VMware vcloud Air Security TECHNICAL WHITE PAPER


TECHNICAL WHITE PAPER

The Shared Security Model for vCloud Air

The end-to-end security of VMware vCloud Air (the "Service") is shared between VMware and the customer. VMware provides security for the aspects of the Service over which it has sole physical, logical, and administrative-level control. The customer is responsible for the aspects of the Service over which the customer has administrative-level access or control. The primary areas of responsibility for VMware and the customer are outlined below.

VMware uses commercially reasonable efforts to provide:

Physical Security: VMware protects the data centers housing vCloud Air from physical security breaches.

Information Security: VMware protects the information systems used to deliver vCloud Air for which it has sole administrative-level control.

Network Security: VMware protects the networks containing its information systems up to the point where the customer has some control, permission, or access to modify the customer's networks.

Security Monitoring: VMware monitors for security events involving the underlying infrastructure (servers, storage, networks, and information systems) used in the delivery of vCloud Air for which it has sole administrative-level control. This responsibility stops at any point where the customer has some control, permission, or access to modify an aspect of the Service.

Patching & Vulnerability Management: VMware maintains the systems it uses to deliver the Service, including the application of patches it deems critical for the target systems. VMware will perform routine vulnerability scans to surface critical risk areas in the systems it uses to deliver the Service offering. Critical vulnerabilities will be addressed in a timely manner.

The customer should address:

Information Security: The customer is responsible for ensuring adequate protection of the information systems, data, content, or applications that the customer deploys and/or accesses on vCloud Air. This includes, but is not limited to, any level of patching, security fixes, data encryption, access controls, and the roles and permissions granted to the customer's internal, external, or third-party users.

Network Security: The customer is responsible for the security of the networks over which the customer has administrative-level control. This includes, but is not limited to, maintaining effective firewall rules, exposing only the communication ports necessary to conduct business, locking down access to authorized users only, and other similar controls.

Security Monitoring: The customer is responsible for the detection, classification, and remediation of all security events isolated within the customer's vCloud Air account (including virtual machines, operating systems, applications, data, or content) that are surfaced through vulnerability scanning tools or required for a compliance or certification program in which the customer is required to participate and which is not serviced under another VMware security program.

Figure 1. Responsibility Stack (layers listed from the tenant-controlled top to the VMware-controlled bottom):
Tenant External Network (Firewall, Routing, Ports, Protocols, Logs)
Tenant Internal Network (Segmentation, Ports, Protocols, etc.)
Tenant Application/Portal/Content Access Layer
Tenant Application/Content
Tenant Operating Systems
Tenant Virtual Machines
VMware vCloud Air Management Systems (Hypervisor, Unified Portal, Operational Support Systems, Business Support Systems)
VMware vCloud Air Physical Infrastructure (Servers, Storage Systems, Backup Systems, Switching Network)
VMware vCloud Air Data Center
In the figure the application, operating-system and virtual-machine layers are repeated once per tenant workload. The Responsibility Stack illustrates the limits of control and the areas of individual responsibility for VMware and for tenants of vCloud Air. The blue areas of the original figure are the responsibilities of VMware, while the grey areas are the responsibility of the consumer.

Managing Security Threats

The following section describes the various security threats currently addressed by VMware within the vCloud Air platform.

Virtualization/Hypervisor Layer Security

VMware vCloud Air leverages VMware vSphere virtualization and the VMkernel. The VMkernel is fully dedicated to supporting virtual machines and leverages memory hardening, digital signing for integrity and authenticity, and the Intel Trusted Platform Module/Trusted Execution Technology (TPM/TXT) to provide remote attestation of the hypervisor image based on a hardware root of trust. The vSphere platform is regularly reviewed for Common Criteria certification, and the latest certifications are available here: http://www.vmware.com/security/certifications

Details on protecting your VM workloads can be found here: http://pubs.vmware.com/vsphere-55/topic/com.vmware.icbase/pdf/vsphere-esxi-vcenter-server-55-security-guide.pdf

Data Security

From a storage perspective, all storage is logically isolated between tenants using VMware vCloud Director and storage profiles. Block storage is carved up and assigned to each tenant, and each tenant can only access its own storage block. VMware supports in-guest encryption, where customers encrypt their data within the virtual machine to ensure privacy and compliance.

Data In-Flight Encryption: VMware vCloud Air requires customers to set up an encrypted SSL VPN, IPsec VPN, or Direct Connect to ensure that data in flight between the customer site and the vCloud Air site is encrypted.

Data at Rest Encryption: VMware vCloud Air strongly recommends the use of in-guest encryption tools to protect customer data at rest within our service. We have partnered with CloudLink, which can help encrypt your data using your existing key management solution. Details of the solution can be found here: https://solutionexchange.vmware.com/store/products/94790

Network Security

The vCloud Air Virtual Private Cloud (VPC) offering is a logically isolated set of resources with its own internal network and a virtual network Edge Gateway where customers can set up their own firewall and NAT rules. Network segmentation is achieved through Virtual Extensible LANs (VXLANs), allowing a large range of isolated networks for customers. Customers can connect to their virtual machines over IPsec VPN tunnels.

The vCloud Air Dedicated Cloud offering provides physically isolated compute resources, reserved apart from all other vCloud Air tenants, paired with one or more virtual network Edge Gateways where customers can set up their own firewall and NAT rules. Network segmentation is again achieved through VXLANs, allowing a large range of isolated networks for customers, and customers can connect to their VMs over IPsec VPN tunnels.

Physical Security

VMware uses well-established data center providers to host its workloads. These providers have been examined and reviewed by an independent third-party auditor to meet the physical security requirements for ISO/IEC 27001 certification, SOC 1 Type 2/SSAE 16/ISAE 3402, and SOC 2 Type 2. Full AT101 reports outlining these specifications are available upon request.

Compliance Certifications

vCloud Air has completed ISO 27001 certification and examinations against SSAE 16 SOC 2 Type 2 and HIPAA by an independent third-party auditor. The Service is in the process of certifying against the SSAE 16 SOC 3 and PCI DSS 2.0 standards. VMware is also setting up a separate community cloud under the vCloud Government Service name that is in the process of being certified against FedRAMP criteria by the Joint Authorization Board (JAB) to achieve a provisional authority to operate.

Patch Management

VMware targets deployment of applicable patches within 30 days; security-related patches with a critical or high rating are addressed on a case-by-case basis depending on the scope and the affected component.

Security Incident Response Process

VMware will provide security incident response (e.g., detection, severity/threat classification, forensics, and resolution) for the management infrastructure over which VMware has direct administrative and/or physical access and control, such as the vCloud Air servers, storage, applications, and network devices. These processes are internal to VMware service operations and are used to ensure a high quality standard for VMware customers.

Data Breach Monitoring and Notification

If VMware determines that there has been unauthorized access to, or use or disclosure of, customer content, VMware will use commercially reasonable efforts to notify customers, taking into account any applicable law, regulation, or governmental request.

Intrusion Detection Process

VMware monitors for security events involving the underlying infrastructure (servers, storage, networks, and information systems) used in the delivery of vCloud Air for which VMware has sole administrative-level control. The goal of this process is to identify security incidents and respond to them proactively. This responsibility stops at any point where customers have control, permission, or access to modify any aspect of the service offering. The customer is responsible for the security of the networks over which they have administrative-level control. This includes, but is not limited to, maintaining effective firewall rules, exposing only the communication ports necessary to conduct business, locking down promiscuous access, and other such capabilities.
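As an added example (not code from the VMware paper, and not the vCloud Air rule format or API), the check below reviews a tenant's Edge Gateway style firewall rules against the guidance above: expose only the ports the business needs, keep administrative access behind the VPN, and end with an explicit default deny. The Rule shape, the port allowlists and the sample rule set are constructed assumptions; a real rule export would have to be mapped onto this shape first.

```python
"""Least-privilege review of a tenant Edge Gateway firewall rule set.

Constructed example; not VMware code and not the vCloud Air rule format.
"""
from dataclasses import dataclass

# Ports the business has explicitly justified exposing to the Internet
# (hypothetical allowlist; a real one comes from the tenant's change records).
JUSTIFIED_PUBLIC_PORTS = {443}
# Administrative protocols that should only be reachable over the IPsec VPN.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # "any", "external", "vpn", or a CIDR
    destination: str  # "any" or a CIDR inside the tenant's internal network
    protocol: str     # "any", "tcp", "udp", or "icmp"
    port: str         # "any" or a single port number
    action: str       # "allow" or "deny"


def review_rules(rules):
    """Return (rule name, finding) pairs for allow rules that expose more
    than the 'only necessary ports' guidance permits."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # Traffic from the Internet: "any" and "external" both mean untrusted.
        if r.source not in ("any", "external"):
            continue
        if r.port == "any":
            scope = "everything" if r.destination == "any" else r.destination
            findings.append((r.name, f"all ports open from the Internet to {scope}"))
        elif int(r.port) in MANAGEMENT_PORTS:
            findings.append((r.name, f"management port {r.port} reachable from the Internet"))
        elif int(r.port) not in JUSTIFIED_PUBLIC_PORTS:
            findings.append((r.name, f"port {r.port} exposed without business justification"))
    # Unmatched traffic must hit an explicit deny, not fall through to an implicit allow.
    if not rules or rules[-1].action != "deny":
        findings.append(("<policy>", "no final default-deny rule"))
    return findings


# Constructed sample rule set for one tenant Edge Gateway (not a real export).
SAMPLE_RULES = [
    Rule("web-in", "external", "10.10.1.0/24", "tcp", "443", "allow"),
    Rule("rdp-in", "any", "10.10.1.0/24", "tcp", "3389", "allow"),
    Rule("ftp-in", "external", "10.10.1.0/24", "tcp", "21", "allow"),
    Rule("vpn-admin", "vpn", "10.10.1.0/24", "tcp", "22", "allow"),
    Rule("legacy", "any", "any", "any", "any", "allow"),
    Rule("default", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against the sample set, the review flags the RDP rule, the unjustified FTP port and the any/any legacy rule, while the HTTPS rule and the VPN-only SSH rule pass.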

Proactive Security Monitoring over Internet and Social Media (e.g., searching file-sharing sites for customer data, seeding data with honey tokens)

VMware security teams perform OSINT monitoring on the Internet for all VMware products and services. This includes harvesting data from search engines, file-sharing sites, and social networking sites. The data is analyzed for keywords and other specific indicators. With regard to potential data leaks, the customer is solely responsible for protecting the security of its content, including any access provided to employees, customers, or third parties. vCloud Air provides certain software and functionality to help protect content from unauthorized access, such as firewalls, load balancers, and IPsec VPNs. Customers are encouraged to deploy additional security mechanisms similar to those in their current data center to address other security controls, such as data encryption, intrusion detection, file integrity monitoring, and other concerns relevant to the sector and regulatory requirements that apply to the customer's specific business.

Security Organization and Operations

VMware maintains multiple security teams responsible for different aspects of delivering both products and services, as well as for protecting VMware corporate networks.

VMware has a dedicated Security Product Line Manager responsible for ensuring adequate security controls and features within the VMware Service offering.

VMware has a product security team responsible for evaluating VMware software and products for vulnerabilities. They work closely with R&D and engineering teams to ensure secure coding practices, and they publish security-related advisories.

VMware has an Information Security team responsible for securing VMware cloud services, setting security standards and policy, and deploying and implementing new security technologies.

VMware has a dedicated 24/7/365 Security Operations team responsible for monitoring VMware cloud services. They perform incident response, forensic investigations, and OSINT monitoring, and they ensure adherence to internal policies and standards.

VMware security teams hold multiple certifications from ISC2 and GIAC, as well as others relevant to their particular areas of expertise and focus. Several VMware security team members also hold security clearances with the Department of Defense and are members of other organizations such as the FBI InfraGard program and the HTCIA. All VMware employees participate in continuing education, training, and certification.

VMware performs background checks on all new hires. This includes verifying SSN, deemed export control/DPL status, education, and employment, as well as criminal history.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW6436-TWP-vCLD-AIR-SECURITY-USLET-102 08/14