Cloud service contracts should be more transparent
Gartner said that SaaS contracts often contain ambiguous clauses, especially those covering data confidentiality, data integrity and recovery after data loss. This has led to dissatisfaction among cloud service users and has made risk management harder for service providers. Cloud service providers, and SaaS buyers in particular, have started to examine the lack of security terms in contracts.
Gartner said that by 2015, 80% of IT procurement staff will be dissatisfied with the security-related terms and protections in SaaS contracts. Alexa Bona, Gartner vice president and noted analyst, said: "At the moment, users are somewhat dissatisfied with the format and transparency of cloud service providers."
At a minimum, users of cloud services need to make sure that the SaaS contract requires annual third-party security monitoring and certification, and that they can terminate the contract over a security issue caused by the vendor. It is also reasonable for users to require the use of assessment tools. For example, participants in the CSA (Cloud Security Alliance) have developed the CCM (Cloud Controls Matrix), a spreadsheet that sets out control objectives for cloud services. Ms. Bona said: "As more buyers' needs and standards mature, multiple assessment methods will become more common, including reviewing responses to surveys, reviewing third-party monitoring reports, conducting on-site audits of cloud service providers and testing, etc."
In addition, cloud service users should not assume that SaaS contracts already provide adequate security and recovery services. Ms. Bona said: "Regardless of how the SLA (Service Level Agreement) is worded, IT procurement staff must ensure that the services provided by vendors protect the data from attacks and that the services are recoverable after an incident. We recommend adding provisions to the SLA on recovery time and recovery point objectives and data integrity standards, along with compensation when these requirements cannot be met."
Because SaaS providers have not agreed on common contract terms, most of them keep their commitments to a minimum. Some commitments, such as protecting the service from unauthorized third-party access, annual security standards certification, and regular vulnerability testing, are important and require a written commitment.
SaaS contracts also lack provisions on financial compensation for security, service or data losses, which is a potential risk. SaaS is a one-to-many scenario where the failure of a single service provider immediately affects thousands of users. As a result, most cloud service providers avoid mentioning compensation in their contracts. SaaS users should negotiate a 24- to 36-month liability period instead of 12 months, with as much additional liability coverage as possible.
In view of the risks of cloud computing, more roles than IT procurement staff alone, including security, recovery and privacy personnel, should take part in purchasing cloud services. They should periodically review cloud computing contracts to ensure that IT procurement staff make purchasing plans that mitigate risk.