Export compliance laws are arguably some of the thorniest of all the complexities associated with cloud computing. The laws currently on the books—which vary from country to country—can make even the savviest attorneys’ and engineers’ heads spin.
All enterprises must adhere to a variety of industry- and country-specific security, data privacy, taxation and export control rules. But these regulations are especially murky around cloud services.
Export compliance rules raise difficult questions such as, how do you retain agility while adhering to regulations? And how do those regulations and controls vary according to workload? Like tax regulations, rules for collecting and distributing user data vary depending on location.
Three questions in particular are critical to answer to better understand cloud export compliance.
Can companies maintain compliance and agility?
Increased business agility is perhaps the greatest benefit cloud offers. Cloud computing facilitates rapid provisioning of resources, allowing companies to scale and adapt quickly. But what effect does export compliance have on cloud’s speed and flexibility? This unprecedented agility requires rethinking how governance and policy enforcement is managed. Instead of manual checks, companies must transition to real-time policy enforcement and recording. This marks a change in both culture and process—the rocky road where foundations can begin to crumble.
How do compliance rules vary around the world?
Companies that operate internationally are subject to a number of rules related to taxes, region-specific controls, paperwork, registration and data protection. Cross-border provisioning requires legal counsel to establish best practices and ensure compliance. Because the cloud is a relatively new phenomenon, however, legal expertise in this area is limited.
What steps can companies take to prepare for these requirements?
There are three measures companies can follow to help ensure their cloud services comply with global export regulations.
Identify: All software that could be subject to cross-border exports requires legal guidance and approval, which means you must determine the software being exported.
Register: After identifying the appropriate software, you need to maintain a registry. Whether an image or an automation routine deploys the software, have a clear record verifying what must be registered.
Record: Many businesses make excuses for why they don’t properly document these transactions—the virtual machines in question do not belong to them or recording export transactions is only mandatory when exporting to riskier markets such as China or Iran. To protect companies from liability or legal action, legal counsel may suggest recording all cross-border software movement.
Information is power, and the more you have, the more prepared you are to deal with thorny issues like export compliance. Having an experienced cloud platform provider with sound advice can help arm you with the information you need to get to cloud quickly, safely and securely.