Cloud computing is like the Wild West, where the players are rough around the edges, the borders are undefined, and the homesteaders are subject to unforeseen risks. In this environment, IT governance is nearly impossible -- but an absolute requirement.InformationWeek's Mike Fratto provides an eye-opening look into the state of governance in his article "Cloud Control," which appeared in the Jan. 26 issue of InformationWeek and is posted on InternetEvolution.com. Fratto talked to a handful of IT pros who are working through the issues of cloud computing governance. His sobering conclusion: "The courts and industry groups will eventually help develop guidelines, but for now, we're on our own."

Some of the issues that IT folks need to focus on as they consider cloud computing include security, privacy, availability, and performance. Governance requires applying policies, access controls, monitoring, and auditing to corporate use of cloud services.

One of the trickiest aspects of cloud governance involves just where data is located when it's in the cloud. As Fratto notes, it's not unusual for software-as-a-service and other cloud vendors to store data on servers managed by another company. In effect, there can be two or more degrees of separation between your company and your company's data.

"Outsourcing companies are themselves outsourcing their processing," says John Pironti, an IT consultant. "You have to worry about where your data ends up."

Cloud service providers tend to be opaque about their underlying architectures, making it hard for IT departments to know precisely where data is stored. At the same time, state and federal regulations govern the management of health-related and other personal data, and they won't accept "I don't know" as an answer to queries about where that data is stored.

Cloud service providers are taking steps to give customers more options and control. Just last month, Amazon made it possible for users to launch EC2 instances in specific regions of Europe. That capability was a must-have for companies needing to comply with EU regulatory requirements.

Even so, Amazon remains unacceptably opaque. The company refuses to reveal the locations of its data centers. "You can't audit what you can't see," writes Fratto. "This is a deal killer in many regulated industries."

What's the right course of action? InformationWeek recommends that IT pros be proactive and consult with their in-house security experts, legal counsel, and data owners before getting too far into cloud services.