Page 1071 - Cloud computing: From paradigm to operation

Security                                                   7


            In order for the cloud service customer to perform capacity management for cloud services, the cloud service
            customer should have access to relevant statistics on resource usage, such as:
            –       statistics for particular time periods;
            –       maximum levels of resource usage.

            12.1.4  Separation of development, testing and operational environments
            Control 12.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            12.2    Protection from malware

            The objective specified in clause 12.2 of ISO/IEC 27002 applies.
            12.2.1  Controls against malware

            Control 12.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            12.3    Backup
            The objective specified in clause 12.3 of ISO/IEC 27002 applies.

            12.3.1  Information backup
            Control 12.3.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.

            Implementation guidance for cloud services

            Cloud service customer

            Where the cloud service provider provides backup capability as part of the cloud service, the cloud service
            customer should request the specifications of the backup capability from the cloud service provider. The
            cloud service customer should also verify that they meet their backup requirements.
            The cloud service customer is responsible for implementing backup capabilities when the cloud service
            provider does not provide them.

            Cloud service provider

            The cloud service provider should provide the specifications of its backup capabilities to the cloud
            service customer. The specifications should include the following information, as appropriate:
            –       scope and schedule of backups;
            –       backup methods and data formats, including encryption, if relevant;
            –       retention periods for backup data;
            –       procedures for verifying integrity of backup data;
            –       procedures and timescales involved in restoring data from backup;
            –       procedures to test the backup capabilities;
            –       storage location of backups.
            The cloud service provider should provide secure and segregated access to backups, such as virtual
            snapshots, if such service is offered to cloud service customers.

            Other information for cloud services
            The allocation of responsibilities for making backups in the cloud computing environment is often unclear. In
            the case of IaaS, responsibility for making backups generally resides with the cloud service customer.
            However, a cloud service customer might not be aware of its responsibility to make backups of all cloud
            service customer data produced in the cloud computing system, such as executable files produced by the use
            of development capabilities of a PaaS service.
            NOTE – Varying levels of backup and restore might be offered as a service at additional cost and, in this case, cloud
            service customers can choose what and when to back up.



