The 2nd C: Compliance
Continuing from our last train of thought, we are exploring the primary motivations for organizations to seek alternatives to traditional client/server architecture and on-premise software installations. The second “C” is for Compliance.
Compliance
Corporate governance, risk management, and compliance with policies and regulations are in sharp focus for most organizations. It’s not enough to express intent to follow regulations and policies; organizations must measure and transparently report on how completely they are being followed. Efforts to ensure consistent experiences for customers and to wring efficiencies from standardization often compete with individual workers whose sense of privilege or creativity conflicts with the corporate standard. Getting it wrong in this area can have devastating consequences for the viability and competitiveness of any firm. Correspondingly, many organizations invest huge amounts of resources in auditing and assurance services to ensure compliance with standards and to evaluate controls.
In the context of physical security, compliance failures can result in data breaches, exposure to financial losses, denial of services, and bodily injury to employees and visitors. The use of traditional physical security client/server architecture exposes company assets and personal information to constant threats. A typical corporate installation may include dozens of PCs, each with access to security controls and sensitive personal information. Providing any assurance of how access to these resources is managed and what standards are being followed is a daunting task. From SOX to FISMA, detailed audits of data integrity are required. Imagine how much it would cost to perform an audit of dozens of access control PCs spread throughout the world. It could easily cost more than the systems themselves.
SaaS architecture greatly simplifies enforcement of policies and audits for compliance by providing centralized capabilities to establish standards as well as tools to track and report on compliance. Since a SaaS solution database is centralized, the cost of performing compliance audits is significantly reduced. Many SaaS providers are also able to provide evidence of internal controls certified by independent auditors, thus eliminating the need for a subscriber to incur these costs.
- John Szczygiel