Cloud Compliance and Security
VMware is committed to delivering a cloud service that adopts industry best practices in order to meet a comprehensive set of international and industry-specific security and compliance standards. VMware adheres to rigorous security standards and is expanding coverage of industry-specific security and compliance measures. VMware makes independent third-party examination and audit reports available to customers, which can satisfy a wide range of customer-specific compliance requirements. For more details on any of the reports and certifications listed, please contact your VMware representative.
To learn more about vCloud Air Security, please read the solution brief.

Privacy

Strict laws and regulations apply to the collection, handling and protection of individuals' data. VMware protects customer data to the standards required by applicable data protection laws worldwide.

Cloud Compliance and Security Certifications

ISO/IEC 27001 (Global)

ISO/IEC 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). VMware continues to maintain a current ISO/IEC 27001 certification for vCloud Air and has recently been issued an updated certificate against ISO/IEC 27001:2013. Achieving certification means that VMware has implemented a holistic security program that conforms with the ISO 27001 standard requirements, both in the security management system and in the control activities. The audit of the ISMS was completed by Schellman, formerly BrightLine, a certification body accredited by the ANSI-ASQ National Accreditation Board (ANAB). View the certificate verification and contact your VMware sales representative for a copy of the ISO 27001 certificate, the AT101 report, and the Statement of Applicability.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which incorporated requirements from the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, established national standards for the security and privacy of Protected Health Information (PHI) in the United States. To help customers comply with HIPAA, VMware offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers. The BAA was designed in conjunction with a leading law firm with expertise in HIPAA and provides fair and reasonable terms for healthcare providers, insurers and other organizations. VMware has completed an independent third-party examination of vCloud Air against applicable controls of HIPAA. Current or potential customers interested in the vCloud Air HIPAA examination or BAA may contact their VMware representative.

SOC 1 (SSAE16/ISAE 3402)

Service Organization Control (SOC) 1 reports are issued in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). A SOC 1 report covers the controls at a service organization such as VMware vCloud Air that are likely to be relevant to its customers' internal control over financial reporting, and it aligns with the International Standard on Assurance Engagements (ISAE) 3402. SOC 1 examinations are specifically intended to meet the needs of vCloud Air customers and their auditors, who use them to evaluate the effect of the controls at vCloud Air on the customers' financial statement assertions. VMware has completed an independent third-party SOC 1 Type 2 examination of vCloud Air that spans a twelve (12) month review period; a Type 2 report covers both the design and the operating effectiveness of the controls over that period, whereas a Type 1 report covers only their design at a point in time. To review our SOC 1 controls in more detail, please review the vCloud Air SOC 1 Matrix. To obtain a copy of the SOC 1 Type 2 Independent Service Auditor's report, interested customers may contact their VMware representative.

SOC 2

The Service Organization Control 2 (SOC 2) report, also set forth by the American Institute of Certified Public Accountants (AICPA), reports against the Trust Services Principles and Criteria for security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are restricted-use reports intended for stakeholders (e.g. customers, regulators, business partners, suppliers, directors) of the service organization who have a thorough understanding of the service organization and its internal controls, because they contain the detailed control descriptions and the auditor's test results. VMware has completed an independent third-party SOC 2 Type 2 examination of vCloud Air that also spans a twelve (12) month review period. To review a copy of the SOC 2 Type 2 Independent Service Auditor's report, customers may contact their VMware representative.

SOC 3

Trust Services Report for Service Organizations (SOC 3) reports are designed to meet the needs of customers who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy, but who do not need the detailed control descriptions and test results found in a SOC 2 report; a SOC 3 report is therefore a general-use report. VMware has completed an independent third-party SOC 3 examination of vCloud Air covering these trust services principles, and the vCloud Air SOC 3 report is publicly available for customer review.

Cloud Security Alliance

VMware vCloud Air has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The CAIQ provides an industry-accepted way to document which security controls exist in IaaS, PaaS and SaaS offerings. Visit the CSA STAR Registry to view VMware's responses to more than 250 questions related to cloud security, trust principles, and assurance controls. You can also download it here.

N3

N3SP is leading the way on convergence, VoIP and customized service solutions, which enable the NHS to make the most of a single NHS network and maximize cost savings, reflecting a move away from tactical opportunities to strategic services. VMware is an approved and compliant Commercial Third Party (National Code: 8JF88). As part of the process to provide an N3-connected vCloud Air service, VMware completed a Healthcare Information Governance Connectivity Assurance Process (HIGCAP) application for connection to the N3 network. Additionally, VMware has signed an Information Governance Assurance Statement and will comply with the N3 Acceptable Use Policy.

Please see the VMware blog here.

UK G-Cloud 8

VMware vCloud Air is part of the UK G-Cloud 8 framework. Being accepted onto the G-Cloud framework means that the service can be procured by UK government and public sector organizations without a separate tender; it does not by itself constitute a security accreditation, so buyers should still review the supplier's assurance evidence (such as the certifications and reports listed above) for their own risk assessment. vCloud Air can be found on the Digital Marketplace, which is a publicly accessible, searchable database of services offered under G-Cloud. For a particular vCloud Air service, please see the resources below.

Your Privacy Matters

How VMware Protects Your Data

vCloud Air provides "black box" services. While VMware provides the physical infrastructure, including servers, storage devices, and networking equipment, to host workloads and content, the customer remains in control of its data. VMware has no visibility of, or access to, customer content except by the customer's permission or by legal obligation.

This means that you keep control over your content at all times, and can rest assured that the VMware infrastructure on which your applications run is protected by best-in-class security measures. For added protection, you can encrypt content with keys that you hold, before you upload it onto our infrastructure, making it unreadable to anyone but you. (Hashing content is one-way and is appropriate only for values you never need to read back, such as identifiers or password verifiers; for workloads and data you need to use, encryption is the applicable control.)

International Data Transfers of Customer Information

VMware customers in the European Economic Area (EEA) and Switzerland are subject to strict rules governing international data transfer which mandate that personal data sent outside of the EEA and Switzerland will remain adequately protected to the standards required by European and Swiss laws.

Historically, VMware provided customers with the assurance that their data would continue to be protected through our participation in the US-EU and US-Swiss Safe Harbor frameworks. While VMware continues to certify and comply with these regimes, the Court of Justice of the European Union has ruled that the US-EU Safe Harbor framework no longer provides a valid legal basis for such transfers.

VMware is taking the Court of Justice of the European Union's decision to invalidate the US-EU Safe Harbor program very seriously. Your personal data is still protected in accordance with EU data privacy laws and regulations. VMware anticipated this development and has prepared alternative arrangements.

Protecting Health Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 are US laws applicable to healthcare entities with access to patient information. VMware has completed an independent third-party examination of vCloud Air against applicable controls of HIPAA/HITECH. To help vCloud Air customers comply with HIPAA and HITECH, VMware offers a Business Associate Agreement (BAA) to interested customers using our US-based data centers. Customers interested in our HIPAA examination or BAA should contact their VMware representative for details.

Cooperating with Law Enforcement

VMware's policy on responding to law enforcement and government data requests is clear: VMware does not disclose any customer content stored on VMware infrastructure without the customer's consent, except where we are under a compelling legal obligation (e.g. a court order) to do so.

Keep in mind that VMware operates on a "black box" basis, as described in "How VMware Protects Your Data". VMware personnel have no knowledge of the content that customers store on vCloud Air infrastructure, and VMware directs such requests to the customer to respond. Further, where customers encrypt content with their own keys before placing it on our infrastructure, VMware holds only ciphertext and has no means to identify or disclose the underlying content.
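The control that both "How VMware Protects Your Data" and "Cooperating with Law Enforcement" rely on is that the customer encrypts before upload and keeps the key, so the provider stores only ciphertext. The following is an added example in Go and is not code from the original page or from VMware. It assumes the customer generates a 256-bit AES key in its own key management system and never sends it to the provider; the sample record and object name are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewCustomerKey returns a random 256-bit key. In a real deployment the key
// would be generated and held in the customer's own KMS or HSM and never be
// sent to the provider (assumption for this example).
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under the customer key and binds it
// to aad (here the object name, so a blob cannot be silently swapped between
// objects). The returned blob, nonce || ciphertext || tag, is all the provider
// ever stores.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. With the wrong key, a modified blob or the wrong aad it
// returns an error and no plaintext, because GCM verifies the tag before
// releasing any output.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ProviderSeesPlaintext models what the provider, or anyone it is compelled to
// hand the stored blob to, can learn from the blob alone: searching the stored
// bytes for the record does not find it.
func ProviderSeesPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and object name; not real data.
	record := []byte("patient-id=12345; diagnosis=redacted-for-example")
	objectName := []byte("records/2016/q1.json")

	blob, err := Seal(key, record, objectName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes, plaintext visible: %v\n",
		len(blob), ProviderSeesPlaintext(blob, record))

	// The customer, holding the key, reads the record back.
	got, err := Open(key, blob, objectName)
	fmt.Printf("customer decrypts: %q (err=%v)\n", got, err)

	// Without the key (which the provider never has) nothing is recoverable.
	otherKey, _ := NewCustomerKey()
	_, err = Open(otherKey, blob, objectName)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

The design point is that the key never leaves the customer's control: a request served on the provider yields the stored blob, which reveals nothing about the record, and any attempt to decrypt with a guessed key or to alter the blob fails authentication rather than producing partial plaintext.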