The compliance rules are based on a checklist which VMware vRealize Operations Compliance Pack for Sovereign Cloud utilizes to monitor the products in the Sovereign Cloud stack.

The VMware Sovereign Controls are as follows:

Criteria Notes
Data Sovereignty and Jurisdictional Control
  • Data should reside locally.
  • The cloud should be managed and governed locally, all data processing including API calls should happen within the country/geography.
  • Data should be accessible only to residents of the same country, and the data should not be accessible under foreign laws or from any outside geography.
Data Access and Integrity
  • Two data center locations.
  • File, Block, and Object store options
  • Backup services, Disaster Recovery
  • Low-latency connectivity, Micro segmentation
Data Security and Compliance
  • Industry recognized Security Controls (minimum ISO/IEC 27001 or equivalent)
  • Additional relevant industry or governmental certifications
  • Third-party audits
  • Zero Trust Security
  • Encryption
  • Catalogue of trusted images using the sovereign repository
  • Support for air gapped zones/regions
  • Operating personnel requirements and security clearance
Data Independence and Interoperability
  • Workload migration with bi-directional workload portability
  • Modern application architecture using containers
  • Support for hybrid cloud deployments
Note: This set of controls is intended to provide general guidance for organizations that are considering VMware solutions to help them address compliance requirements. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Organizations should engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements.

In the following topics, you view the list of automated controls to verify many controls which are part of the Sovereign Cloud checklist.