Shifting to Software-Defined
Compliance in the Cloud: Hybrid Cloud Compliance


This is the ninth and final blog in a series of blogs and podcasts that provides information on the concepts of compliance in a cloud environment. In this series, we offer greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed "Certifications for Cloud Providers". In this installment, we will be discussing the topic "Hybrid Cloud Compliance".

For the past several months, we have explored many of the considerations that a company should evaluate when approaching its overall compliance program in the cloud. Today, in this last blog in the series, we will discuss the topics that a company should look at when creating its hybrid cloud environment.

To start, a hybrid cloud is generally defined as a computing environment that uses on-premises, private cloud and third-party, public cloud services with a bridge or orchestration layer between them. Sometimes the definition is even more basic than that. Gartner defines a hybrid cloud as "policy-based and coordinated service provisioning, use and management across a mixture of internal and external cloud services" – basically any environment that contains two or more types of infrastructure.

Most companies will have a hybrid environment, as it is unlikely that a company will move all of its workloads (at once) to a single cloud environment, public or private. Here are some of the most important compliance considerations that companies evaluating hybrid cloud architectures should look at:

Control Complexity

No real news here – whatever controls exist in the company's on-premises environment today will need to be reconciled across the hybrid environments. Naturally, a hybrid cloud model increases the complexity of the security controls, if for no other reason than that those controls must now be evaluated against multiple environments. Choosing cloud environments that naturally map to an existing set of controls may reduce the overall complexity, but there should be an expectation that having to evaluate multiple environments may initially increase the amount of effort that you have to put into your overall security program.

Shared Responsibility

A shared responsibility model – one in which both the vendor and the customer are responsible for certain aspects of security – is a fundamental consideration. Most cloud providers have some level of a shared responsibility model for their security and compliance, and will be happy to share responsibility matrices showing how that may best work for your company.

Compliance Certifications

As I mentioned in my blog from last week, most cloud providers will have certifications that will aid in achieving your compliance program. Often, the certifications will mesh with certifications that the company must also have (such as PCI or HIPAA). Finding out what certifications the company's auditors require, then aligning your cloud providers with those certifications, will save the company a great deal of effort and compliance reconciliation.

Compliance Support

Lastly, the cloud provider should provide a level of support to help the company achieve compliance. This should be delineated as part of a master agreement or service level agreement. The provider should also be able to give examples of how it assists current customers with their compliance challenges. Often, a cloud provider may charge additional fees for audit support, depending on the level of involvement.

These are just some of the considerations that a company should evaluate when moving to a hybrid cloud infrastructure. Using these points as a start can help a company make informed decisions about the compliance ramifications of moving to a hybrid cloud environment.

To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the additional parts of this series, please search for "Compliance in the Cloud". A list of all of Chris Steffen's blogs is available on Grounded in the Cloud, and his other posts are on his Medium site.

About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
