SaaS Service Agreements Can Leave Security on the Table

Ambiguity often abounds when it comes to the security requirements contained in contracts with software-as-a-service [SaaS] vendors, but there are minimum steps users can take to get what they want, according to industry analyst firm Gartner Inc.

The analyst firm is predicting that through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections relating to security. According to Gartner, SaaS contracts often lack specificity when it comes to the maintenance of data confidentiality, data integrity and recovery after a data loss incident.

Part of the problem, opined Gartner analyst Jay Heiser, may be that customers rarely have the leverage to demand substantive changes to SaaS contracts. Even in the cases where they do, it is still debatable how much impact this has on security, he said, adding that in highly-regulated businesses, cloud customers generally do look for specific contractual provisions.

“SaaS customer security sophistication is steadily increasing,” he told SecurityWeek. “The buyers are becoming more realistic on what they can and cannot put into a contract, and they are becoming more aware of other, non-contractual ways that they can ensure appropriate use of SaaS.”

Earlier this year, a study by CA Technologies and Ponemon Institute found that just 51 percent of the 748 IT pros surveyed evaluated the security of SaaS applications prior to deployment. This was a slight increase from 2010, when the survey found that 45 percent did so.

At a minimum, Gartner recommends that cloud customers ensure SaaS contracts allow for an annual security audit and certification by a third party and include the option to terminate the agreement if a breach occurs because the provider failed to meet any important standard. The provider should also be able to meet the control objectives set by the Cloud Security Alliance’s Cloud Controls Matrix.

“As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting…on-site audits and/or monitoring the cloud services provider,” Gartner analyst Alexa Bona said in a statement.

Another issue is the lack of real financial compensation for losses of security, service or data, according to Gartner.

“SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider,” Bona said. “Therefore, the majority of cloud providers avoid contractual obligation for any form of compensation, other than providing service in kind or penalties in the event that they miss a service level in the contract. SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible.”

Interestingly, Heiser argued that contracts may be a less significant part of the overall risk control mix for SaaS than some assume, when compared to other, more traditional forms of outsourcing.

“In a one-on-one scenario, such as traditional hosting, you negotiate for a specific service,” he said. “In a one-to-many scenario, such as SaaS, it isn’t practical to offer different levels of service to different customers, so providers are highly reluctant to agree to any substantive changes. However, the market puts huge incentives on cloud service providers to avoid security failure—much more so than traditional outsourcing. No CSP [cloud service provider] can afford the negative PR that would occur if thousands of customers were simultaneously impacted. This is abstract, a property that is very difficult to incorporate into a formal risk assessment, but this ‘market pressure’ is hard to deny.”

Still, a customer who wants to put highly-regulated data in the cloud needs more of a concrete justification than “those guys have a market incentive to protect my data,” he said.

“Buyers are looking for contractual provisions that might reduce the risk ambiguity, and they are looking for ways that the SaaS provider can share some of the risk,” said Heiser. “Without getting into a debate about how high or low SaaS risk actually is, I personally do not expect any significant change in contractual practices in the near to medium term future.”

Written By

Marketing professional with a background in journalism and a focus on IT security.