Everything seems to be moving in the direction of cloud computing. In a recessionary economy, it's only to be expected. The cloud is less expensive, requires less hardware, less software, fewer people... But that doesn't mean it makes compliance any simpler. In fact, it may complicate compliance more than we realize.
That's probably why groups like the Computer Security Institute have been asking questions about compliance in the cloud for months now, and why the Cloud Security Alliance is set to launch soon. In September, CSI's Sara Peters asked simply, "How do you prove compliance in the cloud?" She noted:
[M]y guess is that organizations [using the cloud] have neither the authority nor the ability to establish log settings, maintain logs, or view logs of any activity conducted on that virtually infinite infrastructure.This is particularly worrisome if you are (and I really hope you aren't) using cloud computing services for storing sensitive/protected data.
Next month, Proskauer Rose attorneys Tanya Forsheit and Nolan Goldberg will participate in a session at CSI SX: Security Exchange on that very topic, but I have an opportunity to speak with them Friday afternoon regarding what the compliance concerns are with cloud computing as well as how those who take advantage of the cloud should approach those concerns. It's a starting point, at least.
Stay tuned for their insight.