Closing Security Loopholes in Cloud Service Agreements

Cloud business solutions have been growing at a skyrocketing speed, especially Software-as-a-Service (SaaS). Companies, however, need to realize that cloud contracts have a lot of security loopholes that need to be addressed ASAP. According to the results of new research conducted by Gartner, cloud contracts have a lot of growing up to do.

Business users of SaaS are discovering security issues in terms of data confidentiality, risk management, data recovery and data integrity. Gartner suggests that cloud contracts need more transparency in these areas to assure business companies.

“We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers,” Alexa Bona, Gartner VP and distinguished analyst stated.

Bona emphasized that business cloud users need to push these issues, including data integrity and recovery time, into the cloud service agreement before finalizing a contract. It should also be made clear that the SaaS vendor agrees to conduct regular vulnerability testing at least once a year, and to ensure that there are no unauthorized third-party data breaches. In the case of the latter, the agreement should state that customers can terminate the service agreement immediately.

Another clause that should be included concerns the fee liability limits, which are currently set at 12 months; these must be renegotiated to a minimum of 24 to 36 months. CIOs can also add a security clause requiring service vendors to respond to vulnerabilities identified by assessment tools. Useful resources that businesses can consider include the Cloud Security Alliance (CSA) Cloud Controls Matrix. No matter how appealing a cloud service agreement sounds, the priority of every business is to ensure that SaaS providers are contractually obligated to have security measures in place.

“It will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider,” Bona said.

It is expected that SaaS vendors will begin to review their service agreements to reassure their customers, especially following the news about the National Security Agency's PRISM program.

“They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation,” Bona said.

One comment

  1. Before effective security agreements can be established for the cloud, there needs to be an agreement on security standards and testing practices. If an organization with confidential data wants to move that data into the cloud, they will need to show that they took reasonable precautions to secure that data, which means that we need to have a definition of exactly what a reasonable precaution is.
