99 Problems but the cloud ain’t one: Compliance in the cloud


When an organisation makes use of cloud storage or backup services, it must acknowledge and abide by laws and industry regulations that seek to safeguard everyone from cyber threats – this is cloud compliance.   

With the cloud market projected to hit over $411 billion USD in 2020, it’s clearly an arena for huge growth. But like any IT rollout, it’ll need to be approached diligently and cautiously, especially with the frequency and severity of cybercrimes rising sharply to mirror the explosion of cloud computing.

Compliance was historically fragmented by industry sector, lacking a coherent and centralised set of guidelines for all organisations to follow. As of 2016, this is no longer the case. The timer is almost up; GDPR is fast approaching and the penalties for non-compliance are potentially lethal. 

So, why does compliance matter, what obstacles will it present and how can businesses make it work for them? 

Why compliance matters 

Beyond the obvious GDPR penalties, compliance is crucial for both cloud service providers (CSPs) and customers alike. As the cloud market grows, so too have user expectations in regards to risk management, especially in the wake of the highly damaging and prolific cyber-attacks of 2017 (e.g. the Equifax hack).   

The mantle of responsibility still falls on cloud customers to meet regulations and ensure their CSPs comply with the law. However, cloud providers like Navisite are now dedicating more time to help their customers achieve compliance, offering counsel on the safest and most effective use of the cloud.

Consequently, there are growing expectations on CSPs to demonstrate a robust control environment, with validated certifications on their standards of security and compliance. This has become crucial to winning new business in an increasingly crowded market. 

Compliance can even operate in the interest of national security. For example, defence contractors and manufacturers of advanced weaponry in the U.S. have to abide by the US ITAR regulations, prohibiting non-US nationals from working in the environment. The U.K. and France have implemented similar systems, requiring signed permission from government and explicit agreements about where the data is stored and who can access it.   

So, what’s the difference between security and compliance? In essence, the difference is that security is inherently risk-based, as opposed to compliance, which is better-defined as rule-based. Instead of measuring effectiveness based on regulatory adherence to achieve compliance, or best practice, good security is defined by its ability to protect against and respond to threats. 

Fortunately, despite differing goals, there is very little difference in 2018 when it comes to the practical considerations to be made for compliance and/or security when it comes to cloud and local IT infrastructure. All the security services you can implement for local environments are now also available on cloud, which CSPs can then certify on cloud platforms.   

The focus of IT teams has shifted from infrastructure to general best practice in security and compliance, and customers are quickly realising that cloud can offer regulatory compliance equal to or better than local solutions. 

The challenges to compliance 

Despite the advent of GDPR, the responsibility for regulatory compliance remains an area of confusion. According to a recent study, only 39 per cent of IT decision makers considered themselves responsible for the compliance of data stored on cloud services. In fact, around 20 per cent believed it was the sole responsibility of the CSP. 

This is an incredibly dangerous mindset to possess, as by law, the ultimate responsibility for compliance remains firmly in the hands of the customer. A CSP can offer counsel and the means to meet the necessary laws and regulations, but therein lies another challenge. 

A recurring problem is, dare I say, organisations understanding their own needs. Technology solutions exist for just about anything. But clients understanding what they need to meet the certification standards they have to hit can sometimes be lacking, due in part to the deliberate ambiguity of many compliance requirements.   

It’s not a case of buying technology and crossing your fingers. A lot is accomplished through process, procedure, policy and then enforcement.

Interestingly, a lot of IT professionals also don’t like asking for help as they essentially have to admit that they can’t protect their environments and data to a good enough standard, and that’s not an easy conversation to have. 

But security and compliance is a specialist field, which is why the most in-demand roles in the technology business are cyber security professionals. Smaller organisations can’t get access to these specialists in such a limited talent pool, but CSPs are quickly addressing the knowledge gap by building their own portfolios, giving smaller enterprises access to talent on an “as-a-service” basis. 

Making compliance a benefit, not a burden 

Cloud security solutions should be purpose-built to provide the highest levels of security and control for your cloud data. It must ensure you can adhere to even the most demanding compliance standards, as set forth by recent governmental measures. 

In the UK, Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common online threats, with tiered encryption standards. As a result, companies can ascertain the degree to which partners are compliant simply by checking the standard and simplifying the concept of compliance. Governments and local authorities also tend to have ISO Certification as a basic requirement.   

As a result, compliance has become imperative for businesses like Navisite to stay competitive, as potential customers can easily spot the front-runners using these encryption and security standards. Navisite’s commitment to compliance with an ISO27001 certification, as well as passing the SOC-1 and SOC-2 reports, means it can offer businesses the peace of mind when it comes to their data.

You might be asking – what happens when these regulations change? Surprisingly, regulations don’t change that often.   

When they do, they give businesses plenty of notice to adapt. GDPR has been on the agenda for several years, and it’ll still take four months before it’s even implemented. The important part is to take action during the notice period, amending provisions in existing contracts and integrating them into future ones. 

For smaller organisations, the access to qualified compliance and security officers in such a limited talent pool can also be a serious issue. One option is to run security as a service that combines cloud-based software and innovative analytics with expert services to assess, detect and block threats to applications and other workloads.   

The other option is to offload the responsibility onto an organisation like Navisite, enabling your business to focus on innovation and growth. If you were running the OSI model, Navisite could maintain six of the seven layers, reducing the burden on your staff and keeping your business agile.   

Compliance in the cloud will dominate the headlines in 2018 with the implementation of new regulations and the burgeoning cyber security market. It’s up to businesses to take the initiative with compliance before it’s too late.

Gary Smallman, Director of Operations at Navisite 

Image Credit: Docstockmedia / Shutterstock