Pursuing Azure Solution Compliance in the Real World
Friday, Mar 29, 2019
Technical Architect, Digital Services
In my experience, the following are some of the usual reasons behind their concerns in cloud adoption.
- What about Network latency?
- Will we be losing control?
- Cloud? What is it exactly?
- Regulations, Regulations!
What about Network latency?
This is somewhat justified, as nothing will be faster than your own data center for back-end systems; the inevitable latency is governed by the laws of physics!
However, with Azure's coverage of more than 50 regions worldwide, organizations can select the nearest region with the lowest latency for deploying their workloads, which benefits not only their back-end systems but also performance for their end users.
New Azure regions are on the rise, with the latest announced in UAE, Norway, and Switzerland, at the time of writing this article.
Further, some service offerings can improve latency, such as ExpressRoute for a high-bandwidth, low-latency extension of the organization's network, and CDN for static content caching, just to name a few.
Will we be losing control?
Traditional organizations are accustomed to having everything in their own data centers and under their control. This is a paradigm shift for these organizations, and if they are not serious about moving to the cloud, they simply won't.
Less control is not necessarily a bad thing; it also means less responsibility for the organization in managing resources. Each organization should find the right level of control and responsibility by choosing the right cloud service type.
Cloud? What is it exactly?
Some organizations' stakeholders see the cloud as a big unknown that will make them step out of their comfort zone and into a completely new territory. They simply don't fully understand it.
In these organizations, you may find contradictory objectives: they want to achieve digital transformation and cloud adoption, yet they are reluctant to take any real steps towards these goals.
These customers usually have many questions, and they simply need guidance on how to tap into the cloud's full potential, and how it can truly become a key business enabler for the organization.
Demos and POCs are a great way to start. You should demonstrate the different cloud service types (IaaS, PaaS, SaaS) and what each of these brings to the table, and provide guidance on choosing the right service type.
Regulations, Regulations!
This is a tough one, as there are several regulations, revisions of these regulations, industry-specific regulations, and country-specific regulations. You need to know which set of regulations the organization should be compliant with.
The Azure platform is compliant with mainstream regulations, and Microsoft is continuously addressing these regulations and achieving compliance certifications as a cloud service provider for different regions and countries.
Check the following link for Azure compliance offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings
It is important to highlight that Azure's ironclad compliance measures do not mean your cloud-based solution will inherently be compliant as well. You should do your due diligence to make sure that your solution itself doesn't violate the regulation constraints.
A great starting point should be to use Microsoft Reference Architectures, and to follow proven design and security practices.
The Platform and Solution are compliant, not enough?
In one project, I got a set of requirements and constraints from one organization. They had on-premises legacy systems with business-critical services that included sensitive data.
Due to the organization's strict regulations and security constraints, they needed a solid hybrid architecture that is compliant with those constraints while fulfilling the new set of functional requirements using Azure workloads.
In this case, even though the solution was technically compliant and followed Microsoft reference architectures, and proven design and security principles, the customer's reluctance came from wanting to avoid the hassle of providing compliance and assessment processes and documentation to the relevant regulatory entity governing the organization.
Microsoft's Compliance Manager is a good tool that will assist in tracking and verifying the organization's regulatory compliance; however, I believe that tailored, on-site support from the Microsoft team would be much better in terms of assisting organizations and streamlining these compliance and assessment processes.
You should always try to understand the root cause of the customer's reluctance in cloud adoption, in order to appropriately address it, whether they are new to cloud platforms, have technical-related concerns, or are required to abide by a certain set of regulations.
POCs are very powerful, as these provide a great way to show customers concrete evidence addressing any of their concerns.
Further, Microsoft and ISVs should collaborate to fulfill organizations' needs in terms of technical and compliance aspects. This will speed up their cloud adoption process, and most importantly will do that with complete trust and understanding from our customers.