Security and data breaches continue to be among the top concerns of organizations around the world. As a SaaS provider, we always make the information security of our customers our top consideration and build service and the operational controls around it, all while striving to adhere to the best security practices the industry has established.
Today, we are excited to announce that VMware Tanzu Mission Control has undergone third-party audit and received the ISO/IEC 27001 certification. This adds to the growing list of industry security certifications that Tanzu Mission Control has received, including the SOC 2 Type 1 certificate in July and the CSA Star CAIQ Self-Assessment, which was completed in June. These certifications are the result of in-depth third-party audits that scrutinize the architecture and operations of the Tanzu Mission Control service. They provide tangible proof of our commitment to important industry principles and best practices.
What are these certificates and why do they matter?
Industry certifications benefit both the customer and the service provider. They give a consistent set of baseline criteria on which customers can evaluate their service providers. They also provide a standard set of guidelines that service providers incorporate into their processes to ensure a secure and controlled operation.
ISO/IEC 27001
The ISO/IEC 27001, also referred to as ISO 27001, is a globally renowned information security standard jointly issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides guidelines for information security management systems (ISMS) so as to ensure those systems’ security controls keep pace with variations such as vulnerabilities, risks, and business impact. Accredited auditors leverage ISO 27001 guidelines to examine individual organizations’ information security management systems and will certify them once they have met those guidelines.
SOC 2 Type 1
System and Organization Controls (SOC) 2, developed by the American Institute of Certified Public Accountants (AICPA), is an auditing procedure designed to ensure that third-party service providers can securely manage data to protect the interests and privacy of their clients. It sets criteria for managing customer data based on five trust service principles: availability, confidentiality, processing integrity, privacy, and security. Compliance with this auditing procedure is a prerequisite for service providers as it attests that the organization has put in place controls to meet those trust service principles. A SOC 2 Type 1 report describes a service vendor’s systems and determines whether it is capable of adhering to relevant trust principles by a specified date.
CSA STAR CAIQ Self-Assessment
The Security Trust Assurance and Risk (STAR) program established by the Cloud Security Alliance (CSA) is one of the industry’s leading programs for security assurance in the cloud. The CSA STAR Self-Assessment documents the security controls provided by various cloud computing offerings to help users assess the security of the providers they use or are considering using. Cloud providers submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM), a controls framework comprising security concepts and principles aligned to the CSA guidance in 13 domains. This information then becomes publicly available, promoting industry transparency by providing customer visibility into specific provider security practices.
What did we do to achieve these certifications?
Achieving these certifications is not easy and requires dedicated effort. VMware is committed to delivering services at the highest standards and maintaining industry certifications is key to demonstrating that commitment.
We built a great service
The most important action we took to gain these certifications was to build a great service. We have held world-class security and operations practices as fundamental to our delivery model since the very beginning. It only took a few minor adjustments and refinements to some of our practices for us to make the grade.
We built a great team
As we built our platform, we also built strong product management and engineering teams. Our team members have experience at the highest level of SaaS delivery, having helped build some of the most well-known services from companies like Amazon, Google, and Microsoft. By leveraging all that experience and knowledge of best practices, Tanzu Mission Control fundamentally changes how our customers manage the modern applications that they rely on now—and will rely on into the future.
We followed a strict process
Shortly after we launched Tanzu Mission Control, we performed the CSA Star Self-Assessment to get “on the record” with our development processes and operational controls. The Tanzu Mission Control assessment was listed publicly in the CSA Star Registry in short order, alongside all the other great VMware products.
While doing CSA Star, we engaged a third-party auditor to begin the process of evaluating Tanzu Mission Control for SOC 2 compliance. Given the work we had done to pass our own internal security audit and the CSA Star attestation, we were able to quickly complete a submission to our SOC 2 auditor and pass that evaluation. We achieved SOC 2 Type 1 in June 2020.
We are now in the waiting period ahead of our SOC 2 Type 2 audit. In a SOC 2 Type 1 evaluation, you attest to and demonstrate controls; SOC 2 Type 2 audits adherence to those controls over a period of time. Six months must pass before a service can receive a SOC 2 Type 2 audit, so we expect to receive our SOC 2 Type 2 certification early in 2021.
After we received SOC 2 Type 1 certification, we immediately set out to achieve ISO 27001 certification as well. Similar to SOC, ISO 27001 evaluates the controls put in place around a service’s operation, in particular its cybersecurity practices. Whereas SOC is most prevalent in the United States, the ISO certifications are widely recognized globally, so it was important for us to pursue ISO 27001 as a compliment to the SOC certification.
Recertification in both SOC and ISO will become an annual process. We are fully committed to maintaining the operational practices that will allow us to recertify efficiently each year.
What do certifications mean for our customers?
Running a SaaS business is not easy, as our customers well know. Many use our products to run their own online services, so they need to be assured that VMware is up to the task of fully supporting them. These industry certifications are one way they can evaluate our ability to design, build, and operate a secure, resilient service they can rely on to underpin their own businesses.
These certifications are proof that Tanzu Mission Control is up to the task. When our customers engage their security teams to dig into our service design, these certifications provide assurance beyond our own claims and make clear that we’ve made an ongoing commitment to our operational practices.