When it Comes to SaaS, Make Sure to Check the Fine Print
“We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers,” said Alexa Bona, Vice President and Analyst at Gartner. According to surveys from the research firm, Gartner predicts that through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security. While this will in no way lower the ever-growing adoption rate of cloud-based services by enterprises, it does require IT departments to be more careful when reviewing the clauses that relate to cloud security.
Here are some specific recommendations on what to look for when evaluating cloud security in contracts from enterprise-level SaaS applications.
Education on Cloud Security
The critical first step in moving towards better cloud security is to understand what it looks like. A great place to start your research is the Cloud Security Alliance (CSA), a not-for-profit organization that promotes the use of best practices for providing security assurance within cloud computing. The CSA offers a very detailed Cloud Control Matrix that provides specific criteria to keep in mind when evaluating SaaS contracts. Keep this document for future reference to evaluate other cloud-based services as well.
Third Party Certification
“As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting an on-site audits and/or monitoring the cloud services provider,” pointed out Bona. The Statement on Auditing Standards No. 70 (SAS 70) is a widely used compliance audit for assessing the internal control framework from organizations that provide critical outsourcing activities for other entities.
Cloud-computing providers have adopted the SAS 70 Type I and Type II audits to certify their services. The SAS 70 Type II Audit is the more stringent out of the two because it includes a description of the service auditor’s tests of operating effectiveness and the results of those tests. Therefore, a vendor that meets SAS 70 Type II certification is much more desirable.
Clear Terms in Case of Loss or Breach
This is a no-brainer. It is crucial that some form of service, such as protection from unauthorized access by third parties, is committed to in writing. If your vendor commits to a security standard, then it will continuously audit itself and conduct regular vulnerability testing.
Bona explicitly points this out, “whatever term is used to describe the specifics of the service-level agreement, IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations. She added, we recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed. While it may be difficult to pin down a vendor to commit contractually to these terms, it is important to have a clear expectation of what will happen in case of loss or breach. The bottom line is that your company needs to avoid any ambiguity or loose contract language for these scenarios.
While SaaS applications, such as contract management software, offer several benefits to companies, they require certain necessary measures to keep them operating efficiently and to prevent service outages. Your company needs to be concerned about the risk ramifications of using SaaS applications and how to mitigate those risks.