VIP (Validation ID Protection)

 View Only

 Symantec VIP Cloud security related questions

Fernando Sousa's profile image
Broadcom Employee Fernando Sousa posted Aug 17, 2022 02:08 PM
Regarding how Broadcom works with the security of its VIP cloud environment that supports its services and solutions, I would like to obtain more information in order to understand how reliable such an environment is. My main doubts are:
1. Is there protection against DDoS attacks?
2. Does Broadcom use WAF solutions to keep the environment secure?
3. Are there Standard Policies to Apply Patches or Updates?
4. Are all communications encrypted? Using which versions of TLS and encryption keys? Are all databases encrypted?
5. Is there alignment with GDPR? In case of storing customer data, are they masked? Is there logical and physical access control to all environments?
6. At the end of the license, if there is no renewal, does Broadcom keep customer data stored? Is it possible to export such data?
Rob Lindberg's profile image
Broadcom Employee Rob Lindberg posted Aug 17, 2022 04:04 PM
Hi Fernando,

Here are the answers to the questions you posted.

  1. In addition to the standard DDoS protection offered by our Cloud provider (Google Cloud), we do have additional rate limiting support.
  2. Perimeter protection is offered by Firewalls along with standard protection provided by Google cloud.
  3. We follow the respective Broadcom standard policies for with respect to patching and other updates. Please check the following for additional information regarding the VIP service, support and EULA : https://docs.broadcom.com/doc/validation-and-id-protection-vip-saas-listing & https://ftpdocs.broadcom.com/cadocs/0/contentimages/Maint-HB-RM106.pdf & https://docs.broadcom.com/doc/end-user-agreement-english
  4. We use FIPS compliant application libraries to protect sensitive information in our database. In addition we have all our data storages - block and cloud storage protected by our Cloud Provider. We are using TLS 1.2 for communications. As for TLS/Certificates and Encryption please check the following report: https://www.ssllabs.com/ssltest/analyze.html?d=manager.vip.symantec.com
  5. Customer data is compartmentalized in the VIP database. Data access is restricted such that only customers with valid VIP provided credentials  can access their data and we have guardrails to prevent cross tenant data access. We use Google as a Cloud provider and data at rest is protected by Google’s  comprehensive data at rest security strategy.
  6. Per our data retention policy, Broadcom will remove customer data after the contract has expired after a waiting period. The customer can use the VIP Manager or API's to retrieve their data prior to the end of the contract. Please check VIP API: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip/cloud/vip-web-services-and-apis-v127046027-d2278e2328.html

 
Regards,
Rob
Symantec VIP - Product Management Lead