This article is now over two years old (which shows some good foresight by Lamont Wood), but it is still a conversation I keep having and hearing today about the ability to provide compliance within a cloud-based environment. While I hate to say the entire thing can be summed up in a single sentence, the following does a pretty good job:
“What it all comes down to, ultimately, is that the user organization is responsible for figuring out who is doing what to its data and requiring assurances about the data staying in compliance.”
This single statement addresses:
- Is compliance possible?
- Who is ultimately responsible?
- How is it done?
There’s a lot more in the rest of the article, and it is worth reading if you haven’t heard the same information from me directly.