Cloud customers, vendors don't agree on SaaS security
The advent of software-as-a-service (SaaS) has changed how enterprises approach their IT operations, with many departments now regarding server infrastructure management, maintenance and vigilant security monitoring as tasks properly assigned to their cloud providers. In theory, this new division of labor permits businesses to devote more mindshare to application development and deployment, processes which are enhanced by the provider's presumed ongoing provision of scalable resources at a price that rivals or sometimes undercuts the cost of operating a legacy system.
However, the contractual, pay-as-you-go nature of SaaS makes it crucial that both the company and the provider know their responsibilities, and SaaS providers may be shortchanging their customers by not providing sufficient transparency on their security diligence. A recent groundbreaking Gartner study has revealed that SaaS agreements are often riddled with ambiguities about the exact security measures taken by the provider, which in turn frustrates the risk management efforts of enterprises that have strict data compliance imperatives. Additionally, even when an enterprise finds fault with SaaS security, some contracts do not permit easy cancelation of service on the basis of perceived shortfalls in this area.
Dissatisfaction with SaaS is widespread, and it will continue for some time
Gartner analysts reported that most companies are currently unhappy with their SaaS contracts and will remain so for at least several more years, estimating that, through 2015, 80 percent of them will be dissatisfied with contract language. In the event of a major data breach or network attack, they would not feel confident that their providers had implemented the proper safeguards, or that those providers could prevent data loss or compliance lapses. Moreover, they would not even know whether it was the provider's contractual obligation to do so.
"Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations," said Gartner vice president and analyst Alexa Bona. "We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed."
Reporting on the Gartner study, ZDNet's Zack Whittaker pointed out that inadequate data governance, generated as a result of false assumptions about the distribution of cloud security responsibilities, could land organizations in hot water with not only their customers, but also regulators.
In the report, Gartner analysts recommended that companies demand from their SaaS provider the right to an annual, third-party audit and certification. If the security review exposes a key vulnerability, or if the organization ultimately suffers a breach of its cloud-contingent data, then it should also be able to terminate its SaaS contract, advised the report's coordinators.
"It will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider," argued Bona.
What can companies do to ensure fairer, more transparent contracts?
In order to obtain more workable contracts, companies may also need to involve more security personnel in the process.
"Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals," concluded Bona. "They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation."
Also writing for ZDNet, cloud technologies analyst Joe McKendrick presented an additional set of specific measures that companies could take to obtain clearer contracts. Examining a report from the QMUL Cloud Legal Project at the University of London, he also explored some of the underlying conceptual disagreements between providers and customers that have led to the current impasse over SaaS security.
To put pressure on their providers to change, businesses can join user groups for a specific vendor, which McKendrick stated would give extra weight to their grievances and perhaps eventually connect them with individual SaaS managers. At a larger scale, companies can also maintain relationships with multiple vendors to avoid being completely reliant on one provider for management of their critical data.
However, these tactics do not resolve some fundamental differences separating SaaS providers and clients. For example, many organizations, especially ones located in the European Union, have firm requirements that their data reside within specific jurisdictions or geographies. Cloud providers do not often volunteer information as to the whereabouts of their server infrastructures, nor do they accept sole liability for service interruptions or subsequent data loss, resulting in contracts that do not meet client needs.
On top of ambiguity, many contracts contain what McKendrick called "onerous automatic renewal policies," which lock customers into these questionable terms for long periods and at great cost. In some scenarios, businesses may actually be better off, financially and operationally, reverting to an on-site data center while they sort out provider issues.