“Moving to the cloud” appears more and more often in organizations’ strategies and roadmaps nowadays. Along with the migration, “Regulatory Compliance” also becomes a hot topic. In fact, regulatory compliance is always a hot topic, but its temperature rises further when organizations are moving their workloads and applications en masse from their compliant on-prem environments to the cloud.
There are quite a number of laws and regulations that apply to organizations in different industries and regions. Finding information about the regulation in question can be a pain. Luckily, AWS, Azure and GCP have all provided compliance resource sites to help organizations learn about compliance in the cloud. In this article, we’ll compare the compliance offerings of these cloud service providers (CSPs).
About Regulatory Compliance
As usual, let’s understand the “food” first before we take a bite of it. If we take a literal look at the phrase “Regulatory Compliance”, Regulatory is the adjective and Compliance is the noun. When we drill into the meaning behind each word, we get the following:
- Regulatory refers to the activity of checking whether a business is working according to official rules or laws;
- Compliance refers to the act of obeying a rule or law.
So from the organizations’ point of view, compliance is the actual goal they need to achieve. The next question is which rules or laws an organization needs to conform to. Usually we can group them in three ways:
- Compliance by Category
e.g. Certification/Attestation, Laws/Regulations/Privacy, Alignments/Framework
- Compliance by Region
e.g. Global, Regional, Local
- Compliance by Industry
e.g. Financial, Healthcare, Automotive, etc.
When organizations choose to host their workloads or applications in the cloud, compliance becomes a shared goal and responsibility between CSPs and organizations (ref. the Shared Responsibility Model in AWS, Azure and GCP). This makes a CSP’s compliance status a prerequisite for the organization’s own compliance. In the following sections, we’ll compare AWS, Azure and GCP’s compliance across the three ways of grouping.
Please note that all CSPs are constantly working to expand their compliance offering coverage. We’ll also periodically review the lists in this article and update them to map to the latest state. However, please always refer to these CSPs’ official websites for details of their compliance offerings (ref AWS Compliance Programs, Azure Compliance Documentation and Google Cloud Compliance Offerings).
Compliance by Category
Compliance by Region
Compliance by Industry
After listing the compliance offerings from AWS, Azure and GCP, we felt much sympathy for the CSPs. One organization may only need to comply with one or a few laws or regulations, but CSPs will need to go through as much compliance as they can to be able to offer compliant cloud services to their customers in various regions and industries.
The compliance offerings listed above may change or grow the very next day. To get comprehensive information about AWS, Azure and GCP’s compliance offerings, please refer to their official websites: AWS Compliance Programs, Azure Compliance Documentation and Google Cloud Compliance Offerings.