8/2/2013
01:10 PM

Cloud Contracts Need Work, Gartner Says

Gartner publishes guidance for IT on tightening up cloud service provider contracts to better protect corporate assets.

Bad news: While cloud technologies continue to advance, the language in cloud contracts still has much growing up to do, according to new research from Gartner.

"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Alexa Bona, Gartner VP and distinguished analyst, in a statement.

Bona was speaking in connection with the release of new research from her team looking into the security provisions of commercial cloud services, especially software-as-a-service (SaaS).

The research suggested these commercial documents are frequently "inadequate." Specifically, too many contracts contain "ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident," it said.

And as no consensus exists in the nascent market about precisely how commitments to security services should be described, most SaaS vendors choose to commit themselves as little as possible in this area, Bona added.

That doesn't get away from the fact, she said, that buyers need spelled-out security commitments from cloud service providers -- like when penetration testing by third parties is going to happen, and how regularly -- in writing.

And if you're entering such negotiations now, look to require an annual security audit and certification by a third party, with the option to terminate the agreement in the event of a security breach if the provider fails on any material measure, suggested Gartner. Another must-have: SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where and whenever possible.

Smart CIOs should also demand their cloud partners respond to the findings of assessment tools. Bona suggested as a useful resource the Cloud Security Alliance (CSA), especially its Cloud Controls Matrix, essentially a spreadsheet containing control objectives determined by its members to be important in the context of cloud computing.

"It will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider," said Bona.

At the same time, never assume your shiny new SaaS contracts include adequate service levels for security and recovery. "Whatever term is used to describe the specifics of the service-level agreement, IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations," she noted.

"We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed," she said.

Comments
WKash,
User Rank: Author
8/29/2013 | 3:10:06 AM
re: Cloud Contracts Need Work, Gartner Says
A Michael Byrne at FCC said the other day, "Procurement is the silent killer of innovation."
David F. Carr,
User Rank: Author
8/6/2013 | 9:51:51 PM
re: Cloud Contracts Need Work, Gartner Says
The way I hear it, major corporations have a hard time getting cloud operators to budge on contract terms. If you're a small time operator, terms are strictly take it or leave it.
WKash,
User Rank: Author
8/2/2013 | 7:53:16 PM
re: Cloud Contracts Need Work, Gartner Says
Sounds like government agencies are not alone in trying to write better SLAs and contracts for cloud services.