Customers of commercial cloud computing services, notably SaaS (software as a service), are realizing serious data security holes in the contractual provisions of what is acclaimed by many as a practical cost-cutting IT solution. The IT market analyst Gartner has released a comprehensive report pointing out some discomforting oversights in cloud computing contracts which it characterized as containing “ambiguous terms” involving the maintenance of data integrity, confidentiality, and data recovery after a system failure leading to loss or compromised data housed in remote cloud computing servers.
The Problem Uncovered by the Garner Report
The situation has highlighted risks to data security that has led to jitters among cloud service customers while making it more difficult for service providers to rationalize the risk they expose their clients to without any clear contractual provision that can allay their data security fears. According to the Gartner report, 80% of IT professionals overseeing the contractual purchase of cloud services will remain dismayed over the inadequacy of data security protection in SaaS agreements with providers up to the year 2015.
The analysis section comprising the main body of the Gartner Report has sub-section titles that clearly indict the current state of SaaS contracts in the area of data risk management. It cautions cloud users not to use SaaS contracts as a “Hedge against Risks,” and not to be complacent in assuming that these contracts provide the company with “Risk Transparency” or the “Adequate Service Levels for Security and Recovery.”
At the moment, there is no standard or consensus among cloud service vendors on how best to provide the proper data security commitments. SaaS vendors would naturally want to expose themselves to as little commitment as possible. Among them, a single failure that compromise data security could affect several hosted customers so that even modest compensation costs could easily rack up. As a result, most cloud providers deliberately avoid such contractual obligations, some preferring to provide less expensive penalties in the form of services in kind in the event they fail to live up to any part of the SLA.
Putting in the right SLA provisions
According to Alexa Bona, VP of the prestigious firm, cloud service users are getting frustrated over the lack of transparency provided by current and prospective cloud service providers in risk management. She added that at the very least, cloud users should ensure that the SaaS agreement they enter with providers contain a provision that allow for an annual 3rd party security audit and certification, as well as the option for a unilateral termination of the contract should the provider fail to perform such measures.
Cloud customers should demand that SaaS providers respond to audit assessment as required in mitigating the risks. Bona refers to the Cloud Security Alliance (CSA) whose “Cloud Controls Matrix” in spreadsheet form effectively provides a comprehensive model listing the necessary control objectives considered by CSA participants as having high priority in cloud computing security. The more users demand this level of commitment, there is a higher chance that service level standards will improve, and covering data protection risks can become common practice among vendors through regular assessments as simple as service questionnaires, responses to 3rd party audit assessments, and client’s own on-site audit checks.
The report’s analysis section ends with the admonition that users should not assume that SaaS contracts have enough data security and recovery provisions in their service levels. This has obviously been the case so far and users reviewing their contracts with cloud service providers are recognizing the loopholes that expose them to the risk of data losses and recovery problems they didn’t have before going into cloud computing.
IT professionals responsible for procuring cloud services must ensure that their SLAs contain specific provisions that contractually obligates service provides to meet company expectations in protecting data from external attacks, theft and implementing data recovery. The Gartner report recommends that SLA provisions should include data recovery objectives, recovery time thresholds, and data integrity measures with sufficient penalties if missed. IT service procurement executives should ensure that there is enough security commitments in writing which, at the bare minimum, provide for regular penetration assessments by 3rd party security auditors, and an obligation to correct any potential problem uncovered by such audits. Needless to say, failure to act on the audit assessments should give customers the option to cancel the contract as well as demand a meaningful monetary compensation for any failure to address shortfalls in the security audit.
The risk implications to the business have driven IT professionals in the areas of data recovery, security, business continuity, and standards compliance to voice their concerns in the purchasing process when getting into commercial cloud services. Bona sees their active participation from here on in reviewing contracted SLAs to ensure that such agreements hold up to the company’s data security standards by having sustainable deals for adequate risk management on the part of cloud service providers. Lastly, Bona advises that cloud customers should seriously consider 2-3 year fee liability limits, instead of the usual 1-year period, along with procuring added risk and liability insurance policies whenever possible.