Shifting to Software-Defined

Compliance in the Cloud: The Need for Compliance


This is the first blog in a series of blogs and podcasts that provides information on the concepts of compliance in a cloud environment. In this series, we will offer greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In this installment, we will be discussing the topic: "The Need for Compliance."

As discussed as part of the Cloud Security 101 series, cloud compliance is a significant concern for most companies. According to a recent 451 Research report, compliance-related concerns are the most significant barrier to cloud adoption.


Cloud compliance is the domain that addresses specifically how a company's cloud infrastructure will be regulated, and some of the differences and similarities between the controls used to regulate on-premises systems and the workloads migrated to the cloud.

Cloud compliance covers a whole host of requirements and issues: basically, any issues or controls that are currently regulated for on-premises systems have an analog in the cloud. There are national data sovereignty requirements to comply with, and laws affecting the international storage and movement of data such as the EU Data Protection Directive and the USA PATRIOT Act. There are both global and national regulatory requirements for securing personal health data (HIPAA, HITECH), general privacy (PII, SPI), credit card holder information (PCI), sensitive industry data such as ITAR, and many, many more.

Today, companies of every size face some kind of audit or regulatory considerations, from government regulations to the third-party audits required by the companies they do business with. A company must pay attention to these considerations when making a cloud infrastructure choice or developing its overall security plan.

A recent SANS Survey of IT Security Spending Trends shows that small to medium-sized businesses are spending around 4-6% of their overall IT budget on security, and nearly half of that allocation is going to efforts and initiatives to improve compliance. In the financial services industry, some of the larger banks are spending up to $4 billion a year on compliance – on everything from litigation to audits to meeting regulatory controls. Some of these controls are often pushed downhill to suppliers as part of vendor due diligence and regulatory requirements for vendor management.

Compliance considerations affect every business in every vertical. Businesses looking to take advantage of cloud computing need to include compliance considerations as part of their overall decision.

In the next blog in this series, we will discuss the compliance topic: "Global Privacy Regulations." To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the additional parts of this series, please search for "Compliance in the Cloud." Click here to find a list of all of Chris Steffen's blogs on Grounded in the Cloud, and here for his posts on his Medium site.

About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing, and government. He is a noted industry expert and holds multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.