Going beyond compliance in the cloud

BrandPost By John Dodge
Nov 17, 2015
Cloud Computing


Individual organizations struggle to meet regulatory, security, and their own internal compliance policies. So imagine the challenge for enterprise cloud vendors serving a multitude of industry sectors. They have to meet compliance standards across industries and geographical boundaries.

The good news is that the breadth of protections that some enterprise cloud vendors have invested in often exceeds company-specific policies for protecting customer data. They can take what they learn in one industry and apply it to another – something an individual organization is unlikely to do.  

“If you invest in a cloud service, you must be able to trust that your customer data is safe, that the privacy of your data is protected, and that you retain ownership of and control over your data—that it will only be used in a way that is consistent with your expectations,” Microsoft notes on its cloud “Trust Center.”

You might think mastering myriad compliance standards would be impossible for an enterprise cloud vendor, but some are closer to that goal than others. As a rule, enterprise cloud vendors can raise the bar higher than any single customer still married to a homegrown data center.   

Let’s look at a couple of the compliance standards and consider how they can be leveraged.  

In government, there’s the FedRAMP cloud compliance standard in the United States. The UK’s equivalent is called G-cloud. What an enterprise cloud vendor might learn from G-cloud can be used with government customers in the United States. Cyber threat intelligence gathered from one industry might be shared with a customer in an entirely different industry. 

“We have a very high bar for the controls and certifications we are putting out there. Customers are often not at that bar,” says Ulrich Homann, a distinguished architect at Microsoft. “We build a foundation upon which we can meet these standards. Then we drive ourselves to the highest bar and raise it for everyone else.”

The bottom line is that the cloud has reached a point where it tends to be more secure and compliant than corporate data centers. Microsoft says it has upward of 30 compliance certifications[JC1]  for its Azure enterprise cloud platform and more than any other enterprise cloud vendor.

Government, financial services and healthcare have the strictest compliance standards. For example, ISO/IEC 27018 covers how governments handle the privacy of personal information. HIPAA regulates paper, in-person and electronic privacy for healthcare patients. And SOC defines financial reporting standards for information service providers.

As mission-critical applications such as ERP and financial trading systems start to migrate to the cloud, compliance standards will only get more stringent. Facing expanding volumes of data, system complexity and more cyber threats, compliance standards must be dynamic. A hacked financial system can mean huge losses in reputation, time, and money.  

“The bar is getting higher every day. Financial services, for instance, are under constant scrutiny,” Homann says. “There are literally hundreds of controls we are meeting on a continuous basis. Our approach is to take the highest compliance standards and use them only as a base.”