Public cloud providers have been fighting a battle about their lack of preparedness for enterprise compliance, and it is costing them revenue opportunities and credibility gains.
And why wouldn’t it be? No corporate executive wants to face his board trying to explain why a particular cloud vendor was not certified for compliance, or why a major data breach occurred on the cloud network that is going to cost the company millions.
Enterprise concerns about cloud compliance remain major impediments to public cloud adoption. "We take compliance extremely seriously at Google," said Google spokesperson Tim Drinan. To this end, Google is certified with FISMA (the Federal Information Security Management Act), a compliance security standard intended to safeguard government information, operations, and assets from outside threats and attacks.
But compliance with one set of regulations still won’t attract the broader enterprise market, which consists of many different industry verticals and compliance standards. Depending on the makeup of its customers, a public cloud provider might have to offer compliance with HIPAA (Health Insurance Portability and Accountability Act), ITAR (International Traffic in Arms Regulations), SOX (Sarbanes-Oxley Act), PCI (Payment Card Industry), or some other regulation.
“We began our cloud offering in the aerospace industry, where our original expertise came from, but now we are pursuing new clients from different industry verticals,” said Alan Gilbert, marketing executive at supply chain public cloud provider Exostar. He says that his company is frequently required as part of the RFP (request for proposal) process to demonstrate or obtain compliance for regulations. “It is a cost of doing business,” he said. “Our customers expect us to be fully compliant in their industries, and we have to demonstrate that we are.”
So is the public cloud push for compliance making a difference?
Current practice suggests that more cloud computing decisions are being made by business end users, who might not be as particular about compliance and security as IT. But these enterprise users don’t want to end up standing in front of their boards explaining a compliance or security failure, either.
Public cloud providers understand this; and the more they’re able to demonstrate a complete set of regulatory and security capabilities to their enterprise prospects, the more often they’re winning enterprise business.
Of course, the price of compliance isn’t cheap. Public cloud providers have learned that they must take the following steps to ensure success:
Invest in compliance. Earning regulatory and security certifications in different industry verticals is time-consuming and expensive -- but it’s the cost of admission if you want to do big business with enterprises.
Retain auditors and perform annual regulatory and compliance reviews. Enterprise prospects expect to see third-party-documented proof that the cloud provider conforms to industry standards and regulations.
Ensure that regulatory and security standards are captured in application code that is part of the cloud. Cloud providers, especially those offering SaaS (software-as-a-service) public cloud services, are expected to incorporate logic in their apps to accommodate industry guidelines and regulations -- and to keep them current.
Best-of-breed public cloud providers are pursuing these steps and will likely be the final survivors as less-compliant solutions fall by the wayside. “Today, we are compliant in government, but there are still other industry verticals we have to certify on,” Google’s Tim Drinan acknowledged.
Like Google, virtually no public cloud provider will tell prospective customers that it can comply with the regulatory requirements of every enterprise industry vertical -- but the best will get there. As this happens, comfort levels with public clouds will rise in executive suites.
— Mary E. Shacklett, President, Transworld Data