
Modernizing Compliance: Navigating the Cloud Securely


As an organization transforms itself by adopting modern cloud technologies, it brings both opportunities and challenges for the compliance function. Modernization is a broad mandate that spans the way the compliance function is governed: the tools and technology it uses; the number and nature of its connections to other parts of the business; the verifiability and auditability of the controls' evidence; the expectations assigned to it; and more.


Through this blog, we discuss how Compliance and Audit teams can add value to enterprises through the safe use of cloud technology: reducing risk through the use of the public cloud, and architecting for a future where adherence to rules and regulations also helps improve baseline security controls.


Compliance in the cloud


Harmonize and rationalize controls within different frameworks


One of the first steps that an organization should consider is to harmonize its security controls. Rather than taking the plunge immediately with tools and technologies that make their controls more cloud-native, teams should take a holistic approach that involves people, processes, and technology.


As part of "Control Harmonization", compliance experts within the organization should analyze the various standards and security controls that apply to them and define a comprehensive list of controls to implement. The goal is to develop a set of common requirements and controls (often called generic controls or a baseline) which, once implemented, meet the majority of the organization's compliance requirements. This newly defined control set then becomes the "harmonized controls" that help the organization meet the requirements of standards such as FedRAMP, PCI DSS, NIST CSF, ISO 27001, etc.


Use the right tools & processes


Traditional compliance methodologies, reliant on manual processes for evidence collection, are inefficient, prone to errors, and resource-intensive. According to the Gartner® Audit Survey, 75% of chief audit executives cited Audit's ability to keep up with the fast-evolving cybersecurity landscape as their top priority.


The right set of tools is key to a meaningful compliance posture in the cloud environment. The tools and controls that you select should help you answer the following questions:



  • Are my workloads compliant?

  • Am I maintaining compliance while shifting workloads to the cloud or while using a multi-cloud environment?

  • How do I proactively ensure compliance, instead of making it work as an afterthought?

  • How do I automate controls and monitoring? The question often arises whether one should rely on the cloud provider's native tooling or use third-party tools. Ultimately, the best approach depends on the specific needs and priorities of your organization. It is often beneficial to explore both options and research them thoroughly, weighing factors such as integration requirements, specialized features, and flexibility.


The Audit & Assurance Program for Cloud: The audit function plays a critical and independent role in assessing, and providing assurance, that an organization's approach to managing risks and controls, and its governance of those, is effective.


The following considerations can be crucial when assessing and adjusting the audit approach:



  • Does the set of auditable components sufficiently reflect the risks associated with the organization's cloud transformation?

  • Does the audit coverage cycle need to be adjusted to ensure that audits of the cloud adoption are timely and reflective of the broader strategic journey and key milestones?


Audit functions can scope their cloud audits by considering which question they are looking to answer:



  • Is the organization set up right? This audit considers whether the foundational elements of governance, strategy, organization, skills and capabilities have been appropriately implemented for the phase of the journey that the organization is in.

  • Is the organization designing and delivering the right technical solutions? Here we assess whether the teams designing the core architectures, infrastructure models, and capabilities that development teams leverage are doing so in a manner consistent with the organization's policies and standards, such that development teams have appropriate guardrails in place.

  • Are specific projects being delivered safely? This audit assesses whether the lifecycle of a specific project to migrate an application or workload to the cloud met the organization’s policies, standards and best practices, and whether the outcome is a secure, resilient and otherwise compliant application.


Compliance assurance on Google Cloud


Compliance assurance on Google Cloud rests on several interconnected pillars: risk management, control validation and enforcement, and continuous monitoring and auditing. Some examples are below:



  • Audit Manager: Can help automate control verification with proof of compliance for your workloads and data on Google Cloud.

  • Assured Workloads: Enables the creation of secure, isolated environments and enforces controls related to data residency, personnel access restrictions, and compliance with specific regimes such as FedRAMP, IL4/IL5, HIPAA, and various regional standards.

  • Security Command Center (SCC): Centralized security and risk management platform.

  • Cloud Audit Logs & Cloud Logging: Provide visibility into actions performed within the Google Cloud Platform (GCP) environment and record administrative activities, system events, and data access logs.

  • Organization Policies: Allow administrators to enforce specific constraints centrally, preventing configurations or actions that violate internal governance rules or external regulatory requirements.

  • Cloud Security Posture Management: Involves continuously monitoring cloud infrastructure for risks, misconfigurations, and deviations from security best practices and compliance standards.

  • Policy Intelligence: Helps you understand and manage Identity and Access Management (IAM) policies by highlighting overly permissive access and providing insights into policy usage.


Shared Responsibility Model for Compliance


Introducing "Shared Fate": Google's Evolved Approach


Recognizing the challenges customers face in navigating their responsibilities, Google Cloud promotes the concept of "Shared Fate" as an evolution of the traditional shared responsibility model. At Google Cloud, we are active partners committed to helping you achieve your desired risk and security outcomes. We are not delineators of where our responsibility ends and where yours begins. Instead, we stand with you from day one, helping you implement best practices for safely migrating to and operating in our Trusted Cloud. We call this operating model shared fate. It involves working together with us as a team toward a common security and risk management goal, and sharing a fate greater than the terms of a transactional relationship.


In the end, we rely on close communication to reduce the possibility of erroneous security presumptions that can increase your risk level. To preempt these, the shared fate concept involves Google proactively offering best-practice guidance, providing secured and attested infrastructure code templates, developing pre-built solutions that combine multiple GCP services to address complex security problems, and committing to closer interaction and collaboration with customers to help them successfully secure their resources on the platform.


Building Trust: The Ultimate Outcome of Effective Compliance


Strong compliance practices are fundamental to building and maintaining trust with all stakeholders, including customers, investors, and regulators. Demonstrating a consistent commitment to compliance with all applicable laws and regulations signals reliability and integrity. Consider resources like CSA's Cloud Controls Matrix, CRI's control framework, and FINOS' Common Cloud Controls to bridge industry frameworks with practical implementation. Where possible, codify operational controls to reduce their manual nature and potential for inconsistent application, while driving scalability, reliability, and architectural and operational effectiveness.


This gradual shift towards automation and streamlined processes can also enhance the ability to partner effectively with the second and third lines of defense. Automate controls and engage stakeholders from all lines of defense early on. Define clear criteria for control evidence and align on risk tolerance.


This systematic approach provides comprehensive visibility and control, reduces technical debt, and establishes clear metrics for measuring progress, providing meaningful insights to senior management and the board. Proactively managing and mitigating risks showcases foresight and preparedness, enhancing the organization's reputation and resilience. Ultimately, strong compliance practices cultivate a culture of integrity and accountability throughout the organization, reinforcing trust at every level.
