Security Experts: SaaS Service Agreements Can Leave Security on the Table

Ambiguity often abounds when it comes to the security requirements contained in contracts with software-as-a-service [SaaS] vendors, but there are minimum steps users can take to get what they want, according to industry analyst firm Gartner Inc.

The analyst firm is predicting that through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections relating to security. According to Gartner, SaaS contracts often lack specificity when it comes to maintaining data confidentiality and data integrity, and to recovery after a data loss incident.

Part of the problem, opined Gartner analyst Jay Heiser, may be that customers rarely have the leverage to demand substantive changes to SaaS contracts. Even in the cases where they do, it is still debatable how much impact this has on security, he said, adding that in highly regulated businesses, cloud customers generally do look for specific contractual provisions.

"SaaS customer security sophistication is steadily increasing," he told SecurityWeek. "The buyers are becoming more realistic on what they can and cannot put into a contract, and they are becoming more aware of other, non-contractual ways that they can ensure appropriate use of SaaS."

Earlier this year, a study by CA Technologies and Ponemon Institute found that just 51 percent of the 748 IT pros surveyed evaluated the security of SaaS applications prior to deployment. This was a slight increase from 2010, when the survey found that 45 percent did so.

At a minimum, Gartner recommends that cloud customers ensure SaaS contracts allow for an annual security audit and certification by a third party, and include the option to terminate the agreement if a breach occurs because the provider failed to meet any important standard. The provider should also be able to meet the control objectives set by the Cloud Security Alliance's Cloud Controls Matrix.

"As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting…on-site audits and/or monitoring the cloud services provider," Gartner analyst Alexa Bona said in a statement.

Another issue is the lack of real financial compensation for losses of security, service or data, according to Gartner.

"SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider," Bona said. "Therefore, the majority of cloud providers avoid contractual obligation for any form of compensation, other than providing service in kind or penalties in the event that they miss a service level in the contract. SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible."

Interestingly, Heiser argued that contracts may be a less significant part of the overall risk control mix for SaaS than some assume, when compared with other, more traditional forms of outsourcing.

"In a one-on-one scenario, such as traditional hosting, you negotiate for a specific service," he said. "In a one-to-many scenario, such as SaaS, it isn't practical to offer different levels of service to different customers, so providers are highly reluctant to agree to any substantive changes. However, the market puts huge incentives on cloud service providers to avoid security failure—much more so than traditional outsourcing. No CSP [cloud service provider] can afford the negative PR that would occur if thousands of customers were simultaneously impacted. This is abstract, a property that is very difficult to incorporate into a formal risk assessment, but this 'market pressure' is hard to deny."

Still, a customer who wants to put highly regulated data in the cloud needs a more concrete justification than "those guys have a market incentive to protect my data," he said.

"Buyers are looking for contractual provisions that might reduce the risk ambiguity, and they are looking for ways that the SaaS provider can share some of the risk," said Heiser. "Without getting into a debate about how high or low SaaS risk actually is, I personally do not expect any significant change in contractual practices in the near to medium term future."