
Cloud Contracts Need Work, Gartner Says

Gartner publishes guidance for IT on tightening up cloud service provider contracts to better protect corporate assets.

Bad news: While cloud technologies continue to advance, the language in cloud contracts still has much growing up to do, according to new research from Gartner.

"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Alexa Bona, Gartner VP and distinguished analyst, in a statement.

Bona was speaking in connection with the release of new research from her team looking into the security provisions of commercial cloud services, especially software-as-a-service (SaaS).

The research suggested these commercial documents are frequently "inadequate." Specifically, too many contracts contain "ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident," it said.


And as no consensus exists in the nascent market about precisely how commitments to security services should be described, most SaaS vendors choose to commit themselves as little as possible in this area, Bona added.

That does not change the fact, she said, that buyers need security commitments from cloud service providers spelled out in writing, such as when third-party penetration testing will take place and how often.

And if you're entering such negotiations now, Gartner suggests requiring an annual security audit and certification by a third party, with the option to terminate the agreement after a security breach if the provider fails on any material measure. Another must-have: SaaS users should negotiate liability caps equal to 24 to 36 months of fees, rather than 12 months, plus additional liability insurance wherever possible.

Smart CIOs should also demand their cloud partners respond to the findings of assessment tools. Bona suggested as a useful resource the Cloud Security Alliance (CSA), especially its Cloud Controls Matrix, essentially a spreadsheet containing control objectives determined by its members to be important in the context of cloud computing.

"It will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider," said Bona.

At the same time, never assume your shiny new SaaS contracts include adequate service levels for security and recovery. "Whatever term is used to describe the specifics of the service-level agreement, IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations," she noted.

"We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed," she said.
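As an added illustration (not part of Gartner's research or this article), the following Python sketch shows what those three SLA terms mean when an incident actually happens: it computes the recovery time and recovery point the provider achieved from an incident timeline, checks the restored data against a digest the customer recorded itself at snapshot time, and turns each missed objective into a service credit. The objectives, timestamps, credit amount and payloads are constructed for the example.

```python
"""Measure achieved RTO/RPO and restore integrity against contracted SLA objectives.

Added example, not from the article or Gartner. All timestamps, objectives,
credit values and payloads below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SlaObjectives:
    """Contracted objectives (hypothetical values set in SAMPLE_SLA)."""
    rto: timedelta             # longest acceptable outage: service lost -> service restored
    rpo: timedelta             # oldest acceptable restore point: snapshot -> service lost
    credit_per_breach: int     # contractual service credit per missed objective (assumed)


@dataclass(frozen=True)
class IncidentRecord:
    """Facts about one incident, as the customer would reconstruct them."""
    last_good_snapshot: datetime   # restore point the provider actually recovered from
    service_lost: datetime
    service_restored: datetime
    expected_digest: str           # SHA-256 the customer recorded when the snapshot was taken
    restored_payload: bytes        # data handed back after recovery


def achieved_rto(rec: IncidentRecord) -> timedelta:
    """Recovery time actually delivered: how long the service was down."""
    return rec.service_restored - rec.service_lost


def achieved_rpo(rec: IncidentRecord) -> timedelta:
    """Recovery point actually delivered: data written in this window is lost."""
    return rec.service_lost - rec.last_good_snapshot


def restore_intact(rec: IncidentRecord) -> bool:
    """Integrity measure: compare the restored bytes with the customer's own digest.
    A digest the provider computes from the same (possibly corrupted) restore proves nothing."""
    return hashlib.sha256(rec.restored_payload).hexdigest() == rec.expected_digest


def evaluate(rec: IncidentRecord, sla: SlaObjectives) -> dict:
    """Return achieved figures, the list of missed objectives and the resulting credit."""
    breaches = []
    if achieved_rto(rec) > sla.rto:
        breaches.append("RTO")
    if achieved_rpo(rec) > sla.rpo:
        breaches.append("RPO")
    if not restore_intact(rec):
        breaches.append("integrity")
    return {
        "rto": achieved_rto(rec),
        "rpo": achieved_rpo(rec),
        "intact": restore_intact(rec),
        "breaches": breaches,
        "credit": len(breaches) * sla.credit_per_breach,
    }


# Constructed SLA: restore within 4 hours, from a snapshot no older than 1 hour.
SAMPLE_SLA = SlaObjectives(rto=timedelta(hours=4), rpo=timedelta(hours=1), credit_per_breach=5000)

# Constructed dataset and the digest the customer kept out-of-band at snapshot time.
SNAPSHOT_DATA = b"customer-id,balance\n1001,250.00\n1002,80.50\n"
SNAPSHOT_DIGEST = hashlib.sha256(SNAPSHOT_DATA).hexdigest()


def sample_incidents() -> tuple:
    """Two constructed incidents: one that misses every objective, one that meets them."""
    bad = IncidentRecord(
        last_good_snapshot=datetime(2013, 8, 2, 2, 0),
        service_lost=datetime(2013, 8, 2, 3, 30),        # snapshot is 90 min old -> RPO missed
        service_restored=datetime(2013, 8, 2, 8, 15),    # 4 h 45 min outage -> RTO missed
        expected_digest=SNAPSHOT_DIGEST,
        restored_payload=b"customer-id,balance\n1001,250.00\n1002,0.00\n",  # one row corrupted
    )
    good = IncidentRecord(
        last_good_snapshot=datetime(2013, 8, 2, 3, 0),
        service_lost=datetime(2013, 8, 2, 3, 30),
        service_restored=datetime(2013, 8, 2, 6, 0),
        expected_digest=SNAPSHOT_DIGEST,
        restored_payload=SNAPSHOT_DATA,
    )
    return bad, good


if __name__ == "__main__":
    for label, rec in zip(("bad", "good"), sample_incidents()):
        print(label, evaluate(rec, SAMPLE_SLA))
```

The integrity check only has teeth if the customer records the digest at snapshot time, independently of the provider; a checksum the provider produces from the restored copy cannot detect that the copy itself was corrupted. Likewise, a credit attached to each objective separately is what gives "meaningful penalties" a measurable basis rather than leaving them to post-incident negotiation.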

User Rank: Author
8/2/2013 | 7:53:16 PM
re: Cloud Contracts Need Work, Gartner Says
Sounds like government agencies are not alone in trying to write better SLAs and contracts for cloud services.
David F. Carr
User Rank: Author
8/6/2013 | 9:51:51 PM
re: Cloud Contracts Need Work, Gartner Says
The way I hear it, major corporations have a hard time getting cloud operators to budge on contract terms. If you're a small time operator, terms are strictly take it or leave it.
User Rank: Author
8/29/2013 | 3:10:06 AM
re: Cloud Contracts Need Work, Gartner Says
A Michael Byrne at FCC said the other day, "Procurement is the silent killer of innovation."