By Matt Herreras, Director, Technical Marketing for VMC on Dell EMC
VMware’s VMC on Dell EMC solution has just achieved a certificate of compliance for ISO/IEC 27001. This adds to our growing list of security certifications, including SOC 2 Type 1. ISO/IEC refers to two international standards bodies: the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These two organizations meet, debate, vote on, and publish compliance guidelines. An accredited auditor can then apply these guidelines and issue a certificate attesting to whether a customer has met them. ISO/IEC 27001 is a family of guidelines designed to control risk in customer environments. Specifically, it deals with the controls necessary to contain risk to a customer’s information security management system (ISMS). The goal is to help customers mitigate risk to their information systems and the data stored on them. The controls take a systematic approach to examining IT risks, considering the threats and inherent vulnerabilities customers face, such as outages or attacks. For the purposes of this announcement, the relevant standard is ISO/IEC 27001:2013, against which VMC on Dell EMC has been certified.
VMC on Dell EMC is a joint solution from VMware and Dell EMC. It delivers a complete managed cloud solution in customer data center and edge locations. This unique offering from two giants in the tech industry takes the best of VMware’s managed cloud service and delivers it on Dell’s premier hyperconverged appliance, VxRail. This offering has now achieved the important ISO/IEC 27001:2013 certification through the well-respected audit firm Schellman.
The ISO/IEC 27001:2013 certification
What This Means for VMware Customers
Customers want to meet compliance standards as cost-effectively and as quickly as possible. They do this to meet an objective, fulfill a mission, or seize a business opportunity. From an auditor’s perspective, compliance is a sacred trust: the auditor must ensure that the customer has properly implemented the controls or processes of a specific set of guidelines. A customer and an auditor work together to measure the customer’s systems and operations, and the end result of this collaboration is a joint attestation that the environment being measured is compliant. The certification VMware is announcing today will make it easier, cheaper, and faster for VMC on Dell EMC customers to achieve a desired compliance state. By sharing the certification with an auditor, the customer highlights the controls that are already in place and provides a clearer picture of the shared responsibility between the customer and VMware.
Why This Certification Matters
Reaching a state of compliance in an IT environment depends on two important factors. The first is establishing a “known architecture.” The second is the set of controls or processes contained in a specific set of guidelines. For IT environments there are many paths to a production-ready state. Customers or professional services engineers leverage a combination of learned experience, best practices, and product documentation to implement an architecture. When the customer takes control of that architecture, they apply their existing operational model to managing it. While the environment may perform well and meet the reliability needs of the business, it may also be challenging for that customer to provide a clearly documented account of their systems and operations.
Think of the challenge as a geometry problem. Pythagoras’s theorem states that a² + b² = c².
Let’s say the customer’s IT architecture is a² and ISO/IEC 27001:2013 represents b². The compliance measurement is represented as c², the hypotenuse (the side opposite the right angle C). The fact that the compliance guidelines are published means that b² can be measured. This helps, but what if it’s not easy to measure a²? Returning to my point about the variance in how IT environments are implemented and managed: documenting a measurable state of the architecture and operations is hard work for the customer when preparing for an audit. But what if the fundamental architecture is a known state with consistent infrastructure and operations? That scenario gives the customer a². Better yet, if a customer can produce a third-party attestation or certificate that the architecture is compliant with ISO/IEC 27001:2013, then they can solve for c² (a² + b² = c²). This is a key value of VMC on Dell EMC: it is a consistently implemented and operated SDDC managed by VMware. The fact that VMware can provide a certificate attesting to ISO/IEC 27001 compliance is a big advantage to customers.
Before I overextend my geometry metaphor, I should be clear that this does not mean VMware can guarantee that all of a customer’s information systems are compliant. VMC on Dell EMC’s certification covers only what VMware and Dell EMC control, which is approximately 70% of the infrastructure and operations. The customer is still responsible for ensuring that virtual networking, virtual machines, operating systems, applications, data, and the operational processes under their control meet the guidelines. This shared responsibility is common across cloud providers, and it is true for VMC on Dell EMC as well. I will make this last point with one more metaphor. When riding an elevator, the rider can check the certificate of code compliance in the building office; however, not exceeding the elevator’s maximum load is the rider’s responsibility. Go here to learn more about VMC on Dell EMC’s documentation for shared security responsibility.
Conclusion
Having achieved ISO/IEC 27001:2013 certification, VMC on Dell EMC gives customers a logical and solid advantage (let’s call it a compliance theorem) when working towards compliance with these guidelines. Compliance is not easy, but we hope this will make it much easier for our customers to achieve.