Clouds and compliance: Yes, you can.

Cloud computing has stirred many reactions from TechRepublic members. In this blog, IT pro Rick Vanover sits down with a compliance expert for the hard facts on going to the cloud.

I have been covering cloud computing here on the Network Administrator blog simply to inform those who have questions about cloud technologies. Every time I write about it, someone invariably raises compliance as an objection. So I sat down with Dorian Cougias of California-based Unified Compliance Framework, a firm that specializes in mapping IT controls across international regulations, standards, and best practices.

Mr. Cougias did a good job of simplifying compliance for mainstream IT: "Compliance has a blind eye to cloud computing." The reason is that compliance controls are written at a level above any particular technology solution; they state what must be achieved, not which products or hosting model must achieve it. Put another way, the organization bears the burden of building and deploying a solution that is compliant, whether that solution lives in the cloud or in a private datacenter. Whether it is built correctly is the responsibility of the architect and the organization, not of the hosting model.

Because the organization remains responsible for building a sound system, another issue that frequently arises is the backup strategy. A control may require that data be protected and recoverable; how that is achieved is the architect's decision. It can be addressed through cloud-centric backup services or, architecturally, by protecting data across more than one provider through cloud federation. Again, the compliance controls are focused at a high level rather than on detailed software and hardware configurations.

Another discussion point is availability of the IT footprint. Speaking frankly, I think Google Apps, Amazon Web Services, Nirvanix Storage Delivery Network, and Windows Azure can all run datacenters better than most of us can. I gave a primer on service level agreements (SLAs) in an earlier post, and that got me thinking: How easy is it to get a formal SLA within your own organization? Can you define one as clearly as a cloud provider does?

UPDATE: As usual, TechRepublic members have responded in force. This time, though, there is something extra. IT compliance expert Dorian Cougias has a challenge for the naysayers:

“Therefore, my challenge is this. I will pay the sum of $100 for any person who can send me a citation from any authority document (statute, code of regulations, judicial bench review, or international contractual obligation like PCI) that forbids cloud computing.”

What an opportunity! Respond in the previous thread if you are up to the challenge. The challenge is not sponsored by TechRepublic; it is, however, an opportunity for us to hammer out cloud topics independently.