Regulatory compliance is an important consideration for many organizations, enabling them to participate in specific industries that require minimum standards for organizational processes and technology.
Compliance vs. Security
Regulatory compliance is a business requirement driven by the need to perform regulated tasks like accepting credit cards as payment, conducting health care activities, running energy production facilities, and more. In contrast, security is driven by the need to protect an organization’s assets from constant threat. Both activities often deal with security controls, but regulatory compliance is only assessed periodically through an audit. At the end of the audit an organization is granted an “Authority to Operate” wherein they can begin or continue the regulated activity.
How Compliance is Achieved
Regulatory compliance is assessed on implementations of systems and products, not on the products themselves. An auditor does not deal with hypothetical situations, system designs, or product capabilities. They want to see how the system is built and operated. While a VMware Cloud-based SDDC has hundreds of security features and is validated for use in the world’s most sensitive environments, it is still possible to make implementation decisions that provide opportunities for attackers and disasters. An auditor seeks to find those problems and shine a light on them.
VMware Cloud Trust Center
Because auditors assess implementations of systems, and VMware Cloud is an implementation of VMware’s infrastructure products, VMware can certify the environments against common regulatory frameworks. VMware keeps a record of these certifications at the VMware Cloud Trust Center:
Given the Shared Responsibility Model, certifications of infrastructure do not carry over to workloads themselves but do help organizations conduct audits faster because third-party auditors already certify the infrastructure, with the results posted in the VMware Cloud Trust Center or available under non-disclosure agreement via account teams.