Governance is the set of policies and structures that make security repeatable across teams. Compliance is the discipline of proving — to auditors, customers, regulators — that those structures actually work. The cloud gives you the tools; the work is mapping them to the rules that apply to you.
The Compliance Landscape
| Framework | Who needs it | What it covers |
|---|---|---|
| SOC 2 Type II | SaaS selling to enterprises | Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy |
| ISO 27001 / 27017 / 27018 | Global, enterprise customers | Information Security Management System; cloud and PII variants |
| PCI DSS | Anyone touching cardholder data | Network, encryption, access, monitoring, scanning |
| HIPAA / HITRUST | US healthcare | Protected Health Information handling |
| FedRAMP / DoD IL | US government workloads | NIST 800-53 baselines, ATO process |
| GDPR / CCPA / LGPD | Anyone processing personal data of EU/CA/BR residents | Lawful basis, rights, breach reporting |
| NIS2, DORA | EU critical infrastructure / financial | Risk management, incident reporting, third-party risk |
| CIS Benchmarks / CIS Controls | Voluntary, industry standard | Hardening guidance per OS / cloud / Kubernetes |
Most controls overlap. Define your control set once (often based on NIST CSF, NIST 800-53, or CIS Controls) and map it to whichever frameworks apply.
Customer Responsibility Matrices
Cloud providers publish CRMs / shared responsibility tables for each compliance program. These tell you, control by control, what the provider attests to and what you must do.
- AWS — AWS Artifact for downloadable attestations and CRMs.
- Azure — Service Trust Portal.
- GCP — Compliance reports center.
Read the CRM before assuming the provider has handled something for you.
Landing Zones / Cloud Foundations
Controls scale only if they are baked into the platform.
- AWS Control Tower / Organizations + SCPs — multi-account structure, centralised CloudTrail, SCP-enforced guardrails, Account Factory.
- Azure Landing Zones — Bicep / Terraform reference architecture with management groups, policy initiatives, and subscription vending.
- Google Cloud Foundation Toolkit / Assured Workloads — Terraform blueprints + regulatory-tier projects.
A new product team gets a pre-baked account/subscription/project with logging on, encryption defaulted, network templates, IAM roles wired, and policy-as-code applied. They cannot accidentally start out non-compliant.
Policy as Code
- AWS Config rules / Conformance Packs — declarative compliance rules with auto-remediation.
- Azure Policy / Initiatives — built-in policy initiatives for ISO, NIST, PCI, etc.
- GCP Org Policy / Policy Controller — constraints on resource attributes; Anthos Config Management for k8s.
- Open Policy Agent (OPA) / Rego and HashiCorp Sentinel for cross-cloud and Terraform-time policy.
Codifying compliance lets you generate evidence on demand instead of scrambling before audits.
Audit and Evidence
Auditors want evidence of three things, repeatedly:
- Control design — written policy and procedure.
- Control existence — the technical control is in place (e.g. MFA enforced).
- Control operating effectiveness — the control kept working throughout the audit period, not just on the day it was checked (e.g. the quarterly access review actually happened each quarter, with records to show it).
Tools that automate evidence collection:
- AWS Audit Manager — pre-built frameworks; collects evidence from Config, CloudTrail, Security Hub.
- Microsoft Purview Compliance Manager — assessments tied to controls.
- Drata, Vanta, Tugboat Logic, Secureframe — third-party compliance automation across clouds and SaaS, very popular with start-ups going for SOC 2.
Continuous Compliance vs Point-in-Time Audit
The annual audit is a snapshot; reality drifts daily. Continuous compliance:
- Scans posture every few minutes (AWS Config, Microsoft Defender for Cloud, Google Security Command Center).
- Alerts on new violations (e.g. someone created a non-compliant resource).
- Auto-remediates obvious cases (apply Block Public Access, enable encryption).
- Tracks MTTR for remediation as a security KPI.
By the time the auditor arrives, you have a year of evidence — not a frantic two weeks of preparation.
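As an added illustration of the scan / alert / auto-remediate / MTTR loop above, combined with the earlier point about defining one control set and mapping it to several frameworks (this is example code written for this page, not any provider's Config or Policy engine): the rules, resource records, control references and timestamps are constructed for the demo.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# check(res) -> True when compliant; fix(res) mutates res or is None when a
# human must act; controls maps framework -> control ref (illustrative values).
Rule = namedtuple("Rule", "rule_id applies_to check fix controls")

# One control set, tagged with the frameworks each rule gives evidence for.
RULES = [
    Rule("s3-block-public", "s3_bucket", lambda r: r.get("block_public_access") is True,
         lambda r: r.update(block_public_access=True), {"SOC2": "CC6.1", "ISO27001": "A.5.15"}),
    Rule("s3-sse", "s3_bucket", lambda r: r.get("sse") in ("AES256", "aws:kms"),
         lambda r: r.update(sse="aws:kms"), {"SOC2": "CC6.7", "ISO27001": "A.8.24"}),
    Rule("iam-user-mfa", "iam_user", lambda r: r.get("mfa") is True,
         None, {"SOC2": "CC6.1", "ISO27001": "A.8.5"}),  # MFA cannot be enrolled for a person
]
SCAN_TIME = datetime(2024, 1, 1, 9, 0)  # constructed scan timestamp

def sample_inventory():  # constructed resources, not a real account
    return [{"type": "s3_bucket", "id": "logs-archive", "block_public_access": False, "sse": None},
            {"type": "s3_bucket", "id": "web-assets", "block_public_access": True, "sse": "AES256"},
            {"type": "iam_user", "id": "break-glass", "mfa": False}]

def scan(inventory, now):
    """One posture scan: a finding per violation; auto-fix where a fix exists and
    close the finding only after re-checking that the fix actually took effect."""
    findings = []
    for res in inventory:
        for rule in RULES:
            if rule.applies_to != res["type"] or rule.check(res):
                continue
            f = {"resource": res["id"], "rule": rule.rule_id, "controls": rule.controls,
                 "opened": now, "closed": None}
            if rule.fix is not None:
                rule.fix(res)
                if rule.check(res):
                    f["closed"] = now + timedelta(minutes=1)  # simulated remediation latency
            findings.append(f)
    return findings

def mttr(findings):
    """Mean time to remediate across closed findings (the KPI named in the text)."""
    closed = [f["closed"] - f["opened"] for f in findings if f["closed"]]
    return sum(closed, timedelta()) / len(closed) if closed else None

def open_by_framework(findings, framework):
    """Auditor view: (control, resource) pairs still unresolved under one framework."""
    return sorted((f["controls"][framework], f["resource"])
                  for f in findings if f["closed"] is None and framework in f["controls"])
```

Findings with a human-only fix (here the MFA rule) stay open and surface in the per-framework view, which is exactly the gap list an auditor will ask about.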
Vendor Risk Management
Compliance increasingly extends to your vendors. Maintain:
- An inventory of third parties with access to data or production systems.
- Security questionnaires / SIG / CAIQ on file.
- Reviews of their attestations (SOC 2, ISO).
- Data Processing Agreements (DPAs) for GDPR.
- Continuous monitoring (BitSight, SecurityScorecard, UpGuard) for high-risk vendors.
Data Residency and Sovereignty
- Choose regions appropriate to data residency requirements (EU data in EU regions; UK government in UK; gov-cloud for US gov).
- AWS GovCloud, Azure Government, Google Assured Workloads provide isolated regions.
- For "EU-only" workloads, use Sovereign Cloud / Trusted Cloud where contractual sovereignty matters.
- Cross-region replication and backup destinations must obey the same residency rules.
Internal Governance
- Security policies signed off by leadership; reviewed annually.
- Acceptable use, data classification, incident response policies.
- Access provisioning and review processes.
- Change management linking deploys to ticket records (helps SOC 2 and regulated environments).
- Security awareness training for all staff; phishing simulations.
The Pragmatic Order of Operations
- Pick the framework that customers and regulators demand (SOC 2 most often first).
- Stand up a multi-account/subscription landing zone.
- Enable centralised logging, MFA, default encryption, basic guardrails.
- Pick a compliance automation platform (Drata/Vanta/Audit Manager) and connect it.
- Layer additional frameworks (ISO 27001, HIPAA, PCI) once SOC 2 controls are operating.
The goal of compliance is not the certificate — it is having an organised, repeatable security program. The certificate is the artifact of that program existing.