Firms that buy cloud services are fed up with the vague terms
covering risks and security found in most commercial contracts.
But those ambiguities will ultimately backfire on the cloud
providers themselves, because vaguely worded contracts make it harder for vendors to
manage risk and defend their position to auditors and regulators, according to Gartner.
The analyst firm says software-as-a-service contracts in
particular are often sketchy about maintaining data confidentiality and
integrity, and recovering information after an outage.
Those ambiguities result in high levels of dissatisfaction among
buyers, with eight out of 10 procurement professionals unhappy with SaaS
contract language and measures – and that unhappiness is likely to persist over the next 18 months.
“We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from
prospective and current service providers,” Alexa Bona, Gartner vice
president and distinguished analyst, said in a statement.
Here are Gartner’s suggestions for what buyers should expect
to see in contracts:
Cloud contract point 1: Audits
A minimum requirement by cloud services buyers should be a
clause stipulating an annual security audit and certification by a third party,
“with an option to terminate the agreement in the event of a security
breach if the provider fails on any material measure”.
Buyers should also be able to ask providers to respond to the
findings of assessment tools such as the Cloud Security Alliance’s Cloud
Controls Matrix, a control framework (distributed as a spreadsheet) that lists the control objectives a cloud provider is expected to meet.
“As more buyers demand it, and as the standards mature,
it will become increasingly common practice to perform assessments in a variety
of ways, including reviewing responses to a questionnaire, reviewing
third-party audit statements, conducting an onsite audit and monitoring the
cloud services provider,” Bona said.
Cloud contract point 2: Security and recovery
Cloud buyers would be unwise to assume the SaaS contract
covers adequate service levels for security and recovery.
Gartner says whatever terms are used to describe the
specifics of the service-level agreement, buyers must ensure providers are
contractually obligated to meet expectations about protecting data from attack
and recovering it after one.
“We recommend they also include recovery time and
recovery point objectives and data integrity measures in the SLAs, with
meaningful penalties if these are missed,” Bona said.
Cloud contract point 3: Written commitments
SaaS vendors commit to as little as possible because no
consensus exists about how commitments to security services should be described.
“It is crucial that some form of service, such as
protection from unauthorised access by third parties, annual certification to a
security standard, and regular vulnerability testing, is committed to in
writing,” Gartner said.
Cloud contract point 4: Compensation
SaaS contracts rarely mention meaningful financial
compensation for lost security, service or data. That omission represents an
undesirable form of risk exposure, according to Gartner.
“SaaS is a one-to-many situation in which a single
service provider failure could impact thousands of customers simultaneously, so
it represents a significant form of portfolio risk for the provider,” Bona said.
But the reluctance of most cloud providers to mention any form
of compensation in contracts beyond providing service in kind shouldn’t prevent
buyers from trying to “negotiate for 24 to 36 months of fee liability
limits, rather than 12 months, and additional liability insurances, where