Distributed by Public, unedited and unaltered, on 16 June 2022 16:52:05 UTC. PDF VMware Service Level Agreements Guide Focused, 24-hour support for production environments. 1. Production environment access is secured through a combination of VPN, IP address allow listing or jump servers using Multi-factor Authentication (MFA) and directory credentials. Workspace ONE Cloud Services Security | VMware The following diagram applies to the Workspace ONE Assist architecture only. Refer to the VMware Cloud Services Guide for our obligations regarding data retention and deletion at termination. VMware RemoteHelp offers two service consoles for service administration: Workspace ONE is a multi-tenant cloud service. Personnel with access to cloud production environments receive additional training as they assume job roles and responsibilities. The key used to encrypt the master key and database snapshots is an AWS KMS key generated and stored by KMS. All containerized services in the Workspace ONE Intelligence application are running in multiple Availability Zones to help minimize downtime and automate scaling. 
A self-signed certificate is automatically created in the Workspace ONE Access service for SAML signing. Administrator Console provides carrier admins and MSP IT admins a way to configure the system for various roles, rules, and policies. Managers, developers, and quality engineers can make use of these courses early in the lifecycle of their product. These tokens cannot be removed from the device and used elsewhere. Customize your Workspace ONE and Horizon adoption communications using our templates as a starting point. VMware enters into an agreement with each sub-processor that obligates the sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in the VMware Cloud Services Exhibit, and at a minimum, at the level of data protection required by applicable Data Protection Laws. The capabilities are embedded in the Workspace ONE Intelligent Hub application on iOS.
Key elements of this policy include controls around: physical security perimeters, physical entry controls, physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of facilities, protecting against external and environmental threats, working in secure areas, access to restricted areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of equipment, unattended user equipment and clear desk and clear screen. VMware communicates feature releases and service announcements through VMware Docs, VMware Blogs, My Workspace ONE, and by email. Awareness training topics include, but are not limited to: Environmental control implementation and operation procedures, Assessing the vulnerability of critical assets to specific threats, Determining the risk (such as the expected likelihood and consequences of specific types of attacks on specific assets), Prioritizing risk reduction measures based on a strategy, Disabling unnecessary ports, services, protocols, and physical connections, Reviewing server builds for gaps prior to image configuration, Standard software packages installed on servers and network components, Current version numbers and patch information on operating systems and applications, Logical placement of all components within the system architecture, Workspace ONE Access, and Workspace ONE Intelligence Linux-based servers use Amazon Linux. VMware does not ship products to any entity or individual, whether in the U.S. or abroad, specified on these lists. Engage with VMware through a new and innovative digital experience with VMware Customer Connect. Global Services Support and Professional services have a comprehensive Business continuity plan in place. 
Customers can access application-level logs within Workspace ONE UEM and Workspace ONE Access that record administrator and end user device events. Data is aggregated from multiple sources to provide actionable security insights across devices and users. The policy focuses on data classification sources, status, risks, and categories associated with the normal data lifecycle. Our CISO is ultimately responsible for our Information Security program. The keys are randomly generated at the time of tenant creation. Additionally, the software performs on-demand virus scans of any attachments or content introduced into the workstation. As of the publishing of this whitepaper, the Workspace ONE UEM Control Plane architecture is available in our Shared SaaS environments. VMware Customer Connect simplifies management of free trials, product license keys, downloads, support and Learning. Secrets are used for encrypted communication between the Control Plane services. Customer must pay or reimburse VMware for all Taxes. Additionally, Workspace ONE Intelligence infrastructure deployment is automated and can be quickly orchestrated as required. All Workspace ONE customer production data is replicated to disaster recovery locations in region. VMware Global Support Services (GSS) may require access to customer consoles to resolve certain support tickets. The cloud-hosted Workspace ONE UEM console has a session timeout maximum of 60 minutes for customer administrators based on the load balancer persistence settings. While our offices are open at present, we are following international best practice guidelines and have seamlessly transitioned our global teams to a work from anywhere policy that allows them to work from their homes, utilizing our own industry-leading technology, and best-in-class collaboration tools. Rescans are used to verify remediation of high-risk vulnerabilities. Our public Pretty Good Privacy (PGP) key is found at kb.vmware.com/kb/1055. 
Each service within the Workspace ONE platform leverages encryption to help protect data both in transit and at rest. Log in to Customer Connect. Select Products and Accounts > Accounts > Users & Permissions from the navigation bar at the top. Workspace ONE Access and Hub Services collect data such as authentication, user data, and logging data. Regardless of where a request comes from or who the customer is, VMware is vigilant about protecting Customer Content. We have many more paths than are shown here. You can review confirmation that this review has now been completed here. Backups include daily full backup (24 hours), differential (15 minutes) and transaction log backups (ranging from 5 to 60 minutes). Data center partner hosting facilities physical addresses are confidential and on-site visits are prohibited. Recipients or importers of customer's Personal Data include the entities in the VMware Group and select third-party vendors we engage who process Personal Data on our behalf to provide our services (Sub-Processors). A process is in place for services to re-image production servers with the latest baseline configurations on a monthly basis. Testing is conducted by the QE department to ensure compatibility with the production environment. Technician Console provides access for the technician to view and control the remote device with shortcuts and device diagnostic data. The intent is to provide readers with an understanding of how Workspace ONE cloud services approach security, the key mechanisms, and processes that VMware uses to manage information security, as well as describing shared responsibilities for providing security in a modern cloud computing environment. Services in the state tier are deployed with failover in multiple Availability Zones. Refer to Supported Data Categories by Integration for a complete list of data collection points on VMware Docs.
For more information about Workspace ONE Cloud Services, you can explore the following resources: The following updates were made to this guide: The following individuals also contributed to the creation of this guide: To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com. VMware support desires a demarcation point to effectuate changes on the distributed switch without affecting other infrastructure switching and connectivity. Workspace ONE Access customer application logs (Event Logs) are stored for 90 days. A variety of types of encryption at-rest are available. Give developers the flexibility to use any app framework and tooling for a secure, consistent and fast path to production on any cloud. Ingress and egress points are secured with devices that require individuals to provide multi-factor authentication before granting entry or exit through a minimum combination of badge access, biometrics, and mantraps. Our Communities feature the top Digital Workspace Experts across the world and 3rd-party content. VMware is listed as a company for which the EU BCR cooperation procedure is closed. On-premises Workspace ONE UEM customers must install an ETL server to connect their on-premises Workspace ONE UEM deployment to the Workspace ONE Intelligence cloud environment. Data controls and protections are implemented according to their classification. VMware will reasonably cooperate with customers to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data to the extent that customer is unable to access the relevant personal data in their use of the service. Managing identity and access includes access of both customers and VMware to production environments, as well as VMware access to customer networks. Download Now Compare Support Packages Compare package tiers for our primary support services: On-premises, desktop and cloud. 
Remediation of penetration test findings is verified by third-party auditors during annual compliance assessments. Shared environments use shared Control Plane services such as Consul, Nomad, and Vault for security service communication, orchestration and scheduling, secrets management, and enforcing access control lists. Customers can only access data from their tenant. Customer certificates uploaded via the Workspace ONE UEM console are encrypted before upload and are password protected in the PKCS12 format. If the customer requests, we will, at the customers expense, take reasonable steps to contest any required disclosure. Workspace ONE Assist includes the following session protections: Workspace ONE cloud services leverage robust perimeter defenses, including, access control mechanisms, perimeter firewalls, malware controls, auditing mechanisms, network controls, disablement of unnecessary services, and maintaining defined configuration settings. Empower Frontline Workers Solution Architecture. Data Center Operations teams maintain an inventory of all production assets, including but not limited to, software license information, software version numbers, component owners, machine names and network addresses. The LMS records successful completion and reports are reviewed during ISMS review meetings. 
Mechanisms are in place for services to re-image production servers with the latest baseline configuration monthly through Amazon Linux 2 and Docker images using infrastructure as code. Additionally, these policies and procedures include defined roles and responsibilities supported by regular workforce training. For a complete list, see the Workspace ONE Privacy Disclosure. Each finding is evaluated for probability and impact and is remediated accordingly. In the column titled Users , click the 3 dots and select Add User to Contract. Production level support for all Cloud-based products with 24x7 coverage for all Severity 1 issues, Weekday global support Monday through Friday for SaaS deployments with 24x7 access to support for Severity 1 issues. Security scanner agents are deployed on all internal servers; scanner reports are actively monitored. Customer-owned information is classified as Protected which is one of the most stringent data classifications at VMware.
If the Customer requests VMware to modify or remove the data, we will respond to the Customers request in accordance with our agreement with the applicable Customer or as may otherwise be required by applicable law. VMwares programs and practices focus on: Our SDLC is based on industry-recognized best practices and standards, including PCI-DSS common coding vulnerabilities, OWASP, Open-Source Security Testing Methodology Manual (OSSTMM), SANS/CWE, and SCRUM methodologies. If VMware receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data within Workspace ONE services, including requests from individuals seeking to exercise their rights under Data Protection Law, VMware will promptly redirect the request to the customer. For S/MIME certificates uploaded via the Self-Service Portal (SSP), the certificates are automatically purged after 48 hours, and the customer can configure that retention period down to as low as 60 Minutes via the SSP. For more information, refer to the Microservices Appendix. Complete this registration form to access VMware Customer Connect. The infrastructure is designed to ensure that customers will typically not notice a disruption during a component or system failure inside a primary site. AWS CloudFront Content Delivery Network (CDN) is used for delivery of some of the VMware Workspace ONE Access service content (static JavaScript, CSS, and images) for the admin console and end-user experience (login screen, Catalog, and so on) on HTTPS 443. Require Terms of Use (TOU) acceptance prior to end users accessing the service during enrollment. VMware Compliance with the 14 NCSC Cloud Security Principles Backups are stored for 180 days. The core services cluster includes Kafka (for messaging), Postgres database, logging, and telemetry. Streamlined application and script development, 12 hours per day, 5 days per week. 
For additional information on VMware's Binding Corporate Rules and to access VMware's EEA BCRs Processor Policy, see VMware's Processor Binding Corporate Rules. Workspace ONE UEM is supported by defined enterprise resiliency programs which include business continuity and disaster recovery mechanisms. We do not feel these isolated pieces of information are of use to our customers in protecting their security objectives. Select Users & Permissions from the Quick Links options or Products and Accounts > Accounts > Users & Permissions from the top left of the home page. VMware deploys several mechanisms to detect intrusions and help protect against distributed denial of service (DDoS) attacks. Amazon S3 instances used for Workspace ONE Access and Workspace ONE Hub Services are encrypted. There is something for every experience level. Keys are stored separately on secure servers located on the internal VMware network and are accessible by a small subset of Operations personnel only. As part of VMware's SDLC, Workspace ONE applications are also assessed against the Open Web Application Security Project (OWASP) Top Ten to identify potential application code to identify and remediate potential errors that could lead to unauthorized access and DDoS. VMware System Security logs and events are centrally aggregated and monitored in real-time 7x24x365 by the VMware Security Operations Center (VMware SOC). Workspace ONE Intelligence consumes data from various sources as configured by customer administrators from Workspace ONE UEM, Workspace ONE Access, Workspace ONE Intelligence SDK, and the VMware Trust Network.
VMware also publishes BCR frequently asked questions (FAQs) for customer and partner review. Figure 2: VMware Security Development Cycle. Log in to Customer Connect 2. VMware will not disclose Customer Content unless required to do so to comply with a legally valid and binding obligation or order. The Cloud Services Exhibit to the General Terms applies to purchases of Cloud Services. The end-to-end security of the Workspace ONE cloud delivered service offerings is shared between VMware and our customers. Occasionally, it is necessary for VMware to perform maintenance that has the potential to impact the availability of customer environments outside of scheduled maintenance windows, and VMware reserves the right to do so. Inform the relevant government authority, to the extent possible, that VMware is a service provider acting on the customer's behalf and all requests for access to Customer Content should be directed in writing to the contact person the customer has identified to us. VMware cloud management re-evaluates the strategic business plan at least two times per year. Workspace ONE UEM server keys are stored in an enterprise grade key management tool. VMware employs a rigorous Vulnerability Management program as part of the VMware ISMS. Inventory specifications may include device type, model, serial number, and physical location. KB article: 2023 VMware Workspace ONE UEM Maintenance (81448), VMware's Global Customer Support Services teams are strategically. Workspace ONE Access and Workspace ONE Intelligence production systems are Linux-based and are hardened using Amazon Linux 2 secure images. Workspace ONE Access is supported by defined enterprise resiliency programs which include business continuity and disaster recovery mechanisms. employs a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies.
Figure 6: Workspace ONE Access Production Environment Architecture. For data processing locations, refer to the Workspace ONE UEM and Workspace ONE Access sub-processors lists available on the VMware ONE Contract Center. Sensitive customer data is encrypted with a per-tenant key and stored encrypted using a separate master key. These standing windows are scheduled annually and available on the My Workspace ONE support portal and in this publicly available KB article: 2023 VMware Workspace ONE UEM Maintenance (81448). All cloud service components are time synchronized with a common centralized time source per ISO 27001 and PCI-DSS requirements. XSRF-TOKEN cookie is used to prevent CSRF attacks. Vulnerability scans are performed at least monthly on internal and external systems. Here you can create an account, or login with your existing Customer Connect / Partner Connect / Customer Connect ID. VMware also works closely with Industry Organizations, Security Analysts and Researchers, and more, to stay current on the industry threat landscape and security best practices. VMware's Processor Binding Corporate Rules. Additional DR strategies include: Workspace ONE UEM has a multi-tiered architecture: Front-facing web and app servers are isolated in a restricted Demilitarized Zone (DMZ) behind L7 traffic management/SSL acceleration appliances that proxy all connections to the web and app layer. Refer to the VMware Product Security Whitepaper for additional information. Daily backups are stored for 30 days, and monthly backups are stored for 60 days. Let us help you learn how to use it. The Workspace ONE UEM Control Plane also uses HashiCorp Vault for secrets lifecycle management. We follow a defined Software Development Lifecycle (SDLC) which incorporates security into each phase (such as requirements, design, implementation, verification) of development. Antivirus software is automatically updated with logging enabled; files are scanned on access. 
VMware Cloud Operations is staffed 7x24x365 and the team deploys several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. The threats, vulnerabilities and the likelihood of occurrences identified by risk assessments relative to the overall business strategy and objectives. On-premises connectors and third-party Identity Providers do not require any access to AWS CloudFront CDN. You can access My Workspace ONE using your VMware Customer Connect. VMware leverages sub-processors to provide certain services on our behalf. Support may be provided from other offices as our support team continues to expand to meet customer requirements. Workspace ONE Assist and VMware RemoteHelp. Please join us as we continue to drive simplicity to the customer contracting experience!