Summary:

Gartner is finding cloud users are unhappy with security provisions they find in the contracts they sign. It’s offering some pointers on what customers should ask for.

It’s one thing for security vendors to scare people into thinking the cloud isn’t secure and their products can save the day: that’s been part of the security business forever. It’s a whole other thing when companies realize the security features included in Software-as-a-Service (SaaS) contracts are subpar.

That’s just what Gartner is finding, according to a statement the analyst group released on Thursday.

Gartner’s Alexa Bona said SaaS customers ought to push for terms on data recovery time and data integrity in the contracts they sign. And contracts should also ideally make it clear the services will be subject to regular vulnerability testing and won’t be accessed by unauthorized third parties. On top of that, if a service gets hacked and data is stolen as a result, the vendor should have to compensate its customers.

At the very least, contracts should say the service will get a security audit each year and maintain a legitimate security certification. They should also let customers jump out of a contract if a security breach happens.

It’s not hard to understand the concerns about security. Developers or marketing people have been eager to circumvent the traditional IT buying process and instead pull out their credit cards to pay for new cloud services. While those people might be checking for substantial uptime promises in service-level agreements, they might gloss over security guarantees and only think about them after it’s too late.

In the aftermath of this report, it wouldn’t be surprising to see some SaaS vendors modifying their contracts to appease customers. But they aren’t the only ones having to talk more, if not do more, on the security front. Following revelations on the National Security Agency’s PRISM program, it appears that companies have made security a higher-priority focus — something we’ll be delving into at Structure:Europe next month — when they consider Infrastructure-as-a-Service (IaaS) offerings.

The absence of important security clauses in contracts might not occur to the marketing people whom Gartner expects to be such big IT spenders, but it presents a good opportunity for CIOs to weigh in and protect the company. That could help businesses become more agile without leading to situations they will regret later.

Feature image courtesy of Flickr user Jason Saul.
