For SMBs in regulated industries figuring out what compliance actually means in the cloud
Why this issue exists
This is the first issue of "Built to Comply," a six-month newsletter for the small and mid-sized businesses (SMBs) we work with most: healthcare practices handling Protected Health Information (PHI), financial services firms preparing for their first SOC 2, defense subcontractors heading toward FedRAMP, legal and insurance teams answering enterprise security questionnaires for the first time. Over the next twenty-four weeks we will publish what we actually see in the field: the patterns that separate SMBs who pass audits without scrambling from the ones who scramble every cycle.
Issue 1 is about the part nobody likes to start with. The foundation. The work that everything else depends on, and the work that costs the most when it gets skipped.
The pattern we see in nearly every regulated SMB
You start by deploying. The cloud account gets opened, the first workloads ship, the team is moving. Compliance becomes a thing you will deal with later: when the first customer asks for a SOC 2 report, when the Business Associate Agreement (BAA) shows up, when the auditor's first email lands.
By the time later arrives, the foundation is already poured wrong. Storage buckets are configured the way the first engineer happened to set them up. Access has been granted and re-granted across half a dozen one-off requests. There is no central identity system, no logging strategy, no single place that proves who did what. Retrofitting these controls costs three to ten times more than building them in from the start, and we have seen the bill firsthand: engagements that should have been a thirty-day landing zone turn into a ninety-day untangling.
Teams who avoid that bill do one thing differently. They treat the foundation as the first deliverable, not the last.
Three myths that keep the foundation weak
The reason most SMBs do not invest in the foundation early is not budget; it is belief. Three specific assumptions keep regulated SMBs operating without the controls they need until something forces the conversation.
1. "AWS (or Azure, or Google Cloud) handles compliance for us." They do not. The shared responsibility model is explicit about this: the cloud provider secures the platform, you secure what you put on it. If your S3 bucket is publicly accessible, that is on you. If your database is unencrypted, that is on you. If the auditor asks how you meet a specific control and you cannot map your answer to a documented configuration in your environment, the platform's own certifications do not cover your gap. Misunderstanding shared responsibility is behind some of the most-cited findings in our practice, and it is almost always preventable.
2. "Compliance is an annual event." Audits happen annually. Compliance does not. Between assessments, configurations drift, access expands, new resources show up without going through the approved process, and logging quietly stops working in March without anyone noticing. By the next assessment, the gap between what the documentation says and what the environment actually does is enormous, and the audit becomes a forensic reconstruction. Continuous monitoring is not a luxury for big companies; it is the cheaper path for a small one.
3. "Access controls are a startup problem we will fix when we are bigger." Access misconfigurations are the most frequently cited finding in compliance audits, full stop. Overly broad permissions granted to speed up onboarding, root account access nobody locked down, permissions that grew with a role and never shrank when the role changed. The fix is not size-dependent. Role-based access, multi-factor authentication on every privileged account, just-in-time access for elevated permissions, and a quarterly review cadence cost nothing to set up and prevent the highest-frequency audit finding in our practice.
What a real foundation looks like
A compliance-first cloud foundation, sometimes called a landing zone, is the set of controls that should already be in place before your first production workload runs. It does not have to be complicated. It has to cover five things:
- Organized environments: development, testing, and production are separated, each with its own security boundary. A misconfiguration in one does not bleed into the others.
- Centralized identity: every team member logs in through one system, with multi-factor authentication, and access maps to roles instead of one-off requests. When someone leaves, access is revoked in one place rather than across a dozen tools.
- Encrypted, isolated data: sensitive data is encrypted at rest and in transit, lives in private network segments, and is not reachable from the public internet by default.
- Continuous logging: every action is logged, the logs are stored immutably, and retention matches the framework (six years for the Health Insurance Portability and Accountability Act (HIPAA), one year minimum for the Payment Card Industry Data Security Standard (PCI DSS)).
- Automated guardrails: the platform enforces compliance requirements automatically rather than relying on the team to remember them. If someone tries to spin up a non-compliant resource, the system blocks it or flags it on the spot.
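As an added example (not Pandora Cloud's tooling), the guardrail idea from the list above written as a baseline check: a constructed inventory is evaluated against the data-isolation, encryption and logging-retention rules before any resource is allowed to exist. The inventory field names and the 365-day year are assumptions; the retention minimums are the ones the list states.

```python
"""Baseline check for the landing-zone controls listed above (added example)."""
from dataclasses import dataclass

# Minimum audit-log retention in days per framework, as stated in the text
# (six years for HIPAA, one year for PCI DSS). 365-day years are an assumption.
RETENTION_DAYS = {"HIPAA": 6 * 365, "PCI DSS": 365}


@dataclass
class Resource:
    name: str
    kind: str                      # "bucket", "database" or "log_trail" (assumed vocabulary)
    public: bool = False           # reachable from the public internet
    encrypted_at_rest: bool = True
    in_private_subnet: bool = True
    retention_days: int = 0        # log_trail only
    immutable: bool = False        # log_trail only


def check_baseline(resources, frameworks):
    """Return [(resource name, finding)] for every baseline violation.

    Run before a resource is created, this is the 'automated guardrail';
    run over an existing account, it is the drift check."""
    findings = []
    needed = max(RETENTION_DAYS[f] for f in frameworks)
    if not any(r.kind == "log_trail" for r in resources):
        findings.append(("<account>", "no audit-log trail configured"))
    for r in resources:
        if r.kind in ("bucket", "database"):
            if r.public:
                findings.append((r.name, "reachable from the public internet"))
            if not r.encrypted_at_rest:
                findings.append((r.name, "not encrypted at rest"))
            if not r.in_private_subnet:
                findings.append((r.name, "not in a private network segment"))
        elif r.kind == "log_trail":
            if not r.immutable:
                findings.append((r.name, "log storage is not immutable"))
            if r.retention_days < needed:
                findings.append((r.name, f"retention {r.retention_days}d below required {needed}d"))
    return findings


# Constructed sample inventory: a PHI-handling practice with one drifted bucket,
# one unencrypted database and a log trail kept only long enough for PCI DSS.
SAMPLE_INVENTORY = [
    Resource("phi-exports", "bucket", public=True),
    Resource("patients-db", "database", encrypted_at_rest=False),
    Resource("audit-trail", "log_trail", retention_days=400, immutable=True),
]


def run_sample():
    return check_baseline(SAMPLE_INVENTORY, ["HIPAA", "PCI DSS"])
```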
None of these are research projects. The cloud platforms already provide the services. The work is turning them on, configuring them against a written baseline, and making sure the result reflects your actual compliance scope.
The shift this issue is really about
The reason this is the first issue of a six-month campaign is that everything else depends on it. Authorization to Operate (ATO) work, continuous monitoring programs, defense and federal pursuits, end-of-year audit prep: none of it is recoverable if the foundation underneath is wrong. You cannot continuously monitor an environment with no logging strategy. You cannot pass an ATO when access has never been baselined. You cannot automate evidence collection when there is no evidence being captured.
The shift is from "compliance is something we will deal with later" to "compliance is the operating condition the rest of the business runs on." Teams who make that shift early stop spending weeks on audit prep, stop losing contracts that require compliance documentation, and stop paying ten-times-higher remediation costs every cycle. Teams who do not make the shift end up paying for the foundation later anyway, just in the most expensive currency available: scrambled audits, lost deals, and engineering time spent on cleanup instead of product.
Most useful resources from this month
- A Cloud Landing Zone is the Foundation of Cloud Compliance: What a compliant landing zone includes and why retrofitting costs three to ten times more than building it in from the start.
- The 5 Compliance Mistakes That Catch Regulated SMBs Off Guard: The five failure modes we see in nearly every compliance conversation, with the operational fix for each.
- How AI is Reshaping Compliance for Small Teams: Why a five-person regulated SMB can now maintain the same compliance posture as a twenty-person enterprise compliance team.
- Cloud Compliance Foundation Worksheet: A 20-question scoring tool across identity, data protection, network security, logging, and governance. Five minutes; you will know exactly where the gaps are.
- HIPAA & PCI Readiness Checklist: 24 items covering access controls, data protection, monitoring, and governance. Built for healthcare and payment-handling SMBs but useful for any team preparing for a framework audit.
One thing to do this week
Pick the cloud account that runs anything regulated. Open the Identity and Access Management (IAM) console. Find every account with administrator-level access and ask one question for each: "If this person left tomorrow, would I know what they had access to and what they did with it?"
If the answer is "no" for more than a handful of accounts, you have just identified the highest-frequency audit finding in our practice and the single cheapest one to fix. Document the justification for each privileged account. Tighten permissions to the minimum the role actually needs. Turn on multi-factor authentication for any account that does not already have it.
This is a one-afternoon exercise. It surfaces the issue most likely to come up first in any framework assessment, and it costs nothing to do.
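The review above, as an added example rather than anything from the newsletter or Pandora Cloud: it reads the CSV shape that `aws iam get-credential-report` returns (columns such as `user`, `arn`, `mfa_active`) and lists every administrator-level account that lacks MFA or a written justification. The report text, the set of admin users and the justification register are constructed sample data.

```python
"""Privileged-account review for the 'one thing to do this week' exercise (added example)."""
import csv
import io

# Constructed: a few columns of a credential report are enough for this check.
# The root row uses "not_supported" for password_enabled, as the real report does.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false
"""

# Constructed: users carrying an administrator-level policy (normally taken
# from the account's attached policies, not hard-coded).
SAMPLE_ADMIN_USERS = {"<root_account>", "alice", "bob"}

# Constructed: the written justification register the text asks you to keep.
SAMPLE_JUSTIFICATIONS = {"alice": "Platform lead; break-glass owner, reviewed 2024-Q1"}


def review_privileged_accounts(report_csv, admin_users, justifications):
    """Return {user: [issues]} for every administrator-level account.

    An empty issue list means the account has MFA and a documented
    justification; non-privileged accounts are skipped entirely."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user not in admin_users:
            continue
        issues = []
        if row["mfa_active"] != "true":
            issues.append("no MFA")
        if not justifications.get(user, "").strip():
            issues.append("no documented justification")
        results[user] = issues
    return results


def run_sample():
    return review_privileged_accounts(
        SAMPLE_CREDENTIAL_REPORT, SAMPLE_ADMIN_USERS, SAMPLE_JUSTIFICATIONS)
```

Every non-empty list in the result is one of the accounts the question in the section above is asking about.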
What's coming next
- Week 6 (Jun 2-4): Blog 4 on building mission-critical applications on compliant infrastructure, paired with the Mission App Builder Guide for defense and Small Business Innovation Research (SBIR) teams.
- Week 7 (Jun 9-11): Blog 5 on the hidden costs of non-compliance, paired with the Audit Prep Template.
- Week 9 (Jun 23-25): Blog 6 on why ATOs take so long and what to do about it, paired with the ATO Readiness Checklist.
- Week 10 (Jun 30-Jul 2): Issue 2 of this newsletter, focused on the operational moves that separate fast ATOs from stalled ones.
Closing
The compliance work that is hardest to do is the work that should have happened first. The teams who win in this space are not the ones with the biggest compliance teams; they are the ones who built the foundation correctly the first time and never had to come back to retrofit it.
If you want a second set of eyes on what your foundation looks like today, or where it would not hold up under a framework audit, we offer free 30-minute consultations. Book one here.
Until next month,
Kim Howell, CEO and Co-Founder, Pandora Cloud
Subscribe to get the next issue in your inbox
Built to Comply lands monthly. No jargon walls. No product pitches.