# Achieve Business Harmony and Compliance Through Automated Policy Enforcement

By [John Martinez](https://www.paloaltonetworks.com/blog/author/john-martinez/ "Posts by John Martinez"), Feb 21, 2019

I was doing some compliance research recently and came across the following statistic from the [Veritas Truth in Cloud Study](https://www.veritas.com/form/whitepaper/the-truth-in-cloud#): "76% of organizations believe that their cloud service providers take care of all data privacy and compliance regulations." Once I had a chance to collect my jaw from the floor, I began to write this blog post.

According to the [Shared Responsibility Model](https://www.youtube.com/watch?v=MeQwyc6LMOk), the customer (you) is responsible for ensuring the security, privacy and compliance of your workloads and data in the cloud. For this post, let's zero in on compliance.

There are more compliance frameworks than I can count on two hands, and depending on your industry, it's mandatory to comply with one or more of them. Here's a small handful, for example:

* ISO 27001: International standard
* SOC 2: Popular in the U.S., particularly with financial services and SaaS providers
* FedRAMP: Government clients, NIST 800-53
* PCI: Credit card payment processing
* HIPAA: Healthcare patient data
* GDPR: Personal data

Become intimately familiar with the frameworks that apply to your business as a prerequisite. From there, you can start tackling roles and responsibilities within your organization.

**Cloud Security and Compliance Is a Team Sport**

We hosted a [webinar](https://www.brighttalk.com/webcast/10903/337122/compliance-is-a-team-sport) on this very topic back in October, but I think it's important to reiterate some of the key players and their responsibilities around ensuring compliance. *EVERYONE plays a role.*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/02/Cloudcompiance-500x128.png)

I like to categorize them into three buckets:

* **Management** (e.g., C-levels): These are the people who are legally responsible if your organization is out of compliance. It's not only a matter of brand: these folks are literally on the line for the repercussions, including jail time.
* **Compliance** (e.g., internal auditor and governance teams): These people are the interface between the business and the governance powers that be. They must make sure compliance programs are up to date and tested consistently.
* **InfoSec and Developers** (e.g., SecOps and DevOps): These people are tagged to do the work the audit team needs to showcase proof of compliance.

And we can drill down even further. Let's look at the roles and priorities of three key players and how they vary with your organization's level of cloud maturity.

| | **Adopt Phase** | **Expand Phase** | **Scale Phase** |
|---|---|---|---|
| **SecOps** | Adapting policies; exploring tools | Automating security monitoring & assessment for full visibility | Automating enforcement of policy |
| **DevOps** | Adopting a security-first approach; learning what is available from CSPs | Developing processes to ensure best practices are followed | Automating workflows to validate configuration BEFORE deployment |
| **Compliance** | Learning plans and impact of deployments; understanding what is inherited from CSPs | Performing periodic measurement to identify gaps in compliance | Compliance scorecard by month, week or day |

Figure 1: Cloud maturity levels

**The Underlying Contention Between Teams**

It's arrived: the dreaded compliance audit. As if SecOps and DevOps aren't busy enough with IR, now they must shift focus and pile on a ton of work to help the compliance team ensure a passing score for a security audit. That is typically a manual process that requires significant time and resources and causes hefty delays for their priority initiatives apart from compliance. Herein lies the problem.
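The Scale column of Figure 1 (automated enforcement, validating configuration BEFORE deployment, and a compliance scorecard) can be made concrete with a small policy-as-code gate that a pipeline runs on a deployment plan before anything is created. This is an added example, not code from the post or from any Palo Alto Networks product; the resource fields, control ids and the framework tags on each control are constructed for illustration and are not an authoritative mapping of any framework's requirements.

```python
"""Pre-deployment policy gate with a per-framework compliance scorecard.
Constructed example: fields, control ids and framework tags are illustrative only."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Control:
    control_id: str
    frameworks: tuple               # illustrative tags from the post's framework list
    applies_to: str                 # resource type the control is evaluated against
    check: Callable[[dict], bool]   # returns True when the resource is compliant


# Constructed control set; the framework tags are NOT a legal mapping.
CONTROLS = [
    Control("STO-1", ("PCI", "HIPAA", "SOC 2"), "storage",
            lambda r: not r.get("public_read", False)),
    Control("STO-2", ("PCI", "HIPAA"), "storage",
            lambda r: r.get("encryption_at_rest") is True),
    Control("DB-1", ("PCI", "SOC 2"), "database",
            lambda r: "0.0.0.0/0" not in r.get("ingress_cidrs", [])),
    Control("DB-2", ("SOC 2", "HIPAA"), "database",
            lambda r: r.get("audit_logging") is True),
]


def evaluate(resources: list) -> list:
    """One finding per (resource, applicable control) pair."""
    findings = []
    for res in resources:
        for ctl in CONTROLS:
            if ctl.applies_to == res["type"]:
                findings.append({"resource": res["name"], "control": ctl.control_id,
                                 "frameworks": ctl.frameworks, "passed": bool(ctl.check(res))})
    return findings


def scorecard(findings: list) -> dict:
    """Percent of applicable checks passing, per framework (Figure 1's 'scorecard')."""
    totals, passed = {}, {}
    for f in findings:
        for fw in f["frameworks"]:
            totals[fw] = totals.get(fw, 0) + 1
            passed[fw] = passed.get(fw, 0) + int(f["passed"])
    return {fw: round(100.0 * passed[fw] / totals[fw], 1) for fw in sorted(totals)}


def gate(findings: list) -> bool:
    """Deployment proceeds only when every applicable control passes."""
    return all(f["passed"] for f in findings)


# Constructed deployment plan, as a pipeline would see it BEFORE deployment.
SAMPLE_PLAN = [
    {"type": "storage", "name": "customer-exports",
     "public_read": True, "encryption_at_rest": True},
    {"type": "database", "name": "billing-db",
     "ingress_cidrs": ["10.0.0.0/8"], "audit_logging": False},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_PLAN)
    print("scorecard:", scorecard(found))   # {'HIPAA': 33.3, 'PCI': 66.7, 'SOC 2': 33.3}
    print("deploy allowed:", gate(found))   # False
```

A failing gate is what "automating enforcement of policy" means in practice (the plan never reaches the cloud account), while the scorecard is the artifact the compliance team's periodic measurement can be built on.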
The good news is that automation can help reduce this contention and unite these teams for the greater good: continuous compliance.

**Security by Design - Automating Policy Enforcement**

According to the [RightScale 2018 Cloud Security Report](https://www.rightscale.com/press-releases/rightscale-2018-state-of-the-cloud-report), 42% of organizations are focused on automating policies for governance. This is good news. Even better, compliance requirements can be fulfilled in the cloud with the right strategy, tools and governance, all rooted in automation.

Automating policy enforcement is hugely beneficial. It helps ensure visibility of policies across clouds and the larger organization, and it propels innovation through confidence that critical policies and standards are always being upheld. Here are some points to keep in mind as you build your strategy and execution:

1. **Take a "Shift Left" Approach.** Be sure to involve policymakers at each step, and as each project is deployed. Also, don't forget that incidents will happen. Account for these as part of your project delivery timelines upfront.
2. **Take a Cloud-Centric Approach.** Remember that the cloud is not your data center. You must approach security and compliance, including automated policy enforcement, differently.
3. **Prototypes Become Permanent.** In the cloud, it's never just an experiment. As quickly as you can say "cloud workload," your "experiment" can be exposed on a massive scale.

Maintaining compliance as requirements increase and expand in scope can be challenging. The Palo Alto Networks RedLock security and compliance service continuously monitors all cloud resources for potential compliance violations and provides customizable one-click compliance reports. Click-through controls resolve issues quickly in the face of ever-changing configurations and development requirements.

*Want to learn more? Check out our on-demand webinar:* [*12 AWS Best Practices to Get You #CloudFit*](http://www.start.paloaltonetworks.com/are-you-cloudfit)