As we shared earlier this year at VMworld, VMware Horizon Cloud has significantly grown in 2020. Cloud-based VDI has clear benefits for customers that needed to scale up remote working quickly, and as we look towards 2021, we know that the flexibility is going to continue to be important for even more of our customers.
Customers in regulated industries might be watching all this cloud VDI activity and wondering if it can work for them, too. Fortunately, VMware has long had a commitment to supporting industry-specific security requirements.
In this post, we review some of our most important regulatory compliance achievements and cloud security assurance materials for our Horizon Cloud offerings, including Horizon Cloud on Microsoft Azure, Horizon Cloud Control Plane and Horizon Cloud on IBM Cloud. Read on to learn more about our support for PCI-DSS, SOC, Cyber Essentials Plus and CSA CAIQ.
The Payment Card Industry Data Security Standard (PCI-DSS) was designed to enhance global payment account data security. This standard provides a baseline of technical and operational requirements and applies to all entities that store, process or transmit cardholder data or sensitive authentication data such as account numbers, cardholder names, PINs, etc.
VMware recognizes that our services can be used to secure and deliver access to key financial or retail applications, which is why we elected to undergo PCI certification for the referenced Horizon Cloud services.
To achieve compliance with this standard, the scoped Horizon Cloud services have undergone a rigorous assessment of security controls across a broad range of domains, including network security, encryption, vulnerability management, access controls, testing and information security policies. Each referenced Horizon Cloud service undergoes a PCI-DSS compliance assessment on an annual basis.
To learn more about PCI-DSS, click here.
System and Organizational Controls (SOC) reports are independent third-party examination reports that demonstrate how VMware meets compliance controls and objectives. SOC reports also offer VMware a way to report to our customers about the effectiveness of our cybersecurity programs.
VMware undergoes two types of annual SOC audits for our Horizon Cloud services: SOC 2 and SOC 3 reports.
The SOC 2 framework includes trust criteria with controls covering security, availability and confidentiality, and is used to evaluate the systems VMware leverages to process users’ data. SOC 2 reports are available for distribution to VMware customers (with an NDA). Please contact your VMware Sales Representative to request a copy of the reports.
The SOC 3 reports are more general reports that cover the Trust Criteria controls listed in the SOC 2 report. These reports are available for download on the VMware Trust Center.
Cyber Essentials Plus
Cyber Essentials is a UK Government-backed framework that helps protect organizations from many different cybersecurity attacks. This certification covers five technical control themes, including firewalls, secure configuration, access controls, malware protection and patch management.
Cyber Essentials Plus also includes a hands-on verification that protections are put in place and requires an accredited third party to conduct external vulnerability testing to ensure security systems are protected.
To learn more about Cyber Essentials Plus, click here (PDF).
Cloud Security Alliance (CSA) is an organization that works to define and raise awareness of best practices for secure cloud computing environments.
VMware participates at CSA STAR Level 1 by completing the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM).
The CCM covers a broad range of security control domains, including application security, business continuity and disaster recovery, change control, data security, identity and access management and many more. VMware updates STAR self-assessments on an annual basis.
CAIQs for Horizon Cloud services are available for download on the CSA website.
Where to Go for More Information
Information on the compliance artifacts listed above, along with additional compliance materials for all VMware services and a description of our security controls, can be found on the VMware Trust Center.