In previous perspectives in this series, I’ve discussed some of the realities of cloud computing including costs, hybrid and multi-cloud configurations and business continuity. This perspective examines the realities of security and regulatory concerns associated with cloud computing. These issues are often cited by our research participants as reasons they are not embracing the cloud. To be fair, the majority of our research participants are embracing the cloud. However, among those that have not yet made the transition to the cloud, security and regulatory concerns are among the most common issues cited across the various studies we have conducted.
While organizations should continue to be disciplined in their approach to security and regulatory compliance, cloud providers now offer approaches with these requirements in mind. The reality in this 
case may be that cloud providers have more resources to devote to complying with various industry and governmental regulations than all but the largest organizations. Compliance and certifications have become competitive differentiators or, in some cases, a competitive necessity among cloud providers. Organizations can easily find providers with CCPA, FedRAMP, GDPR and HIPAA compliance, just to name a few. Listings of compliance programs for the major hyperscalers are available including, for example, Amazon Web Services (AWS), Google Cloud, and Microsoft Azure.
Platform certification is just the first step. Organizations also need to confirm that their software-as-a-service (SaaS) application vendors are providing the appropriate security and regulatory compliance. Vendors have made varying degrees of progress on their certifications, so it is important that organizations evaluate each vendor in light of their own requirements. However, if a SaaS vendor has achieved the certifications an organization requires, it can help justify movement to the cloud. It’s one less burden on an organization’s internal resources in much the same way using SaaS removes the burden of installing, configuring and maintaining servers.
Certifications of platforms and applications must be accompanied by good data governance as well. Regardless of whether an application is deployed in the cloud or on-premises, lax data governance policies can expose an organization to data breaches, fines and a damaged reputation. Our Data Governance Benchmark Research shows that organizations that have adequate governance technologies and use them frequently outperform those that do not.
However, organizations cannot abdicate security and governance entirely to the cloud platform and application providers. Organizations must use a variety of platforms and applications. They must monitor security and governance associated with these applications both to prevent and respond to attacks specific to their organization and to ensure the applications are performing adequately. A number of vendors provide security information and event management (SIEM) and observability to monitor both cloud and on-premises applications. We’ll address these vendors in a series of future perspectives.
As in the previous perspectives in this series, the point is not to discourage use of the cloud but to ensure organizations are aware of the realities of cloud computing. In many cases, security and governance concerns may be alleviated rather than exacerbated by cloud-based deployments. It is appropriate to go in with your eyes wide open, but it’s no longer appropriate to blanketly dismiss the cloud due to security and regulatory concerns.
Regards,
David Menninger
Authors:
David Menninger
Executive Director, Technology Research
David Menninger leads technology software research and advisory for Ventana Research, now part of ISG. Building on over three decades of enterprise software leadership experience, he guides the team responsible for a wide range of technology-focused data and analytics topics, including AI for IT and AI-infused software.
