If you think the phrase "It's in the cloud" means that your data resides on the Internet and is thus accessible everywhere equally, think again. Most infrastructure-as-a-service (IaaS) cloud services share the same residence model as traditional hosting and outsourcing deployments — they live in specific data centers in specific geographies. This means that customer data is generated and most likely stored in this physical location, giving it legal and privacy implications. Unfortunately, Forrester's conversations with end users and vendors suggest that many organizations simply aren't aware of where their cloud data centers reside. This lack of information can be quite risky when the location of the data center triggers a number of privacy and data security requirements that — if not met — may just land you in jail, facing a stiff fine, or at least navigating cumbersome compliance requirements. While cloud can be a catalyst for the IT-to-BT transformation, which I'll talk more about at next month's IT Forum, it can also be the most expensive project your company embarks on if you don't have a solid strategy in place first.

Security responsibility ultimately rests with you, the business — not the cloud provider. While most IaaS providers strive to secure their public data center cloud environment, they're not likely to take responsibility for data protection and compliance. In fact, they take no responsibility for what you do atop their virtualized infrastructures and services. Infrastructure and operations professionals should expect to have to carry this burden when partnering with a cloud provider.

The mesh of privacy laws might seem daunting, but they can be managed by realizing that they are rules of engagement rather than business prevention tactics.
They don't prohibit you from using IaaS cloud computing; these laws simply require you to pay attention to where these clouds are actually located and choose providers that will help you meet your constraints.

In recent research, Forrester identified four best practices to help infrastructure and operations professionals think globally but act locally:

1. Know The Locations Of Your Cloud Provider's Data Centers

You must understand where the cloud service provider will store the personal data of your employees, clients, and other parties. Knowing this is a prerequisite to implementing the required measures that ensure compliance with the laws where you do business (meaning wherever you have clients). These laws often restrict where you store personal or financial data and cross-border flow of data. If the cloud provider conducts any off-site replication or backup of your environment, ensure that those copies also meet your privacy constraints.

2. Stay On Top Of Changes in Search and Seizure Laws

Each country has unique restrictions on, and requirements providing for, law enforcement access to data — the US and China are among those giving their law enforcement teams the most latitude. Pay attention to information available from the provider about the jurisdictions in which data may be stored and processed, and evaluate any risks resulting from the applicable jurisdictions. Forrester provides an interactive map detailing the laws governing data privacy across various countries here.

3. Use The Location That Makes Sense For The Business

While an important factor, don't let privacy laws dictate how and where you conduct your business. If it makes sense for you to have a presence in the U.S., Europe, and China — do it. Just be mindful of the laws in those geographies and make sure to deploy your services in a way that will ensure compliance. This may mean setting up a series of hosting relationships (IaaS or other).
You may alternatively establish channel relationships with other online providers that can cover these compliancy concerns for you.

4. Maintain The Security Posture Of Your Application And Data

Businesses using public IaaS cloud solutions need to have a strategy to ensure security of OS, applications, and data. This includes keeping up-to-date security mechanisms such as antimalware, eradicating vulnerabilities in your applications, and employing data security measures such as encryption to guard against threats to your data within the cloud. Follow the same security procedures you do for in-house applications, as consistency drives comfort.

Enterprises should expect privacy laws to get stricter in the near term, not simpler or more consistent. As technology innovations like cloud computing advance, many countries fear that if they don't require local information storage, companies will build data centers in adjacent countries where more favorable economics exist. Protectionist laws simply accelerate this transition because the country with the tightest laws becomes the most difficult to work with.

James Staten is a Principal Analyst at Forrester Research, where he serves infrastructure and operations professionals. He will be giving a keynote speech at Forrester's 2010 IT Forum in Las Vegas, NV, May 26 - 28.