Appendix C. Open Security Architecture for Cloud Computing

With public cloud computing, part of your infrastructure, and with it part of your trust boundary, moves to a third-party provider. Maintaining consistent security across that boundary is complex and challenging for information security professionals. Public cloud services are evolving into complex webs of dependencies, relying not only on the provider you contract with but also on that provider's own providers. In fact, the SaaS offering you consume may itself be built on another company's IaaS (e.g., a backup service that stores its data in Amazon's S3). The chain of dependencies may not be obvious, and the current lack of transparency from cloud service providers (CSPs) makes it difficult to understand the risks that accompany the benefits. Most importantly, the lack of industry-standard controls for assessing cloud risks, and the lack of a baseline against which to benchmark consumed cloud services, can result in operational inefficiencies and weaken compliance management.

You must carefully consider a number of control areas before you move computing operations to a CSP, because the services provided are not under the direct control of the customer. Risk management in cloud computing is an evolving area, and standards are still being debated by the community. Given the current lack of agreed-upon standards across providers, it is unlikely that a customer's requirements for mitigating controls to manage risk will translate into the control framework of its CSPs. Therefore, it is unlikely that CSPs will directly implement controls specified ...
