The cloud industry is loosely defined, unregulated, and quickly evolving. The typical cloud service provider (CSP) business model is very uniform. It looks the same across all industries — there’s no per-tenant service customization, CSPs don’t offer one-off contracts, and they don’t bend their terms and conditions for customers in any specific industries.
So can you use a CSP if your organization is in a highly regulated industry? Steve Chambers, a Cutter Consortium Senior Consultant and expert on the CSP industry, explains:
“Some CSPs enthusiastically embrace industry regulators as they see it as a competitive advantage. These CSPs build their own assurance programs that any customer can audit, effectively meeting an industry regulator halfway by supporting the regulated organization.”
According to Chambers, a review of public CSPs shows that the oldest, largest, and most mature CSPs have the most comprehensive set of assurance programs:
- AWS has 62 programs, reflecting its geographic and industry breadth, which requires alignment with both country and industry regulatory bodies.
- Microsoft Azure has more than 50, which also aligns with its acknowledged position as the number two global public IaaS provider.
- Google is a distant third with fewer than 20.
- The rest of the CSP field is smaller still in terms of number of compliance programs.
“These programs help translate often vague industry-specific requirements into cloud-specific controls. For example, a finance industry-specific organization such as a bank must comply with PCI DSS (because its regulator says so) but a CSP does not — unless that CSP wants to work with a finance customer. In this case, the CSP will voluntarily (if it wants to win the finance business) align to PCI DSS. In effect, the CSP is acknowledging that if it wants to acquire a regulated industry’s business, it must comply with that industry’s relevant regulations. The CSP’s PCI DSS assurance program will explain to the bank, and its regulator, how that CSP meets the regulations for its part of the supply chain. A CSP’s certifications and compliance with standards are typically independently verified, though some certifications such as Cloud Security Alliance controls do allow for self-certification.”
If your industry is important enough to the CSPs, they may evolve their “no customization” rule and develop industry regulator-friendly programs that make it easier for you and your competitors to do business with them. But that doesn’t mean they will be pushovers when it comes to regulations, especially when it involves providing access to tenant data. However, organizations in regulated industries that have signed up to a regulatory body already allow the regulator access to data as required, so the CSP can just match that agreement and give nothing extra away.
For More on Cloud Procurement
Cutter Consortium Research: Cutter clients can read more from Steve Chambers, and get advice about what to do about CSPs for regulated industries in the Executive Update, How Do Industries Regulate and Supervise Cloud Service Providers?