Security provisions in commercial cloud-based services, especially software-as-a-service (SaaS), are failing to live up to the expectations of users.
That's according to the latest research from Gartner, which claims that a lack of clear definitions and provisions makes it harder for service providers to manage risk and defend their position not only with customers, but also with auditors and regulators.
In total, the research firm estimates that 80 percent of IT procurement professionals will remain "dissatisfied" with the language used in SaaS contracts.
The one key takeaway? "More transparency, please."
Breaking down the results a little further, cloud service users want SaaS contracts to include annual security audits and third-party certification. In the event of a data breach, customers should have the option to terminate their engagement should the provider fail on any material measure, the report says.
"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Gartner vice president and analyst Alexa Bona.
Gartner notes that cloud users should not automatically assume that SaaS contracts come with adequate service levels for security and recovery. Regardless of the terminology used in service-level agreements (SLAs), Bona said IT procurement professionals should ensure before signing contracts that data is protected from attacks, and can be recovered in the event of one.
In many cases, these SLAs reject the notion of compensation except where a service level is missed and savings are passed on to the customer. Google and Microsoft, for instance, both have SLAs under which, should a certain level of uptime not be met, the customer will receive discounts over time.
SaaS users should negotiate for 24 to 36 months of fee liability limits, according to Bona, rather than 12 months. "They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation," she added.