
Compliance in the Cloud: Key Compliance Considerations


This is the seventh blog in a series of blogs and podcasts that provides information surrounding the concepts of compliance in a cloud environment. In this series, we offer greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed "Data Locality / Residency". In this installment, we discuss the topic "Key Compliance Considerations".

Deciding on a cloud architecture is a difficult decision for most organizations. There are many reasons that a company may choose not to move its workloads to the cloud, but a 451 Research report finds that the most common reasons for a company to stay out of the cloud are information security and compliance.

Today, companies of every size face some kind of audit or regulatory consideration, from government regulations to the third-party audits required by the customers and partners they do business with. A company must pay attention to these considerations when making a cloud infrastructure choice or developing its overall security plan.

The most important compliance considerations can be summarized as three questions:

What level of support does the cloud provider provide to help me through audits?

When selecting a cloud provider, one of the first questions a security professional or risk manager should ask is what support the provider offers to help with the inevitable audits. Some providers are proactive, providing their own certifications and attestation reports (SSAE 16 SOC 1 or SOC 2 reports, or equivalent) right up front. More often than not, these reports are accepted by a third-party auditor as evidence for infrastructure-related controls; the controls the customer operates within its own workloads (identity and access management, configuration, data handling) remain in the customer's own audit scope. Some cloud providers will ask the customer to specify the level of audit support required and may add fees to the support contract for it. It is incumbent on the company to have any requirements it deems important included or addressed in the SLA or Master Agreement, rather than relying on informal assurances.

What controls are used by the cloud provider and how do they map to common certifications?

Many times, a cloud provider will offer a set of security controls that a company can adopt to improve its overall security program. But sometimes these controls are not as mature as the controls already in use by the company, so they should be compared against the company's existing control set rather than adopted wholesale. Cloud providers are also beginning to understand the benefit of providing reports and certifications up front. Most of the major providers already publish mappings of their controls to PCI DSS, HIPAA and COBIT, and some also hold the more demanding authorizations required by the U.S. federal government (for example, FedRAMP). Understanding which security controls are already in use by the cloud provider, and how they are evidenced, helps you understand the provider's approach to security and compliance, and can guide the decision on which provider to choose.

How do the agencies and auditors that regulate my company evaluate cloud infrastructures?

No matter what controls are used by the provider, one of the key considerations for a company is how those who evaluate it view moving workloads to the cloud. Check with your regulators or auditors for their approach to auditing the specific workloads you are considering moving. Many auditors have developed guidance and control expectations that they will apply, or reports and certifications that they will require, for companies that do business in a cloud environment. It is better to understand those expectations up front than to scramble to meet a regulatory requirement after the migration is complete.

There are many more points to consider when making a cloud decision, many of which I have detailed in previous blogs. From a compliance perspective, understanding these three questions will start you down a path of greater understanding of the compliance ramifications of moving your company's workloads to the cloud.

For the next blog in this series, we will discuss the compliance topic: "Certifications for Cloud Providers". To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the additional parts of this series, please search for "Compliance in the Cloud". A list of all of Chris Steffen's blogs is available on Grounded in the Cloud, and his other posts are on his Medium site.

About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
