Express Computer
Home  »  News  »  Cloud contracts need more transparency to improve risk management: Gartner

Cloud contracts need more transparency to improve risk management: Gartner

0 37

Buyers of commercial cloud services, especially software as a service (SaaS), are finding security provisions inadequate. Gartner Inc said SaaS contracts often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident. This leads to dissatisfaction among cloud services users. It also makes it harder for service providers to manage risk and defend their risk position to auditors and regulators.

Gartner said that, through 2015, 80% of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security. “We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers,” said Alexa Bona, Vice President and Distinguished Analyst, Gartner.

At a minimum, cloud services users need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. In addition, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools.

The Cloud Security Alliance (CSA), for example, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing.

“As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting an on-site audits and/or monitoring the cloud services provider,” said Ms. Bona.

Furthermore, cloud users should not assume that SaaS contracts include adequate service levels for security and recovery.

“Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations. We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed,” said Bona.

As no consensus exists about how commitments to security services should be described contractually, most SaaS vendors choose to commit to as little as possible. It is crucial that some form of service, such as protection from unauthorized access by third parties, annual certification to a security standard and regular vulnerability testing is committed to in writing.

The lack of meaningful financial compensation for losses of security, service or data also represents an undesirable form of risk exposure in SaaS contracts. “SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider,” said Bona.

Therefore, the majority of cloud providers avoid contractual obligation for any form of compensation, other than providing service in kind or penalties in the event that they miss a service level in the contract. SaaS users should negotiate for 24 to 36 months of fee liability limits rather than 12 months and additional liability insurances, where possible.

“Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals. They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation,” said Bona.

Get real time updates directly on you device, subscribe now.

Leave A Reply

Your email address will not be published.

LIVE Webinar

Digitize your HR practice with extensions to success factors

Join us for a virtual meeting on how organizations can use these extensions to not just provide a better experience to its’ employees, but also to significantly improve the efficiency of the HR processes
REGISTER NOW 

Stay updated with News, Trending Stories & Conferences with Express Computer
Follow us on Linkedin
India's Leading e-Governance Summit is here!!! Attend and Know more.
Register Now!
close-image
Attend Webinar & Enhance Your Organisation's Digital Experience.
Register Now
close-image
Enable A Truly Seamless & Secure Workplace.
Register Now
close-image
Attend Inida's Largest BFSI Technology Conclave!
Register Now
close-image
Know how to protect your company in digital era.
Register Now
close-image
Protect Your Critical Assets From Well-Organized Hackers
Register Now
close-image
Find Solutions to Maintain Productivity
Register Now
close-image
Live Webinar : Improve customer experience with Voice Bots
Register Now
close-image
Live Event: Technology Day- Kerala, E- Governance Champions Awards
Register Now
close-image
Virtual Conference : Learn to Automate complex Business Processes
Register Now
close-image