The Cloud-Compliance Challenge

Cloud computing challenges the CIO legally as well as technically!

Cloud computing is the availability of standard IT resources over the internet in a pay-per-use model. At first sight this is an attractive proposition. However, there are many challenges a CIO will face when running firm-critical applications and data over the internet. The most successful CIOs have built an IT governance strategy to avoid an uncontrolled variety of technologies, metadata and business-process evolution in their IT landscape. A good governance strategy ultimately makes implementing legal compliance requirements such as Basel II or SOX much easier. When critical data does not first have to be hunted down, an orderly approach is much simpler, and the CIO won’t be the only one sleeping better.

As long as everything runs within your own company or on local infrastructure, IT governance and compliance can be governed centrally from the CIO office. But what happens once a firm actually deploys cloud computing? This technology paradigm delivers its largest cost savings when applications and business processes have extremely high and uneven resource requirements. In most cases these are, almost by definition, firm-critical applications and confidential data. The responsibility of a CIO then shifts from pursuing operational excellence in the datacenter to the greater responsibility of developing and managing intelligent sourcing concepts in the cloud and bringing their consequences under control. The large cloud computing vendors are almost without exception international firms, and a core basis for their cost-effective offering lies in their global sourcing strategies. IT governance and legal compliance must therefore evolve into cloud governance and global provider governance.

Most firms have their Basel II or SOX compliance under control. IT was an essential, but not the only, risk factor that needed to be dealt with. Many firms introduced tools to help structure and document processes and document flows better. Large firms even established new roles to take on such responsibilities, with titles such as Chief Compliance Officer. The challenge with cloud computing is that the earlier compliance strains now look like child’s play. Cloud compliance requires constant interaction with many different experts — and not only within your own company.

An international example is the move of SWIFT’s datacenters from the USA to Europe. SWIFT is known as one of the most important IT resources for banks outside their own data centers, handling all kinds of money transfers between different banks. In today’s cloud taxonomy one would describe this as a “Virtual Private Cloud” (see Forrester’s Cloud Taxonomy). The legal position of European governments on forbidding the unrestricted interception of banking details by the CIA has been changing. So far they have not forbidden it, although since December 2009 the European Parliament has been discussing this option and could change its legality. From the perspective of banking CIOs, then, cloud compliance is suddenly the interaction of internal technical experts and cloud vendors, as well as in-house legal experts and, if necessary, external legal advice. Compliance requirements should not, however, slow down the utilization of cloud resources. To do so would mean losing the essential business advantages of the cloud — in particular the ability to react quickly to changing requirements. Forrester expects that in 2010 the first vendors will bring compliance tools to market that support a firm grip on cloud compliance. These will support an agile information exchange and approval process between IT, business and legal experts, but this time across company borders. That makes them ideally suited to run as a SaaS application in the cloud rather than inside your own company.

Let me know if you are a vendor and plan to move into the Cloud-Compliance Space.

Regards,

Stefan