2.5.3 Compliance Visibility and Transparency
Log management is built into many compliance frameworks, such as ISO 27002, HIPAA/HITECH, PCI DSS and COBIT. Enterprise subscribers need visibility into their private vCloud instances, and they also demand that providers give them visibility into their public vCloud environments. For example, enterprise subscribers must collect and archive logs and reports related to user activities and to access controls such as firewalls.
To comply with these controls, providers must enable reasonable visibility and transparency into their vCloud service architecture for subscribers. To accomplish this, service providers should collect and maintain logs for periods of 6 and 12 months for relevant components of the vCloud service and be able to provide pertinent logs back to individual vCloud subscribers on an as-needed basis. Service providers should also maintain and archive logs for the underlying multitenant hosting infrastructure, based on the same 6- and 12-month periods. In the event of an audit, service providers should be able and willing to provide these logs to an auditor and/or individual subscriber. In general, vCloud service providers should have logs covering the following components of a subscriber’s environment and keep them readily available for subscriber access for periods of up to 6 and 12 months:
* VMware vCloud Director®.
* VMware vCloud Networking and Security Edge™.
The VMware vCloud Suite is based on a set of products that have been used in many secure environments. Products such as VMware vCloud Director and VMware vCloud Networking and Security™ generate a set of logs that give subscribers visibility into all user activities and firewall connections. VMware provides the necessary blueprints and best practices so that providers can best standardize and capture these sets of logs and provide subscribers with the ability to access them.
In addition to logs, service providers should provide basic compliance reports to their subscribers so that they understand all the activities and risks in their vCloud environment. VMware provides design guidelines in this area so that vCloud service providers can meet common enterprise subscriber requirements. Service providers are responsible for logging their vCloud services as well as their subscriber environments. These capabilities should be implemented and validated before any vCloud service is made generally available.