Story Box-ID: 615588

Gartner Deutschland GmbH Lehrer-Wirth-Str. 2 81829 München, Germany http://www.gartner.de
Contact Ms Marina Lovric +49 89 99837010
Gartner Deutschland GmbH

Gartner Says Cloud Contracts Need More Transparency to Improve Risk Management

Analysts to Discuss Costs and Risks of Cloud Agreements at the 2013 Gartner IT Financial, Procurement & Asset Management Summits, 11-12 September in London and 25-27 September in Orlando, Florida

(PresseBox) (Egham, UK, )
Buyers of commercial cloud services, especially software as a service (SaaS), are finding security provisions inadequate. Gartner, Inc. said SaaS contracts often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident. This leads to dissatisfaction among cloud services users. It also makes it harder for service providers to manage risk and defend their risk position to auditors and regulators.

Gartner said that, through 2015, 80 per cent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security. "We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Alexa Bona, vice president and distinguished analyst at Gartner.

At a minimum, cloud services users need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. In addition, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools. The Cloud Security Alliance (CSA), for example, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing. "As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider," said Ms Bona.

Furthermore, cloud users should not assume that SaaS contracts include adequate service levels for security and recovery. "Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations," said Ms Bona. "We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed."

As no consensus exists about how commitments to security services should be described contractually, most SaaS vendors choose to commit to as little as possible. It is crucial that some form of service, such as protection from unauthorised access by third parties, annual certification to a security standard, and regular vulnerability testing, is committed to in writing.

The lack of meaningful financial compensation for losses of security, service or data also represents an undesirable form of risk exposure in SaaS contracts. "SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider," said Ms Bona. Therefore, the majority of cloud providers avoid contractual obligation for any form of compensation, other than providing service in kind or penalties in the event that they miss a service level in the contract. SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible.

"Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals. They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation," said Ms Bona.

More detailed analysis is available in "Cloud Contracts Need Security Service Levels to Better Manage Risk", a report available on Gartner's web site at http://www.gartner.com/document/2372720?ref=QuickSearch&sthkw=g00247574.

Gartner analysts will discuss cloud pricing models and contracting in more detail at the Gartner IT Financial, Procurement & Asset Management Summit 2013 in London on 11-12 September, and at the Gartner IT Financial, Procurement & Asset Management Summit 2013 in Orlando, Florida on 25-27 September. To register for the Summit in London, please contact laurence.goasduff@gartner.com. For the US Summit, please contact janessa.rivera@gartner.com.

You can also follow the event on Twitter at http://twitter.com/Gartner_inc using #GartnerITAM.

About Gartner IT Financial, Procurement & Asset Management Summit 2013

The Nexus of Forces - mobile, social, cloud and big data - is rewriting the rules of IT. Major trends such as the transition to the cloud, "bring your own device" and the explosion of "smart" everything cannot be avoided or even slowed down. At the Summit, Gartner analysts will identify how to optimise costs, maximise the value of existing investments, minimise risk and make informed decisions about new purchases.

Gartner Deutschland GmbH

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is a valuable partner in more than 13,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 5,500 associates, including 1,402 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.