FREQUENTLY ASKED QUESTIONS

VMware vCloud Air Basic Security Questions

Q. What industry regulations and security certifications has VMware vCloud® Air™ been audited against? How frequently?

A. At this time, VMware vCloud Air has achieved ISO/IEC 27001:2005 Certification of its Information Security Management System (https://www.brightline.com/certificate-directory/Y8eJUUXMjLA3/) and has completed SOC II Type 1, SSAE 16 SOC 1 Type II and SOC 2 Type II examinations. VMware has also completed an examination of vCloud Air against applicable controls of HIPAA/HITECH and offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers. These ISO, SOC and HIPAA/HITECH examinations were completed by Brightline CPAs and Associates – an ANAB accredited certification body. vCloud Air is also Safe Harbor certified to meet European Data Privacy compliance regulations.

Q. What sort of Network Perimeter protection is employed?

A. The vCloud Air architecture is built to protect network entry points for its tenants. VMware leverages highly-available edge gateways and segmented network components that are dedicated to and configured by each tenant to protect the perimeter of their environment. VMware also protects the control and management plane from attack by employing firewalls that can be configured with customer-specific policies, intrusion detection, network segmentation, as well as threat mitigation and zero-day anomaly detection and mitigation for all VMware-managed infrastructure components.

Each subscriber is ultimately responsible for the security of the networks over which they have administrative-level control. This includes, but is not limited to, maintaining effective firewall rules, exposing only the communication ports that are necessary to conduct business, locking down promiscuous access, securing VPN access, etc.

Q. What physical security is employed at the Data Centers housing this service?

A. The vCloud Air Data Centers are housed in world-class facilities, employ multiple levels of physical security, and include measures such as:

• Man Traps / Air Lock
• Badged Access
• Securely locked cages
• Biometric Access
• Securely Isolated Storage Area
• 24/7 security personnel on-duty

Q. Does VMware patch the Public Template Catalog?

A. VMware provides ready-to-use Operating Systems and packaged applications within vCloud Air via the ‘Public Template Catalog’. This public catalog is updated on a regular basis with the most recent roll-up update. VMware may also choose to roll out critical, emergency patches to catalog objects.

Q. How is VMware handling Patch Management for the Service?

A. VMware will maintain the systems it uses to deliver vCloud Air, including the application of patches for both Management layer applications as well as Public Catalog Images/Templates. VMware will perform routine vulnerability scans to surface critical risk areas for the systems it uses to deliver the service offering and will patch as required. Due to the architecture of the service, VMware may transparently patch underlying infrastructure in a way that is unnoticed by subscribers or end users.

Regarding Operating Systems and workloads that are assigned to customers and deployed in vCloud Air, VMware will patch and update the Operating Systems and Applications provided in the Public Template Catalog. Only Public Catalog Templates will be patched and updated by VMware; customer-deployed workloads require additional patch management by the customer.

Q. Can we use our own security software or other tools to monitor our environment?

A. Yes. While subscribers do not have the ability to monitor the management stack directly, users are able to deploy networking appliances, such as those found in the VMware Solution Exchange, and agent-based security and monitoring tools to ensure service stability and integrity. vCloud Network and Security Edge Gateways provide Load Balancing, VPN, Firewall and NAT services, but subscribers may choose to augment this technology with third-party network and security solutions. Third-party networking or security utilities deployed within vCloud Air must be validated by customers to ensure that they meet their security objectives. Also, while virtual appliances housed within the VMware Solution Exchange are considered supported, they are not maintained by VMware. vCloud Air operates co-location facilities that provide customers the flexibility to acquire co-location space in the same physical data center and deploy their preferred security tools, and thus maintain the exact same set of controls, security tools and posture as exists in their private data center.

FAQ / 1 VMware vCloud Air

Q. Can we use VPN tunnels to connect to this service?

A. Yes. The service supports creating IPSec VPN tunnels through the VMware vCloud Director® UI using the Edge Gateway services. There are several options for self-service deployment of VPN tunnels between: networks within the same Organization Virtual Data Center; networks in different Organization Virtual Data Centers (Dedicated Cloud only); as well as networks in your local Data Center using either software or hardware VPN solutions. The ability to establish IPSec VPNs is a self-service feature, but our vCloud Air Operations team is standing by to offer assistance when required.

Users may also elect to use VMware vCloud® Connector™ to automatically create Layer 2 SSL-VPN tunnels on a per-Virtual Machine or per-vApp basis using the Stretch Deploy feature.

Q. What kind of Data Center Geo-Redundancy is in place?

A. vCloud Air Data Centers are located in , Virginia, , , , UK & Japan. New data centers will be added as part of a phased-rollout program across the globe continuing through 2014 and 2015. At this time users may choose to subscribe to the service and reserve capacity at multiple data centers. With multiple service instances across data center locations, the ‘Content Sync’ feature of vCloud Connector can be used to keep custom template libraries synchronized across clouds, including vCloud Air clouds and your private VMware vSphere® Data Centers.

Q. Are subscribers allowed physical access to the Data Center where vCloud Air is housed?

A. Our Data Center is managed by a highly focused team of experts, and adheres to strict security practices. In order to protect the security and privacy of our customers, we do not allow our customers physical access to our data centers. VMware only permits 3rd parties to access the data center for the purposes of auditing compliance certification. This ensures safe and compliant operation of our data centers and protects our customers and their data.

Q. How does VMware guarantee the availability and redundancy in the vCloud Air environment?

A. vCloud Air is delivered using infrastructure that is architected for High Availability, leveraging vSphere vMotion™, vSphere DRS and vSphere HA to migrate live workloads and/or automatically restart virtual machines in the event of unexpected failure. Using Highly Available, Active-Passive Edge Gateways provided by VMware vCloud® Network and Security™ ensures that networks are available to deliver the most demanding traffic loads.

Q. How does VMware help customers achieve reliable Business Continuity and Disaster Recovery?

A. For customers, vCloud Air offers two Business Continuity solutions: Disaster Recovery and Data Protection.

VMware offers a packaged, end-to-end Disaster Recovery as a Service offering with vCloud Air. With this service, customers are able to use vCloud Air as a Disaster Recovery site to protect their existing on-premises clouds. Disaster Recovery is a warm standby replication solution that is cost effective and easy to set up.

Also, vCloud Air offers an add-on option called Data Protection. Data Protection performs periodic backups of a customer’s specified workloads on an opt-in, per-workload basis. Those workloads can be easily restored at any point in time.

Additionally, the core infrastructure components for the service have built-in redundancy, transparently leveraging VMware’s vMotion and “High Availability” features, ensuring Business Continuity of all workloads within the vCloud Air tenant environment.

Customers are able and welcome to configure their vCloud Air as a secondary data center and leverage their existing tools to aid in their disaster recovery strategy.

Q. What sort of Uptime does the Service guarantee?

A. Our Service Level Agreement can be reviewed here: http://www.vmware.com/support/product-support/vcloud-hybrid-service/sla.html

Q. What sort of Encryption is available?

A. Established site-to-site VPN tunnels via built-in vCloud Network and Security Edge Gateways encrypt network traffic between the private data center and vCloud Air.

Traffic which traverses the management infrastructure is entirely encrypted.

Q. What can customers expect from a Security Incident Response process?

A. In keeping with the spirit of the NIST 800-62 guidelines, VMware will provide security incident response consisting of, but not limited to, detection, severity/threat classification, systems and network forensics, recommendations and lessons learned pertaining to management infrastructure over which VMware has direct, administrative, and/or physical access and control, such as vCloud Air servers, storage, applications, and network devices, on a case-by-case basis.

If VMware determines that there has been unauthorized access to, use or disclosure of ‘your content’, or another incident, VMware will use commercially reasonable efforts to notify all relevant parties, taking into account any applicable law, regulation, or governmental request.


Q. Who will have access to subscriber/customer data?

A. Customers are solely responsible for their own ‘Content’. Customer access is restricted to that content and data. Customers do not have the ability to view content from any other customer using the service, and the service is architected from the ground up with this principle in mind. VMware accesses and uses this ‘Content’ only as necessary to provide the Service Offering (which we may do with the assistance of affiliates, service providers and contractors), perform or enforce contractual obligations, or comply with applicable law.

Q. Have your developers been trained in secure coding practices?

A. VMware engineers are required to participate in security-related training from industry-trusted consulting firms in areas such as code review, penetration testing, threat modeling, static analysis and vulnerability detection.

Q. How is one customer’s data segregated from another’s?

A. vCloud Air has three ‘core’ offerings with different degrees of isolation and data segregation:

• Dedicated Cloud: Provides physically isolated and reserved compute resources, separate from all other vCloud Air tenants. Dedicated Cloud also includes a dedicated vCloud and vSphere management stack.

• Virtual Private Cloud: The multi-tenant “Virtual Private Cloud” environment isolates user data by leveraging the vSphere hypervisor and vCloud Resource Pools. A guaranteed amount of resources is allocated per Virtual Data Center (VDC), and VMware closely monitors overall cloud performance to optimize the shared resource pool.

• Disaster Recovery: The multi-tenant “Disaster Recovery” environment, like Virtual Private Cloud, isolates user data by leveraging the vSphere hypervisor and vCloud Resource Pools. A guaranteed amount of resources is allocated per Virtual Data Center (VDC), and VMware closely monitors overall cloud performance to optimize the shared resource pool.

All core service offerings have logically isolated networking and storage that ensures secure tenant separation via vCloud resource pooling and VLANs. Customers have complete control over the file systems and databases they deploy within the service.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www..com Copyright © 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW5166-FAQ-vCLD-AIR-BSQ-USLET-104 07/14