Cloud Compliance provides a SaaS-based Identity and Access Assessment (IdAA) solution that helps identify and remediate access control and entitlement policy violations. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low-cost analysis of access rights to prevent audit findings (sic) and ensure compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC.
The basic thesis of the blog post was that since companies have to spend money on compliance anyhow, they might as well spend the money once and rename the effort “security”.
This is an interesting notion – although perhaps “placebo security” might be a cheaper approach.
Compliance is not equivalent to security for several fundamental reasons.
Let’s examine this curious notion, using PCI DSS 1.2 as a generic example of a reg