Risk and compliance

Risk is inevitable whenever a company stores data, processes transactions, or interacts with its customers: there will always be bad actors who want to steal or manipulate that data, those transactions, or those interactions. But bad actors are not the only risk a company faces; compute resource faults and software bugs are also a very real possibility and must be managed appropriately. The cloud offers a shift in risk, not a reduction in risk. Most major cloud providers operate under a shared responsibility model for the implementation of security and controls. Typically, this means that the cloud provider owns and operates (and assumes the risk for) everything from the concrete to the hypervisor, while the customer is responsible for everything from the operating system up through the application stack. Cloud providers are also typically very aggressive in achieving industry and governmental compliance certifications (the Payment Card Industry Data Security Standard, or PCI-DSS, and ISO 27001, for example) for their individual services. The risk here is that a company must understand that, under the shared responsibility model, a provider's service may be certified for a specific type of workload, but unless the company designs its workload to implement those same controls on its side of the boundary, the workload will not pass an audit.

Compliance is not only an external concern; often, a company will have a strict internal governance model that requires specific controls to be in place for certain types of data and workloads. In these cases, the cloud provider will not be able to implement those requirements, since they are specific to that organization. However, there are often ways to map these internal controls to external certifications with similar requirements in order to demonstrate compliance. The mapping of these controls, both external and internal, is critical to success in the cloud, because it ensures that data and workloads use only services that are in scope for the classification of a given application. Large and complex organizations often have hundreds or thousands of applications, each with its own data and processing characteristics, so completing this compliance exercise is an important component of the cloud operating model.

An important consideration is that the cloud vendors' pace of innovation will likely outpace a company's ability to analyze and approve services for use in new workloads. While it is critical that a company be diligent in ensuring that the services used in its systems are secure and can pass external and internal audits, it is equally important that this diligence not become an excuse to slow down the business's own requirements. It is possible to adopt newly released services in a safe and timely manner, and companies should strive to make this a reality. One approach is to allow an innovation team to build less mission-critical systems using the most advanced cloud native services, while developing critical systems on more mature services that have already been reviewed and approved.
