stay connected facebook twitter YouTube LinkedIn
Forefront eNewsletter


Using the Cloud to Address – and Improve – Your Compliance Challenges

Migrating to the cloud is a significant undertaking, and IT, legal, and risk management professionals are right to be concerned about the implications for regulatory compliance issues. However, as many organizations from a wide variety of industries have by now examined regulatory compliance in the cloud, a number of best practices have emerged for not only ensuring that the same levels of compliance are maintained in the cloud but that in some cases, compliance can be quantifiably improved.

As my colleague Eduardo Kassner and I mention in our book, Enterprise Cloud Strategy, migrating applications from a data center to the cloud, or creating new cloud-native applications, requires the cooperation and collaboration of many groups in the enterprise: IT, finance, legal, risk management, information security, and corporate business planning, to name a few. Unquestionably, corporate applications and data are among the enterprise’s crown jewels, and should be treated as such: deliberately and with a plan.

First, of course, you should know what applications and data are subject to which regulations. Many enterprise IT departments maintain a database (often termed a portfolio management system) of the applications they support, the sorts of data they hold, and relevant regulations. In addition, organizations often use a classification system to tag data and documents with metadata about confidentiality, sensitivity, and regulatory information (such as lawyer/client privilege, for example).

Second, research the compliance certifications offered by the cloud technology providers. The leading cloud vendors offer a wide range of certifications in various industries in many countries, including finance (PCI, SOC1, SOC2, SOC3, and others); healthcare (HIPAA, MARS-E); manufacturing (FDA CFR, GXP, and others); and government (FEDRAMP, DoD DISA, ITAR in the US, Spain’s National Security Framework, the UK GovCloud, and others). In many cases, you can use the certifications already obtained by the cloud providers to demonstrate compliance to authorities.

Not sure? Ask the vendor: many have great experience in dealing with these issues, and some may offer assistance and even resources to help. The leading cloud vendors also maintain websites describing their certifications and policies.

But know that because a cloud provider has received a certification, your work is not necessarily done. The certification means that the platform supports the capabilities that your application needs. In many cases, you must still ensure that the application itself meets the compliance requirement. Again, this is an area that your cloud vendor can help you with.

Many companies use the opportunity of moving to the cloud to change and improve how they manage compliance, for example by creating automated scripts that periodically run and audit their application and data. Because the cloud provides rapid scale-up/scale-down capabilities, such scripts can run periodically using the computing resources they need and returning them when done – only paying what they need when they need it.

Finally, consider how cloud computing can actually improve compliance. Consider taking advantage of built-in failover and disaster recovery features in the cloud to ensure maximum uptime, for example. There are many similar examples in which fully utilizing the cloud can actually reduce the cost of compliance.

Consider as well more creative solutions. One government organization that required air traffic controllers to “read and acknowledge” daily reports took the opportunity to build a cloud-based mobile application to deliver the reports and get a positive acknowledgement they had been read. They also built dashboards that enabled supervisors to monitor compliance – and thus were able to improve their compliance and their employees’ effectiveness.

Other companies have built full-featured compliance management dashboards, capable of handling millions of messages per second and displaying real-time information. Because the cloud provides computing resources at massive scale, such applications are possible. In contrast, in a corporate data center, IT professionals would have to procure servers, find space, provision them, and manage all the system software – all features the cloud provides on your behalf. New applications can streamline the work of compliance, legal, and risk professionals.

In sum, think of the cloud as an opportunity to both ensure and enhance your response to regulatory obligations.


Microsoft's integrated infrastructure for the People-Ready business gives professional services firms the technology they need to build and sustain client connections, develop and retain top talent, manage business performance, improve compliance, and deliver distinctive client service experiences. Click here for more information.

Back to front page   |   Contact Forefront