Cloud contracts vague on security; more transparency needed

Summary: Cloud contracts contain vague terms and weak promises that ultimately affect satisfaction among users, according to research firm Gartner.


Security provisions in commercial cloud-based services, especially software-as-a-service (SaaS), are failing to live up to the expectations of users.

That's according to the latest research from Gartner, which says that a lack of clear definitions and provisions makes it harder for service providers to manage risk and to defend their position, not only with customers but with auditors and regulators.


In total, the research firm predicts that 80 percent of IT procurement professionals will remain "dissatisfied" with the language used in SaaS contracts.

The one key takeaway? "More transparency, please."

Breaking down the results a little further, cloud service users want SaaS contracts to include annual security audits and third-party certification. They also want the option to terminate the agreement in the event of a security breach if the provider is found to have failed on any material measure, the report says.

"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Gartner vice president and analyst Alexa Bona.

Gartner notes that cloud users should not automatically assume that SaaS contracts come with adequate service levels for security and recovery: an uptime commitment says nothing by itself about whether data is protected or recoverable. Regardless of the terminology used in service-level agreements (SLAs), Bona said, IT procurement professionals should ensure before signing that the contract obliges the provider to protect data from attacks and to recover it in the event of one.

In many cases, these SLAs rule out compensation for a missed service level beyond service credits: if a service level is missed, the customer receives a discount rather than damages. Google and Microsoft, for instance, both have SLAs under which a customer receives credits on future bills if a certain level of uptime is not met.

SaaS users should negotiate liability limits of 24 to 36 months of fees, according to Bona, rather than 12 months. "They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation," she added.


Talkback

1 comment
  • For the smaller cloud service providers vague is an understatement

    As an owner of a small consulting firm, I have looked at cloud services for a number of things, from bug tracking to backup. In every case, when I pushed for a security policy it became obvious that the vendor did not have one. "Don't worry, be happy" seems to be the theme, with vendors going "no one would look at your customer files" and "we're in the cloud, of course we are secure and reliable".

    I expect a pushback at some point, after enough break-ins and breakdowns of the cloud show it to be a false economy.
    oldsysprog