The Doppler Quarterly Special Edition 2019 | Page 89
When companies kept their applications in a data center, compliance was a more straightforward process. It still required energy and diligence, but the tasks were predictable. Servers and software were in the back room, paid for, running on set schedules, year after year. Workers maintained specific legacy systems that they were well trained on, configurations followed established patterns, and workloads were more easily tracked alongside company initiatives. Compliance could be handled as a quarterly or even annual ritual.

Cloud has flipped the compliance process upside down. It's introduced a whole new set of variables – new tools, new configuration and approval processes, new job roles and new rules for companies to follow. The changing environment has turned compliance into a moving target that's harder to control. Compliance can no longer be managed once or twice a year. In the cloud, compliance needs to be managed continuously.

To get cloud compliance under control, organizations must first understand their scopes and their ability to handle those scopes. The scope will vary for each organization, and even within an organization, based on issues such as: the regulatory controls themselves; the complexities of requirements demanded by the industry; the geography; the impact to the business if it's out of compliance; and the level of cloud maturity and readiness to take on the job and do it well.

Let's look at these issues in more depth to evaluate how to get your cloud compliance under control.

The Impact of Cloud and Automation on Compliance

Looking more closely at cloud's impact, it's easy to see how challenged organizations are when it comes to maintaining control and, just as importantly, to demonstrating that they're maintaining control.

Above all else, cloud helps organizations improve their agility. They're not hidebound by server policies and schedules, so they make rapid and frequent changes to their environments. Cloud allows them to dial services up and down according to needs and desires, and to create and deploy software rapidly using continuous integration and continuous delivery pipelines. Configurations that wouldn't change for months, perhaps years, in the data center now change in minutes.

The app delivery process used to be concentrated; in the cloud, it's decentralized. Many developers and DevOps personnel play a role in software delivery. Some may not have experience pushing changes to test or to other environments. This adds a layer of risk.

The different cloud environments create a layer of complexity. The trend today is for companies to embrace multiple cloud environments – such as AWS with a combination of Microsoft Azure and/or Google Cloud Platform, or other combinations. Each new tool and new environment increases the learning curve for a staff that's already struggling to stay current in their training. Plus, the cloud providers themselves are constantly innovating, adding new services and new techniques.

Here's the bottom line. Cloud engagements are so dynamic, they require new, updated compliance programs just to keep up with the commonplace changes in their environments. You can't check every six months and hope for the best. You need to check continuously that the programs in place are robust and happening continuously. Therefore, you need a continuous monitoring and remediation program to ensure that those services running in the cloud are compliant.