The VMware Site Recovery for VMware Cloud on Amazon Web Services (AWS) DRaaS offering now supports PCI-DSS compliance. VMware Site Recovery recently received the highest level of PCI certification (PCI DSS Level 1 provider status).
As a certified PCI DSS Level 1 service provider, the VMware Site Recovery service operates in compliance with PCI DSS security measures and controls, thereby potentially addressing the needs of a broad range of customers and workloads that need to store, process, or transmit cardholder or sensitive authentication data. PCI compliance will be enabled in the AWS regions that support VMware Cloud on AWS where SDDCs are configured for compliance hardening for PCI.
VMware Site Recovery implements a shared responsibility model that defines distinct roles and responsibilities of the three parties involved in the offering: Customer, VMware, and Amazon.
Customer Responsibility
On-premises Security – The customer is responsible for installation, configuration, and continuous operations of all the on-premises software components and hardware in compliance with PCI-DSS requirements. This includes the network connection over which communication between on-premises and cloud components occurs. This could include, but is not limited to, using encryption where applicable and having processes for regular software security patching, credential rotations, auditing, and user access controls.
Security in the Cloud – Customers are responsible for the configuration of the DR protection of their sites via the Service UI and API. This includes, but is not limited to, the configuration of network firewall rules, VPNs, site pairing, replications, protection groups, inventory mappings, and recovery plans.
VMware Responsibility
Security of the Cloud – VMware is responsible for protecting the software and systems that make up the VMware Site Recovery and VMware Cloud on AWS services.
AWS Responsibility
Security of the Infrastructure – AWS is responsible for the physical facilities, physical security, infrastructure, and hardware underlying the entire service.
Shared Responsibility Matrix
Details on the shared responsibility model employed by VMware Site Recovery can be found in the table below.
Much of the low-level operational infrastructure is handled by the VMware Site Recovery and VMware Cloud on AWS Engineering and Operations teams, allowing the customer to focus on managing their workloads.
Entity | Responsibility / Activity
Customer |
VMware |
AWS – Amazon Web Services |
This is great news for customers looking for DRaaS that supports PCI certification. For more detail, see the VMware Site Recovery Shared Responsibility Model whitepaper.