Ensuring continuous compliance in dynamic multi-cloud architectures is quite a task. The challenge: achieving and maintaining the required level of compliance across all environments. To many this seems more complex than traditional data center operations. But cloud computing opens up possibilities to stay compliant that by far outweigh the challenges it may add.

In this post you will learn

  • what we mean by continuous compliance,
  • the typical challenges of implementing continuous compliance,
  • why a declarative approach is superior,
  • and as a bonus: what tools and services Azure, AWS and GCP offer to help you stay compliant.

Let's get started!

What is continuous compliance?

For compliance efforts to make any sense they have to be ongoing. That means they have to stretch way beyond the initial setup and migration. Continuous compliance ensures a compliant state of all cloud environments at any point - especially in day-to-day operations.

A failure to comply with regulation such as the European GDPR can result in substantial fines and loss of reputation.

Continuous compliance is a matter of culture and strategy in your organization. It is also a matter of using the right tools and services to actually live up to the set standards in practice.

Continuous compliance frees IT departments from only reacting to regulators or threats to data security: Well-implemented continuous compliance practices prepare the organization for future security threats and audit requirements.

The 3 hurdles to get over when implementing continuous compliance

There are 3 major hurdles any organization needs to clear when it comes to continuous compliance and moving to the cloud:

  1. Evaluation,
  2. building,
  3. scaling.

The evaluation of general and industry-specific regulation is the first - easier - step. It's followed by the assessment of possible cloud platforms and the definition of enterprise-specific compliance requirements.

By building we mean the challenge of implementing the continuous compliance strategy organization-wide, spanning all teams, environments, and applications.

The last hurdle is making the continuous compliance strategy and implementation fit for scale. New cloud platforms, new projects, and the dynamic change of existing environments must all be incorporated in continuous compliance efforts.

Continuous Compliance in Cloud Computing

Moving workloads to the cloud is a complex operation, especially in multi-cloud architectures with multiple cloud service providers like AWS, Azure, and GCP. Achieving and maintaining compliance across clouds and applications seems more difficult than traditional data center operations.

Figure: Cloud migration timeline showing compliance milestones.
On this timeline, you can see the major compliance milestones in the cloud migration process and during operations: from evaluation to building and scaling.

The added complexity is outweighed by the added transparency the cloud offers: Cloud technology allows you to audit, query, alert and resolve issues on a grand scale across all environments.

There is no denying it - initial definition is complex: A service provided by central IT - let's say a jump host - may take weeks or even months to get security and compliance clearance. But services provided by the cloud, like logging and anomaly detection, paradigms like CI/CD, and automation are great tools to overcome complexity and build on a large scale.

The extent to which companies can utilize the new options and what it will cost them depends on the approach they opt for:

We distinguish between the workflow-centric and the declarative approach.

Challenges of the workflow-centric approach

A common way to speed up slow manual processes is to automate the workflow.

So for example, instead of having an Azure admin manually create and configure a subscription for a DevOps team, a script automates the workflow to reduce the time needed.

But what happens if the DevOps team lead goes ahead and changes the setup to better suit the application's needs? Right: configuration drift, and no one will be aware of the environment becoming non-compliant.

To detect non-compliant environments, compliance monitoring can be introduced afterwards: it raises an alarm if compliance policies are violated. A workflow must then be triggered again to resolve the discrepancies.

The declarative approach: Taking continuous compliance a step further

A superior approach is to define the desired state. That is what we mean by the declarative approach. It is the final and most mature stage in our multi-cloud management maturity model and offers a lot of potential to clear the hurdles of building and scaling we talked about earlier.

The declarative approach focuses on the what as opposed to the how of the workflow-centric approach: The declarative approach has the benefit that it enables a continuous validation of the actual state against the defined desired state (re-certification) and provides a single source of truth to avoid configuration drift.

To stick with the Azure example, the desired state could be an Azure subscription with access permissions for a DevOps team lead and one of his team members. This desired state definition can be continuously compared to the actual state. If no subscription or permissions exist yet, they will be set up initially. If the DevOps team lead changes the configuration, this will be detected. If the change is intended, the desired state can be updated; if not, the action can be undone to get back to the desired configuration.

The declarative approach covers both technical and organizational compliance measures: Tools like Azure Resource Manager templates help you describe the desired state to ensure continuous technical compliance.

The same is possible for continuous organizational compliance: As part of the government-funded MultiSecure project, meshcloud enables enterprises to describe organizational structures in a declarative format.

Let's have a quick look at an example: productive cloud environments not only have to follow specific configurations - provided by landing zones - but organizations also have to make sure that only authorized staff create and access these environments.

The idea of MultiSecure is to describe organizational elements and their relationships as code in an open and reusable format - a declarative manifest that represents the desired target state of the organization. MultiSecure allows centralizing this information in an open format instead of squeezing the organization into the organizational models envisaged by the cloud providers, which would mean maintaining multiple proprietary organizational models in parallel and in a distributed way. It builds a projection of the organization that can be consumed by different systems.

A practical look at using meshcloud

Let's have a look at how you can prevent unauthorized and unintended permission changes in your cloud environments using meshcloud:

The creation of new cloud environments often comes with a certain permission set. A DevOps team lead creates a project and receives permissions to access and edit the corresponding cloud environments and so do the other DevOps team members who work on the application deployment.

If DevOps teams receive cloud-native access to the clouds, such permissions are prone to unintended or unauthorized change.

To prevent this configuration drift, the permissions must be monitored. With meshcloud - following the declarative approach - the desired state of configurations is continuously checked against the actual state of the subscription. In case of deviations, the configurations will be automatically restored to maintain a compliant state of all environments.
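The desired-state comparison described in the Azure example above and in this meshcloud section, as an added illustration that is not meshcloud's or any cloud provider's code: a minimal reconciliation cycle that diffs a declarative manifest of role assignments against the observed actual state, adopts drift that was explicitly approved into the manifest, and undoes everything else. Subscription names, principals and roles are constructed sample data, and the cloud API calls are represented as returned action tuples rather than real requests.

```python
# Added example (not meshcloud's code). Desired state: one constructed subscription
# with access for a DevOps team lead (Owner) and one team member (Contributor).
DESIRED = {
    "sub-devops-app1": {
        ("alice@example.com", "Owner"),        # DevOps team lead
        ("bob@example.com", "Contributor"),    # team member
    }
}


def diff_assignments(desired, actual):
    """Return {subscription: (missing, unexpected)} for every drifted subscription."""
    drift = {}
    for sub in desired.keys() | actual.keys():
        want = desired.get(sub, set())
        have = actual.get(sub, set())
        missing, unexpected = want - have, have - want
        if missing or unexpected:
            drift[sub] = (missing, unexpected)
    return drift


def reconcile(desired, actual, approved=frozenset()):
    """One re-certification cycle.

    `approved` holds (subscription, principal, role) tuples whose drift is intended;
    those are adopted into the returned manifest. All other drift is undone.
    Returns (new_desired, actions); actions are ("grant"|"revoke", sub, principal, role)
    in the order a real implementation would issue them against the cloud API.
    """
    new_desired = {sub: set(a) for sub, a in desired.items()}
    actions = []
    for sub, (missing, unexpected) in diff_assignments(desired, actual).items():
        for assignment in sorted(missing):
            if (sub,) + assignment in approved:
                new_desired[sub].discard(assignment)      # intended removal: update manifest
            else:
                actions.append(("grant", sub) + assignment)  # initial setup or restore
        for assignment in sorted(unexpected):
            if (sub,) + assignment in approved:
                new_desired.setdefault(sub, set()).add(assignment)  # intended: update manifest
            else:
                actions.append(("revoke", sub) + assignment)        # unintended: undo drift
    return new_desired, actions
```

Running `reconcile(DESIRED, {})` yields only grants (the initial setup case); running it against an actual state where the team lead added a third principal yields a revoke unless that assignment is passed in `approved`.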

Bonus: A quick look at Azure, AWS and GCP compliance services

The big public cloud platforms offer a range of resources, tools, and services to help their customers implement their continuous compliance strategies.

Let's have a look!

Microsoft Azure:

Microsoft puts its Azure Trust Center forward to explain what Azure offers in terms of compliance: From audit reports and compliance offerings (including regulation and certification like GDPR or ISO 27001) to their understanding of shared responsibility.

With Azure Security Center Microsoft offers an infrastructure security management system to protect cloud and data center workloads.

Further Azure services include

  • Azure Sentinel (cloud native SIEM and security analytics)
  • Azure Policy (implementing governance and standards for Azure resources)

Amazon AWS:

Amazon offers what they call the AWS Security Hub. It provides insights into the security state of AWS environments and helps to check against set security and compliance standards.

AWS Systems Manager provides visibility and control to manage infrastructure securely at scale. It helps to maintain compliance by detecting policy violations.

Google Cloud Platform:

In its Cloud Compliance Resource Center, Google collects all important information on what tools and services GCP offers to help you stay compliant on its platform. Google provides a wide variety of compliance offerings, global and regional.

With Google Anthos there now is a service that lets you enforce security and compliance policies across all cloud environments.

GCP also supports third-party services like Forseti Security that monitor, enforce, and display policies.

To learn more about the meshcloud platform, please get in touch with our sales team or book a demo with one of our product experts. We're looking forward to getting in touch with you.

One cloud is not enough: by now 81% of companies follow multi-cloud strategies. That makes it likely that on top of managing your cloud migration you have to take care of managing the use of multiple cloud platforms as well – but when done right, the benefits outweigh the possible administrative overhead in many ways. We asked our customers and came up with 6 reasons why the multi-cloud approach is a winning strategy:

Avoiding Vendor Lock-in

While all hyperscalers offer multiple data center locations across the world, which enable companies to spread the risk and ensure availability even when using only a single provider, the fear of dependency leads a lot of companies to the multi-cloud. Looking at the cloud-native landscape of the past couple of years, we see new platforms appearing on the horizon continuously. How can you make sure you are betting on the right horse if you decide to go for a single-cloud approach? (Spoiler: You can't, and here is why.)

Best-of-breed Approach

Companies run a large variety of applications. For example, there may be a mobile application along with a heavily frequented e-commerce platform. Then there are internal applications to manage travel expenses and sick days, and a new data science team uses collected data to run analyses to optimize resource management and fulfillment. The bigger the company, the greater the variation in cloud service requirements. A best-of-breed approach means that the company uses the most suitable infrastructure type and provider for each workload.

Cloud Migration

Let's think about banks or industrial companies. They have been running software for decades, long before cloud computing even existed. The move to the cloud is an essential step, as their business models are often at risk, raising the need to innovate fast. So they have two tasks to accomplish: 1) build new applications on cloud infrastructure to enable scalability and fast adaptation to the market with practices like continuous deployment; 2) migrate existing applications to the cloud to enable automation and gain efficiency. As a result, they will have to deal with a very heterogeneous infrastructure during this cloud migration process. It makes sense to set up a system that is able to cope with multiple platforms and providers straight away, as this prepares for the future, where more cloud platforms will be integrated.


The big cloud vendors often offer better conditions if they get an exclusive contract in exchange. Therefore, cost-sensitive companies will compromise and choose a single provider, aware of the vendor lock-in they get themselves into as well as of the fact that the chosen cloud platform may not be the best candidate for all their workloads. It still makes sense to be prepared for multi-cloud scenarios. Especially fast-growing B2C companies aiming for market leadership buy their smaller competitors. While these competitors may operate in the same manner, they may have chosen a different platform to start with. The systems have to be integrated, either by migrating the workloads of the acquired company to match the rest or by enabling the parallel use of multiple platforms. Having thought of this beforehand and planned the system accordingly will help here.

Skill and Employer Attractiveness

Finally, people are different. They have different backgrounds and different preferences. And sometimes it will make sense to go for the platform your employees are best trained in and most familiar with. An example: it may be cheaper to run applications on IaaS. However, this requires your employees to be familiar with setting up and automating infrastructure using infrastructure as code. If you don't have these resources, you may be better off investing in a PaaS platform that may be more expensive in infrastructure costs but better leverages existing developer resources. It is not only the existing skill that matters. It has been found that developers are much happier if they get to work with their preferred tools. While this may sound like a nice-to-have, it actually impacts productivity as well as the attractiveness of the employer for new talent.

Cost Efficiency

Depending on the scale of your cloud spend, it may be beneficial to spread your applications across different platforms and leverage price differences between providers for different services. Hybrid cloud setups have even more room for optimization if they have set up a fine-granular metering and billing solution for their private cloud environments. For smaller companies it may be beneficial to use multiple clouds, as vendors provide them with large amounts of free credits that they can use before having to pay.