Hazy cloud contracts are hurting everyone: Four ways to put them right

Dissatisfaction about cloud contracts is not going away and their inherent ambiguities will end up hurting providers as much as buyers.

Firms that buy cloud services are fed up with the vague terms covering risks and security found in most commercial contracts.

But those ambiguities will ultimately backfire on the cloud providers themselves, because typical contracts will make it harder for vendors to manage risk and defend their position to auditors and regulators, according to Gartner.

The analyst firm says software-as-a-service contracts in particular are often sketchy about maintaining data confidentiality and integrity, and recovering information after an outage.

Those ambiguities result in high levels of dissatisfaction among buyers, with eight out of 10 procurement professionals unhappy with SaaS contract language and measures - and that unhappiness is likely to persist over the next 18 months.

"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," Alexa Bona, Gartner vice president and distinguished analyst, said in a statement.

Here are Gartner's suggestions for what buyers should expect to see in contracts:

Cloud contract point 1: Audits

A minimum requirement by cloud services buyers should be a clause stipulating an annual security audit and certification by a third party, "with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure".

Buyers should be able to ask providers to respond to the findings of assessment tools, such as the Cloud Security Alliance's Cloud Controls Matrix, which is a spreadsheet containing important control objectives.

"As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting an onsite audit and monitoring the cloud services provider," Bona said.

Cloud contract point 2: Security and recovery

Cloud buyers would be unwise to assume the SaaS contract covers adequate service levels for security and recovery.

Gartner says whatever terms are used to describe the specifics of the service-level agreement, buyers must ensure providers are contractually obligated to meet expectations about protecting data from attack and recovering it after one.

"We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed," Bona said.

Cloud contract point 3: Written commitments

SaaS vendors commit to as little as possible because no consensus exists about how commitments to security services should be described contractually.

"It is crucial that some form of service, such as protection from unauthorised access by third parties, annual certification to a security standard, and regular vulnerability testing, is committed to in writing," Gartner said.

Cloud contract point 4: Compensation

SaaS contracts rarely mention meaningful financial compensation for lost security, service or data. That omission represents an undesirable form of risk exposure, according to Gartner.

"SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider," Bona said.

But the reluctance of most cloud providers to mention any form of compensation in contracts beyond providing service in kind shouldn't prevent buyers from trying to "negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible".

About

Toby Wolpe is a senior reporter at TechRepublic in London. He started in technology journalism when the Apple II was state of the art.
