By Matt Herreras, Director, Technical Marketing for VMware Cloud on Dell EMC
VMware Cloud on Dell EMC has passed a SOC2 Type-2 audit, adding to the growing list of security and compliance certifications and attestations for the service. These include SOC2 Type-1, GDPR, ISO/IEC 27001, 27017, and 27018, CSA, and the UK Cyber Essentials Plus certification. Please visit the VMware Cloud Trust Center for a full list of VMware cloud certifications.
What is SOC2?
SOC2 is an attestation framework that helps customers and auditors understand how a service provider manages security and compliance in its offering. A SOC2 Type-1 report describes the provider's systems and controls at a point in time and whether their design is suitable to meet the applicable trust services principles. A SOC2 Type-2 report goes further and documents whether those controls operated effectively over a review period, not just whether they were designed correctly.
What was certified, and who is the auditor?
VMware Cloud on Dell EMC is a unique offering that takes the best of VMware’s managed cloud service and delivers it on Dell VxRail hyperconverged infrastructure instances in a customer’s data center and edge locations. VMware then maintains this service on behalf of the customer for the duration of the contract. See the following diagram for what is included in the service.
PricewaterhouseCoopers recently completed a thorough SOC2 Type-2 audit of the joint VMware Dell solution.
What Does This Mean for You?
Customers want to meet compliance standards as cost effectively and as quickly as possible to facilitate business objectives, fulfill a mission, or seize market opportunities. VMware Cloud on Dell EMC's SOC2 Type-2 report makes it easier, cheaper, and faster to provide third-party attestation for the infrastructure and operations VMware manages to an auditor, a compliance team, or a board of directors.
Compliance is hard
Reaching a level of compliance in an IT environment depends on two important factors: the architecture and the controls. Establishing a "known architecture" is important because it defines how the systems are built and how they relate to one another. The controls, or processes, are important because they define how the architecture is managed and maintained. Together these factors define a production-ready IT environment. However, there are many paths to this end state. Customers or professional services engineers will combine learned experience, best practices, and product documentation to implement the best possible architecture and controls. While the resulting environment may be reliable and perform well, no two deployments are exactly the same, and strict adherence to operational controls is difficult to maintain as the environment changes. Every deployment therefore has to be described and evidenced from scratch, which makes working with auditors time consuming and expensive.
But, it could be easier
Now let's imagine you've invested in VMware Cloud on Dell EMC. With this service the architecture and operational controls are documented, and VMware works with its auditor to attest SOC2 Type-1 compliance for that documented design. The software has automated controls and lifecycle management that prevent the deployed environment from drifting from the baseline over time. To establish SOC2 Type-2, VMware works with the same auditor to demonstrate that the service remained compliant with that baseline over a six-month review period.
To be clear, this does not mean VMware can guarantee all of your information systems are SOC2 Type-2 compliant. While the service covers a significant portion of infrastructure and operations, VMware Cloud on Dell EMC's report only covers what VMware controls. You are still responsible for network segments, firewall rules, virtual machines, operating systems, applications, and data, and your own auditor will still need evidence for those layers. This shared responsibility model is common across cloud providers, and it is true for VMware Cloud on Dell EMC as well. To make this last point with a metaphor: before riding an elevator, the rider can check the certificate of code compliance in the building office, but not exceeding the elevator's maximum load is the rider's responsibility. To learn more about the shared responsibility model in VMware Cloud on Dell EMC, please see the Service Description documentation.
Because VMware Cloud on Dell EMC has achieved SOC2 Type-2 attestation, customers of this managed on-premises cloud service can be confident that the audited baseline remains compliant over time.
Please visit the product page to learn more about this service.