The organization’s audit tools monitor and restrict the misuse of log data. Strict access control, separation of duty, and other policies define which users can access the management system of VMware.

The VMware Security Operations Center uses security information and event management (SIEM) tools to monitor logs and all the privileged access is captured in a centralized server. HR policies of VMware ensure that the terminated employees have no access. A quarterly access review audit is performed to ensure that the service access is appropriate. An employee who changes roles within the organization has access privileges modified according to their new position. Controls are applied to ensure that access to systems that are no longer required for business purposes is removed.

The third-party access to organization’s information systems and data is followed by coordinated application of resources to minimize and monitor the likelihood and impact of unauthorized access. Compensating controls derived from risk analyses are implemented before provisioning access. As a customer, you are responsible for managing access to the administrative console and end-user resources. You can also control the access to VMware Cloud services and virtual network. Access to diagnostic and configuration ports is restricted to authorized individuals and applications. VMware systems management access is performed over a dedicated network connection. Customer management access is performed over a dedicated management network connection established by VPN.

The Terms of Service document clearly defines the demarcation between responsibilities of VMware, separation of duties within VMware, the responsibilities of Amazon Web Services, and customer responsibilities.