|Industry||Computing, Cloud computing, Web services|
|Headquarters||Palo Alto, California, United States|
|Key people||Zane Rowe (CEO)|
|Revenue||$3.3 billion (2020, Q4)|
VMware Cloud is a collection of hybrid and multicloud software solutions offered as a service by VMware that give you the "flexibility to migrate to any cloud, run apps on every major hyperscale cloud, and access hundreds of innovative cloud-native services to drive app modernization." Additionally, the solutions allow you to "choose the optimal cloud for your apps with the option to deploy natively or on proven VMware infrastructure." Solutions include VMware Cloud Foundation, VMware Cloud on AWS, VMware Cloud on Dell EMC, VRealize Cloud Management, and VMware Cloud Universal. The VMware Cloud solutions support the Amazon, Google, IBM, Microsoft, Oracle public clouds, among others.
VMware Cloud is also notable for its VMware Cloud Verified program. VMware notes: "VMware Cloud Provider Partners deliver VMware Cloud Infrastructure in services worldwide with the VMware Cloud Verified designation. Gain support for your apps—from existing to cloud-native to SaaS—across private, public, and hybrid clouds using services by partners displaying the VMware Cloud Verified logo." As of late April 2021, VMware Cloud boasts more than 250 VMware Cloud Verified providers around the world, with some 88 percent of them offering some flavor of infrastructure as a service (IaaS) offering and 33 percent of them offering some flavor of platform as a service (PaaS) offering. This includes major public cloud providers such as OVH. Interested parties can consult the search filters available for these providers to filter by data center location, region, validated service, compliance and certifications, services offered, and vertical markets.
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made. Additionally, as a hybrid cloud provider, some of the questions from Chapter 5 (e.g., "How segregated is our cloud data from another customer's") are not relevant, as they are not providing public cloud services. Note that VMware Cloud offers some of its cloud services on the AWS IaaS and is not a public cloud provider itself, with VMware Cloud on AWS replacing its public cloud business in mid-2017.
1. What experience do you have working with laboratory customers in our specific industry?
VMware Cloud services have been used or are currently being used by laboratories such as Centre National de la Recherche Scientifique, Charles River Laboratories, and ESC Lab Sciences. A VMware Cloud representative is likely to be able to supply more examples of laboratories that use or have used VMware Cloud.
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
VMware speaks broadly of the importance of integration in hybrid cloud computing, but it doesn't appear to go into lengthy discussion of how its solution facilitates integrating with your systems and business practices. The company does discuss its VMware Cloud Director solution as an integration tool, though outside of features and benefits the company doesn't clearly say what the solution is other than calling it a "cloud service delivery platform." You'll have to discuss how VMware cloud can integrated with your systems and processes with a VMware Cloud representative.
3. What is the average total historical downtime for the service(s) we're interested in?
Some public information is made available about historic outages and downtime. VMware Cloud has a systems status page with status history (scroll down to the bottom and click on the "Incident History" link). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with a VMware Cloud representative may reveal more historical downtime history for the services you are interested in.
4. Do we receive comprehensive downtime support in the case of downtime?
VMware Cloud does not make this answer clear. However, the answer is likely tied to what support plan you choose. Confirm with VMware Cloud what downtime support they provide based on the services your organization are interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
VMware Cloud in itself is not a public cloud, and as such, this question is not fully relevant. That said, it will be useful to understand the underlying technology supplied by VMware in regards to data transmission to public and private cloud instances. VMware says this about data transfer security:
For data that is required to move through public networks, VMware provides customers with the ability to create IPsec and SSL VPN tunnels from their environments that support the most common encryption methods, including 128-byte and 256-byte AES. Data in transit (authentications, administrative access, customer information, etc.) is encrypted with standard encryption mechanisms (i.e., SSH, TLS and Secure RDP). Communication that transports sensitive information (authentications, administrative access, customer information, etc.) is encrypted with standard encryption mechanisms.
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
VMware Cloud in itself is not a public cloud, and as such, this question is not fully relevant. That said, VMware says this about access to customer data specifically in regards to VMware Cloud for AWS:
Access to customer environments where a customer’s data is stored requires an authorized VMware operator to authenticate via two-factor authentication to an access control system to generate a user-specific time-based credential. Generation of these temporary credentials must be tied to a specific incident, and all activity performed by the users is logged. The VMware Security Operations Center uses log capture, security monitoring technologies and intrusion detection tools to monitor VMware personnel accessing customer data and to look for unauthorized access attempts.
As for training and certifications for VMware Cloud for AWS offerings:
In alignment with the ISO 27001 standard, all VMware personnel are required to complete annual security awareness training. Personnel supporting VMware managed services receive additional role-based security training to perform their job functions in a secure manner. Compliance audits are periodically performed to validate that employees understand and follow the established policies.
Consult the VMware Cloud for AWS security guide or a representative to learn more.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
VMware Cloud in itself is not a public cloud, and as such, this question is not fully relevant. However, the company notes that "VMware builds security into the foundations of every one of our cloud solutions. This means our offerings align with major compliance certifications to maintain standards that meet industry best-practices."
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
VMware Cloud in itself is not a public cloud, and as such, this question is not fully relevant. However, VMware says this about segregation specifically in regards to VMware Cloud for AWS:
Production and non-production environments are logically and physically segregated. Development, quality assurance (QA) and production use separate equipment and environments, and are managed by separate teams.
To learn more, discuss this with a VMware Cloud representative.
9. Do you have documented data security policies?
VMware Cloud documents its thoughts and practices on security in several places:
- VMware Cloud Services security overview for offerings running on AWS IaaS
- VMware Cloud security page
- VMware multicloud security page
10. How do you test your platform's security?
Broadly speaking, VMware briefly notes that its security development lifecycle (SDL) includes "product security assessments, threat modeling, static and dynamic scans, and penetration testing." In regards to VMware Cloud for AWS, VMware discusses the security development lifecycle program it uses, with:
- code undergoing "a rigorous review for code security and quality"
- the software development lifecycle catching "security issues early in the lifecycle"
- verification that "all software suppliers adhere to industry standards for security development lifecycle security using its comprehensive vendor risk management process"
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
VMware Cloud in itself is not a public cloud, and as such, this question is not fully relevant. The company says little about intrusion detection and reporting outside of its NSX Distributed IDS/IPS. In regards to its VMware Cloud for AWS, "VMware has an intrusion detection system and other tools in place that continuously monitor for deviations in production from our baseline configurations and generate notifications." Their security document adds:
The logging and monitoring framework for VMware Cloud Services allows for the identification of incidents to specific tenants. A SIEM system is in place and merges data sources for granular analysis and alerting, and is used by the VMware Security Operations Center.
12. What data logging information is kept and acted upon in relation to our data?
In its terms of service, VMware indicates:
We monitor and collect configuration, performance, and usage data relating to your use of the Service Offering: (a) to facilitate delivery of the Service Offering (such as (i) tracking entitlements, (ii) providing support, (iii) monitoring the performance, integrity, and stability of the Service Offering’s infrastructure, and (iv) preventing or addressing service or technical issues); and (b) to improve our products and services, and your experience. You must not interfere with that monitoring. We will not access Your Content except as necessary to provide the Service Offering, or pursuant to Section 1.9 (“Required Disclosures”).
For further details, discuss this with a VMware representative.
13. How thorough are those logs and can we audit them on-demand?
Like the prior question, discuss this with a VMware representative.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
VMware Cloud in itself is not a public cloud, and as such, this question is not fully relevant. That said, it's worth noting that the VMware Cloud for AWS offering is "completed an independent third-party examination against applicable controls of HIPAA, and a Business Associate Agreement (BAA) is also available."
15. What happens to our data should the contract expire or be terminated?
Per the terms of service, "[d]eletion of any Content remaining in the Service Offering will occur as specified in the applicable Service Description. As between you and us, you are responsible for ensuring that you have necessary copies of all Your Content prior to the effective date of any termination." Presumably you'll be backing up your data and information elsewhere before then. However, discuss with a representative to learn more.
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how VMware would handle your data should they go out of business; consult with a representative about this topic. As for catastrophic events, VMware Cloud on AWS and VMware Site Recovery provide means for proactive disaster avoidance. This is a topic for further discussion with a representative.
17. Can we use your interface to extract our data when we want, and in what format will it be?
As a hybrid solution, you should be able to extract data at whim to another private of public cloud location. Extracting data for the VMware Cloud for AWS offering may be different. Consult with a VMware Cloud representative.
18. Are your support services native or outsourced/offshored?
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a VMware Cloud representative.
Managed security services
VMware Cloud doesn't appear to explicitly advertise "managed security services." VMware does, however, offer professional services through its VMware Professional Services offering. Under its "Intrinsic Security" section, VMware notes several categories of services:
- Advisory services: security rule and policy review, audits of remediation and threat intelligence, and system optimization
- System health check: analysis of system configuration and components, penetration testing, and configuration validation
- Operational services: gap analysis in business operations and security decision tree development
- Migration services: migration oversight and review of imported security profiles, automations, etc.
- Design and deploy: integration management, threat protection and prevention optimization, risk management, and policy implementation
- Network security: security policy and firewall rule development, antivirus and endpoint protection, micro-segmentation assistance, and security group and profile configuration
Documentation and other media
- VMware Cloud development and auditing practices
- VMware Cloud Verified provider search and filters
- VMware Cloud trust center
- VMware Professional Services
Rouse, M.; Moore, N. (April 2018). "VMware Cloud on AWS". TechTarget - SearchVMware. Archived from the original on 14 August 2020. https://web.archive.org/web/20200814113334/https://searchvmware.techtarget.com/definition/VMware-Cloud-on-AWS.
- ↑ "VMware Reports Fourth Quarter and Fiscal Year 2021 Results". VMware. 25 February 2021. https://ir.vmware.com/websites/vmware/English/2120/us-press-release.html?airportNewsID=3916c89f-daa8-4a0e-aa1d-ad61eaaaab38. Retrieved 29 April 2021.
- ↑ 2.0 2.1 2.2 "Transform Your Apps and Cloud Faster with VMware Cloud". VMware. https://www.vmware.com/cloud-solutions.html. Retrieved 29 April 2021.
- ↑ "Hybrid Cloud Solutions". VMware. https://www.vmware.com/cloud-solutions/hybrid-cloud.html. Retrieved 29 April 2021.
- ↑ "VMware Cloud Verified". VMware. https://www.vmware.com/vmware-cloud-verified.html. Retrieved 29 April 2021.
- ↑ 5.0 5.1 5.2 5.3 5.4 5.5 5.6 5.7 "VMware Cloud Services Security Overview" (PDF). VMware. August 2019. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/cloud-services/vmware-cloud-services-on-aws-security-overview-white-paper.pdf. Retrieved 29 April 2021.
- ↑ "What is VMware Cloud? Benefits for Service Providers". Acronis. https://www.acronis.com/en-us/articles/vmware-cloud/. Retrieved 29 April 2021.
- ↑ Hudson, A. (11 January 2019). "CNRS renews their IT infrastructure with private cloud". VMware Cloud Management Blog. VMware. https://blogs.vmware.com/management/2019/01/cnrs-renews-their-it-infrastructure-with-private-cloud.html. Retrieved 24 April 2021.
- ↑ VMware Cloud Provider Team (8 May 2012). "Another VMware Cloud: Charles River Laboratories Runs Their Hybrid Cloud on VMware". VMware Cloud Provider Blog. VMware. https://blogs.vmware.com/cloudprovider/2012/05/another-vmware-cloud-charles-river-laboratories-runs-their-hybrid-cloud-on-vmware.html. Retrieved 24 April 2021.
- ↑ VMware Cloud Provider Team (2 March 2016). "Another VMware Cloud in Action — ESC Lab Sciences Turns to VMware for Durable Disaster Recovery". VMware Cloud Provider Blog. VMware. https://blogs.vmware.com/cloudprovider/2016/03/another-vmware-cloud-in-action-esc-lab-sciences-turns-to-vmware-for-durable-disaster-recovery.html. Retrieved 24 April 2021.
- ↑ "VMware Cloud Trust Center - Security". VMware. https://cloud.vmware.com/trust-center/security. Retrieved 24 April 2021.
- ↑ "VMware Security Development Lifecycle". VMware. https://www.vmware.com/security/sdl.html. Retrieved 24 April 2021.
- ↑ 12.0 12.1 "Terms of Service" (PDF). VMware. 20 September 2020. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/downloads/eula/vmware-cloud-services-universal-tos.pdf. Retrieved 24 April 2021.
- ↑ Millington, J. (26 June 2018). "VMware Cloud on AWS Supports HIPAA Regulated Apps and Data for Healthcare Organizations". VMware Industry Solutions Blog. VMware. https://blogs.vmware.com/industry-solutions/2018/06/26/vmware-cloud-on-aws-supports-hipaa-regulated-apps-and-data-for-healthcare-organizations/. Retrieved 24 April 2021.
- ↑ Morgan, M. (24 March 2020). "Rapidly respond to business continuity challenges with VMware Cloud on AWS". VMware Cloud Community. VMware. https://cloud.vmware.com/community/2020/03/24/rapidly-respond-business-continuity-challenges-vmware-cloud-aws/. Retrieved 24 April 2021.
- ↑ "Professional Services". VMware. https://www.vmware.com/professional-services.html. Retrieved 27 May 2021.
- ↑ "Intrinsic Security". VMware. https://www.vmware.com/professional-services/intrinsic-security.html. Retrieved 27 May 2021.