SaaS Contract Ambiguity Raises Security Concerns: Gartner
Buyers of commercial cloud services, especially SaaS, are finding security provisions inadequate.Software-as-a-service (SaaS) contracts often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident, which leads to dissatisfaction among cloud services users, according to a report from IT research firm Gartner. Buyers of commercial cloud services, especially SaaS, are finding security provisions inadequate, and these ambiguous terms are also making it harder for service providers to manage risk and defend their risk position to auditors and regulators. The report cautioned that, at a minimum, cloud services users should ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. "We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," Alexa Bona, vice president and distinguished analyst at Gartner, said in a statement. "As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting an on-site audit and/or monitoring the cloud services provider."
Gartner predicted that, through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security. The Cloud Security Alliance (CSA), a nonprofit organization aimed at bolstering cloud computing, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing, one of the ways service contracts could be improved.