While it's still an early trend, more public cloud providers will start to offer a form of compliance and governance...
on demand. And, as they do, many of them will start to handle tasks such as identity and access management, encryption and assurance that their users adhere to regulatory and compliance requirements.
This new model of governance or compliance as a service, however, has its pros and cons. While it might enable enterprises to offload some of their compliance responsibilities to their cloud provider, there are inherent risks involved. And it's up to the enterprise to mitigate them.
The benefits of compliance as a service
A global corporation based in the U.S. has to adhere to national regulations, as well as the regulations within all other countries with which it does business. The amount of compliance-related processing and mechanisms involved -- such as required encryption types -- can be a nightmare to track. The result can be a fine or, worse, running afoul of the law -- typically inadvertently.
The idea behind compliance as a service is to simplify this process. To meet business requirements around governance -- including compliance -- enterprises use a cloud provider's services. These services supply prebuilt behaviors around specific regulations, such as needed encryption levels or what data types need to be hidden, and all the enterprise has to do is link to that particular cloud service.
For example, if you use Amazon Web Services (AWS) for Health Insurance Portability and Accountability Act (HIPAA) applications, you follow some general strategies, as listed by AWS, such as decoupling protected data from processing and orchestration, which is a requirement of HIPAA. Another requirement is to track data flows, as well as create logical boundaries between protected and unprotected workflows. To get to this level of compliance as a service, AWS and other cloud providers must pass tests, file documents and clear their staff with the regulatory organizations.
Compliance-as-a-service offerings are typically configurable, meaning no development is required. This can save an enterprise millions of dollars over the years and reduce the effort required to keep up with changing regulations, as well as internal and external corporate policies.
In addition, cloud providers maintain and update these services over time. If there are changes to financial regulations -- which happen consistently -- the provider adjusts its compliance services accordingly. This means, as a consumer of those services, the provider carries out these changes on your behalf, and you are automatically compliant -- or, that's the idea.
The drawbacks of compliance as a service
Despite its benefits, compliance as a service is not without its downsides. Ultimately, cloud users will be held accountable for any issues with the compliance service. While there can be legal agreements in place, the regulatory organizations and the request for fines will come to your door, not that of AWS, Google or Microsoft. It's important that you validate the compliance services to ensure there are no issues, at least before you go into production.
Also, while cloud providers do offer compliance services for major regulations, such as HIPAA and Sarbanes-Oxley, it's impossible for them to support all regulations in all countries. Moreover, since these are cloud-based services, there's always a risk that the providers will discontinue them at some point due to lack of use, even though your organization depends on them.
Overall, the idea is to get companies out of the business of adhering to legal requirements themselves and to outsource processes, technology and mechanisms to a provider that can manage them more cost-effectively. But keep these potential risks in mind before you commit.
Work together with cloud providers to keep data safe
Look into IAM services for regulatory compliance
Dig deeper to see if your cloud provider is truly secure