“Cloud compliance” used to be a dirty word – or at least a scary one. Security concerns ran rampant in the wild west of the cloud’s early days, and IT professionals fell into two camps: those who moved forward with cloud services, holding their collective breath against perceived risk, and those who simply stayed away from the public cloud altogether.
These days, both strategies are unnecessary. Cloud compliance is now very possible, and very doable, as long as you avoid these five cloud compliance misfires:
- Avoiding the public cloud altogether. The cloud used to be seen as a security risk, especially at the executive level, and compliance was no different. Many organizations failed to take advantage of the scale, flexibility and cost savings that cloud-based services can deliver due to the simple belief that the cloud wasn’t right for them.
Today, there are few businesses, even in the most regulated industries, that can’t leverage the cloud. Leading cloud platforms support most frameworks and standards, like HIPAA, ITIL and ISO/IEC 27001, and combine the controls and reporting necessary to meet the strictest documentation requirements.
- Assuming your cloud provider has it covered. That being said, not all cloud providers are created equal. While some organizations provide comprehensive cloud compliance support, others only pay lip service to the topic. Saying that you adhere to a particular standard or requirement is not the same as passing a third-party audit or review, so ask to see the audit report or certificate rather than taking a claim on a web page at face value. And even a certified provider only covers its own infrastructure: how you classify data, configure services and control access on that platform remains your responsibility, and your auditors will treat it that way.
Do your research and ask the right questions when choosing a cloud provider, including:
- Which standards and frameworks do you adhere to?
- Can you provide the third-party audit reports or certificates that back up those claims, and what exactly is in their scope?
- What is your process for incorporating new standards into your service?
- Do you provide the reporting and control mechanisms necessary to meet my requirements?
- Do you belong to any cloud security and compliance organizations?
- How will you support me during an audit?
- Sacrificing control for reporting (or vice versa). Control and reporting are the yin and yang of true cloud compliance. Many organizations have controls in place, like lockout after repeated login failures or forced password resets, but don’t retain the logs and reports that show what happened, to whom and when. Conversely, some tools provide advanced reporting, but don’t let you act on the information. Instead, your team is responsible for installing your own controls, which gets complex and expensive.
Leading cloud providers integrate both of these pieces to streamline security and compliance, often into a single management console. This lets you manage your cloud footprint to your precise business requirements, confidently and securely.
- Failing to evaluate costs. The cloud improves on traditional IT in a wide variety of ways, but one thing stays the same: vendors will try to hit you with hidden costs. Compliance-friendly cloud platforms are no different. Ensure that you have complete transparency into your provider’s pricing model before you sign on the line, or your costs for keeping compliant may be as high as the alternative.
Look for providers who offer a variety of pricing models, including pay-as-you-go, a reserved pool of resources per month (CPU, memory and/or storage) or a fixed reservation with the flexibility to burst up to a pre-set cap. Each of these options lets you avoid paying per instance, which often leads to underutilization and higher costs.
- Trying to go it alone. No matter how sophisticated your cloud platform, compliance is complex. Don’t be afraid to call in the experts. Many cloud providers maintain a dedicated compliance team as well as a veritable army of experts to help you meet your specific needs. Technology can only go so far when regulators and auditors keep changing the rules. Look for a provider with built-in services that give you real-world support alongside cutting-edge tech.
Cloud compliance is not only possible, it’s game-changing. With the power of the cloud, plus the confidence of compliance, your business can achieve better results and greater competitive advantage.