Eight out of 10 enterprise Software-as-a-Service buyers will not be happy with the contracts they sign. And there's good reason for that.
That's the prediction from Gartner analyst Alexa Bona, who chides the current state of contracts, which all too often "have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident."
Bona outlines three options enterprise cloud buyers need to exercise every time they cut a cloud agreement:
Bring in third-party verification. SaaS contracts should "allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure," Bona advises.
Insist on standardized assessments. "Ask a provider to respond to the findings of assessment tools," says Bona. "The Cloud Security Alliance (CSA), for example, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing."
Include adequate service levels for security and recovery, including recovery time objectives, recovery point objectives, and data integrity measures. “Whatever term is used to describe the specifics of the service-level agreement, IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations,” says Bona.
Along with Gartner's recommendations, there are other pro-active steps cloud consumers can take to ensure that their vendors fulfill their roles as partners:
Get involved with a user group or advisory committee associated with the vendor. This helps provide clout, as well as build personal relationships with managers on the vendor side.
Maintain relationships with mutiple providers, including the option of going back to your own data center. Nothing delivers more favorable terms in business than competition.
More food for thought: in an issue of Stanford Technology Law Review earlier this year, researchers affiliated with the QMUL Cloud Legal Project at the University of London reported on conversations with cloud providers and consumers, identifying the major points of discussion — or contention — that have been coming up in negotiations for cloud engagements.
Major areas of disagreement include the following, as outlioned in the article:
- Who’s liable for damages from interruptions in service? (Cloud providers won't accept liability for issues.) ,
- Number of perfromance indicators within service level agreements. (The more you pay, the more you get. Smaller customers tend to get 5-10 key performance metrics.)
- Data availability and data loss. (Many cloud porviders won't assume liability for data loss.)
- Physical location of data. (A big issue for European enterprises, since data must reside with the bounds of the EU. However, many providers are opaque about the whereabouts of data centers.)
- Vendor lock-in. (Vendors try to get long-term contracts, with onerous automatic renewal policies. But at the same time, that won't stop vendors from changing their service terms)
- Compliance data, return of data upon contract termination. (Vendors won't provide this voluntarily.)
- Intellectual property rights. (Right now, a very murky area. What happens when cloud providers make changes to data and applications?)