Regardless of whether the standard has a certification, requires an audit, or has any official controls in place, rest assured a badge is available somewhere on the Internet and is often peppered across the websites of cloud providers with reckless
Beyond the Compliance Badge
The reality is that in the event of an actual disaster, followed by an audit, the auditors will want to see the relevant compliance paperwork covering that period. The best way to assess whether you could deliver that data is by asking for audit
When you ask, “Can you give me some documentation of your XYZ compliance status?” you’re likely to get one of three types of answers:
1. The logo is on our website. That is
2. Here’s a signed letter that says we comply, from a third-party auditor.
3. Here is the full audit report. As you can see, we passed with a 95 percent grade, having mild issues ensuring our HR department sent global emails regarding the snack
The first response is clearly suspect. The second is sufficient, but vague. It’s like hiring someone who got a “pass” on their college education but who will not report their GPA. A 2.5 is a pass and a 4.0 is a pass, but wouldn’t you like to know if the guy failed calculus? The third option is obviously the most open stance, but it is also not prevalent.
These responses, however, are a barometer for the ease with which you’ll get their part of the audit paperwork in the event of an actual audit. Ideally, the reports that document compliance status are as accessible and on-demand as those on your own workloads.
Returning to our heroes in their disaster movie sequel, we find them happily clicking through their cloud console and printing off a few reams of profoundly boring security and compliance paperwork for the eager auditor in the
Just as the moviegoer is considering using this boring lull in the action to refill her popcorn, the auditor innocently asks:

“Uh – this file integrity monitoring report on the Nexus System – is it showing an unaddressed error in the system files?”
Our heroes, while diligent in their cloud selection, can’t even pretend to be well-versed in every page of the output, from months ago, no less.

Does that impact our audit?
Now, while this drama doesn’t begin to parallel the original movie’s tense water-seeping-through-the-door-jamb climax, the tension is palpable.
Most cloud teams are, at their core, infrastructure experts or developers. They are rarely trained security people and are almost never compliance officers. When auditors raise flags and ask questions, answering them can be a costly exercise, as time is usually money with auditors.
Who might know how the cloud reporting should work and how it impacts an audit? Cloud facilitators who play in compliant domains have their own in-house compliance teams, ensuring they pass the aforementioned audits and supporting customers when these esoteric questions
As cloud audits become more commonplace, it’s safe to bet the auditors themselves will become more sophisticated consumers of cloud reporting. But in the interim years, having the support of a compliance team during audits can be a game changer. They can interpret the questions of auditors, help craft the answers, or even speak directly to them to clarify reports or data.
A Documented, Peaceful End
Without hesitating, our heroes pick up the phone and call their compliance team, who quickly sort out the misunderstanding. Of course, the issue was addressed and documented further down on page six of the report.
The auditor, satisfied with the documentation during the April disaster, moves on to look into the key-card system on the south door of the data center. Our heroes crack open a can of Diet Coke and breathe a sigh of relief. Fade to black.
Of course, the post-disaster audit movie is one that will never hit the big screen. But, to an organization bound by compliance, it can be as costly and as stressful as the initial disaster. Fines for being out of compliance can be very expensive, and the costs could be much higher if any data breach occurred during the period in question.
Not unlike disaster recovery planning itself, planning for the security and compliance of your workloads once they are in the cloud is very possible in advance of the
Confidence in your business continuity plan is critical when danger strikes, but confidence in the safety of your workloads for the duration of their stay in the cloud enables a smooth, unhurried transition
Lilac Schoenbeck has more than 18 years of experience with product strategy, business development, marketing and software engineering in the grid, virtualization, and cloud domains. She is vice president of product management and marketing at iland, a global enterprise cloud hosting provider. Lilac holds an MBA from MIT Sloan School of Management and a computer science degree from Pacific Lutheran University.