Workspace ONE Cloud Services Security Whitepaper
CONFIDENTIAL
Table of Contents
Document Scoping ..... 5
    Shared Responsibilities ..... 5
    Compliance Reports ..... 5
    Data Center Locations ..... 5
Software Development Lifecycle ..... 5
    SDLC Best Practices ..... 6
    Security Engineering Processes ..... 7
    Open-Source Software ..... 8
VMware Information Security Program ..... 8
    VMware’s Information Security Management System ..... 9
Asset Management ..... 9
Data Classification and Handling ..... 10
Physical Security ..... 10
    Data Center Security ..... 10
    VMware Offices ..... 11
Human Resources and Personnel Security ..... 11
    Employee Background Screening ..... 11
    Confidentiality Agreements ..... 11
    Employee Training ..... 11
    Employee Termination ..... 12
Business Continuity ..... 12
Risk Management ..... 12
    Vendor Risk Management ..... 13
    Sub-processors ..... 13
Change Management ..... 13
Configuration Management ..... 13
    System Hardening ..... 14
    Time Synchronization ..... 14
Vulnerability and Patch Management ..... 14
    System Monitoring ..... 14
    Patch Management ..... 14
    Vulnerability Scanning ..... 14
    Penetration Testing ..... 15
        VMware and Third-Party Testing ..... 15
        Customer Penetration Testing ..... 16
Document Scoping
This document provides a general overview of the security controls implemented in VMware Workspace
ONE® commercial cloud offerings [1] and includes information on the following services:
• Workspace ONE Unified Endpoint Management (UEM)
• Workspace ONE Access & Hub Services
• Workspace ONE Intelligence
The intent is to give readers an understanding of how Workspace ONE cloud services approach security,
of the key mechanisms and processes that VMware uses to manage information security, and of the shared
responsibilities for providing security in a modern cloud computing environment.
This document assumes at least intermediate knowledge of Workspace ONE cloud services and focuses on
the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization
Management Program (FedRAMP), on-premises, and third-party offerings are not in-scope for this document.
Shared Responsibilities
The end-to-end security of the Workspace ONE cloud delivered service offerings is shared between VMware
and our customers. VMware provides security for the aspects of the Workspace ONE service offerings over
which we have sole physical, logical, and administrative-level control. Customers are responsible for the
aspects of the service offerings over which they have administrative-level access or control. The primary areas
of responsibility between VMware and customers are outlined in the VMware Cloud Services Guide available
for download from the VMware ONE Contract Center.
VMware leverages co-located data center facilities and IaaS providers to support the Workspace ONE service
offerings. These providers maintain physical and environmental security controls for the cloud-delivered
service. For more information, see Data Center Locations below.
Compliance Reports
Workspace ONE cloud services have achieved the Service Organization Control (SOC) 2 Type 2 and ISO
27001, ISO 27017, and ISO 27018 certifications. Additionally, Workspace ONE Access and Workspace ONE
Intelligence have achieved PCI-DSS certification. VMware can provide copies of the SOC 2 Type 2 report
under an NDA; please contact your VMware account representative to request these reports.
Refer to the VMware Cloud Trust Center to download the ISO certificate, PCI Attestation of Compliance
(AOC), and to see the latest list of industry certifications. Please note that, although some Workspace ONE
services are PCI-DSS certified, these services do not store, process, or transmit cardholder data.
[1] Information on the Workspace ONE Assist add-on cloud service is provided in a separate cloud security
whitepaper.
[2] U.S.-based deployments of over 250,000 devices are located in co-located data centers.
Software Development Lifecycle
VMware’s Security Development Lifecycle (SDL) program is designed to identify and mitigate security risk
during the development phase of VMware software products. The development of VMware’s SDL has been
heavily influenced by industry best practices and organizations such as SAFECode (the Software Assurance
Forum for Excellence in Code) and BSIMM (Building Security in Maturity Model).
The VMware Security Evangelism team works to actively cultivate relationships in the security community.
VMware has been an active participant in the broader software industry security community and became an
early BSIMM member in 2009; we have completed several BSIMM reviews of our SDL, and the findings are
incorporated into our SDL to drive continuous improvement. VMware is a member of SAFECode, an
organization driving security and integrity in software products and solutions. VMware also works closely with
industry organizations, security analysts, and researchers to stay current on the industry threat landscape and
security best practices. The VMware SDL is continuously assessed for its effectiveness at identifying risk, and
new techniques are added to SDL activities as they are developed and mature.
• Threat Modeling – This activity identifies security flaws and incorrect design assumptions present in the
architecture of a product.
• Open Source and Third-Party Software Validation (OSS/TP) – This activity validates that known
vulnerabilities in OSS/TP software are fixed before the software is included in a product release.
• Static Code Analysis – This activity uses automated tools to detect defects and security flaws in code.
• Vulnerability Scanning – This activity uses automated tools to detect security vulnerabilities in running
systems.
• Penetration Testing – This activity uses internal and external security teams to try to compromise
systems in isolated environments.
• Security Review – This activity examines the output and completion of all the other activities.
Open-Source Software
VMware uses some third-party and/or open-source code in our solution offerings, and we perform open-
source and third-party (OSS/TP) software validation to safeguard against known vulnerabilities prior to being
included in a VMware product release. Please refer to the publicly available Open-Source Disclosure page for
additional information on OSS/TP components.
Asset Management
VMware maintains an asset management program as part of our ISMS to categorize both physical and logical
assets. The Asset Management policy is reviewed at least annually, and all changes are approved by our
Information Security Governance Committee.
Data Center Operations teams maintain an inventory of all production assets, including but not limited to,
software license information, software version numbers, component owners, machine names and network
addresses. Inventory specifications may include device type, model, serial number, and physical location. The
asset inventory is regularly reviewed in accordance with PCI-DSS requirements.
Physical Security
VMware’s physical security policy governs security for our offices, data centers, support centers, and other
global business locations to safeguard information systems and staff.
Key elements of this policy include controls around: physical security perimeters, physical entry controls,
physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of
facilities, protecting against external and environmental threats, working in secure areas, access to restricted
areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment
maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of
equipment, unattended user equipment and clear desk and clear screen.
VMware leverages co-located data center facilities in the U.S. and IaaS providers (in the U.S. and globally) to
support the Workspace ONE service offerings. These providers maintain physical and environmental security
controls for the cloud-delivered services.
VMware Offices
All VMware offices deploy physical and environmental security measures to safeguard VMware facilities, staff,
and assets. VMware uses a combination of building design, environmental controls, security systems, and
designated security personnel, together with the corresponding procedures and physical and environmental
controls, to restrict access to information services and information assets. Controls include, but are not limited
to:
• Implementing entry controls to secure VMware facilities.
• Maintaining and monitoring an audit trail of all access to the site through badge and visitor logs.
• Requiring visitor sign in with date and time of entry and departure, and supervising visitation.
• Performing regular access right reviews to secure areas and updating or revoking these rights as
necessary.
• Revoking all access rights to VMware facilities and restricted areas immediately and deactivating access
codes known by the staff upon staff termination.
Confidentiality Agreements
VMware employees and alternative workforce (AWF) are required to sign confidentiality agreements.
Additionally, upon hire, personnel are required to read and accept the Acceptable Use Policy and the VMware
Business Conduct Guidelines. Personnel who violate VMware standards or protocols are subject to
appropriate disciplinary action.
Employee Training
In alignment with the ISO 27001 standard, all VMware personnel are required to complete annual business
conduct and security awareness training. Personnel with access to cloud production environments receive
additional training as they assume job roles and responsibilities. VMware periodically validates that employees
understand and follow the established policies through compliance audits.
VMware uses an enterprise Learning Management System (LMS) to deliver required onboarding and annual
security awareness training. The LMS records successful completion and reports are reviewed during ISMS
review meetings. This training must be completed before authorizing access to production systems.
Awareness training topics include, but are not limited to:
• Secure system configuration
• User account management policies
• Environmental control implementation and operation procedures
• Incident Response plans and procedures
• Disaster Recovery plans and procedures
• Physical Security controls
Employee Termination
VMware terminates access privileges to systems when an employee leaves the company. An employee who
changes roles within the organization will have access privileges modified according to their new position.
Terminated employees are required to return assets.
Business Continuity
The business continuity program implements appropriate security controls to protect VMware employees and
assets against natural or man-made disasters. As part of the program, a runbook system automates policy
review, and policy updates are made available to the appropriate individuals. Additionally, these policies and
procedures include defined roles and responsibilities supported by regular workforce training. VMware
determines the impact of any disruption to the organization by identifying dependencies, critical products, and
services.
Starting in March 2020, VMware executed our business continuity plan in response to the global COVID-19
pandemic. Our global teams are located around the globe, giving us strong geographic resilience in terms of
our ability to provide continuity of service for our customers. While our offices are open at present, we are
following international best practice guidelines and have seamlessly transitioned our global teams to a “work
from anywhere” policy that allows them to work from their homes, utilizing our own industry-leading
technology, and best-in-class collaboration tools.
VMware Global Support Services continues to operate 24x7 and, given the current environment, has put
extra measures in place to help ensure continued smooth operations. Our Professional Services organization,
including our Consulting, Technical Account Management, and Education Services, is also fully operational; all
team members are fully equipped to efficiently and effectively work from home. We have also added capacity
to our worldwide consulting centers and collaborated with our Product teams to offer rapidly deployable
solutions to expand infrastructure capacity as well as enable secure remote productivity for our customers’
employees. The VMware Crisis Management Team, composed of leaders from across the company, meets
regularly and stays up to date with evolving global changes and developments in relation to ongoing world
events.
Our business continuity plans are reviewed annually to determine which business processes are most critical
and what resources – people, equipment, records, computer systems, and office facilities – are required for
operation. All documented plans follow an annual standard maintenance, assessment, and testing schedule.
Workspace ONE operations teams also maintain service-specific business continuity plans to address the
unique needs of each cloud application.
Risk Management
In alignment with the ISO 27001 and PCI-DSS standards, VMware maintains a Risk Management program to
mitigate and manage risk companywide. We perform risk assessments at least annually to ensure that
appropriate controls are implemented to reduce the risk to the confidentiality, integrity, and availability of
sensitive information.
VMware cloud management has a strategic business plan to mitigate and manage risks that requires
management to identify risks within its areas of responsibility and to implement appropriate measures
designed to address those risks. VMware cloud management re-evaluates the strategic business plan at least
two times per year.
Sub-processors
VMware leverages sub-processors to provide certain services on our behalf. Refer to the Workspace ONE
lists available on the VMware ONE Contract Center for a list of sub-processors used globally. VMware is
responsible for any acts, errors, or omissions of our sub-processors that cause us to breach any of our
obligations. VMware enters into an agreement with each sub-processor that obligates the sub-processor to
process the Personal Data in a manner substantially similar to the standards set forth in the VMware Cloud
Services Exhibit, and at a minimum, at the level of data protection required by applicable Data Protection
Laws. Please refer to the VMware Data Processing Addendum for additional information.
Customers can sign up to receive updates about service sub-processors: go to the Cloud Services
Preference Center and enable notifications for updates to the sub-processor list.
Change Management
VMware maintains a detailed Change Management policy that defines controlled changes to production
environments. Changes are processed through a formal program that includes approval, testing,
implementation, and rollback plans.
Third-party and internal audits of these processes are performed at least annually under the VMware ISMS
program and are essential to the VMware continuous improvement programs.
Configuration Management
VMware maintains a detailed Configuration Management policy based on industry best practices to harden
the cloud environment; revisions and exceptions to the Configuration Management policy are processed
through the Change Management policy to help ensure the confidentiality, integrity, and availability of our
hosted offering.
Baseline configuration standards include, but are not limited to:
• Disabling unnecessary ports, services, protocols, and physical connections.
• Reviewing server builds for gaps prior to image configuration.
• Hardening server configurations.
Baseline configurations are documented for all software and hardware (where applicable, i.e., in U.S.-based
co-located data centers) installed in the production environment. Baseline configurations include the following
information about system components:
• Standard software packages installed on servers and network components.
• Current version numbers and patch information on operating systems and applications.
• Logical placement of all components within the system architecture.
System Hardening
VMware disables unnecessary ports, protocols, and services as part of baseline hardening standards. We
follow industry best practices in applying secure configurations to managed servers.
For Workspace ONE UEM servers that use Windows operating systems, the team hardens server
configurations using GPO policies (i.e., account policies, user rights, security options, event log settings, app
restrictions). Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence Linux-based
servers use Amazon Linux AMI for system hardening. The Amazon Linux AMI includes default security
configurations, such as: limited remote access using SSH key pairs, remote root login disablement, reducing
non-critical package installation, and automatic security related updates.
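The SSH portion of that baseline (remote access by key pair only, remote root login disabled) can be checked mechanically. The following is an added example for this whitepaper, not VMware tooling: it audits the global section of an sshd_config against those two settings, honouring OpenSSH's first-value-wins rule and ignoring conditional Match blocks. The sample configs are constructed, and the defaults assumed for unset keywords are the documented OpenSSH ones.

```python
"""Audit an OpenSSH sshd_config against the SSH part of the hardening baseline
described above: remote access by key pair only, remote root login disabled.

Added example, not VMware code. Two sshd semantics the check has to respect:
  * the FIRST value given for a keyword wins; later duplicates are ignored;
  * everything after the first 'Match' line is conditional, so the global
    baseline is evaluated only from the lines before it.
"""
import re

# Keyword -> (acceptable values, OpenSSH default when the keyword is unset).
# Defaults are the documented OpenSSH ones. PermitRootLogin defaults to
# prohibit-password, which still allows key-based root login, so leaving it
# unset does NOT satisfy "remote root login disabled".
BASELINE = {
    "PermitRootLogin": ({"no"}, "prohibit-password"),
    "PasswordAuthentication": ({"no"}, "yes"),
    "PubkeyAuthentication": ({"yes"}, "yes"),
}


def effective_settings(config_text):
    """Return {lowercase keyword: value} for the global section of sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                                      # rest is conditional, not global
        settings.setdefault(key, value)                # first occurrence wins
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means the baseline is met."""
    eff = effective_settings(config_text)
    findings = []
    for keyword, (allowed, default) in BASELINE.items():
        if keyword.lower() in eff:
            value, origin = eff[keyword.lower()], "set to"
        else:
            value, origin = default, "unset, OpenSSH default"
        if value not in allowed:
            findings.append(
                f"{keyword} {origin} '{value}'; baseline requires "
                + " or ".join(sorted(allowed))
            )
    return findings


# Constructed sample: a host before hardening. PermitRootLogin is only set
# inside a Match block, which does not count toward the global baseline.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
#PermitRootLogin prohibit-password
Match User backup
    PermitRootLogin no
"""

# Constructed sample: the hardened baseline. The trailing duplicate is
# ignored by sshd because the first PasswordAuthentication line wins.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes   # ignored: first value wins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```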
Time Synchronization
All cloud service components are time synchronized with a common centralized time source per ISO 27001
and PCI-DSS requirements.
System Monitoring
VMware Cloud Operations is staffed 7x24x365 and the team deploys several commercial and custom
purpose-built tools to monitor the performance and availability of all hosted solution components.
Components include the underlying infrastructure servers, storage, networks, portals, services, and
information systems used in the delivery of Workspace ONE services.
Patch Management
VMware maintains the systems it uses to deliver Workspace ONE services, including the application of
patches deemed critical for the target systems. Our policy is to patch or upgrade network, utility, and security
equipment after analyzing the severity and impact of potential vulnerabilities. Critical vulnerabilities are
addressed in a timely manner, and changes are made using industry best practices. Testing is conducted by
the QE department to ensure compatibility with the production environment. If required, rollback procedures
are conducted by the QE team.
For Workspace ONE Intelligence, base images receive patches and reboots as part of the bootstrap process.
Containers are generated on a weekly basis with all patches included. As instances are terminated, new
instances are deployed; no instance lives more than seven days.
Vulnerability Scanning
Vulnerability scans are performed at least monthly on internal and external systems. In alignment with PCI-
DSS, system and application owners are required to address critical and high vulnerabilities with a plan of
corrective action after vulnerability discovery. Rescans are used to verify remediation of high-risk
vulnerabilities. Other vulnerabilities are addressed with a plan of corrective action within a reasonable period.
Please note that VMware does not provide the results of vulnerability scans to customers. We do not feel
these isolated pieces of information are of use to our customers in protecting their security objectives. Results
are not in context, often generate a large volume of false positives, and do not accurately represent the
current security posture of a product or service.
Penetration Testing
VMware and Third-Party Testing
In alignment with PCI-DSS, VMware performs extensive internal and external penetration tests on Workspace
ONE services using both third-party vendors and the VMware Red Team at least annually. The penetration
tests are generally divided into three phases that focus on identifying high-impact vulnerabilities that
could lead to exploitation, theft of data, and/or overall privilege escalation. Tests follow a method intended to
simulate real-world attack scenarios and threats that could critically impact data privacy, integrity, and
overall business reputation. VMware does not provide results of our pen testing activities for Workspace ONE
services; however, executive summaries of our pen tests and third-party attestation letters are available by
request. Further evidence of our annual penetration tests can be found in our SOC 2 Type 2 audit reports.
Please note that VMware’s policy mandates all penetration test findings with Common Vulnerability Scoring
System (CVSS) rankings must be remediated within defined SLA timelines. This means that if any issues were
found during testing, they must be resolved within the timelines shown below. We believe this is an important
step towards reducing VMware’s exposure to risk from vulnerabilities and protecting the availability of our
infrastructure.
Pen Test Scoring and Remediation Timelines
The VMware Red Team uses the industry standard CVSS 3 Scoring system, which takes the base score of the
vulnerability and applies environmental and other considerations unique to VMware to arrive at a true risk
score appropriate for our environment. This score determines remediation timelines as shown below.
Severity levels, CVSS score ranges, and remediation timelines:
• Catastrophic (CVSS score 9 - 10): remediate within 72 hours. Findings of this level can be used to gain
control of the host, network, or application, which can lead to potential leakage of highly sensitive
information; exploitation would result in a catastrophic monetary loss, data loss, or negative public image.
The attack can be performed by someone with no service credentials.
• Critical (CVSS score 7 - 8.9): remediate within 14 days. Findings of this level of risk are serious deficiencies
that can result in potential misuse of the host or network by intruders. Exploitation would result in
monetary loss, sensitive data loss, or moderate negative public image. Attacks can be performed by
someone with or without service credentials.
• Serious (CVSS score 4 - 6.9): remediate within 30 days. Findings of this level indicate that exploitation of
the vulnerability would only cause minimal damage or information leaks. This category may contain issues
that are more difficult to execute.
• Minor (CVSS score 0.1 - 3.9): remediate within 60 days. Findings in this category may not present an actual
threat at the moment but could become more dangerous if used in conjunction with other security issues.
Intelligence uses the Amazon Web Application Firewall (WAF) which provides application layer protection
against common web exploits.
Log Management
Infrastructure Logs
Workspace ONE services leverage a robust centralized SIEM infrastructure. Critical systems and privileged
access to Workspace ONE infrastructure, firewall and IDS logs, and DNS Queries are logged and monitored.
Auditable events are in alignment with PCI-DSS requirements and include user identification, type of event,
date and time, success or failure indication, and origination of event. Access to the audit trail is protected, and
logs are stored separately and securely. Note: VMware does not provide SaaS infrastructure logs to
customers. Please see Application Event Logs for customer-accessible logging options.
VMware System Security logs and events are centrally aggregated and monitored in real-time 7x24x365 by
the VMware Security Operations Center (SOC). Logs forwarded to the VMware SOC are retained at least one
year, in alignment with PCI-DSS requirements, with up to five years of archive storage.
Application Event Logs
Customers can access application-level logs within Workspace ONE UEM and Workspace ONE Access that
record administrator and end user device events. Workspace ONE UEM event logs include:
• Device events show the commands sent from the console to devices, device responses, and device user
actions.
• Console events show actions taken from the Workspace ONE UEM console including login sessions, failed
login attempts, admin actions, system settings changes, and user preferences.
The audit events report in the Workspace ONE Access service lists the events related to a user, including:
• The type of action within a specific date range, with criteria such as user, type, action, object, and date range.
These logs can be exported as CSV for storage offline to meet regulatory or business requirements.
Workspace ONE UEM event logs can also be integrated with a customer’s existing SIEM solution using syslog.
Incident Reporting
All staff are responsible for reporting information security events as quickly as possible. At a minimum, these
scenarios include:
• Ineffective security controls or access violations.
• Breach of information integrity, confidentiality, or availability expectations.
• Human errors.
• Non-compliances with policies or guidelines.
• Breach of physical security arrangements.
• Uncontrolled system changes.
• Malfunction of software or hardware.
Breach Notification
In the case of a confirmed data breach, VMware shall without undue delay notify affected customers of the
breach in accordance with applicable laws, regulations, or governmental requests.
Session Controls
VMware Production Environment Sessions
Workspace ONE SaaS production environment administrative sessions are set to time out after 15 minutes of
inactivity.
AWS CloudFront Content Delivery Network (CDN) is used for delivery of some of the VMware Workspace
ONE Access service content (static JavaScript, CSS, and images) for the admin console and end-user
experience (login screen, Catalog, etc.) over HTTPS on port 443. On-premises connectors and third-party
Identity Providers do not require any access to the AWS CloudFront CDN. The CDN does not store customer PII.
For Workspace ONE UEM SaaS customers, VMware hosts the ETL server (in the Workspace ONE UEM cloud
environment). The hosted ETL server transmits data from your Workspace ONE UEM cloud deployment to the
Workspace ONE Intelligence cloud environment. On-premises Workspace ONE UEM customers must install an
ETL server to connect their on-premises Workspace ONE UEM deployment to the Workspace ONE
Intelligence cloud environment.
Customers can optionally leverage the Workspace ONE Trust Network to aggregate threat intelligence from
existing security tools, including VMware Carbon Black and Lookout, through secure API connections. Refer to
the VMware Solutions Exchange for available connectors; service documentation on connectors is available on
VMware Tech Zone.
Data Segmentation
Customer data is segmented in all Workspace ONE services. The data segmentation mechanism varies by
service and is detailed by service below.
Workspace ONE UEM
Workspace ONE UEM is available in both Shared and Managed Hosting environments. Workspace ONE
Access and Workspace ONE Intelligence are available in Shared Hosting environments only.
Workspace ONE UEM Shared Environment
Shared virtual machines are assigned to the Shared SaaS environment to host the Workspace ONE UEM
application. Data is isolated at the application layer using unique identifiers. The database resides on a shared
SQL cluster with shared infrastructure that contains data for multiple customers. Customers in the shared
environment can only access data from their tenant.
(Applicable to Control Plane Architecture deployments.) Shared environments use shared Control Plane
services such as Consul, Nomad, and Vault for security service communication, orchestration and scheduling,
secrets management, and enforcing access control lists. The Postgres database cluster used by the Control
Plane also resides on a shared infrastructure that contains data for multiple customers. Customers can only
access data from their tenant.
Workspace ONE UEM Managed Hosting
The Workspace ONE Managed Hosting Service provides a single-tenant instance of the logical service; multiple
instances of the hosting service may share underlying hardware infrastructure. Dedicated physical servers are
neither guaranteed nor part of the design.
• Dedicated VMs are assigned to the Managed Hosting environment to host the Workspace ONE UEM
application.
• SQL and (coming soon) Control Plane Postgres databases containing customer data are dedicated to the
customer and not shared, although these databases reside on shared SQL and Postgres clusters. For the
Control Plane, managed hosting customers also receive dedicated Kafka topics (the groups that hold
messages and events).
Workspace ONE Access and Workspace ONE Intelligence Shared Environments
Customer data is segmented at the application level using unique customer identifiers. Customers cannot
access data from another customer’s tenant.
Data Encryption
Each service within the Workspace ONE platform leverages encryption to help protect data both in transit and
at rest. Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence collect varying data
points intended to achieve different outcomes in the delivery of the service. Due to these differences in
functionality, the specific encryption approach varies to align with the intended function of each service.
Encryption In-Transit
Workspace ONE UEM
All traffic traversing public networks, and any sensitive interactions between Workspace ONE nodes
(Workspace ONE and its integration components) and the device agents, are protected with message-level
encryption. These message-level interactions are encrypted using 2048-bit RSA asymmetric keys carried in
digital certificates. In alignment with PCI-DSS, Workspace ONE UEM SaaS environments support TLS 1.2+.
• Note: Managed hosting customers can restrict the TLS protocol versions accepted by their environment (for
example, allowlisting only TLS 1.2).
• Note: REST API calls take place over HTTPS with a certificate signed by a publicly trusted CA.
• Customers can also enable LDAPS to encrypt the directory services connection to on-premises solution
components such as the AirWatch Cloud Connector. The AirWatch Cloud Connector leverages HTTPS
communication to the cloud. Please refer to the Workspace ONE Reference Architecture for additional
information on on-premises solution components.
Workspace ONE Access
Communications for Workspace ONE Access are encrypted in transit via HTTPS (TLS) over public networks.
In alignment with PCI-DSS, Workspace ONE Access SaaS environments only support TLS 1.2+.
Each customer tenant is assigned a unique private/public key pair. The keys are randomly generated at the
time of tenant creation. Private keys are encrypted at rest with AES-256.
Workspace ONE Intelligence
Communications for Workspace ONE Intelligence are encrypted in transit via HTTPS (TLS) over public
networks. In alignment with PCI-DSS, Workspace ONE Intelligence SaaS environments only support TLS 1.2+.
Encryption At-Rest
Workspace ONE UEM
All user data stored within Workspace ONE UEM is encrypted at rest using hardware-based array-level
encryption, volume-level encryption, or both, with a minimum of AES-256 symmetric encryption.
Additional data-level encryption is implemented for customer content and sensitive fields as described in the
Data Security – Data Collection section of this document. All locally defined passwords, certificate private
keys, client cookie data, tokens, and the AD bind account credentials are stored within the database and
protected with the AES-256 symmetric encryption algorithm. Stored credentials are hashed using PBKDF2 with a
salt of at least 256 bits and a sufficiently large number of iterations.
Note: Workspace ONE UEM does not store user credentials derived from customer AD integration.
Workspace ONE Access & Hub Services
Locally defined Workspace ONE Access passwords are protected with PBKDF2 using a randomly generated salt,
together with AES-256. The service does not store user credentials derived from customer AD integration. The
AD bind account is stored in the Workspace ONE Access database and is encrypted (AES-256). Data considered
sensitive by the application is encrypted (AES-256) with a per-tenant key that is generated by Workspace
ONE Access. Amazon S3 buckets used for Workspace ONE Access and Workspace ONE Hub Services are
encrypted. For Workspace ONE Hub Services, encryption is applied at the database level.
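The PBKDF2 and salt requirements stated above for both Workspace ONE UEM and Workspace ONE Access are easy to get subtly wrong: short or fixed salts, low iteration counts, or a comparison that leaks timing. The following Go program is an added example, not VMware's implementation, of one way to store and verify a locally defined credential that meets the stated requirements: PBKDF2-HMAC-SHA256 written out as specified in RFC 8018 (rather than taken from a third-party package, so the block runs on any recent Go toolchain), a random 256-bit salt per credential, a self-describing record that carries its own parameters, and a constant-time comparison. The record format, the iteration count, and the password in main are choices made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const (
	saltLen    = 32     // 256-bit random salt, the minimum the whitepaper describes
	iterations = 600000 // OWASP (2023) recommendation for PBKDF2-HMAC-SHA256
	keyLen     = 32
)

// pbkdf2SHA256 implements PBKDF2 from RFC 8018 section 5.2 with HMAC-SHA256 as the PRF:
// T_i = U_1 xor ... xor U_c, where U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iters, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var out []byte
	var idx [4]byte
	for i := 1; len(out) < dkLen; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iters; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for k := 0; k < hLen; k++ {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// HashPassword returns a self-describing record "pbkdf2-sha256$<iterations>$<salt>$<hash>"
// with a fresh random salt, so two users with the same password get different records.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash from the stored parameters and compares in constant time.
// Records with a salt shorter than 256 bits or an invalid iteration count are rejected outright.
func VerifyPassword(stored, password string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised credential record")
	}
	iters, err := strconv.Atoi(parts[1])
	if err != nil || iters < 1 {
		return false, errors.New("invalid iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil || len(salt) < saltLen {
		return false, errors.New("salt missing or shorter than 256 bits")
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil || len(want) == 0 {
		return false, errors.New("invalid stored hash")
	}
	got := pbkdf2SHA256([]byte(password), salt, iters, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	rec, err := HashPassword("correct horse battery staple") // constructed example password
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record:", rec)
	ok, _ := VerifyPassword(rec, "correct horse battery staple")
	bad, _ := VerifyPassword(rec, "Correct horse battery staple")
	fmt.Println("correct password accepted:", ok, "| wrong password accepted:", bad)
}
```

Storing the iteration count inside the record is what allows the count to be raised later without invalidating existing credentials: old records keep verifying with their recorded count and can be re-hashed on next successful login. The salt-length check on verification, not only on creation, is what stops a record imported from a weaker system from silently lowering the bar.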
Workspace ONE Intelligence
Workspace ONE Intelligence is a cloud service that provides deep insights, analytics, and automation for the
entire digital workspace. As such, Workspace ONE Intelligence was built as a cloud-native service and uses a
combination of AWS-managed and VMware-managed KMS keys for all encryption at rest across the solution
datastores. Data is encrypted at rest using AES-256 with GCM.
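Three statements in this section describe the same construction from different angles: message-level encryption under 2048-bit RSA keys (Workspace ONE UEM), a per-tenant key pair whose private key is encrypted at rest with AES-256 (Workspace ONE Access), and AES-256-GCM at rest (Workspace ONE Intelligence). The following Go program is an added example, not VMware's code, of the hybrid pattern that ties them together: a fresh AES-256 data key seals the message with GCM, RSA-OAEP wraps that data key under the recipient's 2048-bit public key, and a tenant identifier is authenticated into both layers so an envelope cannot be replayed to another tenant. The same gcmSeal/gcmOpen pair, keyed with a separate key-encryption key, is how one would encrypt a tenant private key at rest. The payload and the tenant identifier in main are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewTenantKeyPair generates the per-tenant 2048-bit RSA key pair.
func NewTenantKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key; shorter keys would select AES-128/192")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func gcmSeal(key, pt, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails authentication.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope carries a fresh AES-256 data key wrapped with RSA-OAEP plus the GCM-sealed body.
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
}

// Seal encrypts plaintext for pub; aad is bound into both the OAEP label and the GCM tag.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	if pub.Size() < 256 {
		return nil, errors.New("RSA modulus shorter than 2048 bits")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	sealed, err := gcmSeal(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// Open unwraps the data key with the private key and authenticates the message body.
func Open(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, aad)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, env.Sealed, aad)
}

func main() {
	priv, err := NewTenantKeyPair()
	if err != nil {
		panic(err)
	}
	aad := []byte("tenant:example-tenant-1") // constructed identifier for this example
	env, err := Seal(&priv.PublicKey, []byte("device check-in payload"), aad)
	if err != nil {
		panic(err)
	}
	env.Sealed[len(env.Sealed)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = Open(priv, env, aad)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The data key is single-use, so the 2048-bit RSA operation only ever covers 32 bytes and the GCM nonce never repeats under the same key. Binding the tenant identifier as additional authenticated data is the cheap check that turns "the ciphertext is intact" into "the ciphertext is intact and was produced for this tenant".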
Key Management
Please note that Workspace ONE services do not currently support a bring your own key (BYOK) model. To
help ensure the security and integrity of the cryptography used in the cloud-hosted environments, only
authorized VMware support personnel have access to encryption keys, and keys are managed in line with PCI-
DSS. Customers can manage their own encryption keys for on-premises hosted resources, such as
establishing and managing the X.509 certificates for on-premises integration connectors (such as AirWatch
Cloud Connector).
3 Exception: Workspace ONE UEM web console administrator login history, which is purged by default every 730 days unless the customer
configures an Admin Terms of Use (TOU) prompt for users, to support customers’ security and auditing purposes. If the TOU prompt is
configured, the admin login history is not automatically purged, so that a timestamp and admin record corresponding to the TOU acceptance
are retained.
devices, but not for employee-owned Android devices. Privacy controls can be combined with role-based access
so that customer IT staff without the appropriate privileges cannot modify privacy policies in ways that do not
adhere to company policy.
VMware has no direct relationship with the Users whose data it processes in connection with providing the
Software and any related services. A User who seeks access, or who seeks to correct, amend, or delete
inaccurate data should direct their query to the Customer. If the Customer requests VMware to modify or
remove the data, we will respond to the Customer’s request in accordance with our agreement with the
applicable Customer or as may otherwise be required by applicable law.
At any time, an appropriately provisioned Workspace ONE administrator can take the following actions to
help comply with applicable data protection laws:
• Access, upload, update or remove data directly from the console at any time.
• Require Terms of Use (TOU) acceptance before end users access the service during enrollment. Users
must accept the TOU before proceeding with enrollment, installing apps, or accessing the console. The
console allows administrators to fully customize a TOU and assign a unique TOU to each organization group
and child organization group. TOU acceptance can be reviewed in the administrative console or within the
end-user VMware Intelligent Hub at any time.
• Export solution data, including user reports, at any time via CSV as well as PDF and XLS formats.
PCI-DSS Certification
Workspace ONE Access and Workspace ONE Intelligence have achieved PCI-DSS certification. The PCI-DSS
Attestation of Compliance (AOC) can be downloaded from VMware Trust Center. Please note that, although
these Workspace ONE services are PCI-DSS certified, they do not store, process, or transmit cardholder data.
Terms of Service
The VMware Cloud Services Exhibit and the Cloud Services Guide govern VMware cloud delivered services in
addition to the VMware Data Processing Addendum.
Release Schedules
VMware communicates feature releases and service announcements through VMware Docs, VMware Blogs,
My Workspace ONE, and by email. Our frequent release schedule demonstrates our commitment to
continuous innovation. New software features and operating systems are released daily, and we aim to
provide same-day support for new major operating system updates and APIs:
• Workspace ONE shared cloud environments receive updates automatically.
• Workspace ONE UEM Managed Hosting Service customers schedule upgrades to their environment via a
user-friendly update scheduling tool.
Scheduled Maintenance
VMware schedules pre-defined maintenance windows to limit the potential impact on environment availability.
These standing windows are scheduled annually and published on the My Workspace ONE support portal and in a
publicly available KB article.
Routine Maintenance
Occasionally, it is necessary for VMware to perform maintenance that has the potential to impact the
availability of customer environments outside of scheduled maintenance windows, and VMware reserves the
right to do so. A minimum of five days’ advance notice is given for routine maintenance.
Emergency Maintenance
Emergency maintenance is defined as potentially impactful maintenance activity that must be executed
quickly due to an immediate, material threat to the security, performance, or availability of the Service
Offerings. Every attempt will be made to provide as much advance notice as possible, but notice depends on
the severity and critical nature of the emergency maintenance.
Support Packages
VMware provides multiple support options designed to fit specific customer requirements. The following
support packages are available for Workspace ONE UEM:
• SaaS Basic Support – Weekday global support for SaaS products, 12x5 (SaaS Severity 1 issues 24x7)
• SaaS Production Support – Focused, 24-hour support for SaaS products, (SaaS Severity 1 issues 24x7)
• Success 360 – Priority access to Senior Engineers, Account Management, and advanced Skyline features,
24x7
For the most up-to-date support offerings, please refer to the VMware Customer Support Offerings page.
Existing support customers can leverage the My Workspace ONE support portal. Please visit the Cloud
Service Support Policies page for additional information.
Export Restrictions
The U.S. Department of Commerce and the U.S. Department of Treasury administer and maintain exclusion
lists. VMware does not ship products to any entity or individual, whether in the U.S. or abroad, specified on
these lists.
• U.S. Department of Commerce Denied Persons List
• U.S. Department of Commerce Denied Entity List
• U.S. Department of Commerce Unverified List
• U.S. Department of Treasury Specially Designated Nationals List
• U.S. Department of State Debarred List
• U.S. Department of State Nonproliferation Sanctions
Appendix - Microservices
Workspace ONE extends core platform functionality through optional microservices which communicate with
the Workspace ONE UEM application via secure APIs over HTTPS/TLS. Microservices environments are also
governed by VMware information security policies outlined throughout this whitepaper.
• For enhanced security, ENS also supports Certificate Based Authentication (CBA) and OAuth on EWS.
Segmentation
ENS segments customer data at the application layer using unique identifiers.
Data in Transmission
Data transmitted to and from ENS is encrypted in transit over the public Internet via HTTPS/TLS. Exchange
credentials are transmitted to the service in an encrypted payload which ENS decrypts in order to retrieve
email details from Exchange.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 vmware.com Copyright © 2022 VMware, Inc.
All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents
listed at vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions.
All other marks and names mentioned herein may be trademarks of their respective companies.