Most enterprises maintain their own software-patching infrastructure. It can be very expensive — over $1000/per server. In the Cloud marketplace, a subset has already been built into the service. If you don’t actually use it, you aren’t paying for it. It’s there in the event you actually need it. That closes the loop as to compliance.
Even so, pick a Cloud hoster with the tools necessary to maintain compliance without the penalty of acquiring and owning those tools—in case of an event—as opposed to the expected occurrence.
Standards are in place for performance in the Cloud for disaster recovery.
The standards are there but have not been implemented across the majority of the Cloud. Two differing Cloud positions are emerging. The Amazons of the world will say, “We are in the business of delivering ‘compute.’ You the customers are in the position of determining whether this will work for you or not.” If you read Amazon’s SLA, it becomes painfully obvious that they are in no obligation to service anyone. They do not charge for services they do not deliver. Otherwise there is no SLA.
There are other organizations in the marketplace embracing the standards by actually obtaining certifications or opinions from Big Four auditors. They are reaching this point by saying: this is the certification we have—when you, the customer, are using our Cloud service by default you access the certification to be returned to your auditor, making it part of their overall audit. Or you can present it directly to your customers to demonstrate in a Cloud environment that is compliant with whatever certification that customer needs. There is no certification for the Cloud per se.
There is a subset of this environment that will never trust a multi-tenanted environment—like a bank. What’s ironic is that same organizations will use a service provider to run an application and store its data on shared disc storage. There is almost a hypocrisy that exists today that is primarily driven by a lack of experience. Most system administrators understand what you get when you say you have disc segregation in a multi-tenanted disc environment. But the same system administrators don’t necessarily understand how to ensure segregation of the computing platform.