Compliance is a broad concept that takes different forms, with different intents, from industry to industry and domain to domain. Whatever the situation, it is often viewed as a bogeyman. We’re not so sure that should be the case.
Why compliance exists
Think of compliance like the guardrails on a curvy road. Without them, the drive gets dangerous. Business transactions are twisted journeys, too. Absent regulation, the only trust in a transaction is the natural trust one party places in another, and sometimes a party turns out to be a bad actor. That’s where schemes, fraud, and over-leveraged deals arise. Compliance exists, and some industries are far more regulated than others, because those are the industries where bad actors can do the most catastrophic damage to society or to individuals. Today a swell of digital data about individuals is produced daily, and the line between regulated and unregulated industries is blurring. As a result, broad-brush regulations like GDPR apply to any organization, whatever its industry, that collects, processes, or stores personal data of individuals in the EU.
With compliance and the cloud, all roads lead back to privacy and security issues. Sometimes the link is literal and technological, like encryption, but even the policies written for humans relate to the same thing: security. For example, best practices call for Access Control Lists (ACLs), which define which users or systems may perform which operations on a given resource; they also govern what someone sees after logging into an app with a password, all the way up to how businesses manage and train employees. It all ties back to data security.
Compliance on the cloud, then, is the process of proving security of, on, and in the cloud. It’s how one organization gives assurances about best practices being used for security implementation to other organizations, be they partners, customers, or regulators. The compliance must-haves are essentially a proxy for privacy must-haves and security must-haves.
It is the right thing to do, not because you have to do it, but because you ought to do it.
The legal and technical collision of compliance
Compliance rules are drafted by lawyers and regulators, not necessarily technologists. While some of the technological definitions found in regulatory rules are inefficient or obsolete, the reasoning behind the rules is straightforward and correct. The right approach for a modern technology company is to implement updated processes or controls that match the spirit of the rules, then have those controls validated by a third party. Trust is earned through validation of controls.
Therefore, compliance can be a litmus test for organizational integrity, which is why it’s viewed as an irritant by organizations without resources, time, or the patience to go through the process of understanding what compliance means. For better or worse, a three-person Silicon Valley startup building a digital health app at a weekend hackathon will find compliance a burden, whereas Fortune 100 enterprises view compliance as a cornerstone to their global business operations.
Add to that the continuous, always-on nature of compliance on the cloud, and compliance becomes expensive because it is essentially a cycle. Compliance is set up, then a company must prove it is set up the right way, then it is managed and updated on an ongoing basis. HIPAA, for example (the Security Rule as extended by the 2013 Omnibus Rule), requires regular review of information system activity, which in practice means scanning for intrusions. Are there connection attempts coming in from unexpected addresses abroad? Are people attacking the organization? Detecting this is the job of an intrusion detection system (IDS). Tracking that activity, reviewing the logs, and analyzing what kind of traffic is coming in are rote daily tasks.
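To make the "rote daily task" of log review concrete, here is an added example (not code from the original article) of the kind of check an IDS or a reviewer runs over authentication logs: it parses sshd-style log lines, counts failed logins per source address inside a time window, and escalates when a successful login follows a burst of failures. The log lines are constructed for the example, and the thresholds (four failures in ten minutes) are assumptions, not figures from any regulation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux sshd auth log (not real data).
# 203.0.113.7 fails repeatedly and then gets in; 198.51.100.20 is a normal user.
SAMPLE_LOG = """\
Mar 12 02:14:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 02:14:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 12 02:14:05 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 12 02:14:08 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 12 02:14:10 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 12 02:14:12 web01 sshd[2101]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 12 02:20:30 web01 sshd[2130]: Failed password for alice from 198.51.100.20 port 40011 ssh2
Mar 12 02:20:35 web01 sshd[2130]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2
"""

# Matches the login-result lines sshd writes; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one auth log line into an event dict, or None if it is not a login result.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in e.g. "Mar  1"
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "src": m["src"],
    }


def review_auth_log(text, max_failures=4, window_minutes=10):
    """Return one finding per source address whose activity crosses the threshold.

    A source is flagged "brute_force" when it produces max_failures failed logins
    inside the window, and escalated to "success_after_brute_force" when a
    successful login arrives while that many failures are still inside the window.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent_failures = []  # timestamps of failures still inside the window
        total_failures = 0
        severity = None
        for event in events:
            recent_failures = [t for t in recent_failures if event["ts"] - t <= window]
            if event["result"] == "Failed":
                recent_failures.append(event["ts"])
                total_failures += 1
                if len(recent_failures) >= max_failures and severity is None:
                    severity = "brute_force"
            elif len(recent_failures) >= max_failures:
                severity = "success_after_brute_force"
        if severity:
            findings.append({
                "src": src,
                "severity": severity,
                "failures": total_failures,
                "users": sorted({e["user"] for e in events}),
            })
    return findings


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG):
        print(finding)
```

The review record a reviewer keeps is the list of findings plus the thresholds used; an auditor asking for evidence of activity review wants to see both the detection and the follow-up, so the output is structured rather than just printed.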
Compliance is really an asset
Compliance may seem like an onerous and unnecessary chore to please micromanaging lawyers and regulators, but that view is one-sided. Compliance is not simply a checkbox to get past. Compliance is an enabler or an asset instead of a blocker or liability. An organization, developer, or even a compliance officer must transmute the limiting view of compliance to an expanded one.
When an organization solves the problem of compliance and clearly demonstrates it, the organization can embrace the cloud and enable digital transformation, thus becoming a trusted industry leader, partner, and innovator. With compliance as an enabler of the cloud, organizations can fundamentally shift the role of IT from a bottleneck or cost center into a strategic voice in the C-suite and boardroom.
The modern and future cloud is about leveraging partners. That reliance on partners, and on Shared Responsibility models, makes compliance an even more powerful asset for any organization. To use that asset wisely, organizations must fundamentally shift their view of compliance.
Instituting a holistic program to manage compliance of, on, and in the cloud is the secret to turning the cloud into an engine for organizational innovation. Understanding what the cloud is today compared to the past and what it will be in the future is the first step.