Companies that must meet regulatory requirements like HIPAA, PCI-DSS, HITRUST, and GDPR are less likely to migrate regulated workloads to the public cloud, according to a new report from Logicworks and Wakefield Research. In fact, 88% of the 400 IT decision makers surveyed agree that compliance inhibits further cloud adoption at their companies.
Why are IT decision makers hesitant to migrate compliant workloads to the public cloud? What roadblocks are holding them back?
Roadblock #1: The Cost of Cloud Compliance
Major cloud platforms like Amazon Web Services (AWS) and Microsoft Azure service thousands of customers in highly-regulated industries. AWS has over 20 certifications and is annually audited for an additional 25 regulations or frameworks. It has prioritized services that automate security and compliance tasks.
In short, public cloud providers have made significant investments in tools, documentation, and audits to enable compliance on their platforms. It is unlikely that cloud platforms themselves are inhibiting adoption. It is more likely a lack of education about these available resources.
However, there is often an additional cost associated with duplicating compliance tools, efforts, and audits on an additional platform. A PCI-DSS audit, for instance, can cost upwards tens of thousands or even hundreds of thousands of dollars per platform that you audit, plus the overhead of staff and maintenance.
This additional cost may be mitigated by two factors: the lower total cost of ownership associated with most cloud platforms and leveraging 3rd party providers, like Logicworks, to bear the cost and maintenance responsibility for infrastructure-related compliance tasks.
Roadblock #2: Lack of Expertise in Cloud Compliance
A majority of ITDMs say it is difficult to find engineers with compliance expertise, according to the Logicworks survey. This confirms related reports that major financial firms are paying a major premium for compliance talent. There’s high turnover, and existing compliance staff is difficult or impossible to replace.
This lack of expertise is highlighted by another shocking statistic from the new report: 49% of ITDMs believe that cloud providers are more responsible for compliance in the cloud. In fact, cloud providers like AWS are very clear on this point: “While AWS manages security of the cloud, customers remain responsible for compliance and security in the cloud.” The company, not the cloud provider, bears contractual responsibility for compliance (unless a special contract or BAA is signed, and even in this circumstance cloud providers assume very limited liability, usually only limited to physical security). Executives must understand compliance responsibility in order to successfully operate on the cloud. Further training is required to educate ITDMs and engineers on how to host regulated data on the public cloud, which will also reduce resistance to migrating compliant workloads to the cloud in the future.
Roadblock #3: Changes to Compliance Regulations
69% of IT decision makers think regulations will change in the next year, and half of those feel that these changes will increase the cost of compliance, according to the Logicworks survey.
Changes to compliance create additional complexity. So, on top of figuring out how to run compliant workloads on the cloud, companies must also interpret new regulations and hire more experts to maintain compliance. This additional complexity is another roadblock to cloud adoption for overburdened compliance teams.
Compliance is a major inhibitor of further cloud adoption — but most of these concerns are around expertise and regulation changes, not the capabilities of the cloud itself.
As cloud technology matures, so will best practices for maintaining cloud compliance. Companies need to prepare additional resources to migrate regulated data to the cloud and maintain compliance as regulations change.
If you’re interested in learning how Logicworks’ team of cloud compliance experts can help you migrate or manage regulated workloads on AWS or Azure, please contact us.