Compliance as a Service (CaaS) is a cloud service level agreement (SLA) that specifies how a managed service provider (MSP) will help an organization meet its regulatory compliance mandates. Compliance support services in the cloud are often used by large organizations that operate in highly regulated industries such as healthcare, banking and finance. The goal of Compliance as a Service is to reduce an organization's compliance burden by outsourcing compliance management tasks to a third party that has the resources required to meet regulatory requirements in a more cost-effective manner.
CaaS providers typically supply their customers with access to software and support materials that have been designed to be compliant with specific regulations. This is because compliance concerns manifest themselves in different ways, depending on the organization's line of business and location. For example:
- In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) requires network administrators to create logical boundaries between protected and unprotected workflows.
- In finance, the Sarbanes-Oxley Act (SOX) requires specific encryption levels for different data types.
- In retail, PCI-DSS requires people and programming to have a business justification for accessing cardholder data.
- In Europe, the EU Data Protection Act requires European customer data to be stored on servers located in Europe.
Typically, CaaS offerings include assessing an organization's current governance, risk and compliance (GRC) strategies and helping the organization's Chief Compliance Officer (CCO) create and manage policies that support best practices both on site and in the cloud. To be effective, a CaaS provider’s services must be transparent. Customers should be able to easily monitor the service and confirm their data is being handled in accordance with legal restrictions and corporate policies.
CaaS is an emerging industry, and it can be confusing for line of business (LOB) staff to read through a cloud provider's SLAs and understand what is actually being offered. To build trust, some vendors that offer CaaS will first get certified for the regulations they support. For example, as of this writing, Microsoft Azure has successfully met the criteria for 90 compliance certifications, 50 of which are specific to global regions and countries.
Advantages of Compliance as a Service
Compliance MSPs are responsible for maintaining and updating their cloud services over time. If there are changes to financial regulations, the provider is responsible for adjusting its services accordingly, as per the customer's SLA. This alone means that Compliance as a Service can save a large enterprise millions of dollars over the years by reducing administrative overhead.
Disadvantages of Compliance as a Service
Despite its benefits, Compliance as a Service is not without its downsides, because ultimately cloud service users share risk with the provider. When a company fails to meet compliance standards, there can be severe legal and financial penalties. If a financial penalty is levied because of something the cloud provider has done (or failed to do), it is the cloud customer that is fined, not the cloud provider, and it is up to the cloud customer to seek reimbursement from the cloud provider through the court system.
If a company decides to use Compliance as a Service, it must perform due diligence to find the right service. While many CaaS providers offer compliance services for major regulations, such as HIPAA and Sarbanes-Oxley, it can be difficult to find a CaaS provider in many vertical industries and some countries.