I recently saw that a vendor announced a new type of compliance as a service cloud host offering, which supposedly combines data hosting and meeting compliance requirements in one product. Is this an emerging cloud service segment or just clever marketing? What are the pros and cons of compliance outsourcing?
Compliance is clearly a growth market for cloud services. As organizations begin to realize the challenges associated with maintaining HIPAA- and/or PCI DSS-compliant infrastructures, they are turning to specialized vendors to offload much of that burden.
The most direct application of this approach is the use of software as a service offerings to handle sensitive information. For example, a website owner might engage a payment processing company to handle all aspects of credit card processing. The website never actually touches a credit card number, so the merchant's direct responsibility for PCI DSS compliance is minimized.
In other cases, businesses might engage partners to assist with certain aspects of compliance operations. For example, if a business does not want to be responsible for maintaining a HIPAA-compliant data center, it might turn to an infrastructure as a service provider who is willing to sign a HIPAA business associate agreement and accept responsibility for operating the physical data center in compliance with HIPAA.
Organizations engaging a business partner to assist with any regulated activities -- whether it's cloud compliance services or other types of regulatory assistance -- should carefully examine the scope of compliance covered by the vendor. While many businesses would like to sell "compliance in a box," it is more likely that some of the burden of compliance remains their responsibility. Ask the vendor to provide a formal scope of compliance document that spells out the exact requirements met by the vendor and those that remain your organization's responsibility.