Data Auditing Blog
Prat Moghe was the founding CEO of Tizor and led the company from 2002 to 2006 including driving the launch of its product into the data auditing market. Prat led Tizor through two financing rounds and established its security and compliance market strategy.
Outsourcing & Security


I did an article that just appeared in SC Magazine. It is relevant to our recent thread of data security and compliance for two key reasons.
First, I have seen an increase in media inquiries around security of SaaS. This might be a good time for a discussion of this topic.
Second, there has been a general confusion about what's a good security model for securing outsourcing activity. The notion that only non-critical data should be outsourced has clearly been thrown out. Look at the practical success of salesforce.com. Consider how many BPO outsourcers have access to your critical financial and credit data today.

My SC article introduces two observations that are based on analogies:

  • Access control vs. access auditing: illusion of control vs. real control that comes from knowledge
  • Outside-in security vs. inside-out security: security vs. risk management.

I could describe these in detail, but for now a quick example from real life should drive the point home. Recently I was visiting an enterprise customer who had deployed Mantra DAM to audit their privileged users on Oracle. I was interested in understanding if they would be interested in extending their use to incorporate automated security capabilities (such as terminating users, etc.). I expected the customer to be a whole-hearted fan of this. But the customer shook his head vigorously and said, "Wait a minute - stop!" What I heard from him was very interesting. The fundamental problem of users and how and what they access goes to the guts of understanding business & IT activity. This requires some on-going interaction and periodic reviews. The moment the product becomes a self-healing application firewall, this stops happening. At this point, the customer was concerned that they would stop gaining further insight into risks, because the deployment of a system would be perceived as a firewall - eventually making it a black box with a false sense of security and insight. The beauty of a DAM solution is that it gives you insight into what makes sense and what does not - this is the definition of real control, provided you use it as such. Access control, on the other hand, might give you a sense of hard control, but it is illusory. Ultimately, protecting data while maintaining seamless business transactions is about risk management. Security becomes a by-product, not the means.

I meant to educate the customer, but he ended up educating me.
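As an added illustration (not code from this post, from Tizor, or from the Mantra product), here is a small Python review script in the spirit of the customer's "audit, then review" preference. It builds a per-user baseline of (action, object) pairs from already-reviewed privileged-user activity, then reports each new event that merits a look together with the reasons, rather than terminating anything. The audit records, object names and thresholds are constructed for the example and are hypothetical.

```python
"""Privileged-user audit review: explain, don't auto-block.

Added example; not Tizor/Mantra code. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    user: str    # database account
    action: str  # SQL verb: SELECT, UPDATE, ...
    obj: str     # schema-qualified object
    hour: int    # local hour, 0-23
    rows: int    # rows returned or affected


# Constructed sample records (hypothetical; not real audit data).
HISTORY = [  # activity already reviewed and accepted as routine
    AuditEvent("dba_alice", "SELECT", "HR.SALARY", 10, 40),
    AuditEvent("dba_alice", "SELECT", "HR.SALARY", 11, 35),
    AuditEvent("dba_alice", "UPDATE", "SYS.PARAMS", 14, 1),
    AuditEvent("dba_bob", "SELECT", "FIN.LEDGER", 9, 500),
    AuditEvent("dba_bob", "SELECT", "FIN.LEDGER", 15, 480),
]
NEW_EVENTS = [  # this period's activity, awaiting review
    AuditEvent("dba_alice", "SELECT", "HR.SALARY", 10, 38),
    AuditEvent("dba_alice", "SELECT", "FIN.CARDS", 2, 120000),
    AuditEvent("dba_bob", "SELECT", "FIN.LEDGER", 23, 450),
    AuditEvent("dba_bob", "UPDATE", "FIN.LEDGER", 10, 3),
]


def build_baseline(history):
    """Per user, the (action, object) pairs seen in the reviewed history."""
    seen = defaultdict(set)
    for e in history:
        seen[e.user].add((e.action, e.obj))
    return seen


def explain(event, baseline, night=(22, 6), bulk_rows=10_000):
    """Return the reasons an event deserves a reviewer's attention.

    An empty list means the event looks routine against the baseline.
    Thresholds (night window, bulk row count) are illustrative assumptions.
    """
    reasons = []
    if (event.action, event.obj) not in baseline.get(event.user, set()):
        reasons.append("action/object pair not in user's baseline")
    if event.hour >= night[0] or event.hour < night[1]:
        reasons.append("after-hours access")
    if event.rows >= bulk_rows:
        reasons.append("bulk row count")
    return reasons


def review(history, events):
    """Produce the periodic review: each flagged event with context and reasons.

    Nothing is terminated here; the output is the input to the conversation
    between security and the business about what makes sense.
    """
    baseline = build_baseline(history)
    findings = []
    for e in events:
        reasons = explain(e, baseline)
        if reasons:
            findings.append({"user": e.user, "action": e.action, "obj": e.obj,
                             "hour": e.hour, "rows": e.rows, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(HISTORY, NEW_EVENTS):
        print(f"{f['user']:10} {f['action']:6} {f['obj']:12} "
              f"h={f['hour']:02d} rows={f['rows']:>7}  <- {'; '.join(f['reasons'])}")
```

Run as a script it prints three findings: the routine salary lookup is silent, the 2 AM bulk read of a card table is flagged on three counts, and the two ledger events are flagged once each. Every line carries the "why", which is what a reviewer needs to decide whether the behaviour is a new legitimate pattern to fold into the baseline or a risk to act on.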

Posted by Prat Moghe on Wed, Mar 05, 2008 @ 05:23 PM
