With the growth of cloud computing, enterprises may soon be having conversations about compliance as a service as they seek to deal with the legislative and compliance requirements around protecting personally identifiable customer data.
According to Peter Coffee, director of platform research at Salesforce.com, no matter how much the IT industry thought government regimes were out of touch with their legislation when it came to technology, compliance and legislation could not be avoided when it came to cloud computing.
“[Governments] have the gun and can put us in jail if we fail to respect their rules, no matter how much we feel they may be out of date,” he said at IDC’s cloud computing summit in Sydney.
“There are composite solutions [to compliance issues]: build the application in the cloud using nothing but anonymous tokens to identify customers… but that is not trivially easy to do,” he said.
“Instead, compliance as a service may be offered where [the service provider] acts as an intermediate layer of your application that takes care of a variety of things. They could indemnify the customer against any issues around personally identifiable information crossing boundaries.”
Under such a compliance service, a service provider would accept the burden of knowing the rules, court precedents and regulations which are industry-specific, Coffee said. Responsibility to sanitise data wherever it left the country over a broadband link would move from the customer to the service provider.
“Layers upon layers of new services will emerge representing new layers of expertise and therefore new layers of profitability for those providing services with that kind of value. I think that’s happening now and more so all the time.”
Linus Lai, associate consulting director at IDC, said that the government, defence, health care and banking sectors in particular were subject to compliance issues around data privacy and protection laws and standards.
Given the potential liability costs for a compliance service provider and the sheer number of regulations enterprises faced, providing a one-stop-shop compliance service would be a significant challenge.
“Compliance with regard to cloud computing is largely around the location of customer data, but at last count there were more than 1000 different types of regulation and compliance standards that relate to IT,” he said.
Given that compliance touched areas as broad as IT security, enterprise search, data retention and archiving, it was more likely that service organisations would continue to provide specialised services around compliance, Lai said.
“There is no silver bullet for compliance,” he said.