Episode Summary

iland Director of Cloud Market Intelligence Brian Knudtson is joined by guests Tim Davis, Jonathan Pierce, and Marc Crawford for a conversation about the concerns customers have with achieving compliance in the cloud. They discuss how to ensure your compliance needs are being met, what cloud providers can do to improve your compliance situation, and the divide between individual and organizational concerns over compliance. Be audit you can be!


Tim Davis
DevOps Advocate, env0


Jonathan Pierce
Sr. Systems Programmer, Kindred Healthcare


Marc Crawford
Systems Engineer, NJVC


Cloud Conversations

Topic 1

[02:15] Customers should always evaluate whether cloud providers can support their compliance needs. Is simply verifying that they have the needed compliance badges on their website enough to alleviate these concerns?

Topic 2

[06:12] Compliance can be tough, especially for smaller companies that may have few or no legal or technology-focused employees. How can providers help improve a company’s compliance situation?

Topic 3

[18:19] My polling found compliance to be a huge concern for companies, coming in at No. 4, but one of the lowest concerns for the individuals, at No. 15. Why are individuals so unconcerned about compliance, but yet they assume their companies are?

Cloud Bites

[01:15] “It’s exactly the same whether you’re on-prem or in the cloud.” — Tim Davis 

[02:39] “The whole point of compliance is not just saying that you follow the rules, it’s proving that you’re following the rules.”  — Tim Davis

[02:45] “The audit process is such a huge part of pretty much any compliance certification out there, it should be exactly the same for when you’re going to the cloud and you’re making sure they’re compliant.”  — Tim Davis 

[03:54] “It’s not enough just to make sure they have the badge on their website, contractually you’ve got to make sure that your data is protected and that all the compliance and regulatory needs are being met.”  — Jonathan Pierce

[04:23] “At the end of the day, if you’re trusting somebody else with your compliance and they fail, that’s on you. You should have been doing your due diligence to make sure that they were keeping up on their end by keeping up with your end.”  — Tim Davis

[05:31] “If you just keep up with it, if you stay on top of it, it’s not going to be that huge in the long run versus getting breached, having some kind of compliance failure, and then having to go through and mitigate and remediate after the fact.”  — Tim Davis

[06:22] “If you’re a smaller company and you don’t have the auditing, the infosec, the people hired around compliance, cloud can shoulder that burden.”  — Jonathan Pierce

[10:43] “Once we started moving and utilizing cloud services, it’s definitely making things easier on the compliance side, because somebody else on the back end is doing all the compliance work for all those cloud services.”  — Marc Crawford

[13:55] “If you think of like a database, you deploy an EC2 instance that has a full OS on it, that has the database stuff on it, that has the database, you’re having to manage the compliance on that whole stack, including the OS. If you just deploy an RDS database, there is no OS, so you don’t have to manage the patching of that; you don’t have to do this and that.”  — Tim Davis

[14:55] “That’s one of the things I love about the cloud, is that once you go up the stack, once you’re no longer worried about patching firmware and OSs and AV, and you’re looking at just microservices, you don’t have to worry about so much, and it’s beautiful. And I think it’s more important than actual cost, because it’s a framework for people to do actual architecture.”  — Jonathan Pierce 

[18:36] “So if they skip a quarter or two quarters and are not following up on all the compliance issues and they don’t see anything happen, nobody’s got in trouble and nobody found out, then everything’s all well and good. So they’re like, ‘well, yeah, I can just go another quarter and just check the checkbox and nobody will ever know.’”  — Marc Crawford 

[19:52] “If you don’t understand what happens when there’s a compliance break or a breach or a failure, then you don’t necessarily understand the gravity of all that. So it just kind of sits in the back of your mind or it doesn’t at all.”  — Tim Davis

[21:57] “If you’re not regularly communicating, figure out how do my decisions affect somebody else, how do somebody else’s decisions affect me, then you’re going to lose some of that perspective because you just don’t know.”  — Tim Davis



Episode Asset

iland In-House Compliance Services

iland’s services were built with compliance in mind and they are supported by iland’s in-house certified compliance team.

iland’s compliance team is here to support your needs. They are dedicated to ensuring iland’s systems meet regulatory requirements across the globe and strive to meet industry best-practice standards. They can also answer your due diligence questions and provide the documentation you need to conduct your third-party audits and trust iland as your partner.

Whether you have added in a new compliance requirement, adjusted your controls, or simply want to ask a question, the iland compliance team is available!