

Can compliance as a service cloud hosting benefit enterprises?

Is compliance as a service a good option for compliance outsourcing? Expert Mike Chapple explores this new option for enterprises.

I recently saw that a vendor announced a new type of compliance as a service cloud host offering, which supposedly combines data hosting and meeting compliance requirements in one product. Is this an emerging cloud service segment or just clever marketing? What are the pros and cons of compliance outsourcing?

Compliance is clearly a growth market for cloud services. As organizations begin to realize the challenges associated with maintaining HIPAA- and/or PCI DSS-compliant infrastructures, they are turning to specialized vendors to offload much of that burden.

The most direct application of this approach is the use of software as a service offerings to handle sensitive information. For example, a website owner might engage a payment processing company to handle all aspects of credit card processing. The website never actually touches a credit card number, so the merchant's direct responsibility for PCI DSS compliance is minimized.

In other cases, businesses might engage partners to assist with certain aspects of compliance operations. For example, if a business does not want to be responsible for maintaining a HIPAA-compliant data center, it might turn to an infrastructure as a service provider who is willing to sign a HIPAA business associate agreement and accept responsibility for operating the physical data center in compliance with HIPAA.

Organizations engaging a business partner to assist with any regulated activities -- whether it's cloud compliance services or other types of regulatory assistance -- should carefully examine the scope of compliance covered by the vendor. While many vendors would like to sell "compliance in a box," it is more likely that some of the burden of compliance remains the customer's responsibility. Ask the vendor to provide a formal scope of compliance document that spells out the exact requirements met by the vendor and those that remain your organization's responsibility.



This was last published in March 2015
