Cloud SIEM services are now popular and considered a cheaper solution. There is no software to purchase, no cybersecurity professionals to hire and no additional training needed to staff up. But you have to consider log shipping costs, data sensitivity and data sovereignty as potential cons of this approach.
There is a difficulty with regulatory compliance for Cloud SIEM services. If we check Cloud SIEM services against the GDPR, we have to consider:
Data portability for the controller: Controllers must be able to facilitate the right of data portability for data subjects. If the controller’s data is in the cloud, it must be possible for the controller to retrieve the data in a structured, commonly used, and machine-readable format to provide to the data subject or another controller.
Data ownership: As a controller, you must maintain control and ownership of your data. Therefore, this must be spelled out in the contract. In addition, you must confirm that, under the host country's laws, your company retains ownership of the transferred data.
Data localization: This is complicated because, depending on the type of data and the country where the data is located, standards can restrict transfer, govern storage or expand customer rights.
Processing of personal data outside the European Economic Area (EEA): Because cloud service providers can store data in multiple locations, personal data may be stored outside the EEA. For this processing, appropriate safeguards must be taken if no adequacy decision has been made about the country where the data resides. Controllers will need to define a multi-country cloud strategy to adhere to adequacy requirements as well as data localization laws.
This is not just the case for the GDPR. If you have to comply with India's Personal Data Protection (PDPA) Act, you cannot send logs outside of India. The same applies in many countries.
One of the biggest problems is "What happens at the end of the agreement?". You have to keep those logs for years to comply with regulations. Some Cloud SIEM solutions offer to send a daily copy of the logs to an AWS S3 bucket that you control. This is a way to keep a copy for specific retention regulations, but it is an additional cost. You also have to manage those raw logs, and you have to find a way to search billions of lines when required.
There is an alternative to Cloud SIEM solutions that is compliant with the GDPR and other personal data protection regulations: the Managed SIEM service.
Although a Cloud SIEM service is cheap for Cloud SIEM service operators when compared to installing a SIEM solution on the customer side and managing it remotely (a Managed SIEM service), we are trying to solve customer problems, not those of Cloud SIEM operators.
Managed SIEM is not preferred by Cloud SIEM service operators because it is costly for them, but it is a good alternative.