Skip to content Skip to footer

Loading Results

Compliance in the cloud – embracing the new normal

From social media, through streaming music and videos to online shopping, technology has become an indispensable part of our lives – all made possible by cloud technologies. The “cloud” is a computing model provided by Cloud Service Providers (CSPs) that allows organisations convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or CSP interaction. A simple analogy for cloud computing would be renting a hotel room. But in the same way your security and privacy are impacted when stay in a hotel, so does that of your data when it resides in the cloud.

There is an increased appetite with organisations to adopt cloud services to reduce costs and increase efficiencies in operations. Cloud spending is rapidly increasing, with Gartner predicting that by 2020 the cloud market will be worth $383.3bn1, and they suggest that a corporate "no-cloud" policy will be as rare as a "no-internet" policy is today.

Asking the right questions

Individually, we are all adopters of Cloud services and we should understand how our personal data is being used and secured. For organisations using Cloud services, the worries and risks are multiplied. So what should they consider before using a Cloud service? Some starters:

  • What kind of data can I put out on the Cloud?
  • Is there any regulatory or compliance requirements that affect me?
  • Who owns the data and who has the rights to use it?
  • What security measures are in place to protect my data in the Cloud?
  • How do I ensure our data is appropriately segregated from other Cloud subscribers’ data?
  • Who is liable if things go wrong and what are the remedies?
  • What recovery and continuity procedures are available in the event of a loss of Cloud service?
  • What tools, procedures and support are available to migrate between Cloud providers?
  • What monitoring and reporting mechanisms are available to maintain governance and oversight over the services migrated to the Cloud?
  • How can we change service providers or exit the contract without incurring additional costs or exposing ourselves to risks?

Compliance in the Cloud

It is important to understand with whom compliance responsibility lies when using Cloud services. And it varies depending on the service and the CSP. What is clear, though, is that the more Cloud you adopt, the more you lose control. So the challenge, in my opinion, becomes one of understanding the risks and implementing the controls needed to manage them.

Achieving compliance

As the market matures, so have user expectations in regards to managing risks, especially in light of GDPR and recent high-profile security breaches (see our report “Cloud Hopper on Managed Service Providers”, for an example). There are growing expectations on CSPs to demonstrate a robust control environment. This leads to the frequently asked question: what options do we have to manage compliance in a cloud environment?

There are a variety of certifications and reports that can provide assurances to better understand how data is managed and secured by CSPs. To understand which you need, consider an important question: how are you using Cloud services?

If the answer is anything related to financial data or impacts your corporate financial reporting, you will need to ask your CSP for a Service Organisation Control (SOC) 1 (or equivalent) report. SOC 1 addresses how changes to the application, security within the application and general upkeep of the application are managed or administered or controlled.

For non-financial data, such as HR, then a SOC2 report. SOC 2 assessment consists of the Trust Service Principles (TSP) framework from American Institute of Certified Public Accountants (AICPA) for evaluating a service organization's internal controls against the prescribed set of Common Criteria found in the TSPs. SOC 2 assessments cover a wide range of controls such as operational, technical and information security controls. This is based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems.

Ultimately, in the same way that staying in a hotel impacts your security and privacy, putting your data into the Cloud should change your perspective on how to manage such risks.

1 Source: Gartner February 2017 (

Contact us

Krishna Iyer

Krishna Iyer

Director, Stakeholder Assurance, PwC United Kingdom

Tel: +44 (0)7841 566415

Follow us