XTRAVIRT LIMITED

VMware SASE

Secure Access Service Edge (SASE) provides Cloud Web Security (CWS) functionality to protect users while access Web based services and applications. Access to CWS is achieved via SD-WAN and Secure Access (VPN) to provide a consistent secure Internet experience determined by user location and device posture.

Features

  • SSL Inspection
  • Cloud Access Security Broker
  • Data Loss Prevention
  • Content filtering and inspection
  • Resilient access
  • Cloud hosted security
  • Remote access with Virtual Private Network
  • User or Group access and security policies
  • Traffic and Threat Analysis
  • VMware SD-WAN integration

Benefits

  • Protected user experience for web-based access
  • Monitoring of Internet use and access by user
  • Integrated security posture for remote access and SD-WAN
  • Work anywhere secure Internet and on-premises access
  • Distributed global presence through VMware SASE POPs
  • Centralised configuration management
  • Integrated into VMware Workspace One for device control

Pricing

£1,000 a unit

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at robin.gardner@xtravirt.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

4 0 3 1 2 3 9 6 3 5 8 6 3 2 2

Contact

XTRAVIRT LIMITED Robin Gardner
Telephone: 08004880038
Email: robin.gardner@xtravirt.com

Service scope

Service constraints
VMware SASE documentation provides clear guidance regarding the implementation best practises needed for the service. Use of VMware Cloud Web Security (CWS) requests the installation of a Trusted Root Certificate to allow inspection of encrypted traffic. Secure Access (SA) uses the VMware Workspace One Tunnel client for access to allocated Points of Presence (POP). Policy for the tunnel client is configured in VMware Workspace One and then deployed at the time of device onboarding.
System requirements
  • Software license agreement per user
  • Compliant user device or SD-WAN edge connection
  • Integration into the customers' Identity Provider
  • Deployment of a Tunnel Client for Secure Access
  • Installation of VMware CWS SSL certificate

User support

Email or online ticketing support
Yes, at extra cost
Support response times
VMware offers online trouble ticketing through the Customer Connect portal provided at the VMware website. A response timeline is defined based on the tickets assigned severity level, and the level of support plan purchased: Production: Sev1 (<30 mins 24x7), Sev2 (<4 hours 12x5), Sev3 (<8 hours 12x5), Sev4(<24 hours 12x5) Premier: Sev1 (<30 mins 24x7), Sev2 (<2 hours 24x7), Sev3 (<4 hours 12x5), Sev4(<12 hours 12x5) Carrier Grade: Sev1 (<15 mins 24x7), Sev2 (<1 hours 24x7), Sev3 (<4 hours 10x5), Sev4(<8 hours 10x5) SASE Production Support: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmware-saas-production-support-and-subscription-datasheet.pdf SASE Premier Support: https://sase.vmware.com/content/dam/digitalmarketing/vmware-sase/pdfs/sdwan-797-vmware-sdwan-support-compare-ds-1119.pdf SASE Carrier-Grade Support: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/services/support/vmware-sase-carrier-grade-support.pdf
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
VMware SASE offers Production, Premier and Partner Support. Production Support for Cloud Hosted products is listed here: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmware-saas-production-support-and-subscription-datasheet.pdf. Premier information is available here: https://sase.vmware.com/support . Hours of operation are 24x7x365 with an unlimited number of support requests and remote support assistance. VMware partners are able to offer support using the Telco & MSP Support level: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/services/support/vmware-sase-carrier-grade-support.pdf Costs available in the pricing document. Technical Account Managers are part of the VMware service offering, but are funded by the customer unless otherwise agreed.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
VMware Professional Services can rapidly deploy solutions according to the business and technical requirements. This is focused on architecture, topology, and functional testing. Knowledge transfer sessions are completed to ensure that our customers are fully versed in the operational infrastructure. VMware also partners with organisations that can provide training, deployment, management, and customer-specific documentation for SASE implementations. VMware have user documentation that covers the SASE solution available at: https://docs.vmware.com/en/VMware-SASE/index.html
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
VMware enables periodic extraction of key configuration and statistics information for offline storage through REST API. The metadata available in Orchestrator is from flows that traversed from a LAN interface to a WAN interface. This data includes information on the host originating the flow such as source IP address, source MAC, address, and source FQDN. If the users have authenticated using WPA Enterprise, the username will also be associated with the flow and collected in the VCO.
End-of-contract process
The VMware SD-WAN Orchestrator (VCO) collects metadata from the flows that traversed from a LAN interface to a WAN interface. This data includes information on the host originating the flow, such as source IP address, source MAC address, and source FQDN. If users have authenticated using WPA Enterprise, the username will also be associated with the flow and collected in the VCO. After account termination, the accounts will be suspended; however, all data will remain in the account for up to 1 year after termination. Upon explicit request, the data can be deleted from the VCO at an earlier date. There are no additional costs involved for VMware to store the data.

Using the service

Web browser interface
Yes
Using the web interface
Users manage device onboarding through VMware Workspace One UEM. Workspace One controls the compliancy of devices, so they align with company standards. It also applies software, certificates and policy as required. Workspace One policy is used for the configuration of Workspace One Tunnel software, a VPN client used to access VMware SASE Secure Access. VMware SD-WAN Orchestrator is coupled with Workspace One to populate SASE POPs with Secure Access configuration. Secure Access configuration is mapped to specific users or groups. VMware SD-WAN Orchestrator is also used to create, manage, and deploy Cloud Web Security configuration. Internet web-based user traffic is mapped to the VMware SASE PoPs via Secure Access, or SD-WAN edge policy, so that Internet based access can be securely controlled. Administrators can use features such as Cloud Access Security Brokers, SSL Inspection, URL filtering, and Content filtering and Inspection to manage and protect user access.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
NA
Web interface accessibility testing
VMware has 146 products with ongoing efforts to increase accessibility. VMware has a team of accessibility subject matter experts embedded in the product teams. Over half of our accessibility team has a disability, including five screen reader users and one magnification/keyboard user, and including individuals with cognitive disabilities. VMware also does testing annually with users outside of VMware that have disabilities through the VMware Design Studio program.
API
Yes
What users can and can't do using the API
VMware Workspace One UEM and SD-WAN Orchestrator can be managed via a Northbound RESTful API via HTTP/TLS1.2. Core functionality is replicated in the APIs to allow workflows and custom applications to interface with both orchestration platforms.
API automation tools
  • Ansible
  • Other
Other API automation tools
  • Postman
  • CURL
API documentation
Yes
API documentation formats
  • HTML
  • PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Mware SD-WAN (part of SASE) provides a secure method to support CLI access to Edges using key pairs generated per user and sends a logged-in user into an Edge CLI shell that only exposes SD-WAN troubleshooting commands and meets CSO requirements. CLI is available for low-level debugging. VMware recommends utilizing SD-WAN Orchestrator or API for provisioning, configuration, and ongoing management and troubleshooting of SD-WAN Edges.

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
VMware operations team monitor the load and take proactive management for SASE POP locations. VMware SASE gateways are mapped to customer tenants from pools of resources allocated to the Orchestrator. VMware SASE POP automation can add extra resources when thresholds are reached before operational impact is identified. Container based delivery is used to seamlessly add capacity.
Usage notifications
No

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • HTTP request and response status
  • Memory
  • Network
  • Other
Other metrics
  • Threat Analysis
  • Traffic Analysis
  • CASB Analysis
  • Web Logs
  • Events
  • WAN link utilisation
  • Loss, latency, and jitter measurements on WAN links
Reporting types
  • API access
  • Real-time dashboards

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
VMware, AWS, Google, Microsoft, VEEAM, Zerto, Runecast

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • VMware SD-WAN Orchestrator database
  • Orchestrator DR as a hot-standby with live feed from primary
  • Extract key configuration and statistics information via API
  • Workspace ONE UEM database
Backup controls
Backups of the VMware SD-WAN Orchestrator are handled by the VMware operations teams. Workspace ONE backs up device configurations and resource entitlements provisioned through the solution but does not back up end-user data stored on the device or within apps.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
VMware will use commercially reasonable efforts to ensure that the services are available during a given month equal to the “Availability Commitment” specified as follows: VMware SD-WAN: 99.99%. VMware Secure Access: 99.90%. VMware Cloud Web Security: 99.99%. Availability in a given billing month is calculated according to the following formula: “Availability” = ([total minutes in a billing month – total minutes Unavailable] / total minutes in a billing month) x 100 Details regarding the Service Level Agreement can be found here: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/downloads/eula/vmware-nsx-sd-wan-by-velocloud-service-level-agreement.pdf
Approach to resilience
VMware SASE provides resilience through a global network of SASE POP locations. Each SASE POP provides Cloud Web Security and Secure Access functionality. Any user onboarded into Secure Access will be mapped to a number of SASE POP locations, typically five, with the user accessing the POP with the lowest latency. If a POP is experiencing difficulty, or connectivity is not possible, alternative POPs will be used.
Outage reporting
VMware reports outages of all cloud-hosted services on a public dashboard: https://status.vmware-services.io/history

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels
The VMware SD-WAN Orchestrator is designed for multi-tenant environments. There are three organisational tiers providing distinct roles for access and visibility for the operator, multiple agents/managed services or channel partners, and multiple end enterprise customer tenants. VMware Workspace ONE uses built-in and custom roles to define the device groups that IT administrators can access and manage. These roles restrict the depth of device management information and features available to each console user. Authentication integrates with enterprise directory services or uses basic authentication, SAML, etc. The solution records all console activity and provides detailed logs of user access and events.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
25/03/2022
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
NA
PCI certification
No
Cyber essentials
No
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • IS27001
  • ISO27017
  • ISO27018
  • PCI-DSS
  • CSA-STAR

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
VMware assessments focus on meeting the needs of a broad range of users that need detailed information and assurance about the controls at VMware relevant to the security and availability of the systems that VMware uses to process and store users’ data. They include: · Secure operations and processes · Oversight of the organization · Vendor management programs · Internal corporate governance and risk management processes · Regulatory oversight
Information security policies and processes
VMware SASE has a security team that oversees security features during SDLC and manages ongoing security for our product and service offering. VMware is in the process of obtaining a SOC2, Type I report for SASE. The SOC2 report is an attestation of the design and operating effectiveness of controls relevant to security and availability at VMware provided by a qualified, independent, external auditor.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
VMware Configuration Management policy is based on industry best practices. Revisions and exceptions are processed through a documented procedure to help ensure the confidentiality, integrity, and availability of our hosted offering. - maintains cryptographic keys for required cryptography in the SaaS environment based on standards, procedures, and secure methods. Change Management is staged on the Orchestrator by creating a copy of the profile undergoing the change. The updated profile is attached to individual Edges to test and roll back as needed. All changes are logged in the Orchestrator event log, indicating who/when enacted the change.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
VMware analyzes identified vulnerability for applicability, adjusting the vulnerability score on mitigating factors determining the final criticality score. The network layer, application, and internal OS layer vulnerability scans are performed. This includes third-party vulnerability scanning and penetration tests. Vulnerability scans are reviewed annually. After analyzing the severity and impact, VMware patches all network, utility, and security equipment. VMware has subscriptions to vendor security and bug-tracking notification services. Critical patches are installed timely. Non-critical patches are applied within reasonable timeframes. Patch testing/rollback procedures are completed with minimal impact. Third-party auditors perform reviews against industry standards, including ISO 27001.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Security scans against the infrastructure components are completed regularly. If a security breach is detected, affected POPs will first be detached from the management core to isolate the exposure. Local bastion hosts will be spun up to provide out-of-band access to the resources. Once the compromised instance or instances are identified, these will be terminated and rebuilt to restore functionality or service. If a material breach is observed, impacted customers will be notified within five days or in the timeframe as required by local law or other applicable regulations (such as GDPR).
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
VMware has pre-defined processes for common events. VMware users who become aware of a security vulnerability in VMware products contact VMware with details of the vulnerability. VMware has established an email address used for reporting a vulnerability security@vmware.com. Incident reports are provided via email and release notes

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
No

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
VMware SD-WAN typically utilizes AWS datacenters and information about AWS & Sustainability can be found here: https://aws.amazon.com/about-aws/sustainability/ .VMware SASE components typically utilise Equinix datacentres and infomation about their energy efficiencies can be found here: https://sustainability.equinix.com/environment/

Social Value

Fighting climate change

Fighting climate change

VMWARE: Sustainable growth for VMware’s business requires decoupling our company growth from carbon emissions. To this end, we’ve accelerated our focus on decarbonization and received third-party validation from the Science Based Target Initiative (SBTi) on our science-based targets. Since 2018, we have maintained our certified CarbonNeutral® company status, in accordance with The CarbonNeutral Protocol. Since 2019, we have sourced 100 percent of our power in our global facilities from renewable sources, in accordance with RE100 Reporting Guidance.
Xtravirt has taken initial steps to reduce our environmental footprint via the wholesale adoption of cloud services, reducing unnecessary consultant travel, and recycling of technology for reuse rather than waste. Where we supply or use technology, we ensure that we and our suppliers conform to WEEE Directive. We target being carbon neutral by 2025 and guide our staff to be responsible digital citizens. Where required, we support the definition and delivery of sustainability targets aligned to engagements and assist in the identification of opportunities across the customer organisations. Solution designs and engagements provide opportunities to support customer sustainability objectives, scaling capacity in line with adoption to avoid idle technology and sourcing solutions that minimise waste. Remote delivery of services is facilitated wherever possible by using effective digital collaboration services, minimising unnecessary travel. Internal prioritisation and delivery progress of environmental and sustainability commitments and initiatives are reviewed on an annual basis
Covid-19 recovery

Covid-19 recovery

VMware: Decisive action by VMware during the early days of the COVID-19 pandemic led to a company-wide remote workforce, which our customers were able to implement as well through VMware’s Workspace solutions. ● Through VMware’s unique Citizen Philanthropy approach to giving, we empower every VMware employee—wherever they are—to be active, engaged citizens, contributing to what matters most to them in their own communities. Throughout the pandemic, VMware people delivered food to neighbors in need, made masks and donated resources to frontline workers and relief efforts, and helped nonprofit organizations strengthen their IT operations so they can focus on supporting their communities. VMware also supported GlobalGiving’s Coronavirus Relief Fund and TechSoup’s COVID-19 Response Fund, and raised the limit on matching gifts available to all VMware people
Xtravirt helps organisations develop, deploy and operate technology and IT services that support effective remote working, enabling those who are vulnerable or isolating to continue to accelerate their return to work and contribute as an active and valued member of the workforce regardless of their location
Tackling economic inequality

Tackling economic inequality

VMware IT Academy partners directly with more than 2,500 educational institutions, governments and nonprofits globally to empower learners through coursework, labs and experiences. To enrich learning and help jump-start careers, our partner academic institutions can also access the latest suite of VMware software solutions and use them in a hands-on educational environment. VMware IT Academy is key to our 2030 goal of upskilling 15 million people through our educational offerings and creates a pipeline of diverse talent that is available to advance companies’ digital journeys and deploy VMware solutions. VMware Responsible Sourcingsupports sustainability, diversity and accessibility across our supply chain. VMware has committed to working with 75% of our suppliers (by spend) to set their own science-based targets by the end of 2024. We are also prioritizing the sourcing of goods and services through diverse businesses and have committed to spending $1.5B with diverse suppliers through 2030. Our definition of diverse supplier includes: small-business enterprises, minority-owned enterprises, woman-owned enterprises, and businesses owned by other underrepresented groups such as LGBTQ, veterans, and proprietors with disabilities.
Xtravirt is a member of the Living Wage Foundation. This foundation is at the heart of the independent movement of businesses, ‎organisations and people who believe that a hard day’s work should mean a fair day’s pay. It ‎recognises and celebrates the leadership shown by the 6,000 Living Wage Employers across the UK ‎who voluntarily commit to ensure their staff earn a real Living Wage that meets the cost of living.
Equal opportunity

Equal opportunity

VMware joined the Valuable 500, a global business collective that is igniting systemic change and unlocking the business, social and economic value of more than 1 billion people with disabilities around the world. From ensuring the technology we develop is accessible for all to empowering our employees through accessible, inclusive and innovative engagement and wellbeing programs, our company remains committed to driving meaningful impact on disability, wellness and neurodiversity inclusion. ● As a leading software company, user accessibility is top of mind at VMware. One of our ESG goals by 2030 is to ensure the technology that we develop, and source within our supply chain, is accessible for all. We created internal Accessibility Guidelines within VMware and committed to assess all new software and events suppliers for accessibility standards aligned with our own guidelines. ● Employee Resource Groups at VMware are called Power of Difference communities (“PODs”), and they play a strategic role in building a culture of belonging. We are focused on driving a culture that is inclusive of all forms of diversity, including supporting employees with disabilities. In 2021, VMware was named a Best Place to Work for Disability Inclusion by the Disability Equality Index (DEI).
Xtravirt is an equal opportunities employer. All job applicants receive equal treatment regardless of race, colour, ethnic or national origin, marital status, sexual orientation, disability, religion or age.
Wellbeing

Wellbeing

At VMware, we enrich lives at work, at home and in the community, because we believe that empowering our people to bring their authentic selves to work drives business excellence and enables us to achieve our business goals. We prioritize employee wellbeing and work hard to foster a culture that is ethical and respectful, kind and compassionate, which is defined by our EPIC2 values—Execution, Passion, Integrity, Customers and Community. ● Employee wellbeing at VMware is a top priority as we believe people are the key to our success, and we are always striving to make it easier for employees to pursue wellbeing on their own terms, which will also help them perform well at work. We recognize that VMware has a responsibility to help support our employees manage the added complexities of their work and family situations since the start of the COVID-19 pandemic. Our wellbeing benefits include: four supplemental days off (our “EPIC2” days), life coaching and emotional support, work-life services for employees and their families, and a wellbeing allowance.

Pricing

Price
£1,000 a unit
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
A Proof of Concept (PoC) trials are possible with VMware SD-WAN, but require approval and signed agreements in advance. PoCs are time bound by agreement and require the completion of a mutally agreed test plan.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at robin.gardner@xtravirt.com. Tell them what format you need. It will help if you say what assistive technology you use.