2.5.5 Compliance Definition
Transparency enables VMware Powered Public Cloud consumers to know who has accessed what data, when, and where. Payment Card Industry (PCI) requirement #10.3 is a good example of the need for transparency. It states that logs must contain sufficient detail for each event to be traced to a source by user, time, and origin.
Control gives cloud consumers a necessary component of compliance by limiting access, based on a particular role and business need. Common auditor concerns include who can access, configure, and modify a cloud environment; what firewall ports are open; when to apply patches; and where the data resides. Cloud consumers—especially enterprise subscribers—believe that you can outsource responsibility, but you cannot outsource accountability. As evidenced in the PCI Security Standards Council Assessor Update: July 2011, active Qualified Security Assessors (QSAs) have the ultimate responsibility for their client's assessment and the evidence provided in the report on compliance. Both vCloud consumers and their auditors retain final accountability for their compliance and enforcement.
By design, VMware Powered Public Cloud services can address common security and compliance concerns with transparency and control by doing the following:
- Facilitating compliance through ISO 27001 certification and/or SSAE 16, SOC 2 reporting, based on a standard set of controls.
- Providing compliance logging and reports to service subscribers, for full visibility into their hosted vCloud environments.
- Architecting the service so that subscribers can control access to their public cloud environments.
For these reasons, VMware has enlisted audit partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities and to document these capabilities in a set of reference architecture documents.