Cloud compliance is the practice of ensuring that cloud computing services meet all relevant enterprise compliance requirements issued by state and federal governments, regulatory bodies, or other jurisdictional authorities as well as any internal policies. Compliance failures can lead to regulatory fines, lawsuits, cybersecurity incidents, and reputational damage—as such, enterprises should take great pains to understand the details of cloud provider services and how well they meet the organization’s requirements.
This article provides an overview of cloud compliance considerations, and lists compliance services common among the top three cloud service providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
The Importance of Cloud Compliance
If an enterprise fails in its compliance measures, the costs can be extreme. The global average cost of a data breach was $4.45 million in 2023, according to IBM's Cost of a Data Breach Report, and that figure does not include the cost of rebuilding reputation and relationships with customers and investors.
CIOs and other top level executives can lose their jobs as a result of compliance failures. There’s also the issue of data trust. If enterprise users, executives, stakeholders, and customers do not trust that the company and its cloud providers are protecting data securely and handling it with integrity, revenues and operational performance can suffer.
How Does Cloud Compliance Work?
Enterprise data functions—transfer, storage, backup, retrieval, and access—are managed by IT, which nominally makes cloud compliance an IT concern. But other functions or departments within an organization should also be involved, as compliance requires decision-making, monitoring, audits, governance, security, data protection, risk management, and legal guidance.
Cloud compliance essentially demands that organizations using cloud services do three things:
- Define their enterprise compliance requirements internally.
- Vet all their cloud service providers to ensure those requirements are being met.
- Regularly review corporate and cloud compliance to ensure that the two remain consistent and synchronized.
Defining Compliance Requirements Internally
Compliance requirements are not uniform across companies or industries. Healthcare organizations must meet the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), for example, while publicly traded companies must meet the financial reporting and internal control requirements of the Sarbanes-Oxley Act (SOX).
Any business that stores, processes, or transmits payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), a contractual standard maintained by the card brands rather than a law. Organizations that handle the personal data of people in the European Union must comply with the General Data Protection Regulation (GDPR). On top of laws and regulations, there are industry standards assessed by outside auditors that companies and their cloud providers are expected to follow, such as ISO/IEC 27017 for cloud-specific security controls.
Companies might also choose to add internal security and governance policies that they expect their cloud providers to meet.
Vetting Cloud Providers
Most cloud compliance work is regulatory in nature and requires periodic reviews of the company's cloud providers. It is often carried out as an internal audit by a legal, risk, or compliance group that is independent of the IT department.
If one of the company’s cloud vendors is found to be in violation, the organization must work with the provider to create a remediation plan. This is often when IT gets involved—compliance conformance must be tested on data and systems, and in some cases may involve writing new code.
Reviewing Cloud Provider Compliance
The best practice for cloud compliance is to ask cloud providers for their most recent compliance and security audits as part of the initial request for proposal (RFP)—if the compliance is unsatisfactory, the enterprise should not engage the cloud provider’s services until the issues are resolved. Once a cloud provider is engaged, the organization should review compliance annually to ensure that it remains on track.
Challenges of Cloud Compliance
Because enterprises don’t have direct control over their cloud providers, they must depend upon them as business partners to meet the compliance objectives that the enterprise holds for itself—which can present challenges.
Lack of Leverage
Smaller companies can ask in RFPs that prospective cloud providers furnish their latest security and compliance audits—but may lack the leverage to get them if the provider refuses.
No Centralized Control
An enterprise may not have centralized control over all of its cloud vendors—especially if user departments contract directly for services—making it difficult to vet and monitor providers.
In multi-cloud environments, applications can span several clouds and on-premises systems, making it difficult to trace a security breach or compliance breakdown to its source and to establish accountability for it.
Though IT is responsible, it might not have the time and resources to monitor and manage compliance on all the clouds it uses, configures, and administers—especially if each cloud has its own set of tools.
Cloud Compliance Checklist
Enterprises that outsource cloud services to vendors are not outsourcing their compliance responsibilities. Regulatory bodies can still hold them responsible, and so can their customers. Compliance is a shared responsibility.
Providers like AWS, Google Cloud, and Microsoft Azure have a level of contractual responsibility to their enterprise customers, but those enterprises have to look out for their own best interests—for example, choosing the right set of services for their own requirements and handling the configurations they control properly. The following table lists other compliance considerations for organizations to take into account.
| Consideration | What to check |
|---|---|
| Data | Decide what will and will not be stored in the cloud, and why. |
| Data location | Auditors may ask where data is physically located. Track the regions and services your data lives in; the provider may not disclose anything more precise than the region. |
| Asset management | The cloud provider manages the underlying infrastructure, but as the customer you are responsible for inventorying and managing your own assets, including guest operating systems, applications, and data. |
| Data access controls | Because compliance involves data security, know who has access to what, both internally and at the cloud provider, and review that access regularly. |
| Configuration management | If your enterprise misconfigures an AWS S3 bucket, for example, it bears sole responsibility for the mistake. Pay careful attention to configurations and review them regularly. |
| Data encryption | Staying compliant usually means encrypting data both at rest and in transit. |
| Shared or private resources | Depending on specific compliance requirements, your company may need dedicated (single-tenant) infrastructure in the provider's data center rather than shared, multi-tenant resources. |
| Service Level Agreements (SLA) | Laws and regulations that apply to your company may carry availability or support requirements that limit the types of services your company can use. |
| Data protection | Understand the degree to which cloud providers will protect your information. Ask your vendor and get it in writing. |
| Certifications and legally accepted substitutes | Not every service can be certified against every framework. Where certification is not available, your provider may still demonstrate compliance another way, for example by adhering to a stricter standard. |
| Auditors | Know which third parties audit the provider's compliance, read their reports, and find out whether your company is entitled to audit the provider itself. |
| Incident response | Understand the scope of potential incidents and what incident response is in place should they arise, for example how you are alerted and how quickly. |
| e-Discovery capabilities | This is a legal rather than a regulatory issue: if your company is involved in litigation, you will want fast access to the requested data, and only the requested data. |
| Security requirements | Understand what forms of security your company requires in order to choose the right cloud services, but for compliance purposes also understand what level of security a law or regulation requires. |
| Disaster recovery | Outages happen. The laws and regulations that apply to your company may impose specific disaster recovery requirements in the event that your provider goes down. |
| Due diligence | Understand how your cloud providers support your periodic due diligence, for example by publishing refreshed audit reports. |
| Informational resources | The informational resources cloud service providers offer vary significantly; those that provide a lot of information do so to help customers succeed with cloud compliance from the outset. |
| Compliance reports | Understand the scope of compliance reports you can access as a customer, and read them. |
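The configuration management, data access control, and data encryption rows above are the ones a customer can actually verify in code. As an added example (not code from the original article or from any cloud provider), the following Python checks a bucket configuration for three of the classic S3 mistakes: public access blocks left off, a bucket policy that grants access to any principal, no Deny for plaintext (non-TLS) requests, and no default encryption at rest. The two sample configurations are constructed for this example; their shape loosely mirrors the JSON that `aws s3api get-public-access-block`, `get-bucket-policy`, and `get-bucket-encryption` return, but nothing here calls AWS, and the bucket names, account ID, and key ARN are placeholders.

```python
import json

# Constructed sample inputs (not real buckets, account IDs, or keys).
WEAK_BUCKET = {
    "Name": "example-weak-bucket",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": False, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
    },
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{  # classic mistake: anyone on the internet may read objects
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-weak-bucket/*",
        }],
    }),
    "ServerSideEncryptionConfiguration": None,
}

HARDENED_BUCKET = {
    "Name": "example-hardened-bucket",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
    },
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {   # only one named role in this (placeholder) account may read objects
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-hardened-bucket/*",
            },
            {   # refuse any request that is not made over TLS (encryption in transit)
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": ["arn:aws:s3:::example-hardened-bucket",
                             "arn:aws:s3:::example-hardened-bucket/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }),
    "ServerSideEncryptionConfiguration": {  # encryption at rest with a customer-managed key
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example-key-id",
        }}],
    },
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the wildcard principal forms '*' and {'AWS': '*'}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_insecure_transport(statements):
    """True if some Deny statement is keyed on aws:SecureTransport == false."""
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def evaluate_bucket(cfg):
    """Return a list of finding strings for one bucket configuration (empty means clean).

    Simplified on purpose: AWS's own definition of a 'public' policy is more nuanced
    (conditions on source VPC, organisation ID, etc. can make a wildcard principal
    non-public), so wildcard statements that carry a Condition are flagged for review
    rather than reported as definitely public.
    """
    findings = []

    # 1. Public access block: every flag should be enabled.
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"public-access-block: {flag} is not enabled")

    # 2. Bucket policy: wildcard principals, and missing TLS enforcement.
    statements = _as_list(json.loads(cfg["Policy"]).get("Statement")) if cfg.get("Policy") else []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = ",".join(_as_list(stmt.get("Action")))
        suffix = " (conditioned; review manually)" if stmt.get("Condition") else ""
        findings.append(f"policy: statement {i} allows {actions} to any principal{suffix}")
    if not _denies_insecure_transport(statements):
        findings.append("policy: no Deny for aws:SecureTransport=false (plaintext access allowed)")

    # 3. Default encryption at rest.
    sse = cfg.get("ServerSideEncryptionConfiguration") or {}
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in sse.get("Rules", [])]
    if not algorithms or any(a is None for a in algorithms):
        findings.append("encryption: no default server-side encryption rule")

    return findings


if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["Name"])
        for finding in evaluate_bucket(bucket) or ["no findings"]:
            print("  -", finding)
```

Run it as-is and the weak bucket produces seven findings while the hardened one produces none. In a real review the same function would be fed the output of the three `s3api` calls for every bucket in the account; the value of writing the check down is that "review configurations regularly" becomes something a scheduled job can do and an auditor can read.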
What Cloud Compliance Policies do Service Providers Cover?
Different cloud service providers present cloud compliance services differently—in grids, tables, or lists, for example—making it difficult to find and compare specific information. Enterprises should always review their offerings carefully to ensure their requirements can and will be met. The following list covers the cloud compliance resources common to the top three providers—AWS, Google Cloud, and Microsoft Azure:
- Cloud Infrastructure Services Providers in Europe (CISPE), a trade association whose code of conduct covers data protection for infrastructure-as-a-service providers.
- Clarifying Lawful Overseas Use of Data (CLOUD) Act, a U.S. federal law enacted in 2018 governing law-enforcement access to data held by U.S. providers regardless of where it is stored.
- Center for Internet Security (CIS) Benchmarks, consensus configuration guidelines for hardening operating systems, cloud platforms, and applications.
- Criminal Justice Information Services (CJIS) Security Policy, the FBI's requirements for protecting criminal justice information, which U.S. law enforcement agencies and their service providers must meet.
- Cloud Security Alliance (CSA), whose Cloud Controls Matrix and STAR registry document provider security practices.
- Cyber Essentials Plus, a U.K. government-backed certification scheme overseen by the National Cyber Security Centre (NCSC) that includes hands-on technical verification.
- Family Educational Rights and Privacy Act of 1974 (FERPA), a U.S. federal law that governs access to and disclosure of student education records by educational institutions receiving federal funds.
- EU-U.S. Privacy Shield, a transatlantic data transfer framework. It was invalidated by the Court of Justice of the EU in 2020 and superseded by the EU-U.S. Data Privacy Framework in 2023, so check that a provider's documentation refers to the current mechanism.
- Federal Risk and Authorization Management Program (FedRAMP), the U.S. government program that standardizes security assessment and authorization of cloud services used by federal agencies.
- Federal Information Processing Standards (FIPS), U.S. government computer security standards; FIPS 140-2 and 140-3 are the ones used to validate cryptographic modules.
- General Data Protection Regulation (GDPR), the EU's data protection law, in effect since May 2018, which replaced the 1995 Data Protection Directive.
- G-Cloud, a framework that simplifies the procurement of technology products and services by U.K. government entities.
- Health Insurance Portability and Accountability Act (HIPAA), the U.S. law governing protected health information; providers typically offer a business associate agreement (BAA) covering the services that are in scope.
- ISO 9001, the international standard for a quality management system (QMS).
- ISO/IEC 27001, an international standard that specifies requirements for establishing, implementing, maintaining, and improving an information security management system.
- ISO/IEC 27017, an international code of practice that provides guidelines for information security controls applicable to the provision and use of cloud services.
- Multi-Tier Cloud Security (MTCS) Singapore Standard SS 584, a Singaporean standard that defines tiered security levels for cloud providers and emphasizes risk management, transparency, and accountability.
- Motion Picture Association (MPA, formerly MPAA) content security best practices, guidelines for protecting media content during production and distribution.
- My Number Act, the Japanese law that established the 12-digit personal identification number and governs how that number is handled.
- National Institute of Standards and Technology (NIST) SP 800-53, a catalog of security and privacy controls for federal information systems.
- Payment Card Industry Data Security Standard (PCI DSS), a standard of 12 requirements for any business that stores, processes, or transmits payment cardholder data.
- Securities and Exchange Commission (SEC) Rule 17a-4, a U.S. broker-dealer records regulation that sets requirements for how electronic records are preserved.
- System and Organization Controls (SOC) 1, a report on controls at a service organization that may be relevant to user entities' internal control over financial reporting.
- System and Organization Controls (SOC) 2, a report that evaluates an organization's controls against the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
- System and Organization Controls (SOC) 3, a general-use summary of a SOC 2 examination that the provider can distribute publicly.
Organizations interested in procuring cloud compliance services should visit the respective service providers’ websites for the most up-to-date information.
Bottom Line: How to Think About Cloud Compliance
For the most part, cloud providers take compliance seriously. But that doesn’t mean every provider can or will meet your company’s own unique set of compliance requirements. Enterprises should discuss compliance needs with prospective cloud vendors upfront to determine whether any compliance gaps exist, and to make a plan to address them.
It is equally important for enterprises to get a handle on how many different cloud vendors they use. If user departments can contract with cloud providers on their own, it can limit the ability to centralize cloud management, giving the enterprise little control over compliance.
Above all, enterprises should not lose sight of the fact that compliance in the cloud is a shared responsibility. The cloud provider can furnish all of the tools needed to configure and monitor for compliance, but it is up to the enterprise client to do the work—they’ll be the one facing the financial, legal, and reputational consequences in the event of a failure.