Hazy cloud contracts are hurting everyone: Four ways to put them right

Dissatisfaction with cloud contracts is not going away, and their inherent ambiguities will end up hurting providers as much as buyers.

Firms that buy cloud services are fed up with the vague terms covering risks and security found in most commercial contracts.

But those ambiguities will ultimately backfire on the cloud providers themselves, because typical contracts will make it harder for vendors to manage risk and defend their position to auditors and regulators, according to Gartner.

The analyst firm says software-as-a-service contracts in particular are often sketchy about maintaining data confidentiality and integrity, and recovering information after an outage.

Those ambiguities result in high levels of dissatisfaction among buyers, with eight out of 10 procurement professionals unhappy with SaaS contract language and measures - and that unhappiness is likely to persist over the next 18 months.

"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," Alexa Bona, Gartner vice president and distinguished analyst, said in a statement.

Here are Gartner's suggestions for what buyers should expect to see in contracts:

Cloud contract point 1: Audits

A minimum requirement for cloud services buyers should be a clause stipulating an annual security audit and certification by a third party, "with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure".

Buyers should also be able to ask providers to answer against assessment tools such as the Cloud Security Alliance's Cloud Controls Matrix, a spreadsheet listing the control objectives a provider is expected to meet, so that the provider's claims can be compared control by control rather than taken on trust.

"As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting an onsite audit and monitoring the cloud services provider," Bona said.

Cloud contract point 2: Security and recovery

Cloud buyers would be unwise to assume the SaaS contract covers adequate service levels for security and recovery.

Gartner says that, whatever terms are used to describe the specifics of the service-level agreement, buyers must ensure providers are contractually obligated to meet expectations about protecting data from attack and recovering it afterwards.

"We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed," Bona said.

Cloud contract point 3: Written commitments

SaaS vendors commit to as little as possible because no consensus exists about how commitments to security services should be described contractually.

"It is crucial that some form of service, such as protection from unauthorised access by third parties, annual certification to a security standard, and regular vulnerability testing, is committed to in writing," Gartner said.

Cloud contract point 4: Compensation

SaaS contracts rarely mention meaningful financial compensation for lost security, service or data. That omission represents an undesirable form of risk exposure, according to Gartner.

"SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider," Bona said.

But the reluctance of most cloud providers to offer any form of compensation in contracts beyond service credits in kind shouldn't stop buyers from trying to "negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible".