There are growing concerns among buyers of commercial cloud services that the security provisions offered by the products may not be up to standard, a new report has found.
Compiled by Gartner, the research indicated that software as a service (SaaS) contracts in particular often contain ambiguous terms that relate to the maintenance of data confidentiality.
As a result, buyers find it difficult to maintain their risk management strategies, as well as to defend their position when questioned by regulators and auditors.
Gartner believes that cloud services users need to make sure that SaaS contracts provide for an annual security audit and third-party certification, as well as the option to terminate the agreement in the event of a breach.
Alexa Bona, a vice-president at Gartner, said: "As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider."
Users of cloud services are also advised not to assume that SaaS contracts include adequate service levels for security and recovery; an organisation that assumes this is left exposed when an incident occurs.
IT procurement professionals who expect their data to be protected in the event of an attack, or to be restored should an incident occur, need to ensure their providers are under a contractual obligation to meet those expectations.
Ms Bona pointed out that with SaaS, the failure of just one service provider has the potential to impact thousands of customers at the same time, therefore presenting a "portfolio of risk for the provider".
In light of this, the majority of cloud services providers will not offer any contractual obligation for compensation, but this should not deter SaaS users from negotiating.
Gartner believes that buyers should seek liability limits equal to 24 to 36 months of fees, backed by additional liability insurance wherever possible; a limit of 12 months of fees is often the standard offer made by providers.
The group predicts that over the next two years, 80 per cent of IT procurement professionals will remain dissatisfied with the language of SaaS contracts and with the protections that relate to security.
This could put at risk organisations that use these products without fully understanding the contractual implications, especially where the compensation on offer would not cover the cost of a breach.