It’s good to do some reflection, and this is the last Saturday of he month, so here we are.
Securosis’ Rich latest post https://securosis.com/blog/summary-heads-up has a decent summary post, which is discussing what to do periodically – review current technologies and methods and see if those methods can improve your current operational methods and technologies.
We can only do what we can:
“I am only one, but I am one. I cannot do everything, but I can do something. And I will not let what I cannot do interfere with what I can do. And by the grace of God, I will.” Edward Everett Hale
So what is Rich from Securosis saying? besides his personal story with the end result of the following:
cloudSOC – Security Operations Center and
SIEM – Security Information Event Manager
CloudSOC and SIEM are technologies that you need to learn to make hybrid clouds and cloud network integration security methods work.
Why is this? Because the cloudSOC is a service that can handle your new cloud security needs. As you know in PCI compliance and just general security reviewing logs is important, well what happens when your systems are no longer physical? If a cloud service now hosts your mail service, how can you look at logs? When a cloud service hosts your files?
Here is the cloudSOC pdf that Securosis put together:
https://securosis.com/assets/library/reports/Securosis_CloudSOC_FINAL.pdf
Notice one of the points that they have is to request Log access when drawing up the initial contracts, not later. The idea is to get access to your file system , web server, and email system logs.
The rest of the document lists the devices and methods in today’s computing environment that are used – cloud applications, mobile devices using many different cloud environments (hybrid clouds or cloud 2 cloud among many).
The environments are getting more complex, and the compliance still needs to be addressed. Securosis’ advice of checking the logging requirements before signing is a good idea, and also checking CloudSOC is good, especially if we can get the compliance methods solved.
Contact us to discuss your cloud compliance needs.