peshkova - Fotolia
The idea of partnerships and trust has always been a cornerstone of business operations. But the specter of regulatory compliance -- and the legal implications of compliance breaches -- has put extraordinary pressure on service providers and service consumers. Nowhere is this pressure more acute than in enterprise IT operations that use public cloud services such as Amazon Web Services.
As public clouds take on increasingly important workloads and sensitive data, business leaders must ensure that the public cloud provider can meet and maintain compliance needs. In response, providers are embracing a wide array of certifications to demonstrate an understanding of regulatory issues and assume a role of shared responsibility with their customers.
Before moving to a public cloud provider like AWS, take the time to investigate and verify where each stands on compliance; it will absolutely affect the business and risk assessments in the public cloud.
Perhaps the first and most notable attribute of a compliance-friendly public cloud provider is a public commitment to the standards or regulations that your enterprise needs. For example, a commercial merchant would almost certainly seek a public cloud provider that meets current Payment Card Industry Data Security Standard requirements for certification, while a healthcare business would likely seek a public cloud provider that meets Health Insurance Portability and Accountability Act (HIPAA) requirements. Some providers may specialize in one or more regulations, while the largest providers such as AWS can provide resources that accommodate numerous regulations to maintain compliance.
The goal is to find a public cloud provider that can meet the demands of the relevant regulation -- the provider itself may not hold that actual certification because it isn't in that specific business.
It's one thing for a public cloud provider to promote adherence to regulatory requirements, but it's also worth additional due diligence to investigate the public cloud provider. Speak with account representatives and let the cloud provider explain how it can address your enterprise's specific compliance concerns. If the provider can't explain what they're doing clearly, it might be necessary to find a different provider. Watch the provider's SLA closely and verify that it will continue to adhere to regulations that affect your organization.
Remember, certification instruments such as "letters of compliance" expire every few years, and the provider must renew its own certifications regularly. If they drop support for an important certification critical to your business, the business may face additional risk and even prompt a move to another public cloud provider.
Look for compliance-related support resources, including live support from compliance experts that can offer advice and guidance in the best use of public cloud resources. Support might also include forensic investigation capabilities using auditable logs and other management-level cloud data to ensure your enterprise can maintain compliance. Supplemental support could also offer detailed compliance documentation, such as compliance enablers from AWS, and deployment guidance that can help businesses use the provider's services while meeting compliance obligations and reporting requirements.
No cloud provider will make assumptions about regulatory or security obligations of an enterprise. A business cannot avoid compliance obligations by handing off workloads and data to a cloud provider. In the end, the business is ultimately responsible to maintain compliance, regardless of the cloud provider. Picking the right cloud provider can make compliance easier, but it's still the obligation of the individual business users.
AWS RDS gains HIPAA eligibility
Encryption cements solid base for AWS compliance
AWS supports business regulatory requirements
Dig Deeper on AWS compliance, governance, privacy and regulations
Related Q&A from Stephen J. Bigelow
Containers have rapidly come into focus as a popular option for deploying applications, but they have limitations and are fundamentally different ... Continue Reading
ALM and SDLC both cover much of the same ground, such as development, testing and deployment. Where these lifecycle concepts differ is the scope of ... Continue Reading
Eliciting performance requirements from business end users necessitates a clearly defined scope and the right set of questions. Expert Mary Gorman ... Continue Reading