Gartner calls for annual security audit for SaaS products.
Around 80% of IT procurement professionals will remain dissatisfied with SaaS contracts’ ‘vague’ security clauses through to 2015, according to analysts Gartner.
The research firm said cloud services users need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure.
Gartner VP and analyst Alexa Bona said: "We continue to see frustration among cloud service users over the form and degree of transparency they are able to obtain from prospective and current service providers."
According to Gartner, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools.
The Cloud Security Alliance (CSA) has a cloud controls matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing.
"As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider," Bona said.
Gartner analysts said that cloud users should not automatically assume that SaaS contracts come with adequate service levels for security and recovery.
Bona said regardless of the terminology used in service-level agreements, IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are under contract to meet those expectations.
Gartner suggested SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months.
"They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation," Bona added.