Can you place cloud-based compliance into a domain?

Deloitte on Cloud Blog

Configurable domains may help you abstract yourself from regulatory complexity and remain compliant with minimal effort.

March 8, 2019

A blog post by David Linthicum, managing director, chief cloud strategy officer, Deloitte Consulting LLP

People often ask how I deal with compliance issues that can change each year. My answer? The right architectural approach is to place them into a configurable domain.

What does that mean? It could cover anything that needs to change based upon configurations instead of programming, such as the rules of a governance engine. Programming would require that changes go through testing, integration, etc., whereas rules or governance engines only require that we change policy or rule configurations.

A good analogy is the settings subsystem on our phones. While we could get into the iOS or Android operating systems programmatically to change the configuration, it’s much easier to leverage settings for tasks like WiFi configuration and password resets.

Since compliance is really about following rules, and those rules often change, placing those rules into a configurable domain is a good idea. Indeed, there are governance systems that address these specific issues by allowing you to create policies that determine and enforce rules, such as setting the time of day that people can log in, or backing up regulated data at intervals. My personal favorite is the ability to have regulations that layer on top of older regulations; nested regulation, if you will.
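The rules named above (a login time window, backup intervals for regulated data, and a newer regulation layered on an older one) can be sketched as plain data plus a small evaluator. This is an added example, not code from the post or from any governance product; every key, value, and function name is hypothetical.

```python
from datetime import datetime, time, timedelta

# Constructed policy layers (hypothetical keys and values). Each layer is pure
# data; a later layer overrides or extends earlier ones, modelling a newer
# regulation stacked on an older one.
BASE_REGULATION = {
    "login_window": {"start": "07:00", "end": "19:00"},
    "backup_max_interval_hours": {"regulated": 24},
}
NEWER_REGULATION = {"backup_max_interval_hours": {"regulated": 6, "financial": 1}}

def merge_layers(*layers):
    """Fold layers left to right: later values win, nested dicts merge."""
    merged = {}
    for layer in layers:
        for key, value in layer.items():
            if isinstance(value, dict):
                prev = merged.get(key)
                merged[key] = merge_layers(prev if isinstance(prev, dict) else {}, value)
            else:
                merged[key] = value
    return merged

def login_allowed(policy, when):
    """True if `when` falls inside the configured window (end is exclusive)."""
    window = policy["login_window"]
    start, end = time.fromisoformat(window["start"]), time.fromisoformat(window["end"])
    now = when.time()
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window wraps past midnight

def backup_violations(policy, datasets, now):
    """Names of datasets whose last backup is older than their class allows."""
    limits = policy["backup_max_interval_hours"]
    return sorted(
        name for name, (data_class, last_backup) in datasets.items()
        if data_class in limits and now - last_backup > timedelta(hours=limits[data_class])
    )

# Constructed sample inventory: name -> (data class, time of last backup).
NOW = datetime(2019, 3, 8, 12, 0)
DATASETS = {
    "hr_records": ("regulated", NOW - timedelta(hours=10)),
    "ledger": ("financial", NOW - timedelta(minutes=30)),
    "wiki": ("internal", NOW - timedelta(days=100)),
}

if __name__ == "__main__":
    for label, layers in (("old", [BASE_REGULATION]), ("new", [BASE_REGULATION, NEWER_REGULATION])):
        policy = merge_layers(*layers)
        print(label, login_allowed(policy, NOW), backup_violations(policy, DATASETS, NOW))
```

Adding the newer layer changes the verdict on `hr_records` without touching the evaluator, which is the property the configurable domain is meant to provide.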

These governance engines can exist either as cloud-native systems or as engines that are supported and provided by a specific cloud computing provider. They can also leverage a third-party governance or rules engine, typically one that is purpose-built to deal with compliance issues.

This is a very good idea when you get right down to it. It’s better to leverage a tool that allows you to abstract yourself from regulatory complexity and remain compliant with minimal effort or risk.

Of course, there are downsides. Extra cost, one more system to maintain and operate, the risk that interfaces will change and thus things will break; the normal stuff. These drawbacks all need to be factored into the overall value proposition of this approach.
