VMware is pleased to announce that VMware SASE™ has attained a SOC2 Type 2 report with no qualified opinions. Independent consultants KPMG, one of the “Big 4” audit firms, issued the report to VMware after a rigorous audit process that adhered to the highest standards. The report is for the period April 1, 2022 to March 31, 2023.
Also through KPMG, VMware received ISO 27001, 27017, and 27018 certifications for VMware SASE. Renewed PCI compliance for VMware SD-WAN™ was attained with Crowe auditors. These achievements are another proof point for the rigorous security measures that VMware has implemented and underscore our commitment to protect customer data with secure and reliable solutions.
More about the SOC2 report
In a digital landscape where data breaches and cybersecurity incidents have become all too common, organizations and businesses must prioritize the security and privacy of their customers’ sensitive information. To ensure the highest level of trust and confidence, various regulatory frameworks and certifications have been established, one of which is a SOC2 report.
SOC2, short for Service Organization Control 2, is an assurance report that attests to an organization’s information security controls and processes. SOC2 is based on the Trust Services Criteria developed and maintained by the American Institute of Certified Public Accountants (AICPA) and focuses on a service organization’s non-financial reporting controls related to security, availability, processing integrity, confidentiality, and privacy.
SOC2 Type 1 vs. SOC2 Type 2
Last year, VMware SASE obtained a SOC2 Type 1 report, which provided a snapshot of its security controls at a specific point in time. However, SOC2 Type 2 takes the assessment to the next level by evaluating the effectiveness and operational efficiency of these controls over a defined period, usually six to twelve months. This longer assessment period allows auditors to gain deeper insights into an organization’s security practices and identify any potential gaps or weaknesses.
The importance of SOC2 Type 2
The rigorous assessment necessary for SOC2 Type 2 certification evaluates security controls, data protection measures, access management, and incident response protocols, among other critical aspects. This certification conveys the following benefits for VMware customers:
- Third-party risk management: A SOC2 report provides assurance to customers that VMware has maintained a rigorous information security program in alignment with its risk profile. Customers can leverage VMware’s SOC2 report to support their internal third-party risk management programs.
- Risk mitigation: Through comprehensive security assessments, SOC2 certification helps identify vulnerabilities, enabling organizations to implement robust risk mitigation strategies.
- Enhanced security: SOC2 Type 2 certification demonstrates that VMware SASE has implemented and maintained stringent security controls and practices. These controls protect customer data against unauthorized access, breaches, and other security threats. The certification assures customers that their sensitive information is handled with the utmost care and in compliance with industry best practices.
- Operational excellence: By subjecting VMware SASE security controls to an extended period of evaluation, VMware is showcasing its commitment to operational excellence by continuously improving its security posture and maintaining a high standard of performance.
ISO certifications
ISO certifications are crucial because they demonstrate a high level of commitment to information security and the protection of sensitive data, especially in cloud environments. VMware SASE products have been certified for ISO 27001, 27017, and 27018. These standards set by the International Organization for Standardization (ISO) address different aspects of information security management systems (ISMS) and cloud-based services. These standards play a critical role in networking products, providing guidelines for how to properly manage and protect sensitive information.
- ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organization. Its ultimate goal is to help organizations manage their security practices consistently, cost-effectively, and with due regard for risk.
- ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services, for providers and customers. The certification provides reassurances about how sensitive data is processed and stored.
- ISO 27018 deals with protecting personally identifiable information (PII) in public clouds acting as PII processors.
PCI certification for VMware SD-WAN
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. PCI compliance is an ongoing process, and VMware has again renewed the PCI compliance for VMware SD-WAN. To learn more, visit the VMware SASE PCI compliance web page.
Adding VMware Edge PoPs
One of the characteristics that sets VMware SASE apart is a global network of over 200 PoPs from VMware and our service provider partners. These PoPs provide unparalleled access to major cloud and SaaS providers, putting users within milliseconds of cloud resources. VMware recently brought three SASE-enabled VMware Edge PoPs online in Mexico City, Auckland, and Mumbai, furthering our commitment to a worldwide network enhanced by the utmost trust and security.
The VMware SASE family of solutions includes:
- VMware SD-WAN
- VMware SD-WAN Client
- VMware Edge Network Intelligence™
- VMware Secure Access™
- VMware Cloud Web Security™
The VMware SD-WAN Client and VMware Edge Network Intelligence were not included in the scope of the latest SOC2 report or the ISO certifications mentioned above; however, these offerings will be included in our compliance programs in the future.
Commitment to our customers’ security
In an era where data security and privacy are paramount concerns, VMware SASE’s attainment of these reports and certifications marks a significant achievement. These accomplishments underscore our commitment to safeguarding customer data, providing operational excellence, and complying with industry regulations. VMware is committed to robust security practices and maintaining the highest standards of information security.
Learn more
- See the status of all publicly available compliance certifications at the VMware Trust Center
- Visit the VMware SASE web page