Azure VMware Solution addresses vulnerabilities in the infrastructure

At a high level, Azure VMware Solution is an Azure service, so it must follow all the same policies and requirements that Azure follows. Azure policies and procedures dictate that Azure VMware Solution must follow the Security Development Lifecycle (SDL) and must meet several regulatory requirements as promised by Azure.

Our approach to vulnerabilities

Azure VMware Solution takes an in-depth approach to vulnerability and risk management. We follow the SDL to ensure that we're building securely from the start, and this focus on security extends to any third-party solutions we work with. Our services are continually assessed through both automated and manual reviews. We also partner with third-party vendors on security hardening and on early notification of vulnerabilities within their solutions.

Vulnerability management

  • Engineering and security teams triage any signal of vulnerabilities.
  • Details within the signal are adjudicated and assigned a Common Vulnerability Scoring System (CVSS) score and risk rating according to compensating controls within the service.
  • The risk rating is measured against internal bug bars, internal policies, and applicable regulations to establish a timeline for implementing a fix.
  • Internal engineering teams partner with appropriate parties to qualify and roll out any fixes, patches, and other configuration updates necessary.
  • Communications are drafted when necessary and published according to the risk rating assigned.

Tip

Communications are surfaced through the Azure Service Health portal, the known issues list, or email.

Subset of regulations governing vulnerability and risk management

Azure VMware Solution is in scope for the following certifications and regulatory requirements. The regulations listed aren't a complete list of certifications that Azure VMware Solution holds. Instead, it's a list of those with specific requirements around vulnerability management. Regulations that defer to another standard for this purpose are excluded; for example, certain regional certifications might point to ISO requirements for vulnerability management.

Note

You must be an active Microsoft customer to access the following audit reports hosted in the Service Trust Portal:

More information