SaaS Contract Ambiguity Raises Security Concerns: Gartner | eWeek

SaaS Contract Ambiguity Raises Security Concerns: Gartner

SaaS Contract Ambiguity Raises Security Concerns: Gartner
Written By
Nathan Eddy
Nathan Eddy
Aug 5, 2013
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Software-as-a-service (SaaS) contracts often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident, which leads to dissatisfaction among cloud services users, according to a report from IT research firm Gartner.

Buyers of commercial cloud services, especially SaaS, are finding security provisions inadequate, and these ambiguous terms are also making it harder for service providers to manage risk and defend their risk position to auditors and regulators.

The report cautioned that, at a minimum, cloud services users should ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure.

“We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers,” Alexa Bona, vice president and distinguished analyst at Gartner, said in a statement. “As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting an on-site audit and/or monitoring the cloud services provider.”

Gartner predicted that, through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security. The Cloud Security Alliance (CSA), a nonprofit organization aimed at bolstering cloud computing, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing, one of the ways service contracts could be improved.

“Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations,” Bona said. “We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed.”

In addition, the lack of meaningful financial compensation for losses of security, service or data also represents an undesirable form of risk exposure in SaaS contracts. The report said it will be crucial that some form of service, such as protection from unauthorized access by third parties, annual certification to a security standard and regular vulnerability testing, be committed to in writing. In addition, SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible.

“Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals,” Bona said. “They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.