2.5.1 Compliance Definition
Transparency allows vCloud consumers to know who has accessed what data, when, and where. Payment Card Industry (PCI) requirement #10.3 is a good example of the need for transparency. It states that logs must contain sufficient detail for each event to be traced to a source by user, time, and origin.
Control gives vCloud consumers a necessary component of compliance by limiting access based on a particular role and business need. Who can access, configure, and modify a vCloud environment, which firewall ports are open, when patches are applied, and where the data resides are common questions from auditors. Cloud consumers, and especially enterprise subscribers, believe that responsibility can be outsourced; accountability, however, cannot. As evidenced in the PCI Security Standards Council Assessor Update: July 2011, active Qualified Security Assessors (QSAs) have the ultimate responsibility for their clients' assessments and the evidence provided in the Report on Compliance. Both vCloud consumers and their auditors retain final accountability for their compliance and its enforcement.
By design, vCloud services are intended to address common security and compliance concerns with transparency and control by:
* Facilitating compliance through ISO 27001 certification and/or SSAE 16 SOC 2 reporting, based on a standard set of controls.
* Providing compliance logging and reports to service subscribers, for full visibility into their hosted vCloud environments.
* Architecting the service so that subscribers can control access to their vCloud environments.