compliance as a service (CaaS)

What is compliance as a service?

Compliance as a service (CaaS) is a cloud service that specifies how a managed service provider (MSP) helps an organization meet its regulatory compliance mandates.

Compliance support services in the cloud are often used by large organizations that operate in highly regulated industries, such as healthcare, banking and finance. CaaS helps organizations reduce their compliance burden by outsourcing compliance management tasks to a third party with the resources to meet regulatory requirements in a more cost-effective manner.

CaaS providers typically supply their customers with access to software and support materials that have been designed to be compliant with specific regulations. Compliance concerns manifest themselves in different ways, depending on the organization's line of business and location. For example:

• In healthcare, HIPAA requires network administrators to create logical boundaries between protected and unprotected workflows.
• In finance, the Sarbanes-Oxley Act (SOX) requires specific encryption levels for different data types.
• In retail, PCI-DSS requires people and programming to have a business justification for accessing cardholder data.
• In Europe, the GDPR governs how organizations can store and use customer data.

CaaS offerings include assessing an organization's current governance, risk and compliance strategies and helping the organization's chief compliance officer create and manage policies that support best practices both on premises and in the cloud. To be effective, a CaaS provider's services must be transparent. Customers should be able to easily monitor the service and confirm their data is handled in accordance with legal restrictions and corporate policies.

CaaS is an emerging industry. It can be confusing for line-of-business professionals to read through a cloud provider's service-level agreements (SLAs) and understand what is actually being offered. To build trust, some CaaS vendors first get certified for regulations they support. For example, Microsoft Azure has successfully met criteria for more than 100 compliance certifications, with 50 specific to global regions and countries.

What are the advantages of compliance as a service?

Compliance MSPs are responsible for maintaining and updating their cloud services over time. If there are changes to financial regulations, the provider is responsible for adjusting services accordingly, as per the customer's SLA. This help alone means CaaS can save a large enterprise millions of dollars over the years by reducing administrative overhead.

What are the disadvantages of compliance as a service?

Cloud service users share risk with the provider. When a company fails to meet compliance standards, they can be subject to severe legal and financial penalties. In the event of a financial penalty being levied because of something the cloud provider has done or failed to do, the cloud customer will be fined -- not the cloud provider. It is up to the cloud customer to try to get remuneration from the cloud provider.

If a company decides to use CaaS, it must perform due diligence to find the right service. While many CaaS providers offer compliance services for major regulations, such as HIPAA and SOX, it can be difficult to find a CaaS provider in certain vertical industries or countries.