Compliance and the Cloud: Reality Check


Twain Taylor
April 6, 2017

Let’s agree on one thing to start—compliance is crucial no matter what kind of company you are. It’s a myth that only banks, government organizations, and the Fortune 500s care about compliance.

Even if you’re a startup whose target market is enterprises, you won’t land your biggest deals unless you’re compliant. Even consumer-centric startups like social media applications often come under the radar for their stance on privacy and security. Compliance is not a nice-to-have; it’s a necessity for every kind of organization, large or small.


Data storage in the cloud

The key issue with compliance is the way proprietary data is stored, accessed, and managed by an organization. In a traditional setup, IT had to ensure their physical servers were tightly secured, and only authorized personnel had access to them. Likewise, the data stored on those servers, and the applications that ran on them, were secured by encryption, role-based access, and rigid control over the devices used to access the data. With the move to the cloud, there were a lot of concerns about how organizations could achieve the same level of security they were used to with physical servers.

While this was a strong deterrent to cloud adoption initially, the scalability, cost savings, and agility provided by the cloud was too attractive to overlook. As smaller, more nimble competitors started to gain a competitive advantage using the cloud, even traditional organizations cautiously jumped ship to adopt the cloud. With more adoption came additional security measures, and soon the cloud shed its image of being non-compliant.


Common compliance policies

Here’s a list of the most common policies that businesses of various types need to comply with:

  • ISO/IEC 27000: A list of six regulations set by the International Organization for Standardization (ISO) to ensure the secure handling of information by any organization.
  • Sarbanes–Oxley Act (SOX): Governs the handling of accounting and financial information by publicly traded companies to protect the interests of investors and shareholders.
  • PCI-DSS: Set by the Payment Card Industry (PCI) for any organization that handles users’ card details. This includes cards like credit cards, debit cards, and prepaid cards.
  • HIPAA: Applicable to all healthcare organizations, it protects data related to users’ medical histories, personal information, and financial information.
  • FISMA & FedRAMP: These regulations apply to government organizations and related agencies to ensure the proper handling of information.

With such a variety of compliance regulations, it takes a concentrated effort to ensure your organization is fully compliant.


Shared responsibility

At the end of the day, compliance is your responsibility, not a cloud vendor’s, or that of any other service provider—even if they slip up. This doesn’t mean a cloud vendor can be let off the hook. They still have a key role to play in ensuring compliance. While the buck stops with you, it’s their responsibility to ensure clear communication with you about where they stand on compliance. This approach of working together towards compliance is all about shared responsibility.


Different flavors of cloud

Not all cloud platforms are created equal. Depending on what kind of cloud infrastructure you need, you can opt for a SaaS, PaaS, or IaaS cloud. SaaS puts more responsibility on the shoulders of the cloud vendor, and IaaS puts more responsibility on you. PaaS is somewhere in between. This is because IaaS platforms like AWS give you the most control over the management of your data, while SaaS platforms like Salesforce are the least flexible.

Cloud vendors provide multiple services via many tools, and not all of them will be compliant with the policies that matter to you. You need to check every service you’ll end up using to make sure there isn’t a compliance gap in your cloud toolset.


Read the fine print

Multi-tenancy uses a single server to provide cloud instances to more than one customer. Each server hosts a list of tenants, and any one tenant can affect the performance of the others. This is called the "noisy neighbor" problem, and it was initially a major obstacle to cloud adoption. It is becoming less frequent now.

If multi-tenancy sounds like a compromise to you, you can find ways to ensure you get a higher level of service. You can check your vendor’s default compliance policies and ask for exceptions where needed. Keep a ready checklist of SLAs you’d like the vendor to meet, and discuss it with them. Finally, you need to check their incident management process to know how they respond when something goes wrong. If they can provide detailed forensic investigations on incidents, there’s more reason to trust them.


Consider dedicated solutions

While multi-tenant offerings are the most popular form of cloud services, they aren’t the only option. You should find out about dedicated server offerings. AWS, for example, offers dedicated instances, and dedicated hosts, where you get full access to the underlying hardware server that runs your cloud instances.

Apart from this, there are many bare-metal cloud services which provide hardware servers in the cloud that are dedicated to a single organization. These dedicated offerings are more expensive than their multi-tenant counterparts, but their cost is justified by the level of control and visibility they provide.


Build compliance in from the start

You need to plan for compliance right at the start of your project planning, not as an afterthought. Many organizations consider compliance only during the testing and release stages of their software delivery pipeline. This is too late, and results in apps being built that aren’t compliant.

In conclusion, the cloud is capable of perfectly compliant data storage today. This may even be a safer option than managing compliance in-house. However, it’s up to you to ensure you’re getting what you need. Compliance is not the sole responsibility of the cloud vendor. It’s a shared responsibility between you and the cloud vendor, but the buck stops with you.


About the Author

Twain Taylor began his career at Google, where, among other things, he was involved in technical support for the AdWords team. His work involved reviewing stack traces, resolving issues affecting both customers and the Support team, and handling escalations. Later, he built branded social media applications and automation scripts to help startups better manage their marketing operations. Today, as a technology journalist, he helps IT magazines and startups change the way teams build and ship applications.

