For instance, "first we document everything," said Martin Dubois, chief counsel at Taleo Corp., a vendor in Dublin, Calif., that offers cloud-like human resources services. "Whatever we do -- be it encryption, access controls or separation of duties so that no one individual can control the process from beginning to end -- it is documented. When we code an application, we make sure that the one who wrote the code is not the one who reviews the code. Every week, we have several compliance audits by customers. With SAS 70 reports, they can see the compliance for themselves."
But some forms of compliance may remain elusive in the cloud. "It does not work where you have artificial restraints imposed by legislation," said Alistair Croll, analyst at Bitcurrent, a research firm in Montreal. "France, for instance, insists that certain types of records stay within France, so you cannot use Amazon in that situation, since you cannot guarantee where your data will be stored."
As more companies turn to the cloud to save money and gain flexibility, there's no doubt these and other compliance issues will continue to be raised.
Lamont Wood is a freelance writer in San Antonio. Computerworld is an InfoWorld affiliate.