The 80/20 rule of Cloud Compliance

by Gerardo Estaba, Principal Solutions Architect at AWS.  

I love the Pareto principle, also known as the 80/20 rule. This principle states that roughly 80% of effects come from 20% of causes.

While the exact ratio may vary, you can see this pattern across many areas of life:

• Legend has it that Vilfredo Pareto first observed this rule in his garden, where 20% of pea pods produced 80% of his peas.
• In business, around 80% of profits often come from 20% of customers.
• For time management, about 20% of work delivers 80% of results.
• In padel tennis (yes, you should try it—no, it’s not pickleball), 20% of my moves look like I know what I’m doing, and they somehow deliver 80% of my points.

This principle shows an unequal relationship between inputs and outputs, making it especially useful for tackling complex, often daunting topics—like compliance.

The 80 20 rule applied for Compliance

Before diving into compliance, let’s clarify the difference between security and compliance – who are often used in the same sentence. 

Compliance provides the documented framework and regulatory requirements that guide security implementations, while security delivers the technical controls and operational measures needed to achieve and maintain compliance.

Say what? 

Think of security as the practical “how” and compliance as the documented “what” – they are two sides of the same coin working together to protect organisational assets. While security controls are how you protect your assets, compliance is about proving you’re doing the right things

Today, I’m diving into the 80/20 of compliance—security’s less glamorous cousin, yet equally critical.

The 80/20 of Compliance

Here’s my take on how to achieve maximum compliance impact with focused effort.

1. Documentation

If it’s not documented, did it even happen?

Comprehensive documentation is the bedrock (not that bedrock) of compliance. Well-organised, current documentation not only provides clarity during audits but also aligns your teams around policies and best practices. Key elements include:

• Security Policies: A structured set of rules on how assets are to be protected. These outline acceptable use, data protection practices, and user access controls.
• Incident Response Procedures: Clear steps for identifying, addressing, and reporting security incidents to mitigate damage quickly.
• Data Handling Guidelines: Protocols on how to collect, store, process, and share data securely, considering privacy laws and regulations.
• Business Continuity Plans: Preparedness strategies to ensure critical functions remain operational in the face of disruption.

Proper documentation not only supports compliance but also drives organisational resilience.

2. Regulatory Mapping

By prioritising key regulations, you’re not just checking boxes—you’re actually protecting the business where it counts.

Identifying which regulations apply to your organisation is step one. E.g.:

• APRA (Australian Prudential Regulation Authority) for Australian financial services
• GDPR (General Data Protection Regulation) for protecting EU data privacy
• HIPAA (Health Insurance Portability and Accountability Act) for healthcare data in the U.S.
• PCI DSS (Payment Card Industry Data Security Standard) for payment processing
• SOC 2 (Service Organisation Control 2) for service organisations with data security needs.

The next is embedding these standards into your operations. Here’s how:

1. Prioritise Key Requirements. Focus on high-impact regulations first, addressing those with major penalties or direct relevance to your core business.
2. Assign Accountability. Designate specific teams or individuals to manage compliance for each regulation, ensuring clear responsibility and tracking.
3. Integrate into Policies. Embed regulatory needs into day-to-day operations and policies—think GDPR data handling in customer support or APRA documentation in financial records.
4. Monitor Continuously. Set up regular audits and monitoring to stay compliant over time and catch issues before they grow.
5. Train Your Teams. Educate teams on the “why” and “how” of compliance to prevent errors and strengthen your front line.

By embedding regulatory standards into everyday practice, you create a proactive, sustainable compliance approach that targets what matters most.

3. Audit Readiness

The less panic prepping for audits, the more time for actual work—no one wants to be scrambling through files at the last minute

Continuous audit readiness ensures that when an audit arrives, you’re well-prepared with up-to-date records and documentation. Regular self-assessments and review procedures can streamline this process:

• Internal Audits: Scheduled evaluations to assess the effectiveness of compliance controls, highlighting areas for improvement.
• SOC Reports: Verified summaries that demonstrate security posture and control effectiveness.
• Evidence of Controls: Documented records and logs of your security and compliance actions, offering transparency and accountability.
• Monitoring Logs: Continuous logging and monitoring of compliance-related activities to catch issues early and provide a clear audit trail.

Proactive audit readiness can save time and resources by preventing last-minute scrambles and stress.

4. Data Governance

Managing data with clear rules keeps nasty surprises at bay.

Strong data governance is essential for compliant data management, especially with increasing regulations on data privacy and cross-border transfers. Essential practices include:

• Data Classification: Organising data based on sensitivity and regulatory requirements, helping teams understand the handling requirements for different data types.
• Retention Policies: Determining how long data should be stored and when it should be safely disposed of, in line with both business needs and regulatory guidelines.
• Privacy Requirements: Ensuring all personal data handling meets privacy laws like GDPR, which imposes stringent rules on data processing and protection.
• Cross-Border Transfer Rules: Complying with legal requirements for data transfer, particularly when it involves transferring data across different regions or countries.

Solid data governance practices prevent unauthorised access and misuse, helping to minimise regulatory risks.

5. Third-Party Risk Management

Trusting vendors without checking their compliance is like lending your car to a friend with no license. Risky.

Managing third-party risk is a key component of compliance, especially in cloud environments where services from multiple providers may be involved. Important steps include:

• Compliance Certifications: Verifying that vendors hold certifications like ISO 27001 or SOC 2, showing their commitment to security and compliance.
• SLAs (Service Level Agreements): Defining service expectations and responsibilities, which can be essential for maintaining compliance in outsourced functions.
• Vendor Assessments: Regularly evaluating vendors to ensure they maintain a compliance posture compatible with your requirements.
• Shared Responsibility Understanding: Clearly delineating which compliance responsibilities fall to you and which fall to your vendors, as defined in cloud provider agreements.

Properly managing third-party risk ensures that compliance gaps don’t emerge from vendors’ shortcomings, adding another layer of resilience.

The Bottom Line

These five areas typically satisfy most compliance frameworks’ core requirements.

Remember: Perfect is the enemy of good. Start here, get these right, and you’ll have a solid foundation that covers most compliance needs. The remaining 80% of compliance requirements often build upon these fundamentals.