Editor’s note: Bob Broda is managing partner of Visage Solutions, a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes.

RESEARCH TRIANGLE PARK, N.C. – The cloud computing phenomenon seems to have appeared in the market out of nowhere. Hardware vendors, software vendors and service providers are all touting the business benefits of cloud computing.

Although the term is relatively new and evolving, the concepts are based mainly on new infrastructure technologies (mainly virtualization and cloud), new application technologies (Web 2.0 and parallel processing architectures) and expanding network connectivity options (Cisco’s Data Center 2.0 and 3.0 initiatives, along with growing bandwidth options and multi-vendor solutions).

The idea that purchasing only the services you use from a cloud environment may allow businesses to both save money and focus on their core business is an enticing proposition in the current economic climate. However, it is critical for business consumers to understand the infrastructure, components, and service delivery characteristics of the service offering being considered.

However, concerns about security, privacy, reliability and operations top the list of potential barriers. Gartner predicts that it will be 2012 before the cloud computing offering becomes mainstream. These concerns are typically mitigated by the providers supplying a SAS70, where an external third party comments on the strengths of internal controls based upon identified objectives. Business leaders need to evaluate whether the provider’s objectives are consistent with their own goals and practices. How are the auditors going to react when the business cannot identify the location of the data or where the processing takes place, not to mention whether there is sufficient capacity to support peaks in operations, or whether proprietary solutions inhibit data relocation or recovery to a secondary provider? No matter where the data resides, the legal, regulatory, record-keeping and fiduciary duties of the business do not change. These “Cloud” solutions will have to be auditable before SAS70s can be issued. Large businesses will not endorse this environment until they are assured that their legal and business issues are adequately addressed.

In the mid-’90s, people were hesitant to supply their credit card information over the web. People had the same issues and concerns over security and privacy. Now people supply their personal and credit card information daily. The convenience and value proposition of cloud computing are too overwhelming for these concerns not to be overcome.

Microsoft has been able to earn the ISO 27001:2005 accreditation and SAS70 Type I and Type II attestations for the Microsoft cloud infrastructure. This sets the stage for product and service delivery providers to more efficiently obtain additional certifications and attestations as appropriate. Please note that the ISO certification is for the management processes put in place to address information security concerns, and the SAS70 is for services that Microsoft offers in regard to cloud computing; one can only assume their software is included in their service offering.

When evaluating service offerings, an in-depth look is required to understand and assess what is being offered. The term “Cloud” tends to represent a wide variety of offerings. It is important to separate the reality from the hype: nearly anything to do with network-based computing, storage and applications is being positioned in some way as “cloud” (Damoulakis, May 2009). As such, it is crucial to fully understand the underlying technologies and how they are being deployed, managed, and updated consistent with an accepted IT framework.

Once in the “cloud”, coordinating releases, ensuring data integrity through either backup or replication, and integrating into the System Development Life Cycle are critical to the long-term success of moving your application to the virtual world. Considerations around data security become paramount in a shared environment with the loss of “Security through Obscurity”. Not to mention that what was once tangible, Performance and Capacity Planning, has taken on a rather cloudy view.

Visage will explore the Cloud in more detail, specifically focusing on the internal controls necessary to allow service providers and businesses alike to take advantage of this Cloud concept in a regulatory environment.

Planned additional white papers:

• Considerations for moving to the cloud
• A fully auditable cloud – fact or fiction

Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.