Page 1085 - Cloud computing: From paradigm to operation

Security                                                   7


            CLD.9.5.2   Virtual machine hardening

            Control
            Virtual machines in a cloud computing environment should be hardened to meet business needs.

            Implementation guidance for cloud services

                          Cloud service customer                          Cloud service provider

             When configuring virtual machines, cloud service customers and cloud service providers should ensure that
             appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed), and that the
             appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.

            CLD.12.1    Operational procedures and responsibilities
            The objective specified in clause 12.1 of ISO/IEC 27002 applies.

            CLD.12.1.5  Administrator's operational security
            Control

            Procedures for administrative operations of a cloud computing environment should be defined, documented
            and monitored.
            Implementation guidance for cloud services

             Cloud service customer

             The cloud service customer should document procedures for critical operations where a failure can
             cause unrecoverable damage to assets in the cloud computing environment.
             Examples of the critical operations are:
             –  installation, changes, and deletion of virtualized devices such as servers, networks and storage;
             –  termination procedures for cloud service usage;
             –  backup and restoration.
             The document should specify that a supervisor should monitor these operations.

             Cloud service provider

             The cloud service provider should provide documentation about the critical operations and
             procedures to cloud service customers who require it.

            Other information for cloud services

            Cloud computing has the benefit of rapid provisioning and administration, and on-demand self-service. These
            operations are often carried out by administrators from the cloud service customer and the cloud service
            provider. Because human intervention in these critical operations can cause serious information security
            incidents, mechanisms to safeguard the operations should be considered and, if needed, be defined and
            implemented. Examples of serious incidents include erasing or shutting down a large number of virtual
            servers or destroying virtual assets.
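
            Added example, not part of the original text: one possible safeguard mechanism for the critical operations
            listed under CLD.12.1.5, which logs every critical operation for supervisor review and blocks bulk destructive
            ones until a supervisor other than the operator approves. The operation names, the destructive subset, the
            threshold of 10 targets and the user names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Critical operations, following the examples listed under CLD.12.1.5.
CRITICAL = {"install", "change", "delete", "terminate_service", "backup", "restore"}
# Assumption: the subset that can destroy assets and so needs prior approval in bulk.
DESTRUCTIVE = {"delete", "terminate_service", "restore"}
BULK_THRESHOLD = 10  # assumption: more targets than this is "a large number"

@dataclass
class Request:
    operator: str
    kind: str
    targets: list
    approver: Optional[str] = None

@dataclass
class OperationGuard:
    supervisors: set
    audit_log: list = field(default_factory=list)

    def authorize(self, req: Request) -> tuple:
        """Decide whether req may run; log every critical operation for review."""
        allowed, reason = True, "routine operation"
        if req.kind in CRITICAL:
            reason = "critical operation, logged for supervisor review"
            if req.kind in DESTRUCTIVE and len(req.targets) > BULK_THRESHOLD:
                if req.approver is None:
                    allowed, reason = False, "bulk destructive operation needs approval"
                elif req.approver not in self.supervisors:
                    allowed, reason = False, "approver is not a supervisor"
                elif req.approver == req.operator:
                    allowed, reason = False, "operator cannot approve own request"
                else:
                    reason = "bulk destructive operation approved by " + req.approver
            self.audit_log.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "operator": req.operator, "kind": req.kind,
                "targets": len(req.targets), "allowed": allowed, "reason": reason,
            })
        return allowed, reason

if __name__ == "__main__":
    guard = OperationGuard(supervisors={"sup-alice"})  # constructed sample names
    vms = ["vm-%03d" % i for i in range(200)]  # constructed sample targets
    print(guard.authorize(Request("op-bob", "delete", vms)))
    print(guard.authorize(Request("op-bob", "delete", vms, approver="sup-alice")))
```
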

            CLD.12.4    Logging and monitoring
            The objective specified in clause 12.4 of ISO/IEC 27002 applies.

            CLD.12.4.5  Monitoring of Cloud Services
            Control

            The cloud service customer should have the capability to monitor specified aspects of the operation of the
            cloud services that the cloud service customer uses.





