Page 1072 - Cloud computing: From paradigm to operation

7  Security


            12.4    Logging and monitoring

            The objective specified in clause 12.4 of ISO/IEC 27002 applies.

            12.4.1  Event logging

            Control 12.4.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.
            Implementation guidance for cloud services

            Cloud service customer: The cloud service customer should define its requirements for event logging and
            verify that the cloud service meets those requirements.

            Cloud service provider: The cloud service provider should provide logging capabilities to the cloud
            service customer.

            Other information for cloud services
            The responsibilities of the cloud service customer and the cloud service provider for event logging vary
            depending on the type of cloud service being used. For example, with IaaS, a cloud service provider's logging
            responsibility can be limited to that of cloud computing infrastructure components, and the cloud service
            customer can be responsible for logging the events of its own virtual machines and applications.

            12.4.2  Protection of log information
            Control 12.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            12.4.3  Administrator and operator logs
            Control 12.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.
            Implementation guidance for cloud services

            Cloud service customer: If a privileged operation is delegated to the cloud service customer, the
            operation and performance of those operations should be logged. The cloud service customer should
            determine whether logging capabilities provided by the cloud service provider are appropriate or whether
            the cloud service customer should implement additional logging capabilities.

            Cloud service provider: (no additional implementation guidance)

            Other information for cloud services
            The allocation of responsibilities between the cloud service customer and the cloud service provider (see
            clause 6.1.1) should cover privileged operations related to the cloud service. Monitoring and logging the use
            of privileged operations are necessary to support preventive and corrective actions against incorrect use of
            these operations.

            12.4.4  Clock synchronization
            Control 12.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.











