Workspace ONE UEM Cloud Service Alignment with the ACSC Information Security Manual (ISM)

Introduction

This document addresses the security for VMware Workspace ONE Unified Endpoint Management (UEM) Cloud service in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that organizations can apply, using their risk management framework, to protect their information and systems from cyber threats.

Note: You can find the definitions for acronyms used throughout this document in: Acronyms used in the Workspace ONE Security Series.

Purpose

This whitepaper summarizes VMware’s alignment with the Cyber Security Principles and Cyber Security Guidelines within the ISM.

Audience

This document is intended for Australian government commercial cloud customers to evaluate Workspace ONE cloud security and any potential risks against the ACSC ISM. It assumes at least intermediate knowledge of Workspace ONE cloud services, and focuses on the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization Management Program (FedRAMP), on-premises, and third-party offerings are not in-scope for this document. 

Workspace ONE UEM Cloud Security Compliance

Workspace ONE UEM Cloud has completed SOC 2 Type 2 audits and has achieved ISO 27001, 27017, and 27018 certifications. Workspace ONE UEM Cloud has also achieved the UK Government Information Assurance Framework: Cyber Essentials Plus certification. For the most up-to-date list of security audits and certifications for VMware cloud services, navigate to the VMware Trust Center. SOC 2 Type 2 reports are available under an NDA with VMware.

VMware also publishes extensive documentation to familiarize organizations with our products and services. Customers can review the Workspace ONE UEM Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) for a comprehensive overview of our security controls. Refer to the Cloud Services Guide found on the VMware ONE Contract Center for detailed descriptions of service components, as well as shared responsibilities between VMware and our customers.

Alignment with the ACSC Cyber Security Principles

The VMware Information Security Program leverages guidance from industry best practices and regulatory standards, including NIST SP 800-53 and ISO 27001. VMware has created controls and processes using a set of driving principles to provide the underlying general rules and guidelines for security within our cloud-delivered services. Overarching principles include:

  • Governance – Establishing a balance of effectiveness and efficiency by implementing the appropriate controls and managing risks by understanding the threat landscape and leveraging all decision makers during risk analysis.
  • Protection – Providing preventative and protective capabilities to ensure a secure service.
  • Detection – Implementing 24x7 proactive monitoring to detect and identify security incidents.
  • Response – Developing agile response procedures that address both individual security incidents and disaster recovery.

Alignment with the ISM Cyber Security Guidelines

To align with the ISM Cyber Security Guidelines, VMware and our cloud hosting partners have developed controls and processes for every aspect of cyber security. This includes roles, incidents, outsourcing, documentation, physical and personnel security, communications infrastructure and systems, enterprise mobility, ICT equipment, media, system hardening, system management and monitoring, software development, database systems, email, networking, cryptography, gateways, and data transfer.

Guidelines for Cyber Security Roles

VMware has developed controls and processes for two main cyber security roles: chief information security officer and systems owners.

Chief Information Security Officer

VMware has a Chief Security Officer who leads, oversees, and is ultimately responsible for VMware’s Information Security program.

VMware coordinates cyber security through the Information Security Governance Committee (ISGC), which includes members of senior management and representatives from our Information Security, IT Operations, HR, Marketing, Facilities, and Legal teams.

System Owners

The Workspace ONE UEM Cloud service uses numerous components and platform services. Workspace ONE UEM product management has overall system ownership responsibility for the cloud service, although some underlying components have their own product managers. Operational security responsibilities are assigned to the applicable operations teams.

Guidelines for Cyber Security Incidents

VMware has developed controls and processes for detecting, managing, and reporting cyber security incidents.

Detecting Cyber Security Incidents

The VMware Security Operations Center (SOC) enables rapid assessment and response to cyber security threats targeting VMware services through continuous collection, evaluation, and dissemination of cyber threat intelligence. The VMware SOC works with the Workspace ONE UEM Cloud service teams to provide proactive monitoring of hosted services and to support incident response activities.

The VMware SOC is staffed 24x7 and monitors alerts on security anomalies. The SOC leverages multiple tools for log capture, security monitoring, and intrusion detection to look for unauthorized access attempts, monitor for incoming threats, and detect activity from malicious insiders.

Managing Cyber Security Incidents

The VMware Incident Response plans and procedures have been developed in alignment with the ISO 27001 standard. VMware follows a formal Incident Management Plan that is maintained as part of our overall Information Security Program. Incidents are reported to the appropriate Cloud Operations team for categorization and resolution, and issues are escalated to senior management according to a pre-defined protocol. VMware tracks alerts, responses, and resolutions through to completion: incident response teams prepare post-mortem reports to internal stakeholders and to the Information Security Governance Committee for review.

Reporting Cyber Security Incidents

In the case of a confirmed data breach, VMware shall notify affected customers of the breach without undue delay in accordance with applicable laws, regulations, or governmental requests.

Guidelines for Outsourcing

VMware has developed controls and processes for cyber security outsourcing, including supply chain risk management, managed services, and cloud services.

Cyber Supply Chain Risk Management

VMware has a comprehensive vendor procurement and risk management program to choose providers that meet identified security baseline requirements. Supplier agreements ensure that providers comply with applicable laws, security, and privacy obligations.

VMware has a formal process to document and to track non-conformance as a part of our ISMS. To help assure reasonable information security across our information supply chain, VMware also conducts risk assessments for service sub-processors at least annually to ensure appropriate controls are in place to reduce risks to the confidentiality, integrity, and availability of sensitive information.

Managed Services and Cloud Services

Workspace ONE UEM Cloud services incorporate managed services and cloud services from various service providers. VMware’s standard supplier management processes are used to track and manage the use of these third-party services.

Guidelines for Security Documentation

VMware has developed controls and processes for cyber security documentation, including development and maintenance of both general and system-specific security documentation.

Development and Maintenance of Security Documentation

VMware maintains an organization-wide Information Security Program and Policies, and we perform annual reviews and audits of our program to keep the documentation up to date. Formal documentation, such as business continuity and disaster recovery plans, is reviewed at least annually or upon significant system change.

Security documentation for the Workspace ONE UEM Cloud service is the responsibility of applicable product managers and is maintained by the relevant operations and engineering teams. Changes to security for VMware cloud services have an approval process involving Information Security.

System-specific Security Documentation

Service-specific documentation such as data flow and network diagrams, risk registers, deployment procedures, and so on, are reviewed and updated regularly.

VMware applies consistent incident response plans across its cloud services, which are led by the VMware SOC.

Cloud services for VMware also apply a consistent continuous monitoring plan for proactively identifying, prioritizing and responding to security vulnerabilities. The VMware Security Response Center (VSRC) is responsible for managing and resolving security vulnerabilities in VMware products and services that are available to customers. VSRC has a mature process for investigating reports, coordinating disclosure activities with researchers and other vendors when appropriate, and communicating remediation to customers via security advisories, blog posts, and email notifications.

Guidelines for Physical Security

VMware and its cloud hosting partners have developed controls and processes for physical security, including facilities and systems, as well as ICT equipment and media.

Facilities and Systems

VMware leverages Amazon Web Services (AWS) and VMware Cloud on AWS (VMC on AWS) within Australia to support the Workspace ONE UEM Cloud service offering. AWS maintains physical and environmental security controls for the cloud-delivered services, as well as for related premises and ICT equipment. AWS and VMC on AWS have completed IRAP assessments (PROTECTED), SOC 2 Type 2 audits and have achieved at least ISO 27001 certification.

The VMware physical security policy governs security for our offices and other global business locations to safeguard information systems and staff.

Key elements of this policy include controls around: physical security perimeters, physical entry controls, physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of facilities, protecting against external and environmental threats, working in secure areas, access to restricted areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of equipment, unattended user equipment, and clear desk and clear screen.

ICT Equipment and Media

VMware leverages Amazon Web Services (AWS) and VMware Cloud on AWS (VMC on AWS) within Australia to support the Workspace ONE UEM Cloud service offering. AWS maintains suitable controls to restrict access to the underlying ICT equipment for the services. AWS has completed an IRAP assessment (PROTECTED) which includes the ICT equipment for AWS services within the assessment scope.

All user data stored within Workspace ONE UEM is encrypted at rest with a minimum level of AES-256 symmetric encryption.

Guidelines for Personnel Security

VMware has developed controls and processes for personnel security, including awareness training, and access to systems and respective resources.

Cyber Security Awareness Training

In alignment with the ISO 27001 standard, all VMware personnel and alternative workforce are required to complete annual business conduct and security awareness training. Employees undergo annual data handling and privacy training that includes the secure handling of customer data.

Access to Systems and Their Resources

VMware HR applies policies and processes for background screening, employment and confidentiality agreements, and employee termination procedures.

Access privileges to the Workspace ONE UEM hosted infrastructure are enforced using role-based access control, separation of duties, and the principle of least privilege. Production environment access requires a secure VPN and a jump server with MFA and AD credentials, and is restricted to authorized members of the applicable teams. Logs are in place to review support staff access to all systems and environments.

Australian customer data is stored in data centers located in Australia, with backup also located in Australia. However, VMware uses a 24x7 “Follow-the-Sun” support program. This means that, outside business hours in Australia, support services may be manned by employees in our global office locations (for example, United Kingdom, United States) and data may be accessed (or processed) outside of Australia. Remote access to the production environment, for the purposes of maintenance and support, may also be used by our global data center operations team.

Guidelines for Communications Infrastructure

Our cloud hosting partners have developed controls and processes for communications infrastructure, including cabling infrastructure.

Cabling Infrastructure

VMware partners with AWS to support Workspace ONE UEM Cloud services in Australia, and AWS manages cabling infrastructure used to host the services. AWS services are assessed under the PROTECTED classification of IRAP.

Emanation Security

Workspace ONE UEM Cloud will not be used for SECRET or TOP SECRET systems or information and so emanation security controls are not applicable.

Guidelines for Communications Systems

No controls and processes have been developed for communications systems, including telephone systems, video conferencing, Internet protocol telephony, fax machines, and multifunction devices, as these systems are not applicable to the Workspace ONE UEM cloud service.

Telephone Systems

Telephone services are not applicable for the Workspace ONE UEM Cloud service.

Video Conferencing and Internet Protocol Telephony

Video and voice over IP services are not applicable for the Workspace ONE UEM Cloud service.

Fax Machines and Multifunction Devices

Fax and multi-function device services are not applicable for the Workspace ONE UEM Cloud service.

Guidelines for Enterprise Mobility

VMware has developed controls and processes for enterprise mobility and mobile device management.

Mobile Device Management

VMware secures all company workstations and mobile devices using a centrally managed corporate Workspace ONE UEM instance. Any device connecting to VMware corporate resources is required to be enrolled and managed. Systems settings prohibit end users from disabling endpoint protection software.

Staff are permitted to use personal devices to access a limited set of VMware corporate services and information. However, personal devices are prohibited from accessing production environments for VMware products and services. VMware managed laptops must be used to access production environments.

Guidelines for Evaluated Products

No controls and processes have been developed for evaluated products, as this activity is not applicable to the Workspace ONE UEM cloud service.

Evaluated Product Acquisition and Usage

Evaluated products are not procured for the Workspace ONE UEM Cloud service. Workspace ONE UEM version 1907 is certified for Common Criteria; however, the cloud service is not an evaluated product.

Guidelines for ICT Equipment

VMware’s cloud hosting partners have developed controls and processes for ICT equipment, including usage, maintenance, and repairs, as well as sanitation, destruction, and disposal.

ICT Equipment Usage; Maintenance and Repairs; Sanitation and Destruction; Disposal

VMware partners with AWS to support Workspace ONE UEM Cloud services in Australia, and AWS manages the underlying ICT equipment used to host the services. AWS services are assessed under the PROTECTED classification of IRAP.

Guidelines for Media

VMware’s cloud hosting partners have developed controls and processes for media, including usage, sanitation, destruction, and disposal.

Media Usage; Sanitation; Destruction; Disposal

VMware partners with AWS to support Workspace ONE UEM Cloud services in Australia, and AWS manages the physical media that is used for the services. AWS services are assessed under the PROTECTED classification of IRAP.

Guidelines for System Hardening

VMware has developed controls and processes for system hardening, including processes for operating systems, applications, authentication, and virtualization.

Operating System Hardening

VMware disables unnecessary ports, protocols, and services as part of baseline hardening standards. We follow industry best practices in applying secure configurations to managed servers that are used to provide the Workspace ONE UEM Cloud services.

For Workspace ONE UEM servers that use Windows operating systems, the team hardens server configurations using Group Policy Objects (GPOs) (for example, account policies, user rights, security options, event log settings, and app restrictions). Workspace ONE UEM Linux-based servers use the Amazon Linux AMI for system hardening. The Amazon Linux AMI includes default security configurations such as remote access limited to SSH key pairs, remote root login disabled, a reduced set of non-critical packages installed, and automatic security-related updates.

Application Hardening

VMware uses secure-by-design principles in developing its Workspace ONE UEM software and applies strong security management practices for the ongoing management of the Cloud services.

Authentication Hardening

VMware applies authentication standards for all VMware products as part of the VMware Product Security Requirements (PSR) which are examined during the Security Development Lifecycle.

VMware applies industry best practice authentication for VMware personnel with access to all VMware code, software pipelines or cloud service environments. Industry best practice authentication is also applied for service accounts in cloud service environments. Authentication requirements are verified by our third-party auditors during our annual compliance activities.

Virtualization Hardening

VMware leverages host virtualization capabilities from AWS and VMware as well as Kubernetes-based containers in providing the Workspace ONE UEM Control Plane. We follow industry best practices in applying secure configurations to virtualization and container platforms.

Guidelines for System Management

VMware has developed controls and processes for system management, including system administration, patching, data backup, and restoration.

System Administration

VMware applies robust processes for administration of all systems that are involved in providing Workspace ONE UEM Cloud services. These systems and associated administrative infrastructure are strictly isolated from the VMware corporate network.

System Patching

VMware maintains the systems it uses to deliver Workspace ONE UEM Cloud services, including the application of patches deemed critical for the target systems. Our policy is to patch or upgrade network, utility, and security equipment after analyzing the severity and impact of potential vulnerabilities. Critical vulnerabilities are addressed in a timely manner, and changes are made using industry best practices.

Vulnerability scanning and remediation are in line with PCI-DSS. Scans are performed at least monthly, and system and application owners are required to address critical and high vulnerabilities with a plan of corrective action after vulnerability discovery. Other vulnerabilities are addressed with a plan of corrective action within a reasonable period.

Data Backup and Restoration

Workspace ONE UEM Cloud employs a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies deployed at the data layer. Backup schedules are defined, and cloud operations personnel regularly review backup processes to help ensure data integrity.

Guidelines for System Monitoring

VMware has developed controls and processes for system monitoring, including event logging and monitoring.

Event Logging and Monitoring

VMware Cloud Operations is staffed 24x7 and the team deploys several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. Components include the underlying infrastructure servers, storage, networks, portals, services, and information systems used in the delivery of Workspace ONE UEM Cloud.

Workspace ONE UEM Cloud leverages a robust centralized SIEM infrastructure. Critical systems and privileged access to Workspace ONE UEM Cloud infrastructure are logged and monitored. Auditable events are in alignment with PCI-DSS requirements and include user identification, type of event, date and time, success or failure indication, and origination of event. Access to the audit trail is protected, and logs are stored separately and securely.

Guidelines for Software Development

VMware has developed controls and processes for software development, including both application and web application development.

Application Development

VMware follows a defined Software Development Lifecycle (SDLC) which incorporates security into each phase (for example, requirements, design, implementation, verification) of development. VMware’s SDLC is based on industry-recognized best practices and standards, including PCI-DSS common coding vulnerabilities, OWASP, OSSTMM, SANS/CWE, and SCRUM methodologies. For more information on the VMware SDLC, see the VMware Product Security Whitepaper.

Web Application Development

VMware’s Security Development Lifecycle applies industry best practices for secure application development, including secure web application development practices.

Guidelines for Database Systems

VMware has developed controls and processes for database systems, including database servers, DBMS, and databases.

Database Servers; DBMS; Databases

Workspace ONE UEM Cloud service databases are implemented using industry best practices, including hardening by disabling unnecessary services and accounts, applying the principles of least privilege and separation of duty, enforcing network segmentation, executing parameterized queries, and full logging and monitoring capabilities.

Guidelines for Email

No controls and processes have been developed for email, including email usage, gateways, and servers, as these systems are not applicable to the Workspace ONE UEM cloud service.

Email Usage; Gateways and Servers

Email management and email gateways and servers are not applicable for the Workspace ONE UEM Cloud service.

Guidelines for Networking

VMware has developed controls and processes for networking, including network design and configuration, and service continuity for online services. No controls have been developed for wireless networks as these are not applicable to the Workspace ONE UEM cloud service.

Network Design and Configuration

Workspace ONE UEM Cloud has a multi-tiered architecture with front-facing web and app servers that are isolated in a restricted Demilitarized Zone (DMZ) and are separated from the state tier, which houses the databases, and from the management services tier. Workspace ONE UEM Cloud also contains an orchestration layer called the Control Plane: containerized services that are leveraged for performance and high availability. The UEM Control Plane ecosystem contains an application workloads cluster, a core services cluster, and a management cluster that spans the web and app layer, state tier, and management services tier.

Wireless Networks

Wireless networks are not applicable for the Workspace ONE UEM Cloud service.

Service Continuity for Online Services

Workspace ONE UEM Cloud employs a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies deployed at the data layer. The infrastructure is designed to ensure that customers will typically not notice a disruption during a component or system failure inside a primary data center.

Disaster recovery strategies include:

  • The use of Amazon Web Services (AWS) Availability Zones for applicable locations
  • Database replication
  • Encryption of backups in transit and at rest (AES-256)

Guidelines for Cryptography

Workspace ONE UEM Cloud collects limited personal data used for user activation and management. All user data stored within Workspace ONE UEM Cloud is encrypted at rest with a minimum level of AES-256 encryption. Backups are also encrypted.

All traffic traversing public networks and any sensitive interactions between Workspace ONE nodes (Workspace ONE and its integration components) and the device agents are done using message-level TLS encryption. These message-level interactions are encrypted with 2048-bit RSA asymmetric keys using digital certificates. Workspace ONE UEM Cloud supports TLS versions 1.2+.

Guidelines for Gateways

VMware has developed controls and processes for gateways, including firewalls, web proxies, web content filters and filtering. No controls have been developed for cross-domain solutions, diodes, and peripheral switches as Workspace ONE UEM will only contain PROTECTED data and these controls are not applicable.

Gateways; Firewalls; Web proxies; Web Content Filters; Content Filtering

The Workspace ONE UEM Cloud service architecture implements gateways using L7 traffic management/SSL acceleration appliances that proxy all connections to the web and app servers located in the DMZ. Workspace ONE UEM also implements robust perimeter defenses, including perimeter firewalls and real-time intrusion detection technologies to detect malicious behavior.

Cross Domain Solutions; Diodes; Peripheral Switches

Workspace ONE UEM Cloud is offered as a public cloud service and so it will only be used for unclassified information or for information classified PROTECTED. Cross Domain Solutions and Diodes are not applicable. Controls related to peripheral switches are only applicable for AWS as part of the shared responsibility model.

Guidelines for Data Transfers

VMware has developed controls and processes for data transfers and the protection of data exports.

Data Transfers

VMware employees are prohibited from manually transferring customer data from the production environment (for example, removal and storage of customer data on removable media). To ensure accountability, full auditing capabilities are enabled on all VMware cloud environments.

Customers can import and export their data using manual techniques and are responsible for developing and implementing data transfer policies and procedures, including accountability, scanning, auditing, and logging.

Summary and Additional Resources

This document addresses the security for VMware Workspace ONE Unified Endpoint Management (UEM) Cloud service in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). Information contained in this document is solely for the use of evaluating Workspace ONE software and services and does not represent an official Infosec Registered Assessors Program (IRAP) certification or endorsement of Workspace ONE UEM by the ACSC.

Additional Resources

For more information about Workspace ONE UEM, you can explore the following resources:

Changelog

The following updates were made to this guide:

Date          Description of Changes
2022/11/16    Guide was published.

About the Author and Contributors

This document was authored by Andrea Smith, Program Manager, EUC Security and Compliance Assurance.

The following people also contributed their knowledge and assistance with this document:

  • Kevin Shaw, Program Manager, EUC Security and Compliance Assurance, VMware
  • Stephanie Specht, Program Manager, EUC Security and Compliance Assurance, VMware
  • Subha Ramachandran, Program Manager, EUC Security and Compliance Assurance, VMware

Feedback
Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
