Monday, July 21, 2008

Cloud Compliance

Have a look at this:

A software as a service provider that does compliance. While I can see why someone would want to outsource this type of thing, I am not sure that person would be in or around the Feds.

You know why: a) why would you want to put your compliance data outside your infrastructure; b) you don't know what the backend looks like or who has access; and c) you don't know when the features you like are going away or when new ones that you may or may not like are coming in.

I know that it is not directly related to FISMA, but how far away are we from something like this? I talk to some people and they are scared of SaaS or SOA or whatever you call it. They are even more scared that OMB wants more of the government onboard with SaaS for fiscal reasons.

The opportunity would be to set up a government-wide thing that OMB ran; that would be something. And not just reporting to OMB: I mean requirements management, performing assessments, common ST&E procedures for popular platforms, and certification package configuration management.

Perhaps there is something like this already or is on the way. I don't know. But it would be cool, at least for me.


Andrew said...

Software as a Service (SaaS) is new and has a lot of advantages for the compliance space. Since most firms are small or mid-size players and cannot afford significant investments in computing power, developers and support, SaaS applications provide these firms with an ability to affordably access enterprise-level applications. Secondly, Compliance11 works with top CCOs from some of the most respected firms to develop and hone its applications. Thus firms are able to access some of the best thinking in the industry when they acquire a subscription to Compliance11’s Supervisory Suite. Third, since SaaS implies one application with database security for each customer, Compliance11 can make that application extremely robust. For instance, the application has full failover capability in the event of an outage. It has powerful disaster recovery capability and can greatly simplify the process of implementing brokerage feeds, a major hassle for financial firms. Finally, the significant development staff at Compliance11 works for its customers. Clients propose changes and the system is upgraded 4 or 5 times a year. The client does not have to request budget approval or identify or hire IT resources.

As for the security issues, it is in Compliance11’s interest to develop a foolproof model as the firm can be hindered by a breach. It utilizes a SAS 70 Level 2 host, Rackspace. It can offer database encryption and VPNs to clients. All of its staff are subject to extremely rigorous background checks and the firm has stringent policies around security. In short, Compliance11 is a financial firm's trusted partner and its physical and virtual security needs to be as tight as its most concerned customer.

Analysts predict that by 2011, roughly 50% of client-server applications will be migrated to SaaS platforms. This may be part of the reason for the recent success with large customers.

Chris said...

Thanks for your comment Andrew. Like I said, I don't doubt that someone would use the Compliance11 service; I am merely pointing out that the solution doesn't necessarily lend itself to FISMA-style compliance or the culture of the Federal government.

You also wouldn't know the security pains that the company has gone to by reviewing its website.

All I want to convey is that a subscriber to SaaS services should be careful what they are signing up for and ensure their data is protected.

Also, please feel free to contact me directly, (cyberhiker at gmail dot com) if you would like to go into more detail off line.