Page 1070 - Cloud computing: From paradigm to operation
7 Security
Implementation guidance for cloud services
Cloud service customer:
The cloud service customer's change management process should take into account the impact of any changes made by the cloud service provider.
Cloud service provider:
The cloud service provider should provide the cloud service customer with information regarding changes to the cloud service that could adversely affect the cloud service. The following will help the cloud service customer determine the effect the changes can have on information security:
– categories of changes;
– planned date and time of the changes;
– technical description of the changes to the cloud service and underlying systems;
– notification of the start and the completion of the changes.
When a cloud service provider offers a cloud service that depends on a peer cloud service provider, then the cloud service provider might need to inform the cloud service customer of changes caused by the peer cloud service provider.
Other information for cloud services
The list of items that should be included in the notification can be identified in an agreement, e.g., a master
service agreement or a service level agreement (SLA).
12.1.3 Capacity management
Control 12.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply. The following sector-specific guidance also applies.
Implementation guidance for cloud services
Cloud service customer:
The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements.
The cloud service customer should monitor the use of cloud services, and forecast their capacity needs, to ensure performance of the cloud services over time.
Cloud service provider:
The cloud service provider should monitor the total resource capacity to prevent information security incidents caused by resource shortages.
Other information for cloud services
Cloud services involve resources that are under the control of the cloud service provider and made available
to the cloud service customer under the terms of the master service agreement and a related SLA. These
resources include software, processing hardware, data storage, and network connectivity.
Elastic, scalable and on-demand allocation of resources in a cloud service generally increases the total
capacity of the service. However, the cloud service customer should be aware that the resources provided
could have capacity constraints. Examples of capacity constraints include the number of processor cores for
an application, the amount of storage available, or the network bandwidth available.
The constraints can vary depending on the particular cloud service or the particular subscription that the
cloud service customer purchases. If the cloud service customer has requirements that exceed the
constraints, the cloud service customer might need to change the cloud service or change the subscription.