Thursday, April 01, 2010

Transparent cloud wanted - apply within

I read “Compliance Under a Cloud” in CIO magazine and loved the ambiguity of how we are going to address security regulations and compliance for the cloud. “It depends” seems to be an answer thrown around a lot. The concluding paragraph is heavy. By “heavy” I mean that there is a lot of work required to properly address the problems. Obviously, if you can’t audit your cloud because it is not transparent, then you are in trouble. At the end of the day, the cloud is just another platform “out there” and your requirements for audit and security will still have to apply to that platform.
Using cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you're considering these services, you need to think through what use cases make sense, closely review contracts and service-level agreements and understand how the cloud service meets compliance requirements. Insist on "right to audit" clauses and general transparency on the controls in use. Perhaps in the future cloud services will emerge that are tailored to meet the compliance requirements of specific industries, but for now—caveat emptor!
Caveat emptor indeed!

