Security provisions of commercial cloud services - especially software-as-a-service (SaaS) - are frequently inadequate, with contracts containing "ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident", according to analyst group Gartner.
"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Alexa Bona, vice president and distinguished analyst at Gartner.
At the minimum, suggested Bona, users of cloud services need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with the option to terminate the agreement in the event of a security breach if the provider fails on any material measure.
Users should also have the power to demand that providers respond to the findings of assessment tools. Bona points to the Cloud Security Alliance (CSA), which has a "Cloud Controls Matrix" in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing.
"As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider," said Bona.
Furthermore, she warned, cloud users should not assume that SaaS contracts include adequate service levels for security and recovery.
"Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations.
"We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed."
As no consensus exists about how commitments to security services should be described contractually, most SaaS vendors choose to commit to as little as possible. However, buyers need security commitments from providers - such as regular penetration testing by third parties - in writing.
The lack of meaningful financial compensation for losses of security, service or data also represents a risk exposure to both providers and users of SaaS.
For providers, one service failure could affect many users and, therefore, the costs of even modest compensation could add up. As a result, the majority of cloud providers avoid such contractual obligations, other than providing services in kind or penalties in the event that they miss a service level in the contract.
SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and for additional liability insurance where possible, advises Gartner.
The analyst group's advice coincides with the release of a report into the subject, entitled Cloud Contracts Need Security Service Levels to Better Manage Risk.