Workspace ONE UEM Cloud Service Alignment with the ACSC Information Security Manual (ISM)
Introduction
This document addresses the security for Omnissa Workspace ONE® cloud services in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that organizations can apply, using their risk management framework, to protect their information and systems from cyber threats.
Note: You can find the definitions for acronyms used throughout this document in Acronyms used in the Workspace ONE Security Series.
Purpose
This whitepaper summarizes Workspace ONE cloud services security controls alignment with the Cyber Security Principles and Cyber Security Guidelines within the ISM.
Audience
This document is intended for Australian government commercial cloud customers to evaluate Workspace ONE cloud security and any potential risks against the ACSC ISM. It assumes at least intermediate knowledge of Omnissa Workspace ONE® UEM, Omnissa Access and Omnissa Workspace ONE® Hub Services, Omnissa Intelligence, and Omnissa Workspace ONE® Assist cloud services and focuses on the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization Management Program (FedRAMP), on-premises, and third-party offerings are not in scope for this document.
Workspace ONE Cloud Security Compliance
For the most up-to-date list of security audits and certifications for Omnissa cloud services, navigate to the Omnissa Trust Center.
Alignment with the ACSC Cyber Security Principles
The Omnissa Information Security Program leverages guidance from industry best practices and regulatory standards, including NIST SP 800-53 and ISO 27001. Omnissa has created controls and processes using a set of driving principles to provide the underlying general rules and guidelines for security within our cloud-delivered services. Overarching principles include:
- Governance – Balancing effectiveness and efficiency by implementing appropriate controls, and managing risk by understanding the threat landscape and involving all decision-makers in risk analysis.
- Protection – Providing preventative and protective capabilities to ensure a secure service.
- Detection – Implementing 24x7 proactive monitoring to detect and identify security incidents.
- Response – Developing agile response procedures that address both individual security incidents and disaster recovery.
Alignment with the ISM Cyber Security Guidelines
To align with ISM Cyber Security Guidelines, Omnissa and our cloud hosting partners have developed controls and processes for every aspect of cyber security. This includes roles, incidents, outsourcing, documentation, physical and personnel security, communications infrastructure and systems, enterprise mobility, ICT equipment, media, system hardening, system management and monitoring, software development, database systems, email, networking, cryptography, gateways, and data transfer.
Guidelines for Cyber Security Roles
Omnissa has developed controls and processes for two main cyber security roles: the chief information security officer and system owners.
Chief Information Security Officer
Omnissa has a Chief Information Security Officer who leads, oversees, and is ultimately responsible for our Information Security program.
Omnissa coordinates cyber security through the Information Security Governance Committee (ISGC), which includes members of senior management and representatives from our Information Security, IT Operations, HR, Marketing, Facilities, and Legal teams.
System Owners
The Workspace ONE cloud services use numerous components and platform services. Workspace ONE product management teams have overall system ownership responsibility for the cloud services, although some underlying components have their own product managers. Operational security responsibilities are assigned to applicable cloud operations teams.
Guidelines for Cyber Security Incidents
Omnissa has developed controls and processes for detecting, managing, and reporting cyber security incidents.
Figure 1: Omnissa Incident Response Cycle
Detecting Cyber Security Incidents
The Omnissa Security Operations Center (SOC) enables rapid assessment and response to cyber security threats targeting Omnissa services through continuous collection, evaluation, and dissemination of cyber threat intelligence. The Omnissa SOC works with the Workspace ONE cloud service teams to provide proactive monitoring of hosted services and to support incident response activities.
The Omnissa SOC is staffed 24x7 and monitors alerts on security anomalies. The SOC leverages multiple tools for log capture, security monitoring, and intrusion detection to look for unauthorized access attempts, monitor for incoming threats, and detect activity from malicious insiders.
Managing Cyber Security Incidents
The Omnissa Incident Response plans and procedures have been developed in alignment with the ISO 27001 standard. Omnissa follows a formal Incident Management Plan that is maintained as part of our overall Information Security Program. Incidents are reported to the appropriate Cloud Operations team for categorization and resolution, and issues are escalated to senior management according to a pre-defined protocol. Omnissa tracks alerts, responses, and resolutions through to completion: incident response teams prepare post-mortem reports to internal stakeholders and to the Information Security Governance Committee for review.
Reporting Cyber Security Incidents
In the case of a confirmed data breach, Omnissa shall notify affected customers of the breach without undue delay in accordance with applicable laws, regulations, or governmental requests.
Guidelines for Outsourcing
Omnissa has developed controls and processes for cyber security outsourcing, including supply chain risk management, managed services, and cloud services.
Cyber Supply Chain Risk Management
Omnissa has a comprehensive vendor procurement and risk management program to choose providers that meet identified security baseline requirements. Supplier agreements ensure that providers comply with applicable laws, security, and privacy obligations.
Omnissa has a formal process to document and to track non-conformance as a part of our ISMS. To help assure reasonable information security across our information supply chain, Omnissa also conducts risk assessments for service sub-processors at least annually to ensure appropriate controls are in place to reduce risks to the confidentiality, integrity, and availability of sensitive information.
Figure 2: Omnissa Risk Management Cycle
Managed Services and Cloud Services
Workspace ONE cloud services incorporate managed services and cloud services from various service providers. Our standard supplier management processes are used to track and manage the use of these third-party services.
Guidelines for Security Documentation
Development and Maintenance of Security Documentation
Omnissa maintains an organization-wide Information Security Program and Policies, and we perform annual reviews and audits of our program to keep the documentation up to date. Formal documentation, such as business continuity and disaster recovery plans, are reviewed at least annually or upon significant system change.
Security documentation for the Workspace ONE cloud services is the responsibility of applicable product managers and is maintained by the relevant operations and engineering teams. Changes or exceptions to security for Omnissa cloud services have an approval process involving Information Security management.
System-specific Security Documentation
Service-specific documentation, such as data flow and network diagrams, risk registers, and deployment procedures, is reviewed and updated regularly.
Omnissa applies consistent incident response plans across its cloud services, which are led by the Omnissa SOC.
Omnissa cloud services also apply a consistent, continuous monitoring plan for proactively identifying, prioritizing, and responding to security vulnerabilities. The Omnissa Vulnerability Response Team is responsible for managing and resolving security vulnerabilities in Omnissa products and services that are available to customers. The Omnissa Vulnerability Response Team has a mature process for investigating reports, coordinating disclosure activities with researchers and other vendors when appropriate, and communicating remediation to customers via security advisories, blog posts, and email notifications.
Guidelines for Physical Security
Facilities and Systems
Omnissa leverages Amazon Web Services (AWS) within Australia to support the Workspace ONE cloud service offerings. AWS maintains physical and environmental security controls for the cloud-delivered services, as well as for the related premises and ICT equipment. AWS has completed IRAP assessments (PROTECTED) and SOC 2 Type 2 audits and is ISO 27001 certified.
The Omnissa physical security policy governs security for our offices and other global business locations to safeguard information systems and staff.
Key elements of this policy include controls around: physical security perimeters, physical entry controls, physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of facilities, protecting against external and environmental threats, working in secure areas, access to restricted areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of equipment, unattended user equipment, and clear desk and clear screen.
ICT Equipment and Media
Omnissa leverages Amazon Web Services (AWS) within Australia to support the Workspace ONE cloud service offerings. AWS maintains suitable controls to restrict access to the underlying ICT equipment for the services. AWS has completed an IRAP assessment (PROTECTED), which includes the ICT equipment for AWS services within the assessment scope.
All customer content stored within Workspace ONE cloud services is encrypted at rest using at least AES-256 encryption.
Guidelines for Personnel Security
Omnissa has developed controls and processes for personnel security, including awareness training, and access to systems and respective resources.
Cyber Security Awareness Training
In alignment with the ISO 27001 standard, all Omnissa personnel and alternative workforce are required to complete annual business conduct and security awareness training. Employees undergo annual data handling and privacy training that includes the secure handling of customer data.
Figure 3: Information Security Awareness Training Topics
Access to Systems and Their Resources
Omnissa HR applies policies and processes for background screening, employment and confidentiality agreements, and employee termination procedures.
Access privileges to the Workspace ONE hosted infrastructure are enforced using role-based access control, separation of duties, and the principle of least privilege. Production environment access requires a secure VPN and jump server, or an allow-listed IP address, with MFA and directory credentials, and is restricted to authorized members of the applicable teams. Logs are in place to review support staff access to all systems and environments.
Australian customer data is stored in data centers located in Australia, with backups also located in Australia. However, Omnissa uses a 24x7 “Follow-the-Sun” support program. This means that, outside business hours in Australia, support services may be staffed by employees in our global office locations (for example, the United Kingdom and the United States), and data may be accessed (or processed) outside of Australia. Remote access to the production environment, for the purposes of maintenance and support, may also be used by our global data center operations team.
Guidelines for Communications Infrastructure
Cabling Infrastructure
Omnissa partners with AWS to support Workspace ONE cloud services in Australia, and AWS manages the cabling infrastructure used to host the services. AWS services are assessed under the PROTECTED classification of IRAP.
Emanation Security
Workspace ONE cloud services will not be used for SECRET or TOP SECRET systems or information, so emanation security controls are not applicable.
Guidelines for Communications Systems
Telephone Systems
Telephone services are not applicable for the Workspace ONE cloud services.
Video Conferencing and Internet Protocol Telephony
Video and voice-over IP services are not applicable for the Workspace ONE cloud services.
Fax Machines and Multifunction Devices
Fax and multi-function device services are not applicable for the Workspace ONE cloud services.
Guidelines for Enterprise Mobility
Omnissa has developed controls and processes for enterprise mobility and mobile device management.
Mobile Device Management
Omnissa secures all company workstations and mobile devices using a centrally managed corporate Workspace ONE UEM instance. Any device connecting to Omnissa corporate resources is required to be enrolled and managed. Systems settings prohibit end users from disabling endpoint protection software.
Staff are permitted to use personal devices to access a limited set of Omnissa corporate services and information. However, personal devices are prohibited from accessing production environments for Omnissa products and services. Omnissa-managed laptops must be used to access production environments.
Guidelines for Evaluated Products
Evaluated Product Acquisition and Usage
Evaluated products are not procured for the Workspace ONE cloud services. Workspace ONE UEM (on-premises version) is Common Criteria certified; however, the cloud service is not an evaluated product. See Explore On-premises Certifications in the Compliance area of the Omnissa Trust Center for details on our Common Criteria certifications.
Guidelines for ICT Equipment
ICT Equipment Usage; Maintenance and Repairs; Sanitation and Destruction; Disposal
Omnissa partners with AWS to support Workspace ONE cloud services in Australia, and AWS manages the underlying ICT equipment used to host the services. AWS services are assessed under the PROTECTED classification of IRAP.
Guidelines for Media
Media Usage; Sanitation; Destruction; Disposal
Omnissa partners with AWS to support Workspace ONE cloud services in Australia, and AWS manages the physical media that is used for the services. AWS services are assessed under the PROTECTED classification of IRAP.
Guidelines for System Hardening
Operating System Hardening
Omnissa disables unnecessary ports, protocols, and services as part of baseline hardening standards. We follow industry best practices in applying secure configurations to managed servers that are used to provide the Workspace ONE cloud services.
For Workspace ONE servers that run Windows, the team hardens server configurations using Group Policy Objects (GPOs) covering, for example, account policies, user rights, security options, event log settings, and application restrictions. Linux-based Workspace ONE servers run Amazon Linux 2, whose default security configuration includes remote access limited to SSH key pairs, remote root login disabled, a reduced set of non-critical packages installed, and automatic security-related updates.
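The SSH settings listed above are the kind of baseline an operator would verify rather than assume. The following is an added example, not Omnissa's or Amazon's tooling: it parses an `sshd_config` the way `sshd` does (first occurrence of a keyword wins, settings after a `Match` block are conditional), applies the OpenSSH 7.0+ defaults for absent keywords, and reports deviations from a small baseline. The baseline values and both sample configurations are constructed for illustration.

```python
"""Audit an sshd_config against a small hardening baseline (added example)."""

# Acceptable values for each setting, lower-cased. Assumption: this baseline
# expresses the hardening described above (key-based access, no remote root
# login); the specific values are ours, not Omnissa's or Amazon's.
BASELINE = {
    "permitrootlogin": {"no"},          # "prohibit-password" still allows key-based root
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}

# What sshd assumes when a keyword is absent (OpenSSH 7.0 and later defaults).
OPENSSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}.

    sshd honours the *first* occurrence of a keyword, and anything after a
    Match line is conditional, so parsing stops at the first Match block.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value may be separated by whitespace or an '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return [(keyword, effective_value, allowed_values)] for each failing setting."""
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        value = effective.get(key, OPENSSH_DEFAULTS[key])
        if value not in allowed:
            findings.append((key, value, sorted(allowed)))
    return findings


# Constructed sample configs for demonstration, not taken from any real host.
WEAK_CONFIG = """\
# password auth left on; the later 'no' is ignored because the first value wins
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

The weak sample shows the two mistakes that most often survive a manual review: a duplicate keyword whose second value is silently ignored, and a `Match` block that appears to tighten a setting but only does so for one user.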
Application Hardening
Omnissa uses secure-by-design principles in developing its Workspace ONE software and applies strong security management practices for the ongoing management of the cloud services.
Authentication Hardening
Omnissa applies authentication standards for all Omnissa products as part of the Omnissa Product Security Requirements (PSR), which are examined during the Security Development Lifecycle.
Omnissa applies industry best practice authentication for Omnissa personnel with access to all Omnissa code, software pipelines, or cloud service environments. Industry best practice authentication is also applied for service accounts in cloud service environments. Authentication requirements are verified by our third-party auditors during our annual compliance activities.
Virtualization Hardening
Omnissa leverages host virtualization capabilities from AWS and other vendors as well as Kubernetes-based containers in providing the Workspace ONE cloud services. We follow industry best practices in applying secure configurations to virtualization and container platforms.
Guidelines for System Management
System Administration
Omnissa applies robust processes for the administration of all systems that are involved in providing Workspace ONE cloud services. These systems and associated administrative infrastructure are strictly isolated from the Omnissa corporate network.
System Patching
Omnissa maintains the systems it uses to deliver Workspace ONE cloud services, including the application of patches deemed critical for the target systems. Our policy is to patch or upgrade network, utility, and security equipment after analyzing the severity and impact of potential vulnerabilities. Critical vulnerabilities are addressed in a timely manner, and changes are made using industry best practices.
Vulnerability scanning and remediation are in line with PCI-DSS. Scans are performed at least monthly, and system and application owners are required to address critical and high vulnerabilities with a plan of corrective action after vulnerability discovery. Other vulnerabilities are addressed with a plan of corrective action within a reasonable period.
Data Backup and Restoration
Workspace ONE cloud services employ a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies deployed at the data layer. Backup schedules are defined, and cloud operations personnel regularly review backup processes to help ensure data integrity.
Guidelines for System Monitoring
Omnissa has developed controls and processes for system monitoring, including event logging and monitoring.
Event Logging and Monitoring
Workspace ONE Cloud Operations teams are staffed 24x7 and deploy several commercial and custom purpose-built tools to monitor the performance and availability of all hosted solution components. Components include the underlying infrastructure servers, storage, networks, portals, services, and information systems used in the delivery of Workspace ONE cloud services.
Workspace ONE cloud services leverage a robust centralized SIEM infrastructure. Critical systems and privileged access to Workspace ONE cloud infrastructure are logged and monitored. Auditable events are in alignment with PCI-DSS requirements and include user identification, type of event, date and time, success or failure indication, and origination of event. Access to the audit trail is protected, and logs are stored separately and securely.
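The five event attributes listed above are only useful if every record actually carries them and if someone reads the privileged-access trail. The following is an added example, not Omnissa's SIEM content: it checks a constructed JSON-lines audit log for the required fields and flags a successful privileged login that follows a run of failures from the same user and source. Field names, the threshold, and the sample events are assumptions for illustration; 203.0.113.0/24 is a documentation address range.

```python
"""Check audit-log completeness and flag privileged-login abuse (added example)."""
import json
from collections import Counter

# Fields every auditable event must carry (the PCI DSS 10.2-style set named above).
# The field names are ours; a real pipeline maps its own schema onto them.
REQUIRED_FIELDS = ("timestamp", "user", "event_type", "outcome", "source_ip")

# Constructed sample log, one JSON event per line. Lines 5 and 6 are incomplete.
SAMPLE_LOG = """\
{"timestamp": "2024-10-04T01:12:03Z", "user": "ops-admin", "event_type": "privileged_login", "outcome": "failure", "source_ip": "203.0.113.7"}
{"timestamp": "2024-10-04T01:12:09Z", "user": "ops-admin", "event_type": "privileged_login", "outcome": "failure", "source_ip": "203.0.113.7"}
{"timestamp": "2024-10-04T01:12:15Z", "user": "ops-admin", "event_type": "privileged_login", "outcome": "failure", "source_ip": "203.0.113.7"}
{"timestamp": "2024-10-04T01:13:40Z", "user": "ops-admin", "event_type": "privileged_login", "outcome": "success", "source_ip": "203.0.113.7"}
{"timestamp": "2024-10-04T02:00:00Z", "user": "svc-backup", "event_type": "backup_run", "outcome": "success"}
{"user": "jump-01", "event_type": "sudo", "outcome": "success", "source_ip": "10.0.1.5"}
"""


def parse_events(text):
    """Yield (line_number, event_dict); an unparseable line yields an empty dict
    so that it is reported as missing every required field rather than dropped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            yield lineno, json.loads(raw)
        except json.JSONDecodeError:
            yield lineno, {}


def incomplete_events(text):
    """Return [(line_number, missing_fields)] for events lacking required fields."""
    findings = []
    for lineno, event in parse_events(text):
        missing = tuple(f for f in REQUIRED_FIELDS if f not in event)
        if missing:
            findings.append((lineno, missing))
    return findings


def privileged_success_after_failures(text, threshold=3):
    """Flag a successful privileged login preceded by at least `threshold`
    consecutive failures from the same (user, source_ip) pair.
    Returns [(user, source_ip, failure_count)]."""
    failures = Counter()
    alerts = []
    for _, event in parse_events(text):
        if event.get("event_type") != "privileged_login":
            continue
        key = (event.get("user"), event.get("source_ip"))
        if event.get("outcome") == "failure":
            failures[key] += 1
        elif event.get("outcome") == "success":
            if failures[key] >= threshold:
                alerts.append((key[0], key[1], failures[key]))
            failures[key] = 0  # a success resets the streak
    return alerts


if __name__ == "__main__":
    print("incomplete:", incomplete_events(SAMPLE_LOG))
    print("alerts:", privileged_success_after_failures(SAMPLE_LOG))
```

The completeness check matters as much as the detection: an event that lacks a source or a timestamp cannot be correlated later, so it should fail ingestion validation rather than sit unnoticed in the audit trail.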
Guidelines for Software Development
Application Development
Omnissa follows a defined Software Development Lifecycle (SDLC) that incorporates security into each phase of development (for example, requirements, design, implementation, and verification). Our SDLC is based on industry-recognized best practices and standards, including the PCI-DSS common coding vulnerabilities, OWASP, OSSTMM, SANS/CWE, and Scrum methodologies. For more information, see our SDLC whitepaper on Omnissa Tech Zone.
Figure 4: Omnissa Secure Software Development Lifecycle
Web Application Development
Our Security Development Lifecycle applies industry best practices for secure application development, including secure web application development practices.
Guidelines for Database Systems
Database Servers; DBMS; Databases
Workspace ONE cloud service databases are implemented using industry best practices, including hardening by disabling unnecessary services and accounts, applying the principles of least privilege and separation of duty, enforcing network segmentation, executing parameterized queries, and full logging and monitoring capabilities.
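Of the database controls listed above, parameterized queries are the one a reviewer can verify line by line in application code. The following is an added example, not Workspace ONE code: it puts a string-built query beside its parameterized equivalent against a constructed in-memory SQLite table and shows that the same injection payload returns every row from the first and nothing from the second. The table schema, rows, and function names are assumptions for illustration.

```python
"""String-built SQL beside its parameterized replacement (added example)."""
import sqlite3


def setup_db():
    """Constructed in-memory table; schema and rows are ours for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, owner TEXT, serial TEXT)")
    conn.executemany(
        "INSERT INTO devices (id, owner, serial) VALUES (?, ?, ?)",
        [(1, "alice", "SN-0001"), (2, "bob", "SN-0002"), (3, "carol", "SN-0003")],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """Deliberately unsafe: the owner string is spliced into the SQL text,
    so a quote in the input changes the query's structure."""
    sql = f"SELECT id FROM devices WHERE owner = '{owner}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, owner):
    """Parameterized: the driver binds owner as a value, never as SQL text."""
    sql = "SELECT id FROM devices WHERE owner = ?"
    return sorted(row[0] for row in conn.execute(sql, (owner,)))


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # every device id
    print("safe:      ", lookup_safe(conn, payload))        # no owner has that name
```

The safe version does not escape or sanitize the input; it removes the possibility of the input being parsed as SQL at all, which is why parameterization rather than input filtering is the control called out above.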
Guidelines for Email
Email Usage; Gateways and Servers
Email management and email gateways/servers are not applicable for the Workspace ONE cloud services.
Guidelines for Networking
Network Design and Configuration
Workspace ONE cloud services are designed with multi-tiered architectures with public and private subnets using network access control lists (ACLs) and security groups, firewalls, and more to support a zero-trust security approach. For details on the architecture of each Workspace ONE cloud service, see our cloud security whitepaper on Omnissa Tech Zone.
Wireless Networks
Wireless networks are not applicable for the Workspace ONE cloud services.
Service Continuity for Online Services
Workspace ONE cloud services employ a highly redundant design with multiple best-in-class redundancy technologies combined with data replication strategies deployed at the data layer. The infrastructure is designed to help ensure that customers will typically not notice a disruption during a component or system failure inside a primary data center.
Disaster recovery strategies include:
- The use of Amazon Web Services (AWS) Availability Zones for applicable locations
- Database replication
- Encryption of backups in transit and at rest (AES-256)
Guidelines for Cryptography
Workspace ONE cloud services collect limited personal data used for user activation and management. All user data stored within Workspace ONE cloud services is encrypted at rest using at least AES-256 encryption. Backups are also encrypted.
Encryption in transit is also used for data transmitted between customer resources (such as devices and on-premises connectors) and Workspace ONE cloud services over the public internet. Omnissa uses strong in-transit encryption with a minimum of TLS 1.2.
Guidelines for Gateways
Gateways; Firewalls; Web proxies; Web Content Filters; Content Filtering
The Workspace ONE cloud services architecture implements gateway appliances that proxy all connections to servers located in the public subnets. Workspace ONE cloud services also use robust perimeter defenses, including perimeter firewalls and real-time intrusion detection technologies to detect malicious behavior.
Cross Domain Solutions; Diodes; Peripheral Switches
Workspace ONE cloud services are offered as a public cloud service, so they will only be used for unclassified information or for information classified PROTECTED. Cross Domain Solutions and diodes are not applicable. Controls related to peripheral switches are only applicable to AWS as part of the shared responsibility model.
Guidelines for Data Transfers
Omnissa has developed controls and processes for data transfers and the protection of data exports.
Data Transfers
Omnissa employees are prohibited from manually transferring customer data from the production environment (for example, removal and storage of customer data on removable media). To ensure accountability, full auditing capabilities are enabled on all Omnissa cloud environments.
Customers can import and export their data using manual techniques and are responsible for developing and implementing data transfer policies and procedures, including accountability, scanning, auditing, and logging.
Summary and Additional Resources
This document addresses the security for Workspace ONE cloud services in relation to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). Information contained in this document is solely for the use of evaluating Workspace ONE software and services and does not represent an official Infosec Registered Assessors Program (IRAP) certification or endorsement of Workspace ONE cloud services by the ACSC.
Additional Resources
For more information about Workspace ONE Cloud Services, you can explore the following resources:
- Workspace ONE UEM Architecture
- Omnissa Access Architecture
- Omnissa Intelligence Architecture
- Workspace ONE Cloud Services Security
Changelog
The following updates were made to this guide:
Date | Description of Changes
10/04/2024 | 
About the Author and Contributors
The following people contributed their knowledge and assistance with this document:
- Andrea Smith, Sr. Program Manager, Customer Security Assurance
- Andrew Osborn, Staff Technical Marketing Architect, Technical Marketing
Feedback
Your feedback is valuable.
To comment on this paper, contact Omnissa Technical Marketing at tech_content_feedback@omnissa.com.