Get ahead in the cloud: Easing the path to compliance

James Fox is a Director in Protiviti’s Technology Consulting practice, with a focus on Enterprise Cloud Transformation. James has extensive global experience working across Asia Pacific and Europe in IT Advisory Consulting. He recently shared his view on the adoption of cloud services with MSCloudNews; this is a summary of that press article.

Adoption of cloud services has been steadily increasing, but the trend has been rapidly accelerated in the past year. Companies moved quickly to enable remote working through a range of Software-as-a-Service (SaaS) offerings, including Microsoft Teams and Zoom. Consumption of Infrastructure-as-a-Service (IaaS) platforms like Amazon Web Services and Microsoft Azure has followed and provided access to advanced services on demand.

Understandably, there has been a focus on the continuity of business. Large-scale adoption of remote working technology has enabled businesses to keep going through a hugely uncertain time. But having survived the rollercoaster of the past 12 months, many are now stopping to ask themselves: how compliant are we in this new world? The truth is that they don’t always know.

Businesses have spent decades developing the skills and knowledge needed for on-premises compliance regimes. But they are still working out what those regimes mean in the cloud and how best to apply them. Moving a traditional IT controls framework to the cloud can involve significant work: controls written around physical data centres, network perimeters and locally administered servers have to be re-expressed in terms of provider-managed infrastructure, identity, and configuration. And, unfortunately for large enterprises, there is no single button that can be pressed to automatically enable compliance.

A common challenge is keeping audit and compliance teams abreast of new technologies and how they align with regulatory requirements. Technology teams typically consume services that provide business benefits or competitive advantages. But we have seen technology-driven migration efforts lose momentum when security and compliance teams are engaged too late and then, understandably, demand delays: they need security and compliance controls to be embedded in the cloud platforms, and updated standards that account for the ongoing security, privacy, and confidentiality of data.

Transparent communication across an organisation is therefore important, before and during the cloud migration process. Involvement of security and compliance expertise can ensure these requirements are baked in rather than bolted on.

What’s happening behind the scenes?

We are seeing some regulated organisations deliberately slow their technical cloud migration efforts while they assess and implement frameworks to guide compliance. They want security and compliance requirements to be designed and implemented alongside the technical migration work rather than after it. Organisations seeking to monetise applications hosted on cloud platforms, in particular, frequently look to existing frameworks such as SOC 2 to evidence their controls. They want to give customers confidence that their data is protected, which is especially important in Europe under the General Data Protection Regulation (GDPR).

We are also seeing customers review their adoption of SaaS services, which typically include Microsoft Office 365. In these cases the Shared Responsibility Model cuts both ways: because the provider operates the underlying platform, the programme is easier to manage, but because the customer remains responsible for its data, identities and service configuration, end-to-end data compliance and security are harder to assure. Having hastily adopted cloud collaboration services over the last year, these customers are now looking to confirm that no gaps in configuration or controls have been inadvertently introduced.

What’s next for cloud compliance?

Ultimately, companies that can prove they are compliant have the opportunity to use regulation as a competitive advantage. Meeting SOX requirements in the US, or demonstrating alignment with frameworks and attestations such as NIST, SOC 2 and ISO 27001, can positively influence how clients and customers perceive a business. Some of these are legal obligations and others are voluntary, but all of them help to validate a business's operations in other people's eyes.

But what’s clear is that companies still have a journey ahead of them to understand what cloud compliance means for them. On the one hand they are playing catch-up after the past year; on the other, they are still learning what they need to do internally to carry out successful migrations to the cloud. Both of these trends are opportunities to develop best practice.

If businesses can look at the bigger picture now, and learn to bridge the worlds of IT, audit, and compliance earlier in their programmes, then they will be able to achieve more than a tick-box exercise. In future, they will be better equipped to understand cloud compliance, work together to achieve it, and further enhance their reputation with customers and clients.

This approach will count for a lot as technology adoption increases, and the guiding hand of regulation continues to protect customers online. It will also help businesses to respond more effectively when the next crisis comes along.
