And if a cloud provider is generally deemed compliant with some security standard, that doesn't mean an individual business's use of that cloud will pass muster as well. "It's you the end customer who is responsible for compliance, not the service provider," he says.
For businesses that plan to use some form of cloud, Richter set down eight steps to follow to make the transition safely from a private traditional infrastructure:
1. Appraise your applications. "Some applications are so woven into the corporate system that cloud really can't apply."
2. Classify data. Determine what is sensitive and what's not. "This has ramifications for what type of cloud you choose."
3. Determine the cloud type that suits you best, software as a service, platform as a service or infrastructure as a service.
4. Choose a delivery model. Private, self-managed cloud, managed or outsourced, public cloud, enterprise public cloud, hybrid cloud.
5. Specify platform architecture. This should include specifications for computing, storage, backup, network routing, virtualization vs. dedicated hardware.
6. Specify security controls. This should include firewalls, intrusion detection/prevention systems, log management, application protection, data-loss protection, ID and access management, encryption and vulnerability scanning.
7. Policy requirements. Check out cloud providers' policies to make sure they fit with your needs. "Believe me, they vary widely from provider to provider."
8. Look at the service provider itself. Is it geographically dispersed, can customers auto-provision, does the provider have enough capacity to meet the needs of bursting, can they monitor all customers' traffic so one doesn't unintentionally launch a DoS attack against the cloud, what are the service-level agreements, is the provider financially stable?