Commercial cloud service (especially SaaS) customers find security provisions inadequate Gartner reports, with contracts often bearing ambiguous data confidentiality maintenance terms.
Such lack of transparency leads to dissatisfaction among cloud services users, and makes it more difficult for service providers to manage risk and defense risk position with auditors and regulators.
According to the analyst 80% of IT procurement professionals will remain dissatisfied with SaaS contracts until at least 2015.
Thus Gartner suggests cloud service users ensure SaaS contracts allow for annual security audits and 3rd party certification, with an agreement termination option should the provider fail on any material measure in the event of security breach.
Cloud buyers should also ask providers to respond to findings from assessment tools such as the Cloud Security Alliance (CSA) Cloud Controls Matrix.
“As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing 3rd party audit statements, conducting an on-site audits and/or monitoring the cloud services provider,” Gartner continues.
Cloud users must also not assume SaaS contracts include adequate security and recovery service levels-- on the other hand, they should stress on the security specifics of the Service-level agreement (SLA), including recovery time and recovery point objectives and data integrity measures.
“Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals," Gartner concludes. "They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation.”
Go Cloud Contracts Need Security Service Levels to Better Manage Risk
