VMware UK Limited

VMware SASE

Secure Access Service Edge (SASE) provides Cloud Web Security (CWS) functionality to protect users while accessing Web-based services and applications. Access to CWS is achieved via SD-WAN and Secure Access (VPN) to provide a consistent secure Internet experience determined by user location and device posture.

Features

  • SSL Inspection
  • Cloud Access Security Broker
  • Data Loss Prevention
  • Content filtering and inspection
  • Resilient access
  • Cloud hosted security
  • Remote access with Virtual Private Network
  • User or Group access and security policies
  • Traffic and Threat Analysis
  • VMware SD-WAN integration

Benefits

  • Protected user experience for web based access
  • Monitoring of Internet use and access by user
  • Integrated security posture for remote access and SD-WAN
  • Work anywhere secure Internet and on-premises access
  • Distributed global presence through VMware SASE POPs
  • Centralised configuration management
  • Integrated into VMware Workspace One UEM for device control

Pricing

£48.27 a user a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chris.hardy@broadcom.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

174926367127407

Contact

VMware UK Limited Chris Hardy
Telephone: 07824 478092
Email: chris.hardy@broadcom.com

Service scope

Service constraints
VMware SASE documentation provides clear guidance regarding the implementation best practices needed for the service. Use of VMware Cloud Web Security (CWS) requires the installation of a Trusted Root Certificate to allow inspection of encrypted traffic. Secure Access (SA) uses the VMware Workspace One Tunnel client for access to allocated Points of Presence (POP). Policy for the tunnel client is configured in VMware Workspace One and then deployed at the time of device onboarding.
System requirements
  • Software license agreement per user
  • Compliant user device or SD-WAN edge connection
  • Integration into the customer's Identity Provider
  • Deployment of a Tunnel Client for Secure Access
  • Installation of VMware CWS SSL certificate

User support

Email or online ticketing support
Yes, at extra cost
Support response times
VMware offers online trouble ticketing through the Customer Connect portal provided at the VMware website. A response timeline is defined based on the ticket's assigned severity level and the level of support plan purchased:
Production: Sev1 (<30 mins 24x7), Sev2 (<4 hours 12x5), Sev3 (<8 hours 12x5), Sev4 (<24 hours 12x5)
Premier: Sev1 (<30 mins 24x7), Sev2 (<2 hours 24x7), Sev3 (<4 hours 12x5), Sev4 (<12 hours 12x5)
Carrier Grade: Sev1 (<15 mins 24x7), Sev2 (<1 hour 24x7), Sev3 (<4 hours 10x5), Sev4 (<8 hours 10x5)

SASE Production Support: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmware-saas-production-support-and-subscription-datasheet.pdf
SASE Premier Support: https://sase.vmware.com/content/dam/digitalmarketing/vmware-sase/pdfs/sdwan-797-vmware-sdwan-support-compare-ds-1119.pdf
SASE Carrier-Grade Support: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/services/support/vmware-sase-carrier-grade-support.pdf
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
VMware SASE offers Production, Premier and Partner Support.

Production Support for Cloud Hosted products is listed here: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmware-saas-production-support-and-subscription-datasheet.pdf.

Premier information is available here: https://sase.vmware.com/support . Hours of operation are 24x7x365 with an unlimited number of support requests and remote support assistance.

VMware partners are able to offer support using the Telco & MSP Support level: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/services/support/vmware-sase-carrier-grade-support.pdf

Costs available in the pricing document.

Technical Account Managers are part of the VMware service offering, but are funded by the customer unless otherwise agreed.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
VMware Professional Services can rapidly deploy solutions according to the business and technical requirements. This is focused on architecture, topology, and functional testing. Knowledge transfer sessions are completed to ensure that our customers are fully versed in the operational infrastructure.

VMware also partners with organisations that can provide training, deployment, management, and customer-specific documentation for SASE implementations.

VMware have user documentation that covers the SASE solution available at: https://docs.vmware.com/en/VMware-SASE/index.html
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
VMware enables periodic extraction of key configuration and statistics information for offline storage through REST API. The metadata available in Orchestrator is from flows that traversed from a LAN interface to a WAN interface. This data includes information on the host originating the flow, such as source IP address, source MAC address, and source FQDN. If the users have authenticated using WPA Enterprise, the username will also be associated with the flow and collected in the VCO.
End-of-contract process
The VMware SD-WAN Orchestrator (VCO) collects metadata from the flows that traversed from a LAN interface to a WAN interface. This data includes information on the host originating the flow, such as source IP address, source MAC address, and source FQDN. If users have authenticated using WPA Enterprise, the username will also be associated with the flow and collected in the VCO. After account termination, the accounts will be suspended; however, all data will remain in the account for up to 1 year after termination. Upon explicit request, the data can be deleted from the VCO at an earlier date.
There are no additional costs involved for VMware to store the data.

Using the service

Web browser interface
Yes
Using the web interface
Users manage device onboarding through VMware Workspace One UEM. Workspace One controls the compliancy of devices so they align with company standards. It also applies software, certificates and policy as required. Workspace One policy is used for the configuration of Workspace One Tunnel software, a VPN client used to access VMware SASE Secure Access. VMware SD-WAN Orchestrator is coupled with Workspace One to populate SASE POPs with Secure Access configuration. Secure Access configuration is mapped to specific users or groups. VMware SD-WAN Orchestrator is also used to create, manage, and deploy Cloud Web Security configuration. Internet web-based user traffic is mapped to the VMware SASE POPs via Secure Access, or SD-WAN edge policy, so that Internet based access can be securely controlled. Administrators can use features such as Cloud Access Security Brokers, SSL Inspection, URL filtering, and Content filtering and Inspection to manage and protect user access.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
N/A
Web interface accessibility testing
VMware has 146 products with ongoing efforts to increase accessibility. VMware has a team of accessibility subject matter experts embedded in the product teams. Over half of our accessibility team has a disability, including five screen reader users and one magnification/keyboard user, and including individuals with cognitive disabilities. VMware also does testing annually with users outside of VMware that have disabilities through the VMware Design Studio program.
API
Yes
What users can and can't do using the API
VMware Workspace One UEM and SD-WAN Orchestrator can be managed via a Northbound RESTful API via HTTP/TLS1.2. Core functionality is replicated in the APIs to allow workflows and custom applications to interface with both orchestration platforms.
API automation tools
  • Ansible
  • Other
Other API automation tools
  • Postman
  • CURL
API documentation
Yes
API documentation formats
  • HTML
  • PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
VMware SD-WAN (part of SASE) provides a secure method to support CLI access to Edges using key pairs generated per user and sends a logged-in user into an Edge CLI shell that only exposes SD-WAN troubleshooting commands and meets CSO requirements.
CLI is available for low-level debugging. VMware recommends utilizing SD-WAN Orchestrator or API for provisioning, configuration, and ongoing management and troubleshooting of SD-WAN Edges.

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
The VMware operations team monitors the load and proactively manages SASE POP locations. VMware SASE gateways are mapped to customer tenants from pools of resources allocated to the Orchestrator. VMware SASE POP automation can add extra resources when thresholds are reached, before operational impact is identified. Container-based delivery is used to seamlessly add capacity.
Usage notifications
No

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • HTTP request and response status
  • Memory
  • Network
  • Other
Other metrics
  • Threat Analysis
  • Traffic Analysis
  • CASB Analysis
  • Web Logs
  • Events
  • WAN link utilisation
  • Loss, latency, and jitter measurements on WAN links
Reporting types
  • API access
  • Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • VMware SD-WAN Orchestrator database
  • Orchestrator DR as a hot-standby with live feed from primary
  • Extract key configuration and statistics information via API
  • Workspace ONE UEM database
Backup controls
Backups of the VMware SD-WAN Orchestrator are handled by the VMware operations teams.
Workspace ONE backs up device configurations and resource entitlements provisioned through the solution but does not back up end-user data stored on the device or within apps.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
VMware will use commercially reasonable efforts to ensure that the services are available during a given month equal to the “Availability Commitment” specified as follows:

VMware SD-WAN: 99.99%.
VMware Secure Access: 99.90%.
VMware Cloud Web Security: 99.99%.

Availability in a given billing month is calculated according to the following formula:
“Availability” = ([total minutes in a billing month – total minutes Unavailable] / total minutes in a billing month) x 100

Details regarding the Service Level Agreement can be found here: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/downloads/eula/vmware-nsx-sd-wan-by-velocloud-service-level-agreement.pdf
Approach to resilience
VMware SASE provides resilience through a global network of SASE POP locations. Each SASE POP provides Cloud Web Security and Secure Access functionality. Any user onboarded into Secure Access will be mapped to a number of SASE POP locations, typically five, with the user accessing the POP with the lowest latency. If a POP is experiencing difficulty, or connectivity is not possible, alternative POPs will be used.
Outage reporting
VMware reports outages of all cloud-hosted services on a public dashboard: https://status.vmware-services.io/history

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels
The VMware SD-WAN Orchestrator is designed for multi-tenant environments. There are three organisational tiers providing distinct roles for access and visibility for the operator, multiple agents/managed services or channel partners, and multiple end enterprise customer tenants. VMware Workspace ONE uses built-in and custom roles to define the device groups that IT administrators can access and manage. These roles restrict the depth of device management information and features available to each console user. Authentication integrates with enterprise directory services or uses basic authentication, SAML, etc. The solution records all console activity and provides detailed logs of user access and events.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • SD-WAN part of SASE - ISO27001
  • SD-WAN part of SASE - ISO27017
  • SD-WAN part of SASE - ISO27018
  • SD-WAN part of SASE - PCI-DSS
  • SD-WAN part of SASE - SSAE16 / SOC2
  • SD-WAN part of SASE - CSA STAR

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
VMware assessments focus on meeting the needs of a broad range of users that need detailed information and assurance about the controls at VMware relevant to the security and availability of the systems that VMware uses to process and store users’ data. They include:
  • Secure operations and processes
  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight
Information security policies and processes
VMware SASE has a security team that oversees security features during SDLC and manages ongoing security for our product and service offering. VMware is in the process of obtaining a SOC2, Type I report for SASE. The SOC2 report is an attestation of the design and operating effectiveness of controls relevant to security and availability at VMware provided by a qualified, independent, external auditor.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
VMware Configuration Management policy is based on industry best practices. Revisions and exceptions are processed through a documented procedure to help ensure the confidentiality, integrity, and availability of our hosted offering.
- maintains cryptographic keys for required cryptography in the SaaS environment based on standards, procedures, and secure methods.
Change Management is staged on the Orchestrator by creating a copy of the profile undergoing the change. The updated profile is attached to individual Edges to test and roll back as needed.
All changes are logged in the Orchestrator event log, indicating who/when enacted the change.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
VMware analyzes each identified vulnerability for applicability, adjusting the vulnerability score based on mitigating factors to determine the final criticality score.
Vulnerability scans are performed at the network, application, and internal OS layers. This includes third-party vulnerability scanning and penetration tests. Vulnerability scans are reviewed annually. After analyzing the severity and impact, VMware patches all network, utility, and security equipment. VMware has subscriptions to vendor security and bug-tracking notification services. Critical patches are installed in a timely manner. Non-critical patches are applied within reasonable timeframes. Patch testing/rollback procedures are completed with minimal impact. Third-party auditors perform reviews against industry standards, including ISO 27001.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Security scans against the infrastructure components are completed regularly. If a security breach is detected, affected POPs will first be detached from the management core to isolate the exposure. Local bastion hosts will be spun up to provide out-of-band access to the resources. Once the compromised instance or instances are identified, these will be terminated and rebuilt to restore functionality or service. If a material breach is observed, impacted customers will be notified within five days or in the timeframe required by local law or other applicable regulations (such as GDPR).
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
VMware has pre-defined processes for common events. VMware users who become aware of a security vulnerability in VMware products contact VMware with details of the vulnerability. VMware has established an email address for reporting a vulnerability: security@vmware.com. Incident reports are provided via email and release notes.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
No

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
VMware SD-WAN typically utilizes AWS datacenters and information about AWS & Sustainability can be found here: https://aws.amazon.com/about-aws/sustainability/. VMware SASE components typically utilise Equinix datacentres and information about their energy efficiencies can be found here: https://www.equinix.co.uk/data-centers/design/green-data-centers#:~:text=At%20Equinix%2C%20our%20purpose%20is,energy%20for%20our%20global%20platform and here: https://www.equinix.co.uk/about/sustainability

Social Value

Fighting climate change

● Sustainable growth for VMware’s business requires decoupling our company growth from carbon emissions. To this end, we’ve accelerated our focus on decarbonization and received third-party validation from the Science Based Target Initiative (SBTi) on our science-based targets. Since 2018, we have maintained our certified CarbonNeutral® company status, in accordance with The CarbonNeutral Protocol. Since 2019, we have sourced 100 percent of our power in our global facilities from renewable sources, in accordance with RE100 Reporting Guidance.
● VMware’s net zero emissions goal builds on approved science-based targets and expands the scope of our climate commitments. For us, a net zero goal means reducing emissions for our entire carbon footprint. We are focused on prioritizing energy efficiency within our operations through our commitment to green buildings, working with our suppliers to reduce their emissions, and supporting distributed workforces through our Future of Work initiative. Through carbon financing, we support low carbon sustainable development projects that enable carbon avoidance to offset our remaining emissions. In line with the leading net zero guidance, we are developing our strategy to include carbon removal projects to address residual emissions.
● In FY22, we furthered climate transition planning at VMware, guided by Taskforce on Climate-related Financial Disclosures (TCFD) recommendations. As VMware continues to learn more about climate risks, we can build longer time horizon risks into our strategy to become even more sustainable and resilient.
Covid-19 recovery

● Decisive action by VMware during the early days of the COVID-19 pandemic led to a company-wide remote workforce, which our customers were able to implement as well through VMware’s Workspace solutions.
● Through VMware’s unique Citizen Philanthropy approach to giving, we empower every VMware employee—wherever they are—to be active, engaged citizens, contributing to what matters most to them in their own communities. Throughout the pandemic, VMware people delivered food to neighbors in need, made masks and donated resources to frontline workers and relief efforts, and helped nonprofit organizations strengthen their IT operations so they can focus on supporting their communities. VMware also supported GlobalGiving’s Coronavirus Relief Fund and TechSoup’s COVID-19 Response Fund, and raised the limit on matching gifts available to all VMware people.
Tackling economic inequality

● VMware IT Academy partners directly with more than 2,500 educational institutions, governments and nonprofits globally to empower learners through coursework, labs and experiences. To enrich learning and help jump-start careers, our partner academic institutions can also access the latest suite of VMware software solutions and use them in a hands-on educational environment. VMware IT Academy is key to our 2030 goal of upskilling 15 million people through our educational offerings and creates a pipeline of diverse talent that is available to advance companies’ digital journeys and deploy VMware solutions.
● VMware donates our technology to academic institutions, enabling learners with access to technical training and labs across technology solutions and companies through Academic Cloud.
● VMware IT Academy partners with the Rochester Institute of Technology (RIT) for their Cybersecurity Bootcamp, an immersive, 15-week hands-on training course to reskill or upskill unemployed individuals, including minorities and veterans.
● VMinclusion Taara offers free technical education on VMware products & technology that enable digital business transformation, addressing the gender gap in the Indian IT sector and empowering women with financial and social independence.
● VMware Responsible Sourcing supports sustainability, diversity and accessibility across our supply chain. VMware has committed to working with 75% of our suppliers (by spend) to set their own science-based targets by the end of 2024. We are also prioritizing the sourcing of goods and services through diverse businesses and have committed to spending $1.5B with diverse suppliers through 2030. Our definition of diverse supplier includes: small-business enterprises, minority-owned enterprises, woman-owned enterprises, and businesses owned by other underrepresented groups such as LGBTQ, veterans, and proprietors with disabilities.
Equal opportunity

● VMware joined the Valuable 500, a global business collective that is igniting systemic change and unlocking the business, social and economic value of more than 1 billion people with disabilities around the world. From ensuring the technology we develop is accessible for all to empowering our employees through accessible, inclusive and innovative engagement and wellbeing programs, our company remains committed to driving meaningful impact on disability, wellness and neurodiversity inclusion.
● As a leading software company, user accessibility is top of mind at VMware. One of our ESG goals by 2030 is to ensure the technology that we develop, and source within our supply chain, is accessible for all. We created internal Accessibility Guidelines within VMware and committed to assess all new software and events suppliers for accessibility standards aligned with our own guidelines.
● Employee Resource Groups at VMware are called Power of Difference communities (“PODs”), and they play a strategic role in building a culture of belonging. We are focused on driving a culture that is inclusive of all forms of diversity, including supporting employees with disabilities. In 2021, VMware was named a Best Place to Work for Disability Inclusion by the Disability Equality Index (DEI).
Wellbeing

● Sustainable growth for VMware’s business requires decoupling our company growth from carbon emissions. To this end, we’ve accelerated our focus on decarbonization and received third-party validation from the Science Based Target Initiative (SBTi) on our science-based targets. Since 2018, we have maintained our certified CarbonNeutral® company status, in accordance with The CarbonNeutral Protocol. Since 2019, we have sourced 100 percent of our power in our global facilities from renewable sources, in accordance with RE100 Reporting Guidance.
● VMware’s net zero emissions goal builds on approved science-based targets and expands the scope of our climate commitments. For us, a net zero goal means reducing emissions for our entire carbon footprint. We are focused on prioritizing energy efficiency within our operations through our commitment to green buildings, working with our suppliers to reduce their emissions, and supporting distributed workforces through our Future of Work initiative. Through carbon financing, we support low carbon sustainable development projects that enable carbon avoidance to offset our remaining emissions. In line with the leading net zero guidance, we are developing our strategy to include carbon removal projects to address residual emissions.
● In FY22, we furthered climate transition planning at VMware, guided by Taskforce on Climate-related Financial Disclosures (TCFD) recommendations. As VMware continues to learn more about climate risks, we can build longer time horizon risks into our strategy to become even more sustainable and resilient.

Pricing

Price
£48.27 a user a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Proof of Concept (PoC) trials are possible with VMware SASE, but require approval and signed agreements in advance. PoCs are time bound by agreement and require the completion of a mutually agreed test plan.
