Compliance is important to cloud adopters and remains a barrier to entry for some large enterprises and government agencies. Without assurance that services will meet the right standards, many adopters are unwilling to put their data and applications in the cloud.
Companies planning to store or share sensitive data often use high-level certifications – such as the ISO 27000 series – as a starting point for evaluating cloud providers. But many adopters also look for compliance certifications that are required for specific industry verticals. Payment Card Industry (PCI), Healthcare Insurance Portability and Accountability Act (HIPAA), and Federal Information Security Management Act (FISMA) compliance are several of the most commonly sought certifications.
Adopters have reasonable concerns about compliance, and they want to know which providers are actually capable of meeting their requirements.
- ISO/IEC 27000
- SSAE 16
- PCI DSS
- Safe Harbor / EU Directive 95/46/EC
Of the 26 cloud providers available for comparison as of March 2015, only four were compliant with all six categories. These providers were AWS, M5, Microsoft and Stratogen. One provider was surprisingly absent from this list – Google.
After digging deeper, it turns out that Google has yet to achieve FISMA compliance for Google Cloud Platform (GCP). It also lacks compliance with the Federal Risk and Authorization Program (FedRAMP), which provides government standards for evaluating and monitoring the security of cloud services. Google hasn’t ignored FISMA certification completely; in 2010 it made efforts to certify its portfolio of business applications, aka Google Apps. But when Google announced that it had achieved FISMA compliance, the Department of Justice revealed that only Google Apps Premier had been certified, and not Google Apps for Government. Google was also confronted by Microsoft on the legitimacy of its claims. Google has since received complete FISMA certifications for Google Apps, and is currently listed as a “CSP pursuing an Agency Authorization” for FedRAMP; but it’s been a bumpy ride.
Google has also lagged behind on HIPAA compliance, and only began offering business associate agreements (BAAs) to customers in early 2014. The HITECH Act of 2009 states that any HIPAA business associate serving a health care provider or institution is subject to audits and can be held accountable for data breaches. AWS started entering into BAAs with customers in mid-2013, but a key difference is that AWS was already well established within the healthcare segment and had a platform that was recognized for its compliance with HIPAA policies.
Keep in mind that Google was relatively late to the cloud race. Google Compute Engine (GCE) only became generally available in December 2013. But Google wants to cement its position as one of the “big three” players. Realistically it should be delivering the same level of compliance as Microsoft and AWS on all fronts. Providers that lack compliance, including Google, are missing out on major sales opportunities in new and fertile market segments.
Compliance Is a Dealmaker – and a Deal Breaker
It’s somewhat surprising that Google lacks FISMA and FedRAMP compliance when its competitors have secured government contracts in the order of nine to ten figures. IBM was awarded a stunning $1B cloud contract by the Department of the Interior (DOI) in 2013, which is the largest federal cloud contract to date. AWS made a similar $600M deal with the CIA in 2013 for a private computing cloud. AWS also offers GovCloud services: “an isolated AWS Region designed to allow US government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.”
Can big players like Google really afford to overlook compliance certifications when competitors are scooping up massive customers in these untapped segments?
Some cloud providers are even approaching compliance as a way to differentiate and surpass competitors. Microsoft recently became the first cloud provider to comply with ISO 27018 standards, which establish guidelines for protecting personally identifiable information in accordance with ISO/IEC 29100 in public cloud environments. As a result, Microsoft has secured bragging rights and achieved significant visibility.
Providers like AWS and IBM prove that compliance is a dealmaker. In fact, both companies were prime candidates for the same CIA contract. Even though AWS walked away with the deal, IBM’s strengths landed it an even bigger contract with the DOI. It also surpassed Amazon by $400M. This is a notable accomplishment considering that AWS is widely recognized as the top player in the cloud space. It also shows that there is enough demand for more than one provider to fulfill.
Compliance can also be a deal breaker. In 2012, Fujitsu was blacklisted by the UK government as being “high-risk” for failing to comply with performance standards set by the Cabinet Office. A spokesman from the Cabinet Office stated, “Suppliers deemed high-risk will be subject to particularly close scrutiny when awarding new work.” As a result, Fujitsu lost the renewal of three government contracts with the Cabinet Office, the Treasury, and the Department of Environment and Climate Change, for outsourcing of IT infrastructure and services. It is probably just a matter of time before we see agencies in the U.S. take a stronger stance against non-compliant service providers.
Failure to Comply Is Not An Option
Cloud computing is well beyond its infancy, but many providers still lag in compliance, and don’t seem to understand that compliance drives buying decisions in the cloud. By failing to comply, they are excluding large segments of potential customers.
Providers that want to compete in the big leagues shouldn’t overlook compliance certifications such as HIPAA, FISMA and FedRAMP. Compliance impacts their bottom line, and they could be losing deals whether or not they’re aware of it. Providers like AWS and IBM demonstrate how compliance can translate to significant revenue.
One thing is clear – there are many organizations that have yet to make the transition to the cloud. Compliance will be the key to breaking down adoption barriers within industry verticals, and could drive sales representing billions of dollars in potential revenue. For cloud providers, failure to comply is no longer an option.