Cloud contracts poor on security, says Gartner

Buyers of commercial cloud services are finding security provisions inadequate, says analyst organisation Gartner

Buyers of commercial cloud services – especially Software as a service (SaaS) – are finding security provisions inadequate, according to a report by research firm Gartner.

Contracts need more transparency to improve risk management, analysts said, with SaaS contracts often have ambiguous terms regarding data confidentiality, data integrity and recovery after a data breach.

This leads to dissatisfaction among cloud services users and makes it difficult for service providers to manage risk and defend their risk position to auditors and regulators.

Up to 80% of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security for at least the next two years, Gartner predicts.

“We continue to see frustration among cloud services users over the form and degree of transparency they obtain from prospective and current service providers,” said Alexa Bona, vice-president at Gartner.

At a minimum, Gartner believes cloud services users need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure.

In addition, Gartner believes it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools such as the Cloud Security Alliance (CSA) Cloud Controls Matrix.

Read more about cloud security

The CSA tool is in the form of a spreadsheet containing control objectives CSA members have identified as the most important to cloud computing.

“As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider,” said Bona.

Contract shortcomings

Cloud users should not assume that SaaS contracts include adequate service levels for security and recovery, she said.

Bona advises that, whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack – or to be restorable in case of an incident – must ensure their providers are contractually obligated to meet those expectations.

“We recommend they also include recovery time and recovery point objectives and data integrity measures in the service level agreements, with meaningful penalties if these are missed,” she said.

Gartner analysts have found that, because there is no consensus about how commitments to security services should be described contractually, most SaaS suppliers choose to commit to as little as possible.

Supplier responsibility

According to Gartner, it is crucial that service providers commit in writing to some form of service, such as protection from unauthorised access by third parties, annual certification to a security standard, and regular vulnerability testing.

The lack of meaningful financial compensation for losses of security, service or data also represents an undesirable form of risk exposure in SaaS contracts, said Gartner.

“SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider,” said Bona.

Because most cloud providers avoid contractual obligation for any form of compensation – other than providing service in kind or penalties in the event that they miss a service level in the contract – SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances where possible, she said.

Gartner said concerns about the ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals.

“They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation,” said Bona.

Read more on Cloud security