"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Alexa Bona, Gartner VP and distinguished analyst, in a statement.
Bona was speaking in connection with the release of new research from her team looking into the security provisions of commercial cloud services, especially software-as-a-service (SaaS).
The research suggested these commercial documents are frequently "inadequate." Specifically, too many contracts contain "ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident," it said.
And as no consensus exists in the nascent market about precisely how commitments to security services should be described, most SaaS vendors choose to commit themselves as little as possible in this area, Bona added.
That doesn't get away from the fact, she said, that buyers need spelled-out security commitments from cloud service providers -- like when penetration testing by third parties is going to happen, and how regularly -- in writing.
And if you're entering such negotiations now, look to require an annual security audit and certification by a third party, with the option to terminate the agreement in the event of a security breach if the provider fails on any material measure, suggested Gartner. Another must-have: SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where and whenever possible.
Smart CIOs should also demand their cloud partners respond to the findings of assessment tools. Bona suggested as a useful resource the Cloud Security Alliance (CSA), especially its Cloud Controls Matrix, essentially a spreadsheet containing control objectives determined by its members to be important in the context of cloud computing.
"It will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider," said Bona.
At the same time, never assume your shiny new SaaS contracts include adequate service levels for security and recovery. "Whatever term is used to describe the specifics of the service-level agreement, IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations," she noted.
"We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed," she said.