
SaaS Service Agreements Can Leave Security on the Table

Ambiguity often abounds when it comes to the security requirements contained in contracts with software-as-a-service [SaaS] vendors, but there are minimum steps users can take to get what they want, according to industry analyst firm Gartner Inc.


The analyst firm is predicting that through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections relating to security. According to Gartner, SaaS contracts often lack specificity when it comes to the maintenance of data confidentiality, data integrity and recovery after a data loss incident.

Part of the problem, opined Gartner analyst Jay Heiser, may be that customers rarely have the leverage to demand substantive changes to SaaS contracts. Even in the cases where they do, it is still debatable how much impact this has on security, he said, adding that in highly-regulated businesses, cloud customers generally do look for specific contractual provisions.

“SaaS customer security sophistication is steadily increasing,” he told SecurityWeek. “The buyers are becoming more realistic on what they can and cannot put into a contract, and they are becoming more aware of other, non-contractual ways that they can ensure appropriate use of SaaS.”

Earlier this year, a study by CA Technologies and Ponemon Institute found that just 51 percent of the 748 IT pros surveyed evaluated the security of SaaS applications prior to deployment. This was a slight increase from 2010, when the survey found that 45 percent did so.

At a minimum, Gartner recommends that cloud customers ensure SaaS contracts allow for an annual security audit and certification by a third party and include the option to terminate the agreement if a breach occurs due to the provider failing to meet any important standards. The provider should also be able to meet the control objectives set by the Cloud Security Alliance’s Cloud Controls Matrix.

“As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting…on-site audits and/or monitoring the cloud services provider,” Gartner analyst Alexa Bona said in a statement.


Another issue is the lack of real financial compensation for losses of security, service or data, according to Gartner.

“SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider,” Bona said. “Therefore, the majority of cloud providers avoid contractual obligation for any form of compensation, other than providing service in kind or penalties in the event that they miss a service level in the contract. SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible.”

Interestingly, Heiser argued that contracts may be a less significant part of the overall risk control mix for SaaS than some assume when compared to other, more traditional forms of outsourcing.

“In a one-on-one scenario, such as traditional hosting, you negotiate for a specific service,” he said. “In a one-to-many scenario, such as SaaS, it isn’t practical to offer different levels of service to different customers, so providers are highly reluctant to agree to any substantive changes. However, the market puts huge incentives on cloud service providers to avoid security failure—much more so than traditional outsourcing. No CSP [cloud service provider] can afford the negative PR that would occur if thousands of customers were simultaneously impacted. This is abstract, a property that is very difficult to incorporate into a formal risk assessment, but this ‘market pressure’ is hard to deny.”

Still, a customer who wants to put highly-regulated data in the cloud needs more of a concrete justification than “those guys have a market incentive to protect my data,” he said.

“Buyers are looking to contractual provisions that might reduce the risk ambiguity, and they are looking for ways that the SaaS provider can share some of the risk,” said Heiser. “Without getting into a debate about how high or low SaaS risk actually is, I personally do not expect any significant change in contractual practices in the near to medium term future.”
