Compliance is a Pain in the SaaS
Software as a Service (SaaS) is a growing segment of the Information Technology (IT) market with Gartner predicting that SaaS spending will grow by 20% in 2020. The National Institute of Standards and Technology (NIST) defines SaaS as a capability provided to the consumer to use the provider's applications that are running on cloud infrastructure. The reasons for SaaS growth are numerous and include:
1) Zero data center footprint
2) Quickly turn on/off applications/services
3) Tight control of costs
4) Simpler upgrades
5) Little or no internal IT support
6) Scales up or down easily via a variable Operating Expense (OPEX) model
With all of these benefits, one has to wonder why all software isn't delivered via SaaS. This question is where compliance begins to raise its ugly head. When you use a SaaS product, you are entrusting your data to a third party over which you have little or no control. Essentially, you have to trust that the SaaS provider is providing equivalent or better protection for your data, that the data will be safe with that provider, and that the arrangement does not introduce any unknown or unacceptable risks to your business.
The problem is that most companies, including ours, don't trust anyone with their data. We are all from Missouri, and you are going to have to "show me" that you are compliant with our regulations so we can sleep at night feeling safe and secure in our SaaS environment. This is where organizations like FedRAMP come into the picture. They independently assess the security of the provider against a set of NIST compliance standards to provide assurance that your data is properly protected. While this approach is working for government, it doesn't always work for the SaaS provider, since average turnaround times can be up to 6 months with costs ranging from $350k to $865k. This compliance cost effectively prices small businesses out of these markets, since they can't afford to make that kind of investment in certification.
Fortunately, there are industry bodies such as the Cloud Security Alliance (CSA) that are working to make this process easier and more affordable via their Security Trust Assurance and Risk (STAR) Program. The CSA is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. In particular, they have published two key artifacts that make cloud security much easier:
- Cloud Controls Matrix (CCM) - provides a common mapping of controls across many compliance frameworks to lower the burden on cloud service providers by using a write-once, use-many approach to demonstrating compliance. The largest companies in the world participate in maintaining this matrix so you don't have to!
- Consensus Assessment Initiative Questionnaire (CAIQ) - a common set of questions that help ascertain the state of compliance of the cloud service provider. Think of this as having the questions on the test upfront :) You still have to do your part to implement the controls and know the answers during the audit, but they at least take the surprises out of the equation.
While these artifacts are robust and useful, they can also be overwhelming. The CCM is a "mega-spreadsheet" that isn't directly tied to the CAIQ. To make this compliance process easier for our customers, we have built free software that automates many components of the CCM and CAIQ and makes them "user friendly", while also tightly integrating the two via our partnership with CSA. The result is an easy-to-use tool that lowers the cost of demonstrating compliance while accelerating the schedule to document all of the compliance controls.
At C2 Labs, we believe compliance is too important to be unaffordable, and we have built a free software platform to help SaaS companies accelerate their compliance documentation while lowering their costs. Contact us today to learn about the platform, get a product demo, and find out how you can participate in our exclusive Private Beta program.