Workspace ONE Cloud Services Security

Introduction

This document provides a general overview of the security controls implemented in Omnissa Workspace ONE® commercial cloud offerings and includes information on the following services:

Omnissa Workspace ONE® Unified Endpoint Management (UEM)
Omnissa Access and Omnissa Workspace ONE ® Hub Services
Omnissa Intelligence and Omnissa Connect
Omnissa Workspace ONE® Assist

Within this whitepaper, these services are collectively referred to as “Workspace ONE” or “Workspace ONE cloud services” unless otherwise specified.

Purpose

The intent of this document is to provide readers with an understanding of how Workspace ONE cloud services approach security, the key mechanisms, and processes that Omnissa uses to manage information security, as well as describe shared responsibilities for providing security in a modern cloud computing environment.

Audience

This document is intended for Workspace ONE commercial cloud administrators. It assumes at least intermediate knowledge of Workspace ONE cloud services and focuses on the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization Management Program (FedRAMP), on-premises, and third-party offerings are not in scope for this document.

Note: You can find the definitions for acronyms used in this document in Acronyms used in the Workspace ONE and Horizon Cloud Security Series.

Shared Responsibilities

The end-to-end security of the Workspace ONE cloud-delivered service offerings is shared between Omnissa and our customers. Omnissa provides security for the aspects of the Workspace ONE service offerings over which we have sole physical, logical, and administrative-level control. Customers are responsible for the aspects of the service offerings over which they have administrative-level access or control. The primary areas of responsibility between Omnissa and customers are outlined in the Omnissa Cloud Services Guide.

Omnissa leverages co-located data center facilities and Infrastructure-as-a-Service (IaaS) providers to support the Workspace ONE service offerings. These providers maintain physical and environmental security controls for the cloud-delivered service. For more information, see Data Center Locations.

Compliance Reports

Refer to the Omnissa Trust Center list to see the latest list of industry certifications.

Data Center Locations

Workspace ONE service offerings are available in the US, Canada, the European Economic Area (EEA), and Asia-Pacific (APAC) regions. Data center partner hosting facilities’ physical addresses are confidential and on-site visits are prohibited. U.S.-based Workspace ONE UEM deployments are in either co-located data centers and Amazon Web Services (AWS), or VMware Cloud on AWS (VMC on AWS), depending on deployment size.

Note: U.S.-based deployments of over 250,000 devices are in co-located data centers.

Information Security Program

Maintaining hosted services and securing data confidentiality, integrity, and availability requires a wide array of tools and processes that must all be expertly designed to comply with laws and regulations while balancing customer satisfaction, business needs, product development, and shareholder expectations. Omnissa balances these needs with a set of controls and management processes designed to both mitigate risk and enhance our product and service offerings. Overarching principles include:

Risk – Managing risk by understanding the threat landscape, building a solid platform, and leveraging all decision makers when calculating risk.
Controls – Establishing a balance of effectiveness and efficiency by implementing the appropriate controls for the associated risk.
Security – Providing preventative and protective capabilities to ensure a secure service.

The Information Security Program leverages guidance from industry best practices and regulatory standards, including National Institute of Standards and Technology (NIST) SP 800-53, Payment Card Industry-Data Security Standard (PCI-DSS), and International Standards Organization (ISO) 27001. We maintain a written Information Security Program and Policies to protect customer data hosted in our systems, and we perform annual reviews and audits of our program to help ensure the integrity of our hosted offerings.

Omnissa has an Information Security Governance Committee (ISGC) chaired by members of senior management and representatives from our Information Security, IT Operations, HR, Marketing, Facilities, and Legal teams.

Figure 1: Comprehensive Security Framework

The Omnissa Information Security Management System

Omnissa has implemented various information security policies and procedures that are in line with its overall corporate objectives, which demonstrate a commitment to the management of a formal Information Security Management System (ISMS) that fulfills our obligations to its customers regarding information confidentiality, integrity, and availability. Our ISMS includes, but is not limited to, the following considerations and objectives:

The threats, vulnerabilities, and the likelihood of occurrences identified by risk assessments relative to the overall business strategy and objectives.
The legal, statutory, regulatory, and contractual requirements with which Omnissa and relevant applicable partners, contractors, and service providers must comply.
The principles, objectives, and business requirements for information handling, processing, storing, and archiving data developed by Omnissa to support its business operations.

Omnissa personnel are obligated to comply with Omnissa ISMS data protection requirements in their respective roles, processes, projects, and programs. Failure to adhere to these policies and procedures may result in disciplinary action, including possible termination, and civil or criminal liability.

Asset Management

Omnissa maintains an asset management program as part of our ISMS to categorize both physical and logical assets. The Asset Management policy is reviewed at least annually, and all changes are approved by our Information Security Governance Committee.

Data Center Operations teams maintain an inventory of all production assets, including but not limited to software license information, software version numbers, component owners, machine names, and network addresses. Inventory specifications may include device type, model, serial number, and physical location. The asset inventory is regularly reviewed in accordance with PCI-DSS requirements.

Data Classification and Handling

Data classification is one of the foundational elements of the Omnissa ISMS. As such, Omnissa has a comprehensive data classification policy and data handling and protection standards for all electronic and paper media. Data controls and protections are implemented according to their classification.

Our data classification policy provides a matrix of controls arranged by the data lifecycle, from creation of the data to its destruction, and covers all forms of media while in use, in transit, or archived. The policy focuses on data classification sources, status, risks, and categories associated with the normal data lifecycle. Assets are classified in terms of their value, legal requirements, sensitivity, and criticality to Omnissa and to our customers. Customer-owned information is classified as “Restricted,” which is the most stringent data classification at Omnissa. Data classification and handling policies are audited at least annually by independent third-party auditors.

Physical Security

Omnissa’s physical security policy governs security for our offices, data centers, support centers, and other global business locations to safeguard information systems and staff.

Key elements of this policy include controls around physical security perimeters, physical entry controls, physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of facilities, protecting against external and environmental threats, working in secure areas, access to restricted areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of equipment, unattended user equipment and clear desk and clear screen.

Omnissa leverages co-located data center facilities in the U.S. and IaaS providers (in the U.S. and globally) to support the Workspace ONE service offerings. These providers maintain physical and environmental security controls for the cloud-delivered services.

Data Center Security

Workspace ONE co-location and cloud-hosting partners are at least Tier III, have undergone SOC 2 Type 2 audits, and have achieved at least ISO 27001 and PCI-DSS certifications. Physical addresses for Workspace ONE hosting locations are confidential and on-site visits are forbidden.

Although each facility is unique, our data center providers are required to follow the same minimum requirements for redundancy and physical access control, including:

Ingress and egress points are secured with devices that require individuals to provide multi-factor authentication before granting entry or exit through a minimum combination of badge access, biometrics, and mantraps.
Physical access is controlled at building ingress points by 24x7 on-site professional security staff using surveillance, detection systems, and other electronic means.
Door alarm devices are configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication.
Physical access points to data centers are recorded by Closed Circuit Television Camera (CCTV). Recordings are retained according to legal and compliance requirements.
Environmental control systems are equipped minimally with N+1 power, cooling, and fire suppression measures to ensure continuous operations.
Data center partners must maintain certifications minimally aligned with ISO 27001 and PCI-DSS standards.

Omnissa Offices

All Omnissa offices deploy physical and environmental security measures to safeguard Omnissa facilities, staff, and assets. Omnissa uses a combination of building design, environmental controls, security systems, and designated security personnel, in conjunction with corresponding procedures, physical, and environmental controls to restrict access to information services and information assets. Controls include, but are not limited to:

Implementing entry controls to secure Omnissa facilities.
Maintaining and monitoring an audit trail of all access to the site through badge and visitor logs.
Requiring visitor sign in with date and time of entry and departure, and supervising visitation.
Performing regular access rights reviews to secure areas and updating or revoking these rights as necessary.
Revoking all access rights to Omnissa facilities and restricted areas immediately and deactivating access codes known by the staff upon staff termination.

Human Resources and Personnel Security

Human Resource considerations include processes for background screening, employment agreements, training, and employee termination.

Employee Background Screening

Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and involved third parties are subject to background verification. Omnissa conducts criminal background checks, commensurate with the employee position and level of access to the service.

Confidentiality Agreements

Omnissa employees and alternative workforce (AWF) are required to sign confidentiality agreements. Also, upon hire, personnel must read and accept the Acceptable Use Policy and the Omnissa Business Conduct Guidelines. Personnel who violate Omnissa standards or protocols are subject to appropriate disciplinary action.

Employee Training

In alignment with the ISO 27001 standard, all Omnissa personnel are required to complete annual business conduct and security awareness training. Personnel with access to cloud production environments receive additional training as they assume job roles and responsibilities. Omnissa periodically validates that those employees understand and follow the established policies through compliance audits.

Omnissa uses an enterprise Learning Management System (LMS) to deliver required onboarding and annual security awareness training. The LMS records successful completion and reports are reviewed during ISMS review meetings. This training must be completed before authorizing access to production systems.

Awareness training topics include, but are not limited to:

Secure system configuration
User account management policies
Environmental control implementation and operation procedures
Incident Response plans and procedures
Disaster Recovery plans and procedures
Physical Security controls

Employee Termination

Omnissa terminates access privileges to systems when an employee leaves the company. An employee who changes roles within the organization will have access privileges modified according to their new position. Terminated employees are required to return assets.

Business Continuity

This program implements appropriate security controls to protect its employees and assets against natural or man-made disasters. As a part of the program, a runbook system automates policy review, and policy updates made available to appropriate individuals. Additionally, these policies and procedures include defined roles and responsibilities supported by regular workforce training. Omnissa determines the impact of any disruption to the organization through identifying dependencies, critical products, and services.

Our global teams are located around the globe, giving us strong geographic resilience in terms of our ability to provide continuity of service for our customers. Omnissa Global Customer Support operates 24x7, and all team members are fully equipped to work from home efficiently and effectively if needed. The Omnissa Crisis Management Team, comprised of leaders from across the company, meets regularly and stays up to date with evolving global changes and developments in relation to ongoing world events.

Our business continuity plans are reviewed annually to determine which business processes are most critical and what resources – people, equipment, records, computer systems, and office facilities – are required for operation. All documented plans follow an annual standard maintenance, assessment, and testing schedule. Workspace ONE operations teams also maintain service-specific business continuity plans to address the unique needs of each cloud application.

Risk Management

In alignment with the ISO 27001 standard, Omnissa maintains a Risk Management program to mitigate and manage risk companywide. We perform risk assessments at least annually to ensure appropriate controls implementation to reduce the risk related to the confidentiality, integrity, and availability of sensitive information.

Omnissa cloud management has a strategic business plan to mitigate and manage risks that requires management to identify risks within its areas of responsibility and to implement appropriate measures designed to address those risks. Omnissa cloud management re-evaluates the strategic business plan at least two times per year.

Our Risk Management Program includes:

Identifying and characterizing threats
Assessing the vulnerability of critical assets to specific threats
Determining the risk (such as the expected likelihood and consequences of specific types of attacks on specific assets)
Identifying ways to reduce those risks
Prioritizing risk reduction measures based on a strategy

Vendor Risk Management

Omnissa has a comprehensive vendor procurement and risk management program to choose providers that meet identified security baseline requirements. Supplier agreements require that providers comply with applicable laws, security, and privacy obligations.

Omnissa has a formal process to document and to track non-conformance as a part of our ISMS. To assure reasonable information security across our information supply chain, Omnissa reviews compliance documentation for service sub-processors at least annually to help ensure appropriate controls are in place to reduce risks to the confidentiality, integrity, and availability of sensitive information.

Sub-processors

Omnissa leverages sub-processors to provide certain services on our behalf. Omnissa is responsible for any acts, errors, or omissions of our sub-processors that cause us to breach any of our obligations. Omnissa enters into an agreement with each sub-processor that obligates the sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in the Data Processing Addendum and at a minimum, at the level of data protection required by applicable Data Protection Laws.

Change Management

Omnissa maintains a detailed Change Management policy that defines controlled changes to production environments. Changes are processed through a formal program that includes approval, testing, implementation, and rollback plans.

Third-party and internal audits of these processes are performed at least annually under the Omnissa ISMS program and are essential to the Omnissa continuous improvement programs.

Configuration Management

Omnissa maintains a detailed Configuration Management policy based on industry best practices to harden the cloud environment; revisions and exceptions to the Configuration Management policy are processed through the Change Management policy to help ensure the confidentiality, integrity, and availability of our hosted offering.

Baseline configuration standards include, but are not limited to:

Deactivating unnecessary ports, services, protocols, and physical connections
Reviewing server builds for gaps prior to image configuration
Hardening server configurations

Baseline configurations are documented for all software and hardware (where applicable – such as U.S.-based co-located data centers) installed in the production environment. Baseline configurations include the following information about system components:

Standard software packages installed on servers and network components
Current version numbers and patch information on operating systems and applications
Logical placement of all components within the system architecture

System Hardening

Omnissa deactivates unnecessary ports, protocols, and services as part of baseline hardening standards. We follow industry best practices in applying secure configurations to managed servers.

For Workspace ONE UEM and Workspace ONE Assist servers that use Windows operating systems, the team hardens server configurations using Group Policy Object (GPO) policies (such as account policies, user rights, security options, event log settings, app restrictions). Workspace ONE UEM, Omnissa Access, and Omnissa Intelligence Linux-based servers use Amazon Linux 2 images for system hardening. The Amazon Linux 2 images include default security configurations, such as limited remote access using SSH key pairs, remote root login deactivation, reduced non-critical package installation, and automatic security-related updates.

Time Synchronization

All cloud service components are time synchronized with a common centralized time source per ISO 27001 and PCI-DSS requirements.

Vulnerability and Patch Management

Omnissa employs a rigorous Vulnerability Management program as part of the Omnissa ISMS. Risk analysis and acceptance activities are performed on vulnerabilities to confirm the vulnerability and to determine the appropriate means of addressing the vulnerability.

System Monitoring

Omnissa Cloud Operations is staffed 7x24x365, and the team deploys several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. Components include the underlying infrastructure servers, storage, networks, portals, services, and information systems used in the delivery of Workspace ONE services.

Patch Management

Omnissa maintains the systems it uses to deliver Workspace ONE services, including the application of patches deemed critical for the target systems. Our policy is to patch or upgrade network, utility, and security equipment after analyzing the severity and impact of potential vulnerabilities. Critical vulnerabilities are addressed in a timely manner, and changes are made using industry best practices. Testing is conducted by the QE department to ensure compatibility with the production environment. If required, rollback procedures are conducted by the QE team.

For Workspace ONE UEM, technical standards and baselines have been established and communicated for Windows and Linux operating system deployments. A process is in place for services to re-image production servers with the latest baseline configurations every month.

Automated mechanisms and periodic scanning have been deployed to detect and troubleshoot exceptions or deviations from the baseline in the Omnissa Access and Hub Services production environment. Mechanisms are in place for services to re-image production servers with the latest baseline configuration monthly through Amazon Linux 2 and Docker images using infrastructure as code.

Omnissa Intelligence base images receive patches and reboots as part of the bootstrap process. Containers are generated on a weekly basis, with all patches included. As instances are terminated, new instances are deployed: No instances live more than seven days.

For Workspace ONE Assist, patches are released in accordance with change and release management procedures and are implemented using AWS Systems Manager.

Vulnerability Scanning

Vulnerability scans are performed at least monthly on internal and external systems. In alignment with PCI-DSS, system and application owners are required to address critical and high vulnerabilities with a plan of corrective action after vulnerability discovery. Rescans are used to verify the remediation of high-risk vulnerabilities. Other vulnerabilities are addressed with a plan of corrective action within a reasonable period.

Note that Omnissa does not provide the results of vulnerability scans to customers. We do not feel these isolated pieces of information are of use to our customers in protecting their security objectives. Results are not in context, often generate a large volume of false-positives, and do not accurately represent the current security posture of a product or service.

Software Development Lifecycle

The Omnissa Security Development Lifecycle (SDL) program is designed to identify and mitigate security risks during the development phase of Omnissa software products. The development of our SDL has been heavily influenced by industry best practices and organizations such as the Software Assurance Forum for Excellence in Code (SAFECode) and the Building Security in Maturity Model (BSIMM).

The Omnissa Security Evangelism team works to actively cultivate relationships in the security community. Omnissa has been an active participant in the broader software industry security community and became an early BSIMM member in 2009. We have completed several reviews by BSIMM of our SDL. Findings are incorporated into our SDL to drive continuous improvements. Omnissa is a member of the Software Assurance Forum for Excellence in Code (SAFECode), an organization driving security and integrity in software products and solutions. Omnissa also works closely with Industry Organizations, Security Analysts and Researchers, and more to stay current on the industry threat landscape and security best practices. Omnissa Product Security Omnissa SDL is continuously assessed for its effectiveness at identifying risk, and new techniques are added to SDL activities as they are developed and mature.

SDLC Best Practices

We follow a defined Software Development Lifecycle (SDLC), which incorporates security into each phase (such as requirements, design, implementation, and verification) of development. Our programs and practices focus on:

Building secure software
Protecting the intellectual property related to software products
Managing software security supply chain risks
Managing technology and partner ecosystem risks
Delivering secure product support

Our SDLC is based on industry-recognized best practices and standards, including PCI-DSS common coding vulnerabilities, OWASP, Open-Source Security Testing Methodology Manual (OSSTMM), SANS/CWE, and SCRUM methodologies. Code undergoes rigorous review by our Engineering and Development Security teams. We consider attacker-centric categorizations (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE)) and defensive-centric perspective (ASF) for threat modeling. Additionally, Omnissa cloud services undergo multiple tests prior to release, including static and dynamic code reviews, penetration tests, fuzz and unit testing, attack surface reviews, and so on.

In alignment with PCI-DSS requirements, Omnissa encourages continuous employee training through annual training in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. Omnissa also subsidizes certification attempts (such as ISC2’s Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP), including relevant conference passes, training classes, and subscriptions to leading online training platforms for enhancing technical and business acumen. Additionally, employees can participate in job rotation programs designed to reignite and broaden employee work experience.

Figure 2: Omnissa SDLC

Open-Source Software

Omnissa uses some third-party and open-source code in our solution offerings, and we perform open-source and third-party (OSS/TP) software validation to safeguard against known vulnerabilities prior to being included in an Omnissa product release.

Penetration Testing

Penetration testing includes testing of Omnissa and third parties and customer penetration testing.

Omnissa and Third-Party Testing

The Omnissa Penetration Testing Program is a rigorous set of processes that include automated tooling built into the Omnissa Security Development Lifecycle (SDL), Omnissa Red Team penetration testing, and third-party internal and external testing initiatives, all in alignment with industry best practices, standards, and frameworks such as NIST and PCI-DSS. Red Team and third-party tests are performed at least once per calendar year and include testing at the web application, network, logging, and infrastructure layers.

The penetration tests focus on identifying high-impact vulnerabilities that could lead to exploitation, theft of data, or overall privilege escalation. Tests follow a method intended to simulate real-world attack scenarios and threats that could critically impact data privacy, integrity, and overall business reputation. Experienced internal security engineering staff and penetration testing vendors use their industry expertise to develop a risk-informed threat model based on the criticality of resources and data and any specific areas of concern.

To increase the efficiency of testing and to achieve more meaningful results, tests are performed using a white box testing approach – during which the tester has access to source code. For third-party tests, vendors provide daily status updates during the testing period. Any critical or high findings are communicated to Omnissa immediately so they can be resolved during the testing period and be re-tested by the vendor prior to the project close-out.

Remediation Approach

The Omnissa Red Team uses the industry standard Common Vulnerability Scoring System (CVSS) 3 Scoring system, which takes the base score of the vulnerability and applies environmental and other considerations unique to Omnissa to arrive at a true risk score appropriate for our environment. Our policy mandates all vulnerability findings must be remediated with SLA. As such, we have a standard notification and escalation process to help ensure we secure Omnissa assets. If the user performs remediation within the SLA, then no escalation is necessary. If the user exceeds the SLA time period and does not have an exception approval, we will go through an escalation process to inform management of any non-compliant environments.

Findings from third-party testing are remediated according to a risk-based approach. Each finding is evaluated for probability and impact and is remediated accordingly. Omnissa remediation timelines are dependent upon several factors such as severity, complexity, impact, product life cycle, and location of finding (internal vs. external resource). We believe this is an important step towards reducing our exposure to risk from vulnerabilities and protecting the availability of our infrastructure. During annual compliance assessments, third-party auditors inspect tickets to determine that identified findings are documented and tracked for remediation.

Customer Penetration Testing

Customer-initiated penetration testing, port and vulnerability scanning, spoofing, web application scanning, protocol flooding, Denial-of-Service attacks, installation of malware, attempts to decompile source code, or any other actions that may disrupt the cloud-hosted production environment are explicitly forbidden in the environment (see Acceptable Use).

For Workspace ONE UEM and Omnissa Access only: With prior approval and under certain circumstances, customers can perform penetration tests in a simulated environment. All results must be made available to Omnissa for analysis and remediation (if necessary). Reach out to your Omnissa representative for more information.

Cloud Environment Monitoring

Omnissa Cloud Operations is staffed (7x24x365) and deploys several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. Components include the underlying infrastructure servers, storage, networks, portals, services, and information systems used in the delivery of Workspace ONE services.

Intrusion Detection and Prevention

Omnissa deploys several mechanisms to detect intrusions and help protect against distributed denial of service (DDoS) attacks. These mechanisms range from real-time Intrusion Detection System (IDS) technologies, internal logs and tools, and external intelligence (OSINT) data sources. Omnissa monitors for security events involving the underlying infrastructure servers, storage, networks, information systems, and upstream providers used in service delivery.

Workspace ONE applications are also assessed against the ‘OWASP Top Ten’ to identify potential application code and identify/remediate potential errors that could lead to unauthorized access or a DDoS. In alignment with PCI-DSS, Workspace ONE services use file integrity monitoring to detect malicious behavior or changes in system files or libraries. In addition, Omnissa and Omnissa Intelligence use a web application firewall (WAF), which provides application-layer protection against common web exploits.

Anti-Virus and Anti-Malware

Omnissa implements industry best practices for both administrative and technical controls to prevent, detect, and respond to viruses and malware, including ransomware. As part of our annual security training programs, Omnissa operates a quarterly Phishing Prevention Program to help train our employees to recognize threats. Social engineering topics (such as tailgating, badge access, and vishing) are also covered in our annual security training. Additionally, Omnissa hosts annual Security and Resilience Fairs for our employees to educate them on keeping Omnissa information systems secure and resilient. As our employees moved to a remote work model during the global pandemic, Omnissa created a Working from Home security guide that covers topics such as mobile device security, securing home Wi-Fi, phone and email scams, and securing homes for natural disasters.

In alignment with PCI-DSS, Omnissa has deployed and centrally manages Anti-Virus and endpoint protection on all employee workstations, which is configured to scan for updates to Anti-Virus definitions and update clients continuously. Additionally, the software performs on-demand virus scans of any attachments or content introduced into the workstation. Systems settings prohibit end users from deactivating endpoint protection software. All corporate-owned and personal devices are also enrolled in an Omnissa-managed instance of Workspace ONE UEM. Note that employees are prohibited from accessing Workspace ONE production environments using personal devices.

Our cloud services also implement strong technical controls, including encrypted backups, network segmentation, firewalls, and access control lists (ACLs) for mitigation, and containment from potential attacks, as well as to remediate from active attacks. For systems commonly susceptible to malicious attacks, such as Windows OS, Omnissa deploys enterprise-grade Anti-Virus software and is automatically patched, and signature updated with logging enabled; files are scanned on access. Omnissa Access and Omnissa Intelligence production systems are Linux-based and are hardened using Amazon Linux to secure images.

Log Management

Log management includes both infrastructure and application event logs.

Infrastructure Logs

Workspace ONE services leverage a robust centralized Security Information & Event Management (SIEM) infrastructure. Critical systems and privileged access to Workspace ONE infrastructure, firewall and IDS logs, and Domain Name System (DNS) Queries are logged and monitored. Auditable events are in alignment with PCI-DSS requirements and include user identification, type of event, date and time, success or failure indication, and origination of event. Access to the audit trail is protected, and logs are stored separately and securely.

Note: Omnissa does not provide SaaS infrastructure logs to customers. See Application Event Logs for customer-accessible logging options.

Omnissa System Security logs and events are centrally aggregated and monitored in real-time 7x24x365 by the Omnissa Security Operations Center (Omnissa SOC). Logs forwarded to the Omnissa SOC are retained for at least one year, in alignment with PCI-DSS requirements, with up to five years of archive storage.

Application Event Logs

Customers can access application-level logs within Workspace ONE UEM and Omnissa Access that record administrator and end-user device events. Workspace ONE UEM event logs include:

Device events show the commands sent from the console to devices, device responses, and device user actions.
Console events show actions taken from the Workspace ONE UEM console, including login sessions, failed login attempts, admin actions, system settings changes, and user preferences.
The audit events report in the Omnissa Access service lists the events related to a user, including:
The type of action within a specific date with criteria such as user, type, action, object, and date range.

Logs are available within the Workspace ONE UEM console for (30) days and the Omnissa Access console for (90) days. These logs can also be exported as *.csv files for storage offline to meet regulatory or business requirements. Workspace ONE UEM event logs can also be integrated with a customer’s existing Security Information & Event Mgt. (SIEM) solution using syslog.

Incident Management and Response

The Omnissa Incident Response (IR) program, plans, and procedures are developed in alignment with the ISO 27001 standard. Omnissa maintains contacts with industry bodies, risk and compliance organizations, local authorities, and regulatory bodies. Points of contact are regularly updated to ensure direct compliance liaisons have been established and prepared for a forensic investigation requiring rapid engagement with law enforcement. Under the Omnissa ISMS program, the incident response plan is tested at least once annually, regardless of whether a security incident has occurred.

Figure 3: Omnissa Incident and Response Cycle

Omnissa Security Operations Center (SOC)

The Omnissa SOC is staffed and monitors alerts on security anomalies 7x24x365. The Omnissa SOC leverages multiple log capture, security monitoring technologies, and intrusion detection tools to look for unauthorized access attempts, monitor for incoming threats, and detect activity from malicious insiders.

Incident Reporting

All staff are responsible for reporting information security events as quickly as possible. At a minimum, these scenarios include:

Ineffective security controls or access violations
Breach of information integrity, confidentiality, or availability expectations
Human errors
Non-compliance with policies or guidelines
Breach of physical security arrangements
Uncontrolled system changes
Malfunction of software or hardware

Breach Notification

In the case of a confirmed data breach, Omnissa shall, without undue delay, notify affected customers of the breach in accordance with applicable laws, regulations, or governmental requests.

Identity and Access Management

Managing identity and access includes access of both customers and Omnissa to production environments, as well as Omnissa access to customer networks.

Customer Access to Production Environment

As Workspace ONE services are SaaS-based offerings, customer administrators do not directly manage access to the production environment but rather access Workspace ONE services through web-based consoles. Granular role-based access controls (RBAC) restrict the depth of device management information and features available to each Workspace ONE console user. All Workspace ONE administrator changes are retained for review within the console event log. Customer administrators also manage access and entitlements for end-user devices.

Omnissa Connection to Production Environments

Workspace ONE is a multi-tenant cloud service. Service systems are accessed for maintenance and support purposes only. Omnissa does not request prior approvals to access service systems. Access privileges are enforced using role-based access control, separation of duties, and the principle of least privileges. Production environment access is secured through a combination of VPN, IP address allow-listing, or jump servers using Multi-factor Authentication (MFA) and directory credentials.

In accordance with ISO 27001 and PCI-DSS, access is restricted to authorized members of applicable teams, and system sessions are set to an idle timeout of 15 minutes. Logs are in place to review support staff access to all systems and environments. Quarterly User Access Reviews are conducted to review privileged access and to remove or deactivate accounts with 90 days of inactivity.

Omnissa Connection to Customer Consoles

Omnissa Global Customer Support may require access to customer consoles to resolve certain support tickets. Access to the customer console is tied to a support request and is granted after Customer Support obtains permission from the customer. Application logs (called Event Logs) are available to customers within the Workspace ONE consoles to review the actions taken by Omnissa Customer Support. Event logs are available in the Workspace ONE UEM console for 30 days and the Omnissa Access console for 90 days.

Omnissa Connection to Customer Networks

Workspace ONE services integrate with customer resources using optional customer-managed on-premises connectors. Workspace ONE services, therefore, do not require direct access to internal customer networks, and Omnissa support personnel do not have access to internal customer networks. For more information on the optional on-premises components, see the Common Components section of the Workspace ONE Reference Architecture.

Session Controls

Session controls include production environment sessions, the use of Workspace ONE UEM and Omnissa Access management consoles, and Hub services, as well as the Omnissa Access administrative panel and Workspace ONE Assist customer and administrator sessions.

Omnissa Production Environment Sessions

Workspace ONE SaaS production environment Omnissa administrator sessions are set to time out after fifteen (15) minutes of inactivity.

Workspace ONE UEM Management Console

The cloud-hosted Workspace ONE UEM console has a session timeout maximum of 60 minutes for customer administrators based on the load balancer persistence settings. Workspace ONE administrators can also configure an authentication timeout for end-user applications using the Workspace ONE Software Development Kit (SDK). Workspace ONE UEM console sessions include the following security controls:

HTTP sessions are secured using state and session tokens created and validated by the server.
Session control tokens are present on every HTTP transaction.
Authenticated sessions do not tie identity and authentication to anti-CSRF (cross-site request forgery) tokens.

Omnissa Access Management Console

Customer administrators set Workspace ONE single sign-on (SSO) session and per-app re-authentication policies to force users to authenticate again after a configurable length of time.

The Omnissa Access Administrative Console and Workspace ONE app catalog include the following security controls:

HTTP sessions are secured using state and session tokens created and validated by the server.
The solution uses HTTP Strict Transport Security (HSTS) headers.
Session control tokens are present on every HTTP transaction.
XSRF-TOKEN cookie is used to help prevent CSRF (or XSRF) attacks.

The Omnissa Workspace ONE® Intelligent Hub mobile app for end users leverages OAuth tokens which are stored encrypted within the app tokens using standard device-level encryption supported by each mobile operating system. All mobile Workspace ONE apps require a device-level or app-level passcode input by the end user to access the app. Expiry of these tokens is controlled by the server. The admin gets to choose how long the session is valid and how frequently it needs to be renewed. These tokens cannot be removed from the device and used elsewhere.

Workspace ONE Hub Services

Workspace ONE Hub Services is configured from the Omnissa Access and Workspace ONE UEM administrator consoles. Omnissa Access management console security is outlined above.

Omnissa Intelligence Administrative Panel

Generally, customers enable the Omnissa Intelligence administrative panel through the Workspace ONE UEM console or through the Omnissa Intelligence console via Omnissa Connect.

Omnissa Intelligence administrative panel sessions include the following controls:

JSON Web Tokens use certificates for authentication.
Access tokens expire.
Certificate downgrade is not possible.
CSRF tokens and security headers are configured to mitigate XSS.

Workspace ONE Assist – Customer and Administrator Sessions

A separate agent is required to be installed on a covered device, by Workspace ONE UEM on the Android, Windows 10, MacOS, and Windows CE operating systems. The capabilities are embedded in the Workspace ONE Intelligent Hub application on iOS. Workspace ONE Assist includes the following session protections:

HTTP sessions are secured using state and session tokens created and validated by the server.
HSTS headers are used.
Session control tokens are present on every HTTP transaction.
XSRF-TOKEN cookie is used to prevent CSRF attacks.

Cloud Security Architecture

Workspace ONE cloud services leverage robust perimeter defenses, including, access control mechanisms, perimeter firewalls, malware controls, auditing mechanisms, network controls, deactivation of unnecessary services, and maintaining defined configuration settings.

On-premises components are required to support certain solution features. Omnissa does not have, nor do we require access to customer internal networks. Customers manage on-premises connectors for the solution. Documentation on connectors is available on Tech Zone.

Workspace ONE UEM

The security of the Workspace ONE UEM architecture, including its microservices, Control Plane, and infrastructure, is assured through multiple layers of security measures as detailed below.

Disaster Recovery

Workspace ONE UEM is supported by defined enterprise resiliency programs which include business continuity and disaster recovery mechanisms. The Workspace ONE UEM cloud infrastructure is designed with high availability and resiliency by design. Redundancy helps ensure that customers will typically not notice a disruption during a component or system failure inside an Amazon Web Services (AWS) Availability Zone (AZ) or primary co-located data center.

AWS locations: Omnissa uses stretched cluster Software Defined Data Center (SDDC) for high availability in an active-active configuration: SDDC hosts are evenly split between two AZs within an AWS Region with an additional witness host in a third AZ to automatically protect against host failures or failures within the region.
U.S.-based co-locations: In the unlikely event that a primary data center fails in a co-located data center, a manual process is implemented to switch the primary database to the secondary database at the backup data center. Device and console front-end connectivity is migrated to the backup data center. Settings are manually updated to promote failover DNS from secondary to primary on the Global Load Balancer, this process changes IP address references to the backup data center.

Disaster Recovery (DR) plans are rigorously tested against various disaster scenarios and include tabletop and service restoration exercises. Additional DR strategies include:

Daily backups are stored for (30) days.
Monthly backups are retained for (60) days.
Backups are encrypted in-transit and backups are encrypted at-rest via Advanced Encryption Standard (AES-256), and support staff regularly review backup processes to help ensure data integrity.

Workspace ONE UEM Cloud Control Plane Architecture

Workspace ONE UEM has a multi-tiered architecture: Front-facing web and app servers are isolated in a restricted Demilitarized Zone (DMZ) behind L7 (Layer 7) traffic management/Transport Layer Security (TLS) acceleration appliances that proxy all connections to the web and app layer. Workspace ONE UEM also contains an orchestration layer called the Control Plane that uses containerized services for performance and high availability.

The UEM Control Plane ecosystem contains an application workloads cluster, a core services cluster, and a management cluster that spans across the web and app, state, and management services tiers. The core services cluster includes Kafka (for messaging), Postgres database, logging, and telemetry. The boundaries of the Control Plane are completely internal, and it communicates only to the Workspace ONE UEM instance. The Photon-based Linux Control Plane is scanned as a part of the deployment pipeline. The Workspace ONE UEM Control Plane also uses HashiCorp Vault for secrets lifecycle management. Secrets are used for encrypted communication between the Control Plane services. Coming soon, a new modernized architecture, called the UEM Modern Stack will be released. This modern architecture is composed of multiple microservices, each deploying its own group of service nodes and maintaining its own persistent data storage. The existing UEM components, such as the Console, Device Service, and API, will continue to serve as the application gateway to the modern SaaS architecture. For more details on the security of the UEM Modern Stack, see this whitepaper.

Figure 4: Workspace ONE UEM Control Plane Architecture

Omnissa Access

Workspace ONE cloud services leverage Omnissa Access, which includes disaster recovery (DR) mechanisms based on a three-tiered architecture application.

Disaster Recovery

Omnissa Access is supported by defined enterprise resiliency programs which include business continuity and disaster recovery mechanisms. The Omnissa Access service employs a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies. The infrastructure is designed to ensure that customers will typically not notice a disruption during a component or system failure inside a primary data center.

DR plans are rigorously tested against various disaster scenarios and include tabletop and service restoration exercises. DR strategies include, but are not limited to:

The use of multiple AWS AZs and auto-scaling for capacity adjustments.
Daily database snapshots and datastore backups to support service RPO and RTO.
Database snapshots are stored for 14 days.
Backups are encrypted in-transit, backups are encrypted at-rest (AES-256), and support staff regularly review backup processes to help ensure data integrity.
Disaster recovery plans are tested and reviewed annually for Recovery Time Objective(s) and Recovery Point Objective(s):
- RTO = (4) hours
- RPO = (4) hours

Omnissa Access Architecture

Omnissa Access is a three-tiered architecture application hosted in a blue-green deployment in multiple AZs in AWS Regions globally. The front-facing web and app servers are isolated in a restricted Demilitarized Zone (DMZ) behind L7 traffic management/TLS acceleration appliances that proxy all connections to the web and app layer. Omnissa Access uses a micro-segmentation approach for the cloud network, and each instance or server belongs to a function-specific security group. A host-based intrusion detection system and file integrity monitoring are also in place. Omnissa Access uses network access control lists (NACLs), pre-defined security groups, and a Web Application Firewall (WAF) to restrict inbound access to the production environment.

Customers can integrate with existing enterprise systems, which are determined by the customer’s service needs and ultimately result in a wide range of external IP address destinations to deliver features. Customers can also configure custom ports for integration. To accommodate customer needs, Omnissa Access does not restrict outbound traffic; however, network address translation (NAT) is in place to track outbound traffic.

Figure 5: Omnissa Access Production Environment Architecture

AWS CloudFront Content Delivery Network (CDN) is used for the delivery of some of the Omnissa Access service content (static JavaScript, CSS, and images) for the admin console and end-user experience (login screen, Catalog, and so on) on HTTPS 443. On-premises connectors and third-party Identity Providers (IdPs) do not require any access to AWS CloudFront CDN. The CDN does not store customer Personally Identifiable Information (PII).

Omnissa Intelligence

Workspace ONE cloud services leverage Omnissa Intelligence, which includes DR mechanisms based on a multi-tiered application.

Disaster Recovery

Omnissa Intelligence is supported by defined enterprise resiliency programs, which include business continuity and disaster recovery mechanisms. The Omnissa Intelligence service leverages multiple availability zones in each deployment region, and databases are configured with daily point-in-time backups going back (30) days for resiliency. Additionally, Omnissa Intelligence infrastructure deployment is automated and can be quickly orchestrated as required. The infrastructure is designed to help ensure that customers will typically not notice a disruption during a component or system failure inside a primary site due to the resiliency and redundancy built-in.

DR plans are rigorously tested against various disaster scenarios and include tabletop exercises. DR strategies include but are not limited to:

The use of multiple AWS Availability Zones.
Backups are encrypted in-transit and at-rest, and support staff review backup processes to help ensure data integrity.
Disaster recovery plans are tested and reviewed annually for Recovery Time Objective(s) and Recovery Point Objective(s):
- RTO = (4) hours
- RPO = (4) hours

Omnissa Intelligence Architecture

Omnissa Intelligence is a multi-tiered application comprised of microservices applications, which is built on the Spring framework. All containerized services in the Omnissa Intelligence application are running in multiple Availability Zones to help minimize downtime and automate scaling. Omnissa Intelligence further limits downtime risk through a blue-green deployment architecture and a continuous integration, continuous deployment (CI/CD) pipeline. Services in the state tier are deployed with failover in multiple Availability Zones.

External traffic is routed through web application firewalls (WAF) and external load balancers; all internal microservices are deployed behind internal load balancers in private subnets. Daily snapshots are taken and replicated in-region.

Figure 6: Omnissa Intelligence Production Environment Architecture

For Workspace ONE UEM SaaS customers, Omnissa hosts the Extract, Transform & Load (ETL) server (in the Workspace ONE UEM cloud environment). The hosted ETL server transmits data from your Workspace ONE UEM cloud deployment to the Omnissa Intelligence cloud environment. On-premises Workspace ONE UEM customers must install an ETL server to connect their on-premises Workspace ONE UEM deployment to the Omnissa Intelligence cloud environment.

Workspace ONE Assist

Workspace ONE Assist is supported by disaster recovery mechanisms and a three-tiered architecture.

Disaster Recovery

Workspace ONE Assist is supported by defined enterprise resiliency programs, which include business continuity (BC) and disaster recovery (DR) mechanisms.

Omnissa cloud services employ a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies. The infrastructure is designed to help ensure that customers will typically not notice a disruption during a component or system failure inside a primary data center.

DR plans are rigorously tested against various disaster scenarios and include tabletop and service restoration exercises. DR strategies include, but are not limited to:

The use of multiple Amazon Web Services (AWS) Availability Zones and auto-scaling for capacity adjustments.
Daily point-in-time snapshots and datastore backups to support service Recovery Point Objective and Recovery Time Objective(s).
- RTO = (4) hours
- RPO = (30) minutes

Workspace ONE Assist Architecture

Workspace ONE Assist is a three-tiered architecture application hosted in multiple Availability Zones (AZs) in AWS Regions globally. The front-facing web/app servers are isolated in a restricted Demilitarized Zone (DMZ) behind a load balancer that proxies all connections to the web/app layer. Workspace ONE Assist uses a micro-segmentation approach for the cloud network, and each instance or server belongs to a function-specific security group. These predefined security groups are configured to restrict inbound traffic into the production environment. External traffic is routed through AWS security groups, and internal services are deployed behind load balancers in private subnets.

Workspace ONE Assist leverages robust perimeter defenses, including access control mechanisms, perimeter firewalls, auditing mechanisms, network controls, deactivation of unnecessary services, and maintaining defined configuration settings. Security scanner agents are deployed on all internal servers; scanner reports are actively monitored.

Figure 7: Workspace ONE Assist Production environment architecture

Workspace ONE Data Processing

Data processing includes data collection, segmentation, and encryption, as well as key and certificate management.

Data Collection

By default, Workspace ONE solutions collect information necessary to manage users and devices. Omnissa publishes a Workspace ONE UEM Privacy Disclosure to inform customers who purchase the software to perform unified endpoint management and those individuals whose devices are being managed by the software regarding the types of information collected by the software about users and their devices.