Compliance and the Cloud

Tom McAndrew, Chief Executive Officer, Coalfire

“The Cloud” is a hot topic right now. Yet most people can’t even define what “the cloud” really is. As I talk to more companies, who are considering the move, they all have two main concerns: security and compliance. Of course, security and compliance are key when it comes to cloud computing, but the questions you really need to be asking is not, “Will I be secure and compliant if I move to the cloud?” but rather, “What do I need to do to be secure and compliant when I move to the cloud?”

The switch to cloud computing is inevitable for most companies, and choosing the best cloud environment is a huge decision. There are two simple steps you can take to safeguard your migration and make sure it is successful.

Get it in writing

First, you must compare the service provider’s contracts with the regulatory needs of your business. Your provider must acknowledge in writing their responsibility to protect your data. Contracts must stipulate that the provider understands what type of data they are dealing with. This will guarantee its protection and make sure that they will notify you immediately if there is any suspected incident. Also, make sure that if an incident does occur that they will cooperate with any investigation.

Know Your Stuff

Second, you must ensure that all of your stakeholders, this includes external auditors, regulators and IT staff, understand what cloud computing is. Many of your key players will have a varying level of technical knowledge.

Cloud computing is here to stay; it is only going to get bigger. While the standards of this newest IT evolution are still being established, there is no need to let uncertainty slow your migration. With a fundamental knowledge of cloud environments and a well-trained auditor, your organization can successfully lead the charge to the agile, on-demand world in the cloud.

Tom McAndrew


Tom McAndrew — Chief Executive Officer, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS