Managing compliance in the cloud is highly complex. We explore the options for compliance assurance.

Compliance in the cloud is challenging for enterprises, particularly for those in regulated industries and with contractual requirements. A whole host of issues unique to the cloud conspire to make it difficult, including the shared responsibility model, lack of visibility, ephemeral nature of resources, and complications caused by managing a multi-cloud strategy.

What is compliance assurance?

Modern compliance assurance aims to resolve this problem through the automatic and continuous monitoring of cloud infrastructure for compliance with industry and geographically specific security standards and regulations. It describes the measures taken to ensure that compliance requirements, policies and processes are adhered to and uses continuous monitoring and auditing to identify instances that could increase the risk of non-compliance.

In the past, organisations had to design, manage and maintain their own compliance assurance programs. This exercise required the identification of risks and ways to reduce them, internal inspections and regulatory audits to assess how well compliance processes are being met and maintained, detailed reporting on issues that caused or threatened to cause non-compliance, change management to prevent incremental risk and regular testing to facilitate improvements.

This approach simply isn’t viable in the cloud where change is a constant, and the variety, volume, and velocity of services and dynamic landscape combine to make it impossible to manually maintain compliance. In addition, compliance demands within the cloud with respect to how processes are secured are different to those on a corporate network.

Today’s compliance landscape

Some of the most well-known compliance regulations in use today that demand compliance assurance in the cloud include:

  • FedRamp – Facilitated adoption of cloud services by federal agencies and standardised the approach to security assessment, authorisation, and continuous monitoring for cloud products and services.
  • HITRUST CSF – Widely adopted in the healthcare industry and brings together various security regulations and standards into a single framework by giving a threat-focused approach to data protection and compliance.
  • GDPR – Mandates businesses to protect the personal information of EU citizens and give individuals control over their personal data. The regulation also harmonises data privacy laws across the EU and imposes huge fines on businesses that breach the regulations.
  • CSA CCM – The Cloud Security Alliance has launched the Cloud Control Matrix v3.0.1, a framework of cloud-specific controls mapped to leading standards, regulations and best practices.
  • ISO 27001 – An international standard that defines requirements for an Information Security Management System. Compliance with ISO 27001 demonstrates the enterprise’s adherence to industry best security practices.
  • PCI-DSS – Sets the operational and technical requirements for any entity that stores, processes, or transmits cardholder data. These standards also apply to software developers and manufacturers of applications and devices used in such transactions.
  • HIPAA – Mandates the requirement for health care providers and their business associates to develop and follow procedures that ensure the confidentiality and security of protected health information at all times.
  • NIST – Provides a cyber security framework to enable greater development and application of practical, innovative security technologies and methodologies that enhance the ability to address current and future computer and information security challenges.
  • GLBA – The Gramm-Leach-Bliley Act mandates that companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – should explain their information-sharing practices to their customers and safeguard sensitive data.
  • CIS – The Centre for Internet Security has defined a set of controls and benchmarks for cloud service providers to enable enterprises to safeguard systems against ever-evolving threats.
  • POPIA – The Protection of Personal Information Act (or POPIA) is South African legislation that sets conditions for the lawful processing of personal information and applies to any person or organisation storing any type of records relating to the personal information of any person. POPIA aims to keep people’s personal information secure and protect them against identity theft, fraud, and similar breaches of their private information.

Depending on their global and geographical footprint, the organisation may well need to comply with a number of these standards and put compliance assurance processes in place to ensure these multiple standards are being met.

Cloud compliance assurance options

Leading cloud providers such as AWS, GCP and Microsoft Azure offer their own compliance assurance offerings over their platforms, but for those organisations with a hybrid or multi-cloud environment, this makes compliance monitoring problematic. They need a solution that provides them with visibility across these platforms 24×7 and that gives them ownership over the process so that they are able to monitor and correct their compliance posture.

A cloud-agnostic compliance assurance solution needs to provide:

  1. Configuration mapping. Detailed mapping of cloud software configurations to various industry regulation controls with industry and geography-specific compliance reports.
  2. Easy reporting. Contextual compliance reports across AWS, GCP and Azure delivered on a predetermined schedule such as weekly, monthly or quarterly, or made available to download on an ad-hoc basis.
  3. Continuous compliance. Constant and continuous compliance with regulations, standards, and industry best security practices.
  4. Highly customisable. Comprehensive compliance packages that can be customisedwith respect to industry, geography etc.

A continuous compliance assurance capability ensures that the organisation is always ‘audit ready’. This means internal compliance teams and auditors benefit from automated compliance checks and audits that can be run at pre-defined frequencies, while auditors can view security and compliance posture in real-time and download assessment reports for authorised cloud accounts. They can even access historical data and remediation logs to monitor improvements in cloud compliance.

External third-party auditors or their clients can get a birds-eye view of the security posture and perform a deep dive into compliance-related controls if needed. This helps increase transparency and can help with enforcing supply chain security.

The C3M Cloud Control solution incorporates a compliance engine that delivers multi-cloud compliance assurance for all of the above industry standards and regulations. As a cloud-native, cloud-agnostic solution, it provides configuration mapping, compliance reporting, continuous monitoring and customisable packages, and it also keeps pace with changes to the regulatory landscape, ensuring you stay compliant.

To find out how you can use Cloud Control to monitor and improve your cloud compliance, contact us for a consultation at or via +44 330 128 9180. Or, to read more about the solution, download the Cloud Control datasheet.