Cloud security compliance management functions
The objective of cloud security compliance management is to ensure that the organization is compliant with regulatory requirements (and internal policies) and efficiently tracks and reports status.
Cloud introduces changes to security compliance including:
Requirement to validate the compliance status of the cloud provider with your regulatory requirements. This validation is a shared responsibility. For more information about how these responsibilities differ for cloud types, see adopting the shared responsibility model
Pre-cloud guidance: While many regulatory requirements have been updated to incorporate the dynamic nature of cloud services, some requirements do not yet reflect these differences. Organizations should work with regulatory bodies to update these requirements and be prepared to explain these differences during audit exercises.
Linking compliance with risk: Ensure that organizations are tying compliance violations and exceptions to organizational risks to ensure the right level of attention and funding to correct issues.
Tracking and reporting enabled by cloud: This function should actively embrace the software-defined nature of the cloud, since it offers comprehensive logging, configuration data, and analytical insights that make reporting on compliance more efficient than traditional on-premises approaches.
Cloud-based compliance tools are available to facilitate easier reporting of regulatory compliance such as Microsoft Purview Compliance Manager, which can reduce overhead costs of this function.
Team composition and key relationships
Cloud security compliance management frequently interacts with:
- Security operations
- IT operations
- Organizational compliance/risk management teams
- Audit and legal teams
- Key business leaders or their representatives
Review the function of people security.