I see Commercials and Capability progressing a lot faster than the ability to tackle Compliance. What's more, some of the issues faced here relate to people's perceptions, and they are not easily fixed with technology alone.
Take a SaaS example: Google Mail. It's low cost and highly capable (OK, a few more bells and whistles are needed, but not many). So would you be happy if your doctor stored your medical records on Gmail? Your immediate thought is no, and the reason fits somewhere under the compliance umbrella.
The example in question is close to home, as my brother Paul supports the world's largest Exchange platform for the UK Health Service (2.3 million mailboxes). He had to be UK security cleared to do that, and it's no surprise that the design needs to cater for tight authentication, recovery and archiving requirements.
Could this need ever be delivered using a true SaaS model? I wonder if large providers might think of using shared infrastructure with dedicated application layer instances (and people) to support private customers. Surely infrastructure reuse and duplication of software and management practices would be a lot more cost effective than building up from scratch.
No matter what, I think the challenge ahead will be to clearly break down fact from fiction in the security space and solve the technical problems; hopefully commercial appeal, combined with joined-up thinking, will help overcome the perception and political issues.