The Open Data Center Alliance Regulatory Framework usage model does a decent job of getting cloud providers to step up to the compliance plate while rightly insisting that cloud consumers remain ultimately accountable for their risks.
The Open Data Center Alliance (ODCA) Regulatory Framework (RF) publication is among the longest of the organization's usage models, by virtue of two lists that enumerate a rather frightening global roster of regulatory bodies that must be reckoned with when assembling a comprehensive compliance regime. The good news is that the RF recommendations themselves take up just seven pages of the report. The RF focuses on an ongoing corporate compliance program for cloud environments, which matches the best-practice guidelines I've seen for private data center operations. This means that the practices your organization already follows aren't that different once data and applications are moved to a shared cloud environment. What changes is that the cloud provider becomes the source of the risk assessment and risk management data. IT managers would therefore do well to use the RF as a starting point for exploring an external cloud provider's ability to satisfy reporting and control requirements.
As I've touched on in earlier posts in this series, IT managers must understand the implications of locating data outside of a private data center. As the RF notes, cloud consumers should take into account the risks associated with data geo-location, data ownership, and access controls, or the lack thereof.
Data governance, risk and compliance is a fussy area of work. In acknowledgment of this, the ODCA, through the RF, makes recommendations where it sees that open, intellectual-property-free implementations are possible. IT managers at regulated organizations that are considering moving regulated data and applications to the cloud would be well served to spend some time with the RF and decide whether the ODCA recommendations make sense for their organization.
Table of Contents for the Series:
1. IT Users Band Together: a brief introduction to the ODCA
2. Virtual Machine Interoperability
3. Carbon Footprint
4. Security Monitoring
5. Security Provider Assurance
6. Regulatory Framework
7. Standard Units of Measure for IaaS
8. Service Catalog
9. I/O Controls