Omnissa alignment with the ACSC ISM
Introduction
In the spring of 2026, Omnissa successfully completed its first IRAP assessment, reinforcing our strong security posture and commitment to Australian Government standards.
Working closely with an accredited IRAP assessor provided valuable insights into our technical, governance, and operational controls. The assessment validated where our practices align with the Australian government Information Security Manual (ISM) control requirements. It also highlighted opportunities to further enhance how we protect data classified up to and including PROTECTED levels.
This process has strengthened our internal capabilities and reinforced our readiness to support government and other high‑assurance environments.
This document addresses the security posture for Omnissa cloud services in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
Purpose
This whitepaper summarizes the Omnissa information security program alignment with the Cyber Security Principles and Cyber Security Guidelines within the ISM.
Note: You can find the definitions for acronyms used throughout this document in: Acronyms used in the Workspace ONE Security Series.
Audience
This document is intended for Australian Government customers to evaluate our security controls present in our commercial cloud environments and any potential risks against the ACSC ISM. It assumes at least intermediate knowledge of the Workspace ONE Platform and Horizon Cloud, and focuses on the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization Management Program (FedRAMP), on-premises, and third-party offerings are not in-scope for this document.
Alignment with the ACSC cyber security principles
- Governance – Establishing a balance of effectiveness and efficiency by implementing the appropriate controls and managing risks by understanding the threat landscape and leveraging all decision makers during risk analysis.
- Protection – Providing preventative and protective capabilities to help ensure a secure service.
- Detection – Implementing 24x7 proactive monitoring to detect and identify security incidents.
- Response – Developing agile response procedures that address both individual security incidents and disaster recovery.
Guidelines for cryptography
The purpose of the ISM’s guidelines for cryptography is to provide confidentiality, integrity, authentication and non-repudiation of data. Omnissa supports this through the enforced use of strong encryption both at rest and in transit.
Cryptographic fundamentals
Omnissa implements cryptographic controls aligned with IRAP and ISM requirements, underpinned by modern, cloud-native architecture and formalized governance processes. As validated through independent assessment, Omnissa has designed and deployed robust cryptographic key management practices that support the protection of sensitive data across its environments.
These controls are governed by a comprehensive Encryption Policy, which defines the requirements for the selection, implementation, and management of cryptographic mechanisms. This includes the secure generation, distribution, storage, rotation, and revocation of cryptographic keys, consistent with ISM guidance on key lifecycle management.
Omnissa leverages native cloud cryptographic services to provide centrally managed, highly available, and secure key management capabilities. Access to cryptographic material is tightly controlled through role-based access controls and integrated identity management, ensuring that only authorized personnel and services can access or use keys.
A notable strength of Omnissa cloud environments is their reliance on cloud provider–managed storage encryption. While Omnissa does not directly manage physical storage media within its cloud services, encryption is consistently applied at the storage service layer in alignment with cloud provider standards and default configurations, and in alignment with internationally recognized compliance requirements and regulations, such as ISO 27001 and PCI-DSS.
In addition, Omnissa leverages cloud-provider capabilities to help ensure that encryption keys are highly durable and that recovery processes are securely controlled. This approach significantly reduces the risk of data loss due to key corruption, compromise, or operational failure, reinforcing the overall resilience and security of the platform.
ASD-approved cryptographic algorithms and protocols
Omnissa maintains a high level of alignment with modern cryptographic standards, helping to ensure that only high-assurance algorithms and protocols, consistent with ASD ISM guidance and NIST recommendations, are used across our environments.
To support this effort, asset scanning is performed across the broader internal environment to assess network infrastructure, helping to ensure that hardware assets, load balancers, and storage layers meet the same rigorous cryptographic standards.
Transport layer security (TLS)
Omnissa implements cryptographic configurations in alignment with IRAP and ISM requirements, applying industry‑recognized algorithms and secure protocol configurations to protect data in transit and support strong authentication.
Encryption standards include the use of Advanced Encryption Standard in Galois/Counter Mode (AES‑GCM) with a minimum key length of 128 bits, combined with enforced Perfect Forward Secrecy (PFS). Secure session key establishment is achieved through ephemeral Elliptic Curve Diffie‑Hellman (ECDHE), ensuring that compromise of long-term keys does not expose historical session data, consistent with ISM guidance on key exchange and session confidentiality.
Authentication mechanisms are underpinned by the SHA‑2 family of cryptographic hash functions. SHA‑256 is used for digital certificates, while RS512 and HMAC‑SHA256 are applied to JSON Web Tokens (JWTs) and API request authentication, supporting integrity and non-repudiation requirements.
Omnissa further reduces cryptographic risk by explicitly disabling insecure or deprecated features. Anonymous Diffie‑Hellman (ADH) cipher suites are disabled to prevent unauthenticated key exchanges, and TLS compression is not permitted, mitigating exposure to known side-channel attacks. Weak or legacy cipher suites are also removed from supported configurations in accordance with ISM recommendations.
Supported transport protocols include TLS 1.2 and TLS 1.3, with TLS 1.3 adopted where possible to provide enhanced security guarantees. TLS 1.2 is maintained where required for compatibility with legacy customer environments; however, this is implemented with strong cipher suites only, preserving compliance with IRAP expectations for secure communications.
Secure shell (SSH)
Omnissa implements secure remote access controls for administration in alignment with IRAP and ISM requirements, applying hardened configurations to the Secure Shell (SSH) service to mitigate unauthorized access and lateral movement risks.
SSH access is restricted to public key–based authentication, with password-based authentication disabled to strengthen assurance of user identity. Legacy and insecure protocols, including SSH version 1, are disabled, and direct root logins are prohibited, supporting ISM guidance for privileged access control and secure configuration.
Additional hardening measures limit the attack surface and reduce the risk of misuse. High-risk features, including TCP forwarding and X11 forwarding, are disabled to prevent unauthorized tunnelling and lateral movement within the environment. SSH services are bound only to required network interfaces, restricting exposure to approved network segments.
Session security is further reinforced through the implementation of authentication timeouts, reducing the opportunity for brute-force or automated attacks. Configuration files are protected by strict file permission controls, maintaining the integrity of SSH settings and preventing unauthorized modification.
Internet protocol security
Omnissa implements secure remote access controls in alignment with IRAP and ISM requirements through a hardened Virtual Private Network (VPN) architecture built on modern, standards-based protocols.
VPN configurations enforce the use of tunnel mode, Internet Key Exchange version 2 (IKEv2), and the Encapsulating Security Payload (ESP) protocol across all connections. These controls provide strong protection for data confidentiality and integrity, consistent with ISM guidance for secure communications over untrusted networks.
Perfect Forward Secrecy (PFS) is enforced using approved Diffie‑Hellman group configurations, validating that session keys remain unique and cannot be derived from long-term key material. This significantly reduces the risk of retrospective decryption, even in the event of key compromise.
Guidelines for cybersecurity documentation
Omnissa has developed controls and processes for cyber security documentation, including development and maintenance of both general and system-specific security documentation. Governance is well-defined, with organizational-level documentation approved by the CISO, system-specific information managed by product teams, and mandatory architecture reviews conducted for all new systems prior to development.
Development and maintenance of cyber security documentation
Omnissa maintains an organization-wide information security program aligned with IRAP and ISM requirements, supported by formalized policies, standards, and governance processes. The program is subject to regular review, with annual assessments and audits conducted to validate effectiveness and maintain the accuracy and currency of security documentation.
Key security artefacts, including Business Continuity Plans and Disaster Recovery Plans, are reviewed at least annually and following any significant system or environmental change. This approach supports ongoing alignment with operational requirements and ensures that security and resilience controls remain effective.
Responsibility for security documentation across Omnissa cloud services is clearly defined. Product managers are accountable for ensuring that service-specific security requirements are documented, while operational and engineering teams maintain and implement these controls within their respective environments.
All changes impacting the security posture of Omnissa cloud services are subject to formal approval processes, including review and endorsement by the Information Security function. This governance framework supports controlled change, accountability, and alignment with IRAP expectations for policy management and security oversight.
System-specific cyber security documentation
Service-specific documentation such as data flow and network diagrams, risk registers, deployment procedures, and so on, are reviewed and updated regularly. Omnissa applies consistent incident response plans across its cloud services, which are led by Omnissa SOC.
Cloud services for Omnissa also apply a consistent continuous monitoring plan for proactively identifying, prioritizing, and responding to security vulnerabilities. The Omnissa Security Response Center is responsible for managing and resolving security vulnerabilities in Omnissa products and services that are available to customers.
Note that Omnissa focuses our documentation efforts on global standards rather than specific Australian Government requirements. Consequently, Omnissa does not currently produce standalone System Security Plans (SSPs) that define explicit system boundaries or map existing documentation directly to ISM-mandated controls. Furthermore, Omnissa uses an alternate control by performing its security assessments against ISO 27001.
Guidelines for cyber security incidents
To help maintain the confidentiality, availability, and security of our customer data, Omnissa has developed controls and processes for managing and responding to cyber security incidents.
The Omnissa Security Operations Center (SOC) is staffed 24x7 and monitors alerts on security anomalies. The SOC leverages multiple tools for log capture, security monitoring, and intrusion detection to look for unauthorized access attempts, monitor for incoming threats, and detect activity from malicious insiders.
Figure 1: Omnissa incident response cycle
Managing cyber security incidents
Omnissa maintains a mature and well-established capability for managing security events, grounded in a formal Cyber Security Incident Management Policy and a comprehensive Incident Response Plan (IRP). These frameworks are regularly validated through tabletop exercises and simulation activities to ensure strong organizational readiness.
At the core of this capability is a Cyber Security Incident Register, managed by our SOC. We have also implemented a formal Insider Threat Mitigation Program to proactively address internal risks. Our monitoring and reporting framework provides security personnel with broad visibility through robust data sources and advanced tools, enabling timely detection of key indicators of compromise.
While Omnissa has not experienced any material security incidents to date, our processes require that all security events are escalated to the Chief Information Security Officer (CISO) or their delegates immediately upon identification.
In addition, Omnissa maintains clearly defined breach notification timelines within our IRP and Data Processing Addenda. These commitments help ensure that both customers and, where applicable, regulators or the public are informed promptly regardless of whether customer data is directly impacted. Note that the Omnissa IRP currently contains no provision for reporting cyber security incidents directly to ASD (the Australian Signals Directorate) as soon as they are discovered.
Responding to cyber security incidents
The Omnissa Incident Response plans and procedures have been developed in alignment with the ISO 27001 standard. Omnissa follows a formal Incident Management Plan that is maintained as part of our overall Information Security Program. Incidents are reported to the appropriate Cloud Operations team for categorization and resolution, and issues are escalated to senior management according to a pre-defined protocol. Omnissa tracks alerts, responses, and resolutions through to completion: incident response teams prepare post-mortem reports to internal stakeholders and to the Information Security Governance Committee for review.
As noted above, Omnissa focuses on global security standards rather than specific Australian Government requirements. As such, there are currently no specific processes in place for reporting incidents directly to the ASD or the Australian Government. In the case of a confirmed data breach, Omnissa shall notify affected customers of the breach without undue delay in accordance with applicable laws, regulations, or governmental requests.
Guidelines for cyber security roles
Omnissa has developed controls and processes for three levels of cyber security roles: the board of directors and executive committee, chief information security officer and system owners.
Board of directors and executive committee
Omnissa leadership demonstrates a strong commitment to organizational security through active oversight and a culture of continuous improvement. Our Board and executive leadership team receive regular briefings on our cybersecurity posture and the evolving threat landscape, ensuring informed decision-making and proactive risk management.
This commitment is reinforced by a comprehensive, organization-wide security awareness program that addresses key topics such as mobile computing, data protection, and insider threats. This program helps foster a strong, security-first culture across the organization.
In addition, security roles and responsibilities are clearly defined and operationalized through mature governance frameworks and accountable senior leadership. Together, these elements provide an effective structure aligned with leading security practices and the intent of recognized standards such as ISM.
Chief information security officer
The Omnissa CISO provides strong, formally appointed leadership, overseeing a mature cybersecurity program that is fully integrated into our governance model through the Audit Committee and regular executive reporting.
Our CISO plays an active role in resilience planning, providing approval for Business Continuity and Disaster Recovery plans and participating in simulation exercises to help ensure business-critical services remain well protected.
Operationally, the CISO drives effective coordination between cybersecurity and business teams through shared risk management practices, including centralized risk registers that promote visibility and accountability across the organization.
Our technical capabilities are supported by highly skilled, specialized teams across the Omnissa SOC, software development, and penetration testing functions, all under the CISO’s oversight. While formal documentation defining role-specific skill requirements is evolving, the consistently strong performance and outcomes delivered by our teams provide assurance that the organization maintains the necessary depth of expertise.
System owners
Omnissa implements system ownership and governance practices in alignment with IRAP and ISM requirements, assigning designated owners with clear accountability for defining system boundaries, business criticality, and security objectives.
These requirements are enforced through formal governance processes, including the Architecture Technical Review Board (ATRB) and Production Readiness Assessment (PRA). These controls provide structured oversight prior to production deployment, validating that systems have undergone appropriate security design review, threat and risk assessment, and control implementation.
This approach supports formal system registration and authorization, with security controls (both standard and system-specific) selected and tailored to the operational context and risk profile of each system, consistent with ISM guidance.
Ongoing assurance is maintained through centralized governance and operational functions, which provide continuous monitoring, control validation, and risk oversight across the system lifecycle. While system owners retain accountability for defining and maintaining security requirements, the Omnissa Information Security team provides independent oversight and continuous improvement of controls.
Guidelines for database systems
Omnissa cloud architecture ensures a robust security posture for databases, with all controls assessed as Effective.
Database servers
Our cloud architecture provides a robust security posture for database services, with all relevant controls assessed as effective. Databases are deployed as dedicated services, providing clear functional separation from web servers and isolation from user workstation network segments.
This layered architecture is reinforced through strict network security rules, allowing communication only between explicitly authorized resources and components with a defined business need. Data integrity and confidentiality are maintained through encryption of all data in transit across cloud services.
To further strengthen security, Omnissa enforces rigorous access controls through cloud-based role-based access control (RBAC) and identity and access management (IAM) integration. These mechanisms assure that database access and key management privileges are restricted to authorized identities only.
Additionally, Omnissa maintains strong environment segregation across the system lifecycle. Development, testing, staging, and production environments are hosted in separate cloud environments, reducing the risk of cross-environment exposure and supporting secure operational practices.
Databases
Omnissa takes a proactive approach to database security and management, supported by continuous cloud-native monitoring and strong environmental separation. We maintain a dynamic database inventory through ongoing cloud scanning, allowing database resources to be identified, tracked, and verified in near real time.
This capability is underpinned by a formal Data Classification Policy, which requires that database services and the data they store are classified in accordance with their sensitivity and business impact.
Guidelines for networking
Omnissa has developed controls and processes for networking, including network design and configuration, and service continuity for online services. No controls have been developed for wireless networks, as these are not applicable to Omnissa cloud services.
Network design and configuration
Omnissa cloud service network architecture is designed and implemented in alignment with IRAP and ISM guidance, leveraging cloud‑native controls to enforce strong network segmentation, boundary protection, and secure communications.
Segmentation is achieved using Network Security Groups (NSGs), Virtual Private Clouds (VPCs), Virtual Networks (VNets), and Web Application Firewalls (WAFs), helping to ensure that systems, services, and customer environments are logically isolated in accordance with least privilege and segregation principles. Network access is restricted to explicitly authorized communication paths, supporting the enforcement of defined security domains and reducing lateral movement risks.
All data in transit is protected using TLS version 1.2 or higher, complying with ISM cryptographic requirements for the protection of data integrity and confidentiality across untrusted networks.
Privileged management interfaces and administrative functions are not exposed to the public internet. Instead, management access is mediated through the cloud service provider’s secure control plane, utilizing authenticated portals and APIs. This approach aligns with IRAP requirements for restricting administrative access and minimizing the exposure of management services.
Omnissa also implements WAF-based traffic inspection, centralized logging, and SIEM-driven monitoring and alerting. Together, these capabilities provide detection of anomalous, malicious, or non-compliant network activity and support timely incident response in accordance with established security policies.
Service continuity for online services
Omnissa cloud services are architected to meet IRAP and ISM requirements for system availability, resilience, and continuity of operations, leveraging the native capabilities of hyperscale cloud providers (AWS and Azure).
High availability is achieved through multi-zone deployment patterns, where services are distributed across approved availability zones. This design enables automated failover and supports continuity of critical services in the event of infrastructure or zone-level disruptions, consistent with ISM guidance on redundancy and fault tolerance.
Service capacity and availability are continuously monitored in near real time, providing visibility into system performance and utilization. These monitoring capabilities support dynamic scaling of resources to address fluctuations in demand, safeguarding that availability and performance requirements are maintained under varying load conditions.
Together, these controls support our ability to deliver resilient and highly available services, aligned with IRAP expectations for protecting business-critical systems against disruption and degradation.
Omnissa also implements network boundary protection controls in alignment with IRAP and ISM guidance, utilizing Content Delivery Networks (CDNs) and WAFs to manage and protect inbound traffic to public-facing services.
To minimize exposure and reduce the attack surface, origin infrastructure is not directly accessible from the public internet. Origin internet protocol (IP) addresses are obfuscated, and access is restricted exclusively to authorized CDN endpoints and controlled management networks, consistent with ISM principles for boundary protection and least privilege network access.
Domain name system (DNS) integrity is further protected through strict registrar controls, including domain locking mechanisms (for example, client transfer prohibited and server update prohibited). These controls reduce the risk of unauthorized domain modification or hijacking, aligning with ISM requirements for protecting externally accessible services.
Omnissa also maintains a comprehensive denial-of-service (DoS) mitigation capability using cloud-native services, including Azure Front Door, AWS Application Load Balancers, and Amazon CloudFront. These services provide scalable, distributed protection capable of absorbing and mitigating large-scale volumetric and application-layer attacks, in accordance with IRAP expectations for service resilience.
Additionally, critical backend services are segregated from public-facing endpoints, helping to ensure that external traffic is terminated and inspected at controlled ingress points before being routed to internal components. This layered approach supports enforcement of network security policies, limits lateral movement, and assures that only explicitly authorized traffic reaches sensitive systems.
Guidelines for personnel security
Omnissa has developed controls and processes for personnel security, including awareness training, and access to systems and respective resources.
Cyber security awareness training
In alignment with the ISO 27001 standard, all Omnissa personnel and alternative workforce are required to complete annual business conduct and security awareness training. Employees undergo annual data handling and privacy training that includes the secure handling of customer data.
Figure 2: Security awareness training topics
Access to systems and their resources
Omnissa implements access control measures aligned with IRAP and ISM requirements through formally defined Access Control and Acceptable Use Policies. All personnel are required to acknowledge system usage conditions prior to being granted access, supporting user accountability and compliant system use.
Each user is assigned a unique identity, providing individual accountability for all system activities in accordance with ISM identification and authentication principles. Omnissa maintains secure, lifecycle-based records for all users, capturing identity, authorization, and access levels to support traceability and audit requirements.
Access provisioning processes enforce least privilege and need-to-know principles. Access, both privileged and unprivileged, is validated at the time of initial request, ensuring that permissions are appropriate to the user’s role and business requirements.
All significant access-related events, including changes to security groups and privileged access activities, are centrally logged to support monitoring, auditing, and incident response. These controls help ensure that access to systems is appropriately governed, monitored, and reviewed, consistent with IRAP expectations for protecting system integrity and preventing unauthorized access.
Guidelines for procurement and outsourcing
Omnissa has developed controls and processes for cyber security outsourcing, including supply chain risk management, managed services, and cloud services.
Cyber supply chain risk management
Omnissa has a comprehensive vendor procurement and risk management program to choose providers that meet identified security baseline requirements. Supplier agreements help ensure that providers comply with applicable laws, security, and privacy obligations.
We formally document and track non-conformance as a part of our information security management system (ISMS). To help assure reasonable information security across our information supply chain, Omnissa also conducts risk assessments for service sub-processors at least annually to ensure appropriate controls are in place to reduce risks to the confidentiality, integrity, and availability of sensitive information.
Figure 3: Omnissa risk management cycle
Managed services and cloud services
Omnissa manages third-party and outsourced service risks in alignment with IRAP and ISM requirements through a comprehensive managed services register and an integrated risk management platform. This capability provides visibility of external service providers, including service scope, purpose, and data classification, confirming that outsourced services are identified, assessed, and continuously monitored.
Omnissa requires that all service providers implement controls that appropriately protect the confidentiality, integrity, and availability of entrusted data. These requirements are formally defined within contractual agreements. In addition, the Omnissa Supplier Code of Conduct obligates vendors to maintain transparency and provide access to relevant records and logs to support oversight, monitoring, and incident investigation.
Contractual obligations also require service providers to report unauthorized access, data breaches, or security incidents to Omnissa within 24 hours, supporting timely incident response and alignment with IRAP expectations for incident reporting and management.
Omnissa leverages IRAP-assessed infrastructure from hyperscale cloud providers, including AWS and Azure, to underpin its service delivery. For other third-party providers, Omnissa conducts internal security risk assessments to evaluate control effectiveness and determine suitability. While independent IRAP assessments are not mandated for all providers on a recurring basis, this risk-based approach helps ensure that security due diligence is applied proportionately to the level of risk.
Guidelines for software development
Omnissa has developed controls and processes for software development, including a strong overall software development program and through well-managed web application development.
Software development fundamentals
Omnissa follows a defined Software Development Lifecycle (SDLC) which incorporates security into each phase (that is, requirements, design, implementation, verification) of development. The Omnissa SDLC is based on industry-recognized best practices and standards, including PCI-DSS common coding vulnerabilities, OWASP, OSSTMM, SANS/CWE, and SCRUM methodologies. For more information on our SDLC, see our whitepaper on Omnissa Tech Zone.
Figure 4: Omnissa software development lifecycle
Web application development
Omnissa implements secure software development practices aligned with IRAP and ISM guidance, leveraging established development frameworks and adhering to industry-recognized standards including the OWASP Application Security Verification Standard (ASVS) and the OWASP Top 10 Proactive Controls. These standards are consistently applied across web applications and APIs to mitigate common application-layer vulnerabilities.
Security controls are validated through a defense-in-depth approach that includes both internal and independent external penetration testing. These activities provide assurance that implemented controls are effective and that vulnerabilities are identified and remediated in a timely manner, in line with ISM requirements for security testing and assurance.
All application traffic is enforced over HTTPS, providing encryption in transit and compliance with ISM cryptographic requirements. Session management is implemented securely using server-side controls, reducing the risk of client-side manipulation. Additionally, Single Logout (SLO) capabilities are supported across SSO-integrated services, strengthening session governance and access control.
Authentication and session integrity are further protected using digitally signed opaque bearer tokens within session cookies. In cases where tokens are not signed, testing has confirmed that they maintain sufficient entropy (minimum 128-bit), mitigating the risk of token prediction or replay attacks.
Guidelines for system hardening
Omnissa has developed controls and processes for system hardening across all layers, from operating systems to user applications.
Operating system hardening
Omnissa implements operating system hardening controls in alignment with IRAP and ISM guidance through a mature Standard Operating Environment (SOE). This is achieved through centrally managed and regularly updated golden images for containers, workstations, and directory services servers, ensuring consistent and secure baseline configurations across all environments.
These baseline images are built on current, supported 64-bit operating systems and are configured in accordance with vendor hardening recommendations and ISM guidance. Secure configuration is established from initial deployment, including the removal or disabling of default accounts, unnecessary services, and legacy components such as Internet Explorer 11, thereby reducing the system attack surface.
To protect against contemporary threats, Omnissa deploys endpoint detection and response (EDR) and next-generation antivirus. These controls are configured with advanced detection settings, including machine learning and reputation-based analysis, to identify and prevent malicious activity in accordance with ISM requirements for malware protection.
Software firewalls and EDR are enforced across all critical systems. Security-relevant events from both Linux and Windows environments are centrally logged to a SIEM, supporting monitoring, alerting, and incident response activities in line with IRAP expectations for auditability and event correlation.
Additionally, EDR controls enforce application control measures by preventing unprivileged users from installing unauthorized software or disabling security protections on production assets. This helps to ensure continued integrity of system configurations and supports compliance with ISM principles for least privilege and system hardening.
Server application hardening
Omnissa implements server and application hardening controls in alignment with IRAP and ISM guidance, applying a consistent and disciplined approach across the infrastructure supporting its cloud services.
A “clean slate” deployment model is used for web and application servers, whereby new instances are provisioned from centrally managed, hardened baseline configurations. This restricts deployments to current, supported versions of internet-facing applications and limits systems to essential components. Additional software is restricted to approved security-supporting tools, such as log forwarding agents, in accordance with least functionality principles.
System hardening is performed in line with vendor guidance and ASD recommendations, with Omnissa maintaining direct ownership of baseline configurations. During provisioning, default accounts and credentials are removed or disabled, unnecessary services and components are deactivated, and residual installation artifacts are purged to minimize the attack surface.
Critical infrastructure roles, including Domain Controllers and Certificate Authorities, are hosted on dedicated servers with strict role separation. Non-essential services are disabled, and administrative access is restricted to authorized personnel using dedicated, purpose-specific accounts that are not reused across environments, consistent with ISM privileged access requirements.
Backup controls for critical systems require that data is encrypted, securely stored, and accessible only to authorized backup administrators. Identity and authentication controls are further strengthened through the enforcement of Kerberos pre-authentication, strong certificate-to-user mapping, and approval workflows for certificate templates containing Subject Alternative Names (SANs).
Omnissa maintains strict governance over AD objects and privileges to prevent unauthorized modification, lateral movement, and privilege escalation, and standard computer accounts and domain groups do not possess elevated permissions over AD objects or membership in privileged groups. High-risk attributes are not used, and regular (at least weekly) validation activities are conducted to help ensure continued compliance.
The use of Service Principal Names (SPNs) is tightly controlled, restricted to service or computer accounts without replication-related privileges, and duplicate SPNs are not permitted. Privileged accounts and permissions, including those granting replication or delegation capabilities, are assigned on a least privilege basis and subject to periodic review (at least annually) to validate ongoing business need.
All security-relevant events across internal and internet-facing servers are centrally logged and monitored via the SIEM platform, supporting continuous monitoring, correlation, and incident response in accordance with IRAP expectations for auditability and security operations.
Authentication hardening
Omnissa implements strong authentication controls in alignment with IRAP and ISM requirements, requiring all users to be uniquely identified and authenticated prior to accessing system resources.
Comprehensive logging is in place to support audit and monitoring requirements, with all successful and unsuccessful authentication attempts (across both single-factor and multi-factor sessions) centrally recorded for analysis and incident response.
Legacy and insecure authentication mechanisms, including LAN Manager (LM) and NTLM, have been disabled within corporate Active Directory environments. Omnissa further mitigates credential theft risks through the implementation of controls such as Credential Guard, suppression of credential hints, secure password masking during entry, and continuous scanning for exposed secrets.
The management of high-value credentials aligns with ISM guidance for privileged access. Administrative and service accounts are required to use long, randomly generated, and unique passwords, managed through secure credential management platforms.
Credential lifecycle management is enforced through automated controls. User credentials are reset immediately if compromise is suspected or detected in plaintext. Additional controls limit credential exposure and lateral movement, including restricting cached credentials and prohibiting the use of physical authentication tokens where not required.
Where MFA is enabled, authentication protocols that do not support MFA are disabled, enforcing consistent application of strong authentication controls across the environment.
User application hardening
Omnissa deploys user applications in alignment with IRAP and ISM secure configuration and change management principles using Infrastructure as Code (IaC) and hardened, centrally maintained container images. This approach enforces consistent implementation of approved configurations and reduces the risk of unauthorized or inconsistent changes associated with manual configuration activities.
Application environments are provisioned from controlled baselines, supporting repeatability, traceability, and compliance with defined security standards. As part of the deployment and hardening process, all default user accounts, credentials, and configurations are systematically removed, disabled, or modified during initial provisioning to mitigate the risk of unauthorized access.
These controls support the maintenance of secure application states throughout the lifecycle and align with IRAP expectations for minimizing configuration drift and enforcing secure-by-design deployment practices.
Guidelines for system management
Omnissa has developed controls and processes for system management, including system administration, patching, data backup, and restoration.
System administration
Omnissa implements a structured and controlled approach to system administration in alignment with IRAP and ISM requirements, supported by formal processes and clearly defined operational procedures. Administrative activities are governed by a comprehensive Change Management Policy, which requires that all changes to production environments are assessed, approved, and implemented in a manner that minimizes risk and maintains system security and availability.
Segregation of administrative infrastructure is enforced through technical controls, with management functions isolated from standard user environments. Network-level protections further restrict administrative access, allowing management traffic to originate only from authorized administrative systems, while preventing non-administrative devices from accessing sensitive management network segments.
These controls are complemented using Infrastructure as Code, which provides consistency, traceability, and repeatability across administrative activities. Changes to infrastructure services and resources are executed through controlled IaC pipelines (for example, Terraform), with enforced approval workflows requiring review and authorization by at least two qualified engineers prior to implementation.
System patching
Omnissa maintains a proactive approach to patching and vulnerability management in alignment with IRAP and ISM requirements, supported by formal policies, centralized processes, and continuous monitoring across its cloud-delivered services. Patch management activities are governed by the Vulnerability Management Policy, which integrates operating system and application updates to preserve system integrity and reduce exposure to known threats.
For cloud-hosted environments, Omnissa utilizes centrally maintained software registers and hardened container images, enabling rapid deployment, consistency of configurations, and verification of the approved software stack. Internal and non-internet-facing systems are scanned at least monthly to identify missing patches and configuration weaknesses.
Vulnerability identification is implemented using industry-recognized tools and methodologies, including static application security testing (SAST) and software composition analysis (SCA) during development. These controls assist in identifying and remediating vulnerabilities prior to production deployment, aligning with secure development and continuous assurance practices.
Remediation activities are prioritized using a risk-based approach, considering factors such as exploit availability, threat intelligence, and potential business impact. To reduce exposure to unsupported technologies, Omnissa restricts the use of software to approved applications required to support its hosted services and systematically removes or replaces operating systems and applications that are no longer vendor supported.
Data backup and restoration
Omnissa implements a mature data backup and restoration framework aligned with IRAP and ISM requirements, governed by a formal Backup Policy. This framework provides protection for critical information, software, and systems against data loss, corruption, and service disruption.
Backups are performed automatically at defined intervals, based on the business criticality and recovery requirements of each system. The frequency, retention, and scope of backups are tailored to support recovery time objectives (RTOs) and recovery point objectives (RPOs), leveraging resilient, cloud-native backup capabilities provided by AWS and Azure.
Access to backup data is tightly controlled in accordance with ISM principles for least privilege and segregation of duties. Permissions to modify or delete backups are restricted, preventing both unprivileged users and standard privileged accounts from altering backup data. Dedicated Backup Administrators are assigned responsibility for managing and maintaining backup processes, with access limited to authorized personnel only.
Backup integrity and restoration processes are regularly validated through testing activities. These tests confirm that data can be reliably restored using controlled test environments and media, supporting assurance that recovery procedures will operate effectively during a disruption or disaster recovery scenario.
Guidelines for system monitoring
Omnissa has developed controls and processes for system monitoring, including event logging and monitoring.
Event logging and monitoring
Omnissa implements a comprehensive event logging and monitoring capability in alignment with IRAP and ISM requirements, supported by a dedicated Security Operations Center (SOC) operating 24/7 across its cloud and on-premises environments.
All relevant system components, including critical servers, internet-facing applications, and network devices, are configured to forward security-relevant logs to a centralized SIEM platform. Logs are captured in a structured format and include key metadata such as synchronized timestamps, user and process identifiers, and detailed event descriptions, supporting traceability and effective analysis.
The integrity and confidentiality of log data are protected through encryption in transit and strict access controls, assuring that audit records are safeguarded against unauthorized access or modification. Centralized logging enables the aggregation of events from diverse sources, supporting cross-system correlation and enhancing the detection of complex or multi-stage threats.
Log data is actively monitored and analyzed in near real time by the SOC to support timely identification and response to potential security incidents, in accordance with IRAP expectations for continuous monitoring and incident detection.
Retention of log data is managed in line with ISM requirements, with logs maintained in a searchable format for a minimum of 12 months. This supports forensic investigations, incident response activities, and compliance reporting, providing visibility across both current and historical security events.
Summary and Additional Resources
Introduction
This document addresses the security for Omnissa cloud services in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). Information contained in this document is solely for the use of evaluating Omnissa software and services. To help our customers determine whether the products align with their security requirements and risk tolerances, we also have developed an executive summary of our assessment report that covers:
- An overview of the shared responsibility model between Omnissa and our customers
- Details on our cloud service providers, including hosting locations
- A high-level summary of our technical strengths and areas for improvement
To receive a copy of the Omnissa IRAP executive summary, contact your Omnissa representative.
Additional Resources
For more information about Omnissa and IRAP you can explore the following resources:
- Omnissa trust center: IRAP
- Blog: Omnissa cloud services continue a legacy of trust through compliance
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
| July 10, 2026 | Document Published |
About the Author and Contributors
The following people contributed their knowledge and assistance with this document:
- Andrea Smith, Sr. Information Security Analyst, Omnissa Customer Security Assurance
Feedback
Your feedback is valuable.
To comment on this paper, contact Omnissa Technical Marketing at tech_content_feedback@omnissa.com.