Navigating the Cloud in a Regulated Industry: It’s Tricky, You Have No Choice, and It’s Worth It

If you are like a lot of business executives I know, your head may be spinning over the onslaught of “cloud talk” these days: Cloud services, cloud security, cloud governance, cloud deployment, cloud this, cloud that. Admit it: When your CIO stands at a leadership committee meeting or presents to the board, and talks about adopting a cloud-first mentality, you are not sure whether to pat him or her on the back, or show them the door.

But do not let the jargon and potential confusion slow down your journey to the cloud. One of the biggest things to keep in mind is how to account for regulations and standards while still moving to the cloud aggressively and securely.

The industries where cloud not only has the greatest potential for good, but also the biggest challenges to overcome, tend to be the most highly regulated markets. Industries such as healthcare, government, and financial services are usually at the top of that list, but there are plenty of other industries where regulations, mandates, and government-imposed standards can make an organization’s journey to the cloud a tricky one. Does your organization have publicly traded stock or debt? Welcome to the world of Sarbanes-Oxley (SOX). Do your customers buy goods or services using payment cards? Say hello to the Payment Card Industry Data Security Standard (PCI DSS).

These and countless other regulations and standards have a big impact on how, when, where, and why you move important data, applications, and workloads to the cloud. Sorting this out requires you to do your homework and make smart decisions about your use of the cloud in a highly regulated industry. But let me emphasize that you do not have the option to turn away from the cloud just because regulatory compliance may be tricky.

Take SOX, for instance. Part of that act is a separation-of-duties requirement, under which developers are not allowed to push their own code directly into a production system. But in a world where DevOps is fast becoming standard operating procedure, handing code off to a completely different group of people who have not been involved in the process up until that point runs directly counter to what DevOps is all about. You end up with more silos, which adds complexity, inefficiency, and speed bumps.

Rather than just throw up their hands and blame the regulation, business leaders must empower their DevOps teams, working in concert with their InfoSec colleagues from the start, to develop and implement new policies that both (A) account for the regulatory requirements and (B) operate smoothly in a cloud-first mindset.

Sounds tricky, right? Yes, in fact, it can be. But business leaders must listen to their DevOps, security, and compliance teams, which increasingly are collaborating on ways to support the letter and spirit of the standard without slowing down the DevOps-and-cloud locomotive. This is our “new normal,” and business leaders know that this is being done on an enterprise level at scale.

If FUD (fear, uncertainty, and doubt) is holding back your organization’s cloud adoption amid the web of regulations and standards, you are not alone. But since when do organizations succeed by being cautious? Embracing cloud and DevOps in a secure, compliant manner is being done all the time; it is a movement that cannot be slowed, let alone stopped, by regulatory concerns.

So, what should business executives and boards of highly regulated organizations do when it comes to balancing the “need for speed” personified by cloud and DevOps with regulatory governance?

For instance, how data is handled in the cloud is fundamentally different from how it has been handled in the data center, and many regulations were written in the pre-cloud era. Fortunately, many standards are written in ways that allow a broader, looser, or newer interpretation in a cloud environment than in a physical, on-premises one. Suppose there is a requirement that you have always interpreted as “you must have virus protection on your servers.” When you examine the text more closely, it may actually say something different. For instance, the HITRUST compliance standard for healthcare says, “Detection, prevention, and recovery controls should be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.” That is a big difference, because wording like that allows you to rewrite policies to account for containers, immutable servers, or serverless computing.

Your teams have to do that kind of work: examine the regulations and interpret them in a modernized, real-world context where cloud, not on-site physical data centers, is the standard. This means your compliance and governance teams must work as closely and as collaboratively as possible with your DevOps teams and cloud architects. Even though many in-house compliance teams are hard-wired to block anything that feels remotely close to a regulatory fault line, business leaders need to strongly encourage them to find ways to help the cloud and DevOps teams get what they need.

At the end of the day, it comes down to basic blocking and tackling:

  • Examine the standards in a modernized context for both IT and business issues.
  • Rewrite the policies where it makes sense to support agility and flexibility.
  • Put in “guard rails” to ensure that you do not stray into potential land mines, working closely with your security and compliance teams from the start.
  • Install automation tools to support new policies without putting a big management burden on DevOps and security teams.
  • Consider bringing in outside experts to audit your processes, offer suggestions, and help the organization move to the cloud and support DevOps as safely and securely as possible.

Adopting a cloud-first mindset is increasingly becoming a smart way to compete in the era of digital transformation, even for organizations in regulated industries. Do not take the easy way out and avoid the cloud and DevOps just because you are uncomfortable re-evaluating your regulatory requirements.

The old story about the tortoise and the hare might be fine for putting your grandchildren to bed, but I prefer “the race goes to the swift.” And today, that means a cloud-first mindset.
Torsten Kablitz is Vice-President of IT and Cloud Engineering and DevOps Transformation at Change Healthcare, a global supplier of technology solutions for the healthcare industry.