Gee, I remember when a cloud was used in BPP (Before PowerPoint) slideware to represent the mysterious public networks (like X.25; readers under 40 might need to Google it) provided by even more mysterious telecom giants.

Now the cloud represents the potential virtualization and dynamic "on-demand", "pay as you go" set of IT infrastructure, application platforms and applications. It is being discussed as the next major disruptive technology in the IT industry. Like the Internet, everyone wants a piece of the action as a buyer or seller; unlike the Internet, you don't have to pay big dollars for a dopey name you hope you don't have to use.
While CIOs are considering cloud computing as a potential hedge for future IT infrastructure investments, the various compliance teams are saying/thinking: "You want to put what, where?" I have had discussions with a few members of the media on this issue (read more here, here, and here) and I thought I would summarize my few thoughts in a post.
My thesis on this cloudy issue is the following:
>> The cloud is a spectrum of technologies and services that can be provided by vendors outside the logical internal network of an organization
>> These services can range from good ole outsourcing, Software-as-a-Service (SaaS) as per Salesforce.com, Platform-as-a-Service as per Amazon Web Services, and Infrastructure-as-a-Service as per GoGrid
>> As you move down the above technology stack (application to silicon) the concern for compliance will increase because there are fewer and fewer potential controls to "ac-cumulus" in each "stratus" of the stack
>> Depending where you are on this stack, cloud computing has significant compliance benefits for organizations (please read this twice for emphasis) - and I am willing to do a separate discussion on these benefits
>> To achieve these benefits, organizations must be able to:
[1] define/monitor/manage their compliance portfolio across their entire IT ecosystem of internal infrastructure/s, partners, vendors, and clouds
[2] engage with cloud vendors that will include compliance capabilities in their services that are always monitored and current
[3] have SLAs with cloud vendors that include compliance metrics as part of the on-demand services.
>> Organizations cannot deal with the GRC issues of this mashed IT infrastructure without technologies like GRC platforms used by both the organizations and the cloud vendors which can integrate with each other over some level of standardization of compliance information.
Well, there you go! The cloud does have a silver lining for IT organizations, and for the cloud vendors, GRC platform vendors, and the bloggers. Even the compliance folks! And the good news is that the cloud provides all of these stakeholders with significant challenges of technology, application development, vendor selection, business terms, SLA terms, management of the whole IT ecosystem, and an enterprise GRC platform that can deal with that ecosystem.
Cloud computing is at a stage in the technology maturation lifecycle where it is an excellent opportunity for the GRC champions of organizations to become "cirrus" (serious) and embrace the cloud, include compliance-ability in the organizations' cloud strategy, and become part of that "nimbus" (nimble) thought leadership, and maybe even join the local cloud appreciation society.
*Image used under Creative Commons License courtesy of kevindooley.