Compliance With Clouds: Caveat Emptor

Today's organizations face aggressive cost-cutting and efficiency pressures that drive businesses to consider cloud sourcing solutions. While the many properties of cloud services, such as elasticity, low entry costs, and faster time-to-market, are well suited to supporting a wide range of business functions, compliance has been a difficult proposition for organizations considering moving to the cloud. Support for regulatory, regional, or internal policy compliance is arguably the weakest aspect of cloud computing. Today's infrastructure-as-a-service (IaaS) players don't provide geographic ubiquity, and software-as-a-service (SaaS) players rarely offer comprehensive data-level controls. As a result, leveraging the benefits of cloud and maintaining compliance can be at odds with each other. Security and risk professionals assisting businesses with sourcing selections must understand that your organization is ultimately responsible for compliance and it is your responsibility to help business assess compliance risks. When necessary, you should implement compensating controls atop the cloud infrastructure to attain compliance.