
Compliance in the clouds

We're all accustomed to compliance responsibilities when it comes to the computer network. But what happens when the network in part or in whole resides in the clouds? This is a timely issue given that cloud computing seems to be taking off. Consultancy Gartner just placed it in the number-one position in its list of top 10 technologies for 2010. 

Dark Reading asks: "How do you manage the vulnerabilities of a server if you don't know where it is or what operating system it's running on?" It's fair to say that the processes and rules that apply outside the cloud do not work when you take your data and apps into the cloud. The issues get quite technical, but many organizations are concerned that they will need new approaches to demonstrate compliance. The recent loss of consumer data for the Sidekick smartphone has highlighted this issue. Here's a roundtable discussion on CNET.

HIPAA, Sarbanes-Oxley, and other regulations all assume some form of direct record control that seems impossible in a cloud deployment. Even if information is merely passing through a cloud rather than being stored there, compliance can be an issue. So what to do? Start with a hard discussion with your vendor. Don't be afraid to ask questions about SAS-70 Type II or whatever. They should have some answers.

For more:
- here's the Dark Reading article
