Can Compliance Definition Really Include Cloud?

When system architects are establishing compliance definition, they may avoid cloud to avoid risk. But that risk may have been overhyped in the first place. Here's why.

Christopher Tozzi, Technology analyst

September 2, 2019


Can compliance definition include cloud? Compliance issues are often cited as a reason not to use the cloud, but many compliance risks associated with the cloud are not serious challenges today. In fact, they were probably overhyped in the first place.

Compliance Definition and the Cloud: The Problem

The conventional logic related to compliance and cloud computing boils down to the idea that keeping data and workloads compliant is more difficult if you use the cloud. At a high level, there is some truth to that. Generally speaking, moving data or workloads to the cloud means surrendering some control over things like the specific geographical location in which the data or workloads are physically hosted.

The cloud also forces you to give an external company--your cloud hosting provider--the ability to access anything that you run on its infrastructure. (And, when asked, some cloud providers are surprisingly vague about the extent of access that their employees have to cloud data and workloads.)

In both of these ways, the cloud can theoretically create compliance challenges related to securing workloads and guaranteeing privacy.

Cloud Compliance Is Less Complicated Than You Think

Yet, in three major ways, the idea that using the cloud inherently leads to compliance problems is flawed.

1. Compliance means many different things.

One of the problems with this idea is that compliance is a very broad domain. There is no single set of compliance rules that affect all organizations; instead, a litany of different compliance frameworks exist. Whether a given framework applies to you depends on your company’s industry, the country or countries in which you operate, the types of workloads you deal with, and a variety of other factors. Thus, it is an enormous generalization to conclude that the cloud is not compliance-friendly. Whether the cloud actually poses compliance challenges depends to a great extent on which specific compliance rules you actually face.

2. Most compliance rules don't specifically address the cloud.

On top of this, even if you are subject to a certain compliance policy, there is usually a huge gray area in determining how the policy's rules apply to the cloud. Many compliance frameworks don’t mention the cloud specifically--indeed, many of them were written before the cloud was even a thing. Thus, figuring out the ways in which a given compliance framework might impact your cloud workload requires you to read between the lines and make assumptions. You could choose to err on the side of a strict interpretation and be wary of using the cloud for fear of being found non-compliant.

But, in the absence of specific requirements regarding the cloud, you could take a different stance. For example, perhaps your compliance requirements say that you need to maintain physical control over personal data that you store digitally. You could interpret that rule to mean that you can’t move the data to the cloud, because it would no longer sit on servers that you control physically. Alternatively, you could adopt a pro-cloud interpretation and conclude that, because most cloud providers let you choose the geographic location of the data center that will host your cloud workloads, you still have physical control over your data even if it runs in the cloud.

3. Some compliance frameworks are cloud-friendly.

While many compliance frameworks predate the cloud era and lack specificity about what you can and cannot do in the cloud, others (such as the GDPR) do get pretty specific about the cloud. For one thing, they don't say you can't use the cloud. They simply establish some firm rules about what you can and can't do in the cloud if you want to remain compliant. This is a good thing, because it removes much of the guesswork associated with building a compliant cloud strategy.

To be sure, frameworks like the GDPR are still subject to a fair amount of ambiguity. And things get even trickier when you introduce multiple clouds to the mix.

Don't Be a Compliance Extremist

If you are extremely risk-averse, you might decide that the safest thing to do to remain compliant with frameworks such as the GDPR is to avoid the cloud entirely. Doing so means you don't have to worry about nuances like which cloud regions store users' private data or whether operating on cloud infrastructure based in one country could make you subject to that country's compliance rules even if you don't otherwise operate in that jurisdiction.

But that is an extremist position to take. It's akin to choosing to unplug from the internet because most security threats originate there, or never leaving your house in the winter because it could expose you to the flu.

Conclusion

By and large, the idea that the cloud is intrinsically difficult to reconcile with compliance requirements is a myth--especially today, when compliance frameworks are increasingly being updated to make it clearer how cloud-based workloads and data should be architected.

About the Author

Christopher Tozzi

Technology analyst, Fixate.IO

Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.
