Software as a service (SaaS) contracts seem to be under fire for inadequate security provisions with ambiguous terms, IT research firm Gartner, Inc. (IT) has reported.
More specifically, the ambiguous terms concern the maintenance of data confidentiality, data integrity, and recovery after a data loss incident. These concerns can lead to dissatisfaction among cloud services users and make it harder for service providers to manage risk and defend their risk position to auditors and regulators, Gartner said.
According to the report, 80 percent of IT procurement professionals will remain dissatisfied through 2015 with SaaS contract language and protections that relate to security.
Gartner Vice President and Analyst Alexa Bona said in prepared remarks that the firm "continues to see a frustration among cloud users over the form and degree of transparency they are able to obtain from prospective and current service providers."
Gartner said cloud services users need to pay attention to the following in SaaS contracts:
- Ensure annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure.
- Ask a provider to respond to the findings of assessment tools. For example, the Cloud Security Alliance (CSA) has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing.
- Do not assume that SaaS contracts include adequate service levels for security and recovery.
- Be sure that some form of service, such as protection from unauthorized access by third parties, annual certification to a security standard, and regular vulnerability testing, is committed to in writing.
- Ask for meaningful financial compensation for losses of security, service, or data.
"Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals," Bona said. "They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation."