wiredFINANCE

Alan Radding, SOFTWARE & SYSTEMS blogger for the Business Finance community

Cloud Audit and Compliance

The cloud can simplify your IT infrastructure, but it also can complicate audit and compliance. This isn’t a deal-breaker; it’s more just another complication that must be identified and dealt with.


“There are many approaches and nuances to cloud computing. Benefits to the enterprise as well as risks will vary depending on the types of service and deployment models selected,” writes co-author Peet Rapp in a paper published by ISACA titled “Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives.” He describes those models in the paper.


There are three main complications that make the cloud challenging from a security, compliance, and audit perspective: (1) lack of direct control, (2) location transparency, and (3) the public nature of the cloud.

(1) Lack of direct control — The organization only controls what data it chooses to put in the cloud. Once the data is there, the organization loses direct control. It also does not have direct control of the applications, the cloud provider staff, or anything else outside of its own data center. As much as I hate involving lawyers in anything, this is where you will need a good lawyer to review the contracts and write in the appropriate language defining your cloud resources and the levels of service you expect in an auditable and enforceable way.


(2) Location transparency — This may be the thing that drives auditors the craziest. When you store data with a cloud provider, you can’t always be sure where that data resides physically. If you are running applications as a service, you don’t know where that application will actually process your data. The cloud provider may spread the data over multiple locations for perfectly good reasons. However, you may face regulations mandating that certain data not leave the state or, more likely, the country. If your auditor will go berserk to learn that pieces of your data end up in Mumbai or Belarus, you should resolve this at the start.


Again, the solution is to let the lawyers hammer out agreements to cover these contingencies. And even with all the agreements in place, understand that in the cloud your data can end up anywhere. As the cloud providers increasingly automate and optimize every aspect of operations to maximize their efficiency of scale, some automated system may decide, for the purpose of optimizing some particular detail, that your data must move, at least temporarily, to a server in, say, China. If that possibility presents a problem, keep that data at home in your data center.


(3) Public nature of the cloud — This is the part that drives IT and C-level executives crazy. The cloud can deliver its value because it is a shared resource, which means that others use it, too. Responsible cloud providers deploy an array of tools to prevent people and systems from reaching data they aren’t authorized to access. Still, no security system is completely bulletproof. The knee-jerk reaction is to keep your data home in your own data center. This isn’t necessarily safe either; just ask TJX Companies.


If you have critical data anywhere that must be absolutely protected, then encrypt it. Encryption costs more and adds a performance hit. Still, if your encrypted data is exposed in the cloud, in your data center, or anywhere else, it doesn’t matter. Without the key, which only you hold and protect with your life, your data amounts to nothing but unintelligible garbage to whoever gets it.
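The point above is that the key stays with you and only the ciphertext goes to the provider. The following Go program is an added illustration of that pattern and is not code from the original post or from any cloud provider: it seals a record with AES-256-GCM under a key generated on-premises, binds the ciphertext to the object name it is stored under, and then shows that anyone holding the uploaded blob without the key gets an authentication error rather than data. The function names (`Seal`, `Open`, `NewKey`), the object name `ledger/2010-q1.csv` and the sample record are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey generates the 32-byte data-protection key. In a real deployment this
// key is created and stored on-premises (an HSM or on-prem key manager) and is
// never uploaded alongside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The object name is passed as
// additional authenticated data (AAD): it is not encrypted, but a blob copied
// under a different name will fail authentication on decryption.
// The returned slice is nonce || ciphertext || tag, the thing you would upload.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM needs a fresh nonce per encryption under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. It fails with an error (not garbage plaintext) when the
// key, the object name, or any byte of the blob is wrong.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key, _ := NewKey()
	record := []byte("acct=4321;balance=10500.00") // constructed sample record
	const name = "ledger/2010-q1.csv"              // constructed object name

	blob, _ := Seal(key, name, record)
	fmt.Printf("uploaded blob (%d bytes) reveals nothing of the record: %x\n", len(blob), blob)

	// Whoever reaches the shared storage without the key gets an error.
	wrong, _ := NewKey()
	if _, err := Open(wrong, name, blob); err != nil {
		fmt.Println("decrypt without the key:", err)
	}
	// Only the key holder gets the record back.
	back, _ := Open(key, name, blob)
	fmt.Println("decrypt with the key:", string(back))
}
```

The design choice worth noting is the AAD: tying each blob to its storage name means a provider-side mix-up, or a copy of one object placed where another should be, is caught at decryption instead of silently yielding the wrong record. The key-management question the post raises (who holds the key, and where) is deliberately kept outside the storage path; the cloud only ever sees `blob`.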


Welcome to 2010, the era of cloud computing.
