences in functionality, the specific encryption approach varies to align with the intended function of each service.

Encryption In-Transit

A variety of types of encryption in-transit are available.

Workspace ONE UEM

All traffic traversing public networks, and any sensitive interactions between Workspace ONE nodes (Workspace ONE and its integration components) and the device agents, use message-level encryption. These message-level interactions are encrypted with 2048-bit RSA asymmetric keys bound to digital certificates. In alignment with PCI-DSS, Workspace ONE UEM SaaS environments support TLS 1.2+. Note: Managed hosting customers can restrict the TLS protocols that may be used to communicate with their environment (for example, by allowlisting only TLS 1.2).

Note: REST API calls take place over HTTPS with a certificate signed by a publicly trusted CA.

Customers can also enable LDAPS to encrypt the directory services connection between on-premises solution components, such as the AirWatch Cloud Connector, and their directory. The AirWatch Cloud Connector itself communicates with the cloud over HTTPS. Refer to the Workspace ONE Reference Architecture for additional information on on-premises solution components.

Workspace ONE Access

Communications for Workspace ONE Access are encrypted in transit via HTTPS (TLS) over public networks. In alignment with PCI-DSS, Workspace ONE Access SaaS environments only support TLS 1.2+.

Each customer tenant is assigned unique private/public key pair. The keys are randomly generated at the time of tenant creation. Private keys are encrypted at rest with AES-256.

Workspace ONE Intelligence

Communications for Workspace ONE Intelligence are encrypted in transit via HTTPS (TLS) over public networks. In alignment with PCI-DSS, Workspace ONE Intelligence SaaS environments only support TLS 1.2+.
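All three services state a TLS 1.2+ floor, and managed-hosting UEM customers can narrow the allowed protocols further. The check a practitioner wants after such a change is a probe from outside: attempt one handshake per protocol version against the tenant's endpoint and confirm that only the intended versions negotiate. The following is an added example of that probe using the Python standard library; it is not a VMware tool, the host name is a placeholder, and the pass/fail rule (no TLS 1.0/1.1 negotiated, at least one of TLS 1.2/1.3 negotiated, every probe conclusive) is an assumption that matches the text rather than a VMware-published criterion.

```python
"""Probe which TLS protocol versions an endpoint will negotiate and judge the
result against a TLS 1.2+ floor. Added example, not VMware tooling; the host
name is a placeholder and the pass/fail rule is an assumption for this check."""
import socket
import ssl

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}


def context_for(version):
    """Client context pinned to exactly one protocol version. Certificate
    verification stays on: a downgrade probe has no reason to disable it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, name, timeout=5.0):
    """Try one handshake. Returns the negotiated version string (e.g. "TLSv1.2"),
    "rejected" if the peer refused, "unsupported-locally" if this client cannot
    even offer the version (hardened OpenSSL builds), or "error" otherwise."""
    ctx = context_for(VERSIONS[name])
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return "unsupported-locally"
        return "rejected"
    except ConnectionResetError:
        return "rejected"             # some front ends reset instead of sending an alert
    except OSError:
        return "error"


def audit(host, port=443):
    """Probe every version and return {version name: result}."""
    return {name: probe(host, port, name) for name in VERSIONS}


def evaluate(results):
    """(compliant, findings): compliant only if no legacy version negotiated,
    at least one modern version negotiated, and every probe was conclusive."""
    findings = []
    accepted = {v for v, r in results.items() if r.startswith("TLSv")}
    for v in sorted(accepted & LEGACY):
        findings.append("legacy protocol %s negotiated" % v)
    if not accepted & MODERN:
        findings.append("no modern protocol (TLS 1.2/1.3) negotiated")
    for v in sorted(results):
        if results[v] in ("error", "unsupported-locally"):
            findings.append("probe for %s inconclusive (%s)" % (v, results[v]))
    return (not findings, findings)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "uem.example.com"   # placeholder host
    res = audit(host)
    ok, findings = evaluate(res)
    print(res, "PASS" if ok else "FAIL", findings)
```

One caveat: a client built against a hardened OpenSSL may be unable to offer TLS 1.0 or 1.1 at all, which the probe reports as inconclusive rather than as a rejection by the server; confirm legacy-version results from a host whose TLS library can still speak them before treating the endpoint as compliant.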

Encryption At-Rest

A variety of types of encryption at-rest are available.

Workspace ONE UEM

All user data stored within Workspace ONE UEM is encrypted at rest using hardware-based array-level encryption, volume-level encryption, or both, with a minimum of AES-256 symmetric encryption.

Additional data-level encryption is implemented for customer content and sensitive fields as described in the Data Security – Data Collection section of this document. All locally defined passwords, certificate private keys, client cookie data, tokens, and the AD Bind Account are stored within the database and protected with the 256-bit AES symmetric encryption algorithm. Stored credentials use Password-Based Key Derivation Function 2 (PBKDF2) with a salt of at least 256 bits and a sufficiently large number of iterations.

Note: Workspace ONE UEM does not store user credentials derived from customer Active Directory (AD) integration.

Workspace ONE Access & Hub Services

Locally defined Workspace ONE Access passwords are secured with AES-256 and PBKDF2 and a randomly generated salt. The service does not store user credentials derived from customer Active Directory (AD) integration. The AD Bind Account is stored in the Workspace ONE Access database and is encrypted (AES-256). Data considered sensitive by the application is encrypted (AES-256) with a per-tenant key that is generated by Workspace ONE Access. Amazon S3 instances used for Workspace ONE Access and Workspace ONE Hub Services are encrypted. Encryption is applied at the database level for Workspace ONE Hub Services.

Workspace ONE Intelligence

Workspace ONE Intelligence is a cloud service that provides deep insights, analytics, and automation for the entire digital workspace. As such, Workspace ONE Intelligence was built as a cloud-native service and uses a combination of AWS-managed and VMware-managed Key Management Service (KMS) keys for all encryption at rest across the solution datastores. Data is encrypted at rest using AES-256 with GCM.

Key Management

Note that Workspace ONE services do not currently support a bring your own key (BYOK) model. To help ensure the security and integrity of the cryptography used in the cloud-hosted environments, only authorized VMware support personnel have access to encryption keys, and keys are managed in line with Payment Card Industry Data Security Standard (PCI-DSS). Customers can manage their own encryption keys for on-premises hosted resources, such as establishing and managing the X.509 certificates for on-premises integration connectors (such as AirWatch Cloud Connector).

Workspace ONE UEM

Data in Workspace ONE UEM is encrypted at rest with a VMware data encryption key (DEK) that is stored in the database. The Workspace ONE UEM database is encrypted at rest with array- or volume-level encryption. Access to the DEK requires direct root privileges to the Workspace ONE UEM database where the DEK is stored. Those permissions are only granted to a small subset of senior VMware Database Administrators with a documented business need. All interactive root access to the Workspace ONE UEM database and DEK is logged and audited. Workspace ONE UEM server keys are stored in an enterprise-grade key management tool.

Workspace ONE Access

Workspace ONE Access uses AWS Key Management Service (KMS) to manage encryption keys. Sensitive customer data is encrypted with a per-tenant key, and each per-tenant key is stored encrypted under a separate master key. The master key, which encrypts all per-tenant keys, is itself stored encrypted. The key used to encrypt the master key and database snapshots is an AWS KMS key generated and stored by KMS. The private key does not leave KMS; we do not use a customer-supplied key that would allow us to hold a copy of the private key outside of KMS. We additionally encrypt the master key using KMS in an alternate AWS region so that, if the primary region is down, the service can be restored in the alternate region.
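To make the layering above concrete, the following added Go example (not VMware's code) models the chain: per-tenant keys wrapped under a master key, and the master key wrapped under a root key in each of two regions, all with AES-256-GCM. The in-process root keys, the region names, the tenant IDs and the use of AEAD associated data to bind each blob to its slot are assumptions of the example standing in for AWS KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom returns n cryptographically random bytes (used for keys and nonces).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor returns AES-256-GCM for a 32-byte key; a wrong key length is a programming error here.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prepends a random nonce; aad binds each blob to its slot so a wrapped key cannot be moved.
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("missing or truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyHierarchy is the persisted state: only wrapped keys, never a plaintext master or tenant key.
type KeyHierarchy struct {
	Masters    map[string][]byte // region ("primary"/"alternate") -> master key wrapped under that region's root
	TenantKeys map[string][]byte // tenant ID -> tenant key wrapped under the master key
}

// Provision generates a master key and one key per tenant; roots stands in for the per-region KMS keys.
func Provision(roots map[string][]byte, tenantIDs []string) *KeyHierarchy {
	master := mustRandom(32)
	h := &KeyHierarchy{Masters: map[string][]byte{}, TenantKeys: map[string][]byte{}}
	for region, root := range roots {
		h.Masters[region] = seal(gcmFor(root), master, []byte("master:"+region))
	}
	for _, id := range tenantIDs {
		h.TenantKeys[id] = seal(gcmFor(master), mustRandom(32), []byte("tenant:"+id))
	}
	return h
}

// TenantAEAD walks the chain region root -> master -> tenant key. Every step is authenticated,
// so a wrong root, unknown region or unknown tenant fails here instead of yielding a garbage key.
func (h *KeyHierarchy) TenantAEAD(root []byte, region, tenantID string) (cipher.AEAD, error) {
	master, err := open(gcmFor(root), h.Masters[region], []byte("master:"+region))
	if err != nil {
		return nil, fmt.Errorf("unwrap master via %s region: %w", region, err)
	}
	tk, err := open(gcmFor(master), h.TenantKeys[tenantID], []byte("tenant:"+tenantID))
	if err != nil {
		return nil, fmt.Errorf("unwrap key for %s: %w", tenantID, err)
	}
	return gcmFor(tk), nil
}

func main() {
	roots := map[string][]byte{"primary": mustRandom(32), "alternate": mustRandom(32)} // stand-ins for KMS keys
	h := Provision(roots, []string{"tenant-a", "tenant-b"})
	a, _ := h.TenantAEAD(roots["primary"], "primary", "tenant-a")
	record := seal(a, []byte("constructed sensitive record"), []byte("tenant-a"))
	alt, _ := h.TenantAEAD(roots["alternate"], "alternate", "tenant-a") // region failover path
	_, err := open(alt, record, []byte("tenant-a"))
	fmt.Println("recovered via alternate region:", err == nil)
}
```

Decrypting a tenant-a record with tenant-b's cipher, or unwrapping the master with the wrong root key, fails authentication rather than returning garbage, which is the property the per-tenant and per-region layering is meant to give.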

Workspace ONE Intelligence

Workspace ONE Intelligence uses AWS KMS to manage encryption keys. Sensitive customer data is encrypted with per-region keys and stored encrypted in the database. The keys used to encrypt database snapshots are also AWS KMS keys generated and stored by KMS. The private keys do not leave KMS, and we do not use customer-supplied keys that would allow us to hold a copy of the private keys outside of KMS.

Certificate Management

Certificate management is handled in Workspace ONE UEM and Workspace ONE Access.

Workspace ONE UEM

Customer certificates uploaded via the Workspace ONE UEM console are encrypted before upload and are password-protected in the PKCS12 format. The passwords are additionally encrypted at rest using AES-256 encryption with the application encryption key. These certificates can include:

  • Registration Authority (RA) Certificates
  • TLS Mutual Authentication Certificates (for connecting to a customer's on-premises enterprise CA)
  • Gateway SSL Certificates

For certificates issued via integration with a customer's on-premises Enterprise CA (including S/MIME), VMware collects the certificate from the Enterprise CA and securely forwards it to the device. The certificate may be held in volatile cache memory for up to 4 hours but is never stored or written to non-volatile storage.

For S/MIME certificates uploaded via the Self-Service Portal (SSP), the certificates are automatically purged after 48 hours; the customer can reduce that retention period to as little as 60 minutes via the SSP.

Workspace ONE Access

Workspace ONE Access uses SAML signing certificates to help ensure that messages are coming from the expected identity and service providers. The SAML certificate is used to sign SAML requests, responses, and assertions from the service to relying applications, such as WebEx or Google Apps. A self-signed certificate is automatically created in the Workspace ONE Access service for SAML signing. These SAML certificates are encrypted using tenant-specific keys that are encrypted using Amazon KMS.

Backup Retention & Data Destruction

This section covers backup retention periods and the destruction of backed-up data.

Retention

Retention is handled in Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence.

Workspace ONE UEM

Daily backups are stored for 30 days, and monthly backups are stored for 60 days[4].

Workspace ONE Access

Daily backups are stored for 14 days, and monthly backups are stored for 60 days.

Workspace ONE Intelligence

Workspace ONE Intelligence stores data to offer historical analysis. The system stores raw data for three months and stores trend data for 12 months. Examples of raw data can include battery information and operating system versions. Some trend data examples include application installs and application adoption, device category data, enrollment, and OS versions over time.

Destruction

The backup process includes destruction of data, both logical and physical.

Logical Destruction

Refer to the VMware Cloud Services Guide for our obligations regarding data retention and deletion at termination.

Physical Destruction

VMware adheres to U.S. Department of Defense (DoD) Mandate 5220-22M, where applicable (U.S.-based co-located data centers only). Note that VMware partners with IaaS and managed service providers to support Workspace ONE cloud-delivered environments globally; these providers manage physical media destruction processes according to ISO 27001 and PCI-DSS requirements.

Privacy and Compliance

Privacy and compliance include data sovereignty and service sub-processors, the EU General Data Protection Regulation (GDPR), binding corporate rules, UK data protection regulations, and data transfer strategies, as well as requests for data protection and for content access.

Data Sovereignty and Service Sub-Processors

All Workspace ONE customer production data is replicated to in-region disaster recovery locations. For data processing locations, refer to the Workspace ONE UEM and Workspace ONE Access sub-processors lists available on the VMware ONE Contract Center. VMware affiliates may also process Content. As set forth in the VMware Data Processing Addendum, VMware has adequate data transfer mechanisms in place with each sub-processor. Refer to the VMware Data Processing Addendum and service sub-processor lists for additional information.

VMware creates microservices in discrete cloud environments to extend the core platform functionality. Processing locations for product functionality delivered via microservices are also outlined in the service sub-processor lists. For more information, refer to the Microservices Appendix.

Privacy and the EU General Data Protection Regulation (GDPR)

Workspace ONE customers are responsible for using and configuring the service in a manner that enables the customer to comply with applicable Data Protection Laws, including the GDPR, as a data controller or as a data processor with respect to Personal Data. VMware complies with applicable data processor obligations. For additional information regarding customer and VMware responsibilities refer to the VMware Data Processing Addendum and Workspace ONE Privacy Disclosure.

Workspace ONE customer administrators can configure how some data is managed, collected, and stored across managed devices. For example, device phone numbers can be collected for corporate-owned iOS devices but not for employee-owned Android devices. Privacy controls can be combined with role-based access so that customer IT staff without the appropriate privileges cannot modify privacy policies in ways that do not adhere to company policy.

VMware has no direct relationship with the Users whose data it processes in connection with providing the Software and any related services. A User who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to the Customer. If the Customer requests VMware to modify or remove the data, we will respond to the Customer’s request in accordance with our agreement with the applicable Customer or as may otherwise be required by applicable law.

At any time, an appropriately provisioned Workspace ONE administrator can take the following actions to help comply with applicable data protection laws:

  • Access, upload, update or remove data directly from the console at any time.
  • Require Terms of Use (TOU) acceptance before end users access the service during enrollment. Users must accept the TOU before proceeding with enrollment, installing apps, or accessing the console. The console allows administrators to fully customize and assign a unique TOU to each organization group and child organization group. TOU acceptance can be reviewed in the administrative console or within the end-user VMware Intelligent Hub at any time.
  • Export solution data at any time, including user reports, via CSV, PDF, and XLS formats.

Binding Corporate Rules

Coincident with the EU General Data Protection Regulation (GDPR), VMware has completed the EU approval process for its global Binding Corporate Rules (BCR) as a data processor. This significant regulatory approval allows VMware to use this transfer mechanism to protect the personal data of our customers when acting as their data processor. The BCRs apply to our customer data processing relationships. VMware is listed as a company for which the EU BCR cooperation procedure is closed. VMware also publishes BCR frequently asked questions (FAQs) for customer and partner review.

UK Data Protection Regulation

VMware has prepared an FAQ, Brexit and International Data Transfers, to address concerns from customers regarding VMware's data transfer strategy in light of Brexit, and specifically the use of binding corporate rules (BCRs) and standard contractual clauses (SCCs).

For additional information regarding the mechanisms VMware has implemented to ensure appropriate safeguards for the transfer of personal data, see the Data Transfer Strategy section below.

Data Transfer Strategy

In connection with the provision of VMware services to a customer, VMware may transfer Personal Data included in Customer Content (as such terms are defined in the VMware Data Processing Addendum) from the European Economic Area (EEA), Switzerland and the UK to third countries in its capacity as a processor. The General Data Protection Regulation (GDPR) has been incorporated into the UK's domestic legislation, and therefore the data transfer mechanisms permitted under the GDPR for transfers of personal data outside the EEA also apply to transfers from the UK. Regarding Switzerland, the Federal Act on Data Protection (FADP) follows a similar framework to the GDPR, and therefore the same data transfer mechanisms apply to transfers from Switzerland (with the necessary amendments to account for any differences).

Recipients or importers of customer's Personal Data include the entities in the VMware Group and select third-party vendors we engage who process Personal Data on our behalf to provide our services ("Sub-Processors"). A list of the entities in the VMware Group and Sub-Processors we use to process our customers' Personal Data in connection with our service offerings and customer support, along with details of their location, is available here.

Intra-Group Transfers: Whenever VMware, acting as a processor, shares Personal Data originating in the EEA, it will do so on the basis of its Irish Data Protection Commissioner and peer approved binding corporate rules known as the VMware Binding Corporate Rules (VMware's EEA BCRs) which establish adequate protection of such Personal Data and are legally binding on the VMware Group.

VMware's BCRs were approved by the European Data Protection Authorities on May 23, 2018. You can review confirmation that this review has now been completed here. For additional information on VMware’s Binding Corporate Rules and to access VMware's EEA BCRs Processor Policy, see VMware's Processor Binding Corporate Rules. To see a listing of the VMware affiliates that have signed an Intra-Group Agreement for VMware's EEA BCRs, click here.

VMware's application for Binding Corporate Rules in the UK (VMware's UK BCRs) is currently pending, and VMware's Data Processing Addendum will be updated when the UK BCRs take effect.

Transfers to Third-Party Sub-Processors: VMware has in place Data Processing Agreements (DPAs) with its Sub-Processors which incorporate the current version of the Controller to Processor SCCs to ensure safe, secure, and legal data transfers from the EEA, Switzerland and UK and to protect any subsequent onward transfers. The European Commission has published a new draft version of the SCCs available here. Once the new SCCs are approved and take effect, VMware will take such necessary steps to implement such new SCCs with its Sub-Processors in accordance with any new requirements established by the European Commission.

Data Protection Requests

If VMware receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data within Workspace ONE services, including requests from individuals seeking to exercise their rights under Data Protection Law, VMware will promptly redirect the request to the customer. VMware will not respond to such communication directly without the customer's prior authorization, unless legally compelled to do so. If VMware is required to respond to such a request, VMware will promptly notify the customer and provide a copy of the request, unless legally prohibited from doing so.

VMware will reasonably cooperate with customers to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data to the extent that customer is unable to access the relevant personal data in their use of the service. Refer to the VMware Data Processing Addendum for definitions and standard hosting terms.

Government Requests to Access Customer Content

VMware may on occasion receive a request from a government agency or law enforcement authority seeking access to content belonging to a customer. Regardless of where a request comes from or who the customer is, VMware is vigilant about protecting Customer Content. VMware will not disclose Customer Content unless required to do so to comply with a legally valid and binding obligation or order. VMware reviews each request to determine that it complies with applicable laws.

The following sets forth the steps VMware takes when responding to a request for Customer Content, as further set forth in the Terms of Service ("Required Disclosures" section).

Where Customer Notification is Not Legally Prohibited, VMware will:

  • Notify the Customer: Notify its customers of any demand for disclosure of Customer Content pursuant to valid legal process unless prohibited or otherwise restricted by law.
  • Refer Government Agency to the Customer: Inform the relevant government authority, to the extent possible, that VMware is a service provider acting on the customer’s behalf and all requests for access to Customer Content should be directed in writing to the contact person the customer has identified to us. If the customer does not provide a contact, we will direct the government agency generally to the customer’s legal department.
  • Limit Access: Only provide access to Customer Content with the customer's authorization. If the customer requests, we will, at the customer's expense, take reasonable steps to contest any required disclosure.

For more information, see our FAQ.

Audit Reports and Trust Assurance

Assurance of trust includes use of ISO and PCI-DSS certifications, audit reports, and questionnaires.

ISO Certifications

Workspace ONE services have achieved ISO 27001, ISO 27017, and ISO 27018 certification. Refer to the VMware Trust Center to view our certificate.

PCI-DSS Certification

Workspace ONE Access and Workspace ONE Intelligence have achieved PCI-DSS certification. The PCI-DSS Attestation of Compliance (AOC) can be downloaded from VMware Trust Center. Note that, although these Workspace ONE services are PCI-DSS certified, they do not store, process, or transmit cardholder data.

SOC 2 Type 2 Audit Reports

Workspace ONE cloud-delivered environments have undergone SOC 2 Type 2 audits; SOC 2 Type 2 reports are available under an NDA with VMware.

Cloud Security Alliance (CSA) Cloud Alliance Initiative Questionnaire (CAIQ)

VMware has completed and published a response to the CAIQ to provide transparency into technologies and processes that vendors implement to manage risks for cloud-delivered environments.

Standard Hosting Agreements and Service Resources

Resources for hosting and service agreements include the VMware Cloud Services Guide, service level agreements (SLA), and terms of service agreements.

VMware Cloud Services Guide

Refer to the Workspace ONE and Workspace ONE Access Service sections available in the VMware Cloud Services Guide for an overview of the hosted service, including roles and responsibilities shared between VMware and the customer.

Service Level Agreement

Workspace ONE services will maintain a monthly availability measurement of 99.9% as defined in the Workspace ONE service SLAs available on the VMware ONE Contract Center.

Terms of Service

The VMware Cloud Services Exhibit and the Cloud Services Guide govern VMware cloud delivered services in addition to the VMware Data Processing Addendum.

Release Management and Maintenance

Workspace ONE services have a 99.9% uptime SLA as defined in the Workspace ONE service SLAs available for download on the VMware ONE Contract Center. As part of the cloud offering, VMware manages and updates the Workspace ONE SaaS applications and scoped hosting systems on behalf of our customers.

Release Schedules

VMware communicates feature releases and service announcements through VMware Docs, VMware Blogs, My Workspace ONE, and by email. Our frequent release schedule demonstrates our commitment to continuous innovation. New software features and operating systems are released daily, and we aim to provide same-day support for new major operating system updates and APIs:

  • Workspace ONE shared cloud environments receive updates automatically.
  • Workspace ONE UEM Managed Hosting Service customers schedule upgrades to their environment via a user-friendly update scheduling tool.

Scheduled Maintenance

VMware schedules pre-defined maintenance windows to limit the potential impact on environment availability. These standing windows are scheduled annually and available on the My Workspace ONE support portal and in this publicly available KB article: 2022 VMware Workspace ONE UEM Maintenance (81448).

Routine Maintenance

Occasionally, it is necessary for VMware to perform maintenance that has the potential to impact the availability of customer environments outside of scheduled maintenance windows, and VMware reserves the right to do so. A minimum of five days’ advance notice is given for routine maintenance.

Emergency Maintenance

Emergency maintenance is defined as potentially impactful maintenance activity that must be executed quickly due to an immediate, material threat to the security, performance, or availability of the Service Offerings. Every attempt will be made to provide as much advance notice as possible, but notice depends on the severity and critical nature of the emergency maintenance.

Customer Support Services 

VMware's Global Customer Support Services teams are strategically placed around the world, operating in a follow-the-sun model from locations in the US, Costa Rica, Ireland and the UK, India, Japan, Australia, and Singapore, as well as local support in China. Each center is staffed with engineers who provide industry-leading expertise in mobility and have experience supporting real-world mobile environments. Support is available in seventeen languages. Support may be provided from other offices as our support team continues to expand to meet customer requirements.

Figure 8: Global Support Locations (map image not reproduced)

VMware U.S. Export/Re-Export Laws and Regulations

VMware, Inc. is committed to complying with all applicable U.S. export/re-export laws and regulations. We observe applicable restrictions on the export and re-export of our products, services, or technical data.

If you are exporting or re-exporting VMware products, services, or technical data, U.S. export control applies to you, and you are required to ascertain your compliance obligations. Contact the VMware Trade Compliance Legal Team with any questions regarding export compliance for our products, services, or technical data at export@vmware.com.

Additional information on VMware’s Export Control Policies can be found on vmware.com:

Export Restrictions

The U.S. Department of Commerce and the U.S. Department of Treasury administer and maintain exclusion lists. VMware does not ship products to any entity or individual, whether in the U.S. or abroad, specified on these lists.

Summary and Additional Resources

Introduction

This document provides a general overview of the security controls implemented in VMware Workspace ONE commercial cloud offerings. The intent is to provide readers with an understanding of how Workspace ONE cloud services approach security, the key mechanisms, and processes that VMware uses to manage information security, as well as describing shared responsibilities for providing security in a modern cloud computing environment.

Additional Resources

For more information about Workspace ONE Cloud Services, you can explore the following resources:

Changelog

The following updates were made to this guide:

Date          Description of Changes
2022/11/15    Guide was published.

About the Author and Contributors

Andrea Smith

Program Manager, EUC Security and Compliance Assurance. Andrea has over 17 years of experience working in technology and technical communications, including six years working in the areas of cloud security, privacy, and compliance. In her role as Program Manager, she collaborates with EUC cloud operations, engineering, cloud compliance and the VMware legal team to build programs that align cloud security processes with compliance, audit and privacy requirements. Andrea has completed hundreds of customer risk assessments, and she routinely contributes to cloud security whitepapers and blog posts for EUC. She has also participated as a subject matter expert for the ISC2 Certified Cloud Security Professional (CCSP) standard setting workshop and has written assessment items for the CCSP exam.

  • Kevin Shaw, Program Manager, EUC Security and Compliance Assurance, VMware
  • Stephanie Specht, Program Manager, EUC Security and Compliance Assurance, VMware
  • Subha Ramachandran, Program Manager, EUC Security and Compliance Assurance, VMware

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Footnotes

[1] Information on the Workspace ONE Assist add-on cloud service is provided in a separate cloud security whitepaper.

[2] You can find the definitions for acronyms used throughout this document in: Acronyms used in the Workspace ONE Security Series.

[3] U.S.-based deployments of over 250,000 devices are located in co-located data centers.

[4] Exception: Workspace ONE UEM web console administrator login history, which is purged by default every 730 days to support customers' security and auditing purposes, unless the customer configures an Admin Terms of Use (TOU) prompt for users. If the TOU prompt is configured, the admin login history is not automatically purged, so that a timestamp and admin record corresponding to the TOU acceptance are retained.
