Thursday, June 14, 2012

Compliance and cloud

Many times when I mention we are a "Cloud first" shop people ask if we are worried about security. The answer is no.

If security is not the first question, then it is about compliance. Actually, I'll admit I was a little nervous about compliance, but not anymore.

We had our kick-off call with our audit company (one of the big 3, 5, ?) and one of our key financial reporting systems changed from an old in-house system to a nice shiny new cloud vendor. During our call we discussed any changes and I was sure that there would be a lot of discussion around this new system.

There wasn't.

They asked if the cloud vendor was SAS70 certified (which is actually now superseded by SSAE16). I said yes and they said "Well, as long as they have that and it covers the controls we are testing, that's all we need." Well, and that they would want to see our project documentation and testing, but that's normal for any new system.

So if you are worried about compliance the best advice is get to the cloud sooner rather than later. Then compliance becomes someone else's concern.


  1. I do not agree with that. The best companies involve their IT managers when ensuring compliance requires technical knowledge. If you just move to the cloud (which I still recommend) it would be foolish to assume that compliance is someone else's concern. Since compliance laws are generally written intentionally vague, having a responsible, informed party is necessary.

    That's when having a valuable partner who knows the system in and out can come in handy.

  2. Luckily for us we (IT) are fully engaged with all decisions moving to the cloud, in fact we are usually the ones driving the decision.

    Just going cloud without understanding what the vendor is doing (i.e. do they have SSAE or ISAE compliance) isn't going to work, but my point is the people screaming you can't go cloud because of compliance probably either aren't as aware as they should be, or sell an on-premise solution and are playing the FUD game.

  3. It's funny you mention it being someone else's problem. I was talking to an IT manager for a large healthcare company a couple years back and he was talking about compliance... His take was he has to worry about it, ensure it was met, etc... I agreed with him but insisted, "My team of people get paid to think about compliance issues 40 hours per week, it's their job, it's what they do, it's all they do. Your team gets paid to keep the lights on, meet your customers' needs, provide new systems and functionality and think about compliance." I made a bet that we could figure out his compliance problems faster than he could.

    I think about it like this, I love sushi. I can make it at home and it is almost passable. When I really want good sushi, I don't go to the fish market, I go to the sushi bar.

    I think your assessment is right on the money, go in with your eyes open, do due diligence on ensuring your vendors meet your needs, then let them worry about meeting their SLA.

  4. Jeff,
    Almost passable sushi, wow, that sounds almost good. :)

    I tend to agree that the people that are 100% focused on compliance (or security or availability) are going to be better and more knowledgeable. Let them worry about it and I can worry about other things, like making sure I don't eat any of your homemade sushi. :)