CDW Limited

CDW VMware (Broadcom) Live Recovery

VMware Live Recovery offers VMware Live
Cyber/Site Recovery. VLCR is an on-demand
solution that provides cyber and data resiliency
to VMware virtual machines by replicating and
recovering them quickly to a target cloud in case
of a natural disaster, ransomware attack, or other
unplanned disruption of your production data
center.

Features

• Next-gen antivirus and behavioral analysis to contain ransomware attacks
• Quarantined recovery environment with network isolation to prevent reinfection
• vSphere virtual machine replication as low as 15 minute RPO
• Variable retention schedule going back days/weeks/months/years
• Granular file/folder/VM level recovery
• DR test, failover and delta-based failback with full-featured DR orchestration
• Zero-touch day-2 lifecycle operations (upgrades, patching, etc.)
• Instant recovery using Live Mount capability
• Cloud-based Disaster Recovery portal

Benefits

• Quickly recover workloads from disasters, ransomware attacks, and other outages
• Perform behavioral analysis in an isolated environment to prevent reinfection
• Enable uniform processes to administer private and public cloud environments
• Simplify workflows for testing DR plans and for outage preparedness
• Zero-in on the right point-in-time from which to recover
• Spin-up a recovery SDDC only during testing or failover
• Automated compliance checks every 30 minutes
• Easy VM or file-level operational restores

£327 a virtual machine a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@uk.cdw.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

288647782531020

Contact

Andy Wood
0161 837 7744
tenders@uk.cdw.com

Service scope

• Service constraints: N/A
• System requirements:
  • VMware vCenter (VC) must be 7.0 or later
  • VC 7.0U3 or later for high-frequency snapshots (<4hours RPO)
  • At least 8GHz reserved vCPU capacity in production site
  • At least 12GiB of vRAM reserved in production site
  • At least 100GiB of virtual disk space in production site

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support response times - VMware Live Recovery; support SLAs are listed here; https://www.vmware.com/content/dam/digitalmar; keting/vmware/en/pdf/docs/vmware-liverecovery-sla.pdf . Accessibility specific tickets; can be filed here :; https://www.vmware.com/help/accessibility.html
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: VMware Live Recovery provides 24/7 production; level support as part of the service at no; additional cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a range of resources to help to start; using VMware Live Recovery. These include; comprehensive documentation (in multiple; formats), introductory videos, hands-on labs,; access to a large ecosystem of partners and; support from the account teams. Recommended; starting point for all new users:; https://docs.vmware.com/en/VMware-LiveRecovery/index.html
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Replication of data to and from VMware Live; Cyber Recovery is fully managed by the; customer. Documentation exists along with; additional tools and services to facilitate the; replication, cloud failover, and failback of data.; VMware Live Cyber Recovery stores customers; data in an industry accepted virtual machine; format and VMware vSphere natively supports; the Open Virtualization Format (OVF), making it; simple to download, clone, migrate, copy, port or; transfer workloads between environments. Users; can restore data from all the VM snapshots; stored in the VMware Live Cyber Recovery; filesystem back to their production site using the; built-in failback workflow or individual VM restore; capability.
• End-of-contract process: https://www.vmware.com/content/dam/digitalmar; keting/vmware/en/pdf/agreements/vmwarecloud-services-guide.pdf . Please refer to the; section for VMware Live Recovery for all contract; details.

Using the service

• Web browser interface: Yes
• Using the web interface: VMware Live Cyber Recovery has two web; interfaces: Global DR Console and Orchestrator; UI. The Global DR Console enables users to; provision Orchestrators (also known as; "Recovery Regions") and to create subscriptions.; The Orchestrator UI allows users to consume; VMware Live Cyber Recovery and includes; several disaster recovery orchestrator; capabilities to automate the disaster recovery; process
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: The Broadcom Accessibility team has conducted; testing on the product, evaluating its compliance; with WCAG 2.1 level A and AA guidelines. The; testing covered all product workflows, or user; journeys, utilizing various mainstream; accessibility-testing tools, including assistive; technologies such as VoiceOver on Mac and; NVDA on Windows and other tools. We have; individuals who use assistive technology; conducting the testing.
• API: Yes
• What users can and can't do using the API: What users can and can't do using the API; [Feature in Preview] Users can use public REST; APIs to query some basic information about their; DR plan configuration: get cloud file systems, get; protected sites, get protection groups, get; protection group snapshots, get protected VMs,; and get recovery SDDCs.
• API automation tools: Other
• Other API automation tools: Not specified
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • Other
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
• Using the command line interface: The VMware Live Cyber Recovery connector; CLI* allows users to deploy and configure the; connector on protected sites. Things users can; do with the connector using the CLI: deploy the; connector; configure the Connector; create a; restricted vCenter user; register a restricted; vCenter user; re-register a restricted vCenter; user; run a connector connectivity check; run a; connector performance check. *The Cyber; Recovery connector is a stateless virtual; appliance that enables replicating VM snapshot; deltas from a protected site to the cloud file; system, which are used for recovery operations.

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: There is both capacity and network level isolation; between different customers' environments to; prevent users and customers from accessing; resources not assigned to them. Each customer's; VMware Live Cyber Recovery deployment -; consisting of at least one Orchestrator; component and one Cloud File System; component - resides in a completely separate; cloud account with its own dedicated compute,; memory, networking, and storage resources. This eliminates the potential for other customers to; access their workloads.
• Usage notifications: Yes
• Usage reporting: Other
• Other usage reporting: The service alerts users of reaching limits and; provides suggestions via the CSP platform.

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • Number of active instances
  • Other
• Other metrics:
  • Logical storage capacity (in TiB) across all protected VMs
  • Breakdown of storage capacity and VMs for each Protection Group
  • Count of their total protected virtual machines
• Reporting types:
  • API access
  • Real-time dashboards

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: VMware (Broadcom)

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Backup data and DR configuration data; encrypted at rest using an industry-standard; AES-256 encryption algorithm
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up: Virtual Machines
• Backup controls: VMware Live Cyber Recovery enables virtual; machine snapshots to be replicated to a data; center location of the user's choosing. When; setting up a DR plan, users can create protection; groups, consisting of different virtual machines.; Each protection group has its own policies for; snapshots, which includes snapshot frequency; schedule and retention. Virtual Machine disk; images are backed up as part of each snapshot.; Multiple protection groups can be a part of an; entire DR plan. More information on configuring; protection groups here:; https://docs.vmware.com/en/VMware-LiveRecovery/services/vmware-live-cyber-covery/GUID-5A3D6A65-EA38-4045-8BFA556AFBAC9117.html
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: VMware will use commercially reasonable efforts; to ensure VMware Live Cyber Recovery is; available 99.9% during a given billing month. If; the Availability of the Service Offering is less than; the Availability Commitment, then you may; request an SLA Credit. Availability in a given; billing month is calculated according to the; following formula: “Availability” = ([total minutes; in a billing month – total minutes Unavailable] /; total minutes in a billing month) x 100 More; information about the SLA can be found at:; https://www.vmware.com/content/dam/digitalmar; keting/vmware/en/pdf/downloads/eula/vmwcloud-disaster-recovery-service-levelagreement.pdf
• Approach to resilience: VMware has a Business Continuity (BC); Management Program describing how VMware; will respond to events that significantly disrupt our delivery of the Service Offering. Business; Continuity Plan. VMware has a Business; Continuity Plan ("Plan") intended to identify what; preparations must be made in advance of a; disruption, as well as the steps to be taken when; an event actually occurs. The Plan is reviewed; periodically to determine which business; processes are most critical and what resources -; people, equipment, records, computer systems; and office facilities - are required for operation.; All documented plans follow an annual standard; maintenance and assessment schedule.; Customer's cloud backups are persisted to; durable cloud object storage that is replicated to; at least 3 separate AWS availability zones.; VMware Live Cyber Recovery Orchestrator and; Cloud File System instances are stateless and; automatically restarted as new cloud compute; instances within a short duration in case of any; disruption.
• Outage reporting: Email Alerts

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Management interfaces implement role-based; access controls and require members to; authenticate against the corporate identity; provider. Access is managed through the; management gateway which restricts access; based on originating IP address and SSL usage.; Additional security and authentication; mechanisms including the use of time-based; credentials are used to secure and monitor; access.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Devices users manage the service through:
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: KPMG
• ISO/IEC 27001 accreditation date: 31/12/2023
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 03/04/2024
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: N/A
• PCI certification: Yes
• Who accredited the PCI DSS certification: Crowe LLP
• PCI DSS accreditation date: 23/01/2024
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO 27017
  • ISO 27018
  • SOC 2 Type 2
  • SOC 3

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: VMware security policies are documented and; available to employees on an internal web site.; Policies and procedures are reviewed annually,; updated as needed and retained for a minimum; of six years from the date of creation. VMware; utilizes a standard operating procedure; repository to store an extensive set of; documented procedures. Detailed procedures; are defined for the following categories of; functions: information security, physical security,; network availability, HR, communications,; risk/issues and service level customer service.; On an annual basis, VMware Live Recovery is; audited by third-party auditors for ISO 27001,; SOC 2, SOC 3 and HIPAA. Policy adherence is; included as a part of these third-party audits.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: The VMware Live Recovery team has a; comprehensive development lifecycle and and; change management system in place.; Continuous reviews and testing occur on the; software development pipelines for individual; components. Approvals for any changes related; to each new release are documented explicitly in; JIRA and Bugzilla tickets. VMware generates; builds from approved components and runs; these through BITs (Basic Integration Tests),; PVTs (Product Validation Tests), and Feature; Stress Lite Tests. Additionally, we run; performance tests, feature stress tests, security scans, vulnerability tests and System Tests at; scale for every cycle before any build is rolled out; to customer environments.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: VMware has comprehensive vulnerability; management program in place which includes; regular internal (at least quarterly) and third-party; vulnerability scanning and penetration testing.; The VMware Security Response Center (VSRC); leads the analysis and remediation of service; security issues. VSRC receives reports directly; and monitors the ecosystem for relevant security; issues and works with VMware R&D to develop; and resolve issues. VMware Live Recovery has; the capability to rapidly patch vulnerabilities.; Remediation efforts and timelines are prioritized; and applied using industry best practices. For; further details on the process and our; commitment to customers, see the VMware; Security Response Policy; https://www.vmware.com/support/policies/securit; y_response.html
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: VMware has a Security Operations Center; staffed 24x7 and alerted on security anomalies in; the VMware Live Cyber Recovery environment.; VMware Live Cyber Recovery has several; intrusion detection/prevention mechanisms in; place and the service continuously collects and; monitors the environment logs which are; correlated with both public and private threat; feeds to spot suspicious and unusual activities.; The customer is responsible for the security of; the environment over which they have; administrative level control. Details on the shared; responsibility model employed by VMware Live; Cyber Recovery are available here:; https://core.vmware.com/resource/vmwarecloud-disaster-recovery- shared-responsibilitymodel
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The process complies with industry standards for; legally admissible chain- of-custody and forensicdata-collection management processes and; controls. Response standards, procedures,; methods are implemented based on the severity; level. If VMware determines that unauthorized; access to/use/disclosure of customer content,; VMware will use commercially reasonable efforts; to notify customers, taking into account any; applicable law, regulations, governmental; request. VMware will also notify customers of a; suspected breach of the infrastructure if that; breach occurred on a segment of the platform; consumed by a customer, or in the event of; Denial of Service attacks. VMware does not; monitor guest workloads for such breaches.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: There is both capacity and network level isolation; between different customers' environments to; prevent users and customers from accessing; resources not assigned to them. Each customer's; VMware Live Cyber Recovery deployment -; consisting of at least one Orchestrator; component and one Cloud File System; component - resides in a completely separate; cloud account with its own dedicated compute,; memory, networking, and storage resources. This; eliminates the potential for other customers to; affect their workloads.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: VMware Cloud on AWS utilizes AWS datacenters; and information about AWS & Sustainability can; be found here: https://aws.amazon.com/aboutaws/sustainability/

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Our 2023 Environmental, Social & Governance; Report highlights the actions and strategies we; have taken in our dedication to responsible; business practices and our commitment to the; betterment of our customers, employees and; communities as we strive to build a world. Please; find the details here -; https://www.broadcom.com/company/citizenship

Pricing

• Price: £327 a virtual machine a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@uk.cdw.com. Tell them what format you need. It will help if you say what assistive technology you use.