How VMware IT Maintains Security Across a Multi-cloud Environment: Part One

By: VMware Head of Security Engineering and Architecture Brad Doctor; VMware Staff II Engineer – Cloud Security Casey Lems; and VMware Senior Security Architect Craig Savage

Transforming your security organization into a savvy cloud security shop takes time and effort. During our journey, VMware IT identified the steps to maintain security across our global cloud estate. We cover four steps in part one of our blog series.

1. Clarify internal responsibility

The IT organization needs to determine an owner for public cloud security, and this may mean assigning specific areas of responsibility across several teams. Defining these boundaries helps to eliminate the risk of assuming another team is responsible. It is crucial to ensure all relevant groups are involved, such as security, finance, DevOps, and application/service owners. Even in smaller organizations, it may be necessary to extend the shared security model internally.

2. Effective communication

Equipping and educating cloud teams to manage risk requires clear communication between teams managing the overall cloud footprint, and the developers using those clouds. To build a structure around this process, VMware IT created a Cloud Center of Excellence Team that includes key stakeholders in Cloud Engineering, Cloud Security and Finance. They establish, maintain, and handle the deployment of critical governance controls that apply universally across the cloud footprint.

After securing buy-in from Engineering, DevOps, and Line of Business Owners, we work together to implement best practices for security, controls and governance for optimal business operation.

To ensure teams focus on developing products, we provide methods to raise concerns in a timely manner–regular meetings and shared collaboration tools.

3.  Asset Visibility

One of the top critical controls in cloud security is asset visibility and identification. You cannot secure what you do not know about; therefore, an effective collection strategy is a must. We will cover this in part two of our blog series.

4. Define Your Standards – Create a Governance Program

Creating a governance program is important and involves defining what gets monitored and prescribes how to meet security requirements.


Start by deriving a set of common standards and choose wisely. Your cloud providers will have published many standards that include hardening guides. Standard bodies have also established controls to associate with a lead set of programmatic cloud controls. We use compensating controls where they are relevant to our business. The objective is to make a control set something the IT team can use and thrive within, without the risk of non-compliance.

Target Environments

It’s important to identify the environments that matter most at the business level. Once defined, determine what must be checked and enforced across the entire set of cloud accounts.


When approaching governance controls, assume that every control you put in place may need an exception. Review individual applications to identify specific nuances or differences and develop a workflow process to manage them. This may be as simple as allowing the teams to place a tag on the resource. The team may need to deploy additional mitigating controls before the exception is allowed.

Regardless of the process chosen, handling these exceptions through a pre-planned decision tree (and focusing on automating this process) is critical to allow your Center of Excellence to keep up with the speed of the cloud.

Next Steps

The VMware IT team uses these steps to manage cloud security. We review and fine-tune our processes regularly.  Check back soon to read the remaining blogs in this series.

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.   


Leave a Reply

Your email address will not be published. Required fields are marked *