To help ease the concerns of cloud security, which Gartner says is still a chief inhibitor to enterprise public cloud adoption, buyers are looking to contracts and service-level agreements to mitigate their risks.
But Gartner cloud security analyst Jay Heiser says SLAs are still "weak" and "unsatisfying" in terms of addressing security, business continuity and assessment of security controls.
"A lot of these things are getting a lot of attention, but we're seeing little consistency in the contracts," he says, especially in the infrastructure-as-a-service (IaaS) market. Software-as-a-service (SaaS) controls are "primitive, but improving."
Below are some of the common and recommended security provisions in cloud contracts and how common and effective they are.
Customer audits on demand
These clauses allow customers to audit vendors.
Effectiveness: Partial, depending on how much the vendor allows the customer to inspect.
How common? Sometimes.
Data deletion certificate
Proof that data is deleted when service expires.
Effectiveness: High, legally defensible.
How common? Never.
Many vendors claim cloud services, by their nature, equate to disaster recovery, but that cannot always be the case. If, for example, data is only stored in a single location of a cloud provider without an offline backup, that creates a single point of failure.
Effectiveness: High, but difficult to verify. While vendors may claim they have robust systems, they are often reticent to provide evidence, citing security concerns.
How common? Not typically in contract clauses.
These provide the user credits or some sort of reimbursement in case of downtime.
Effectiveness: Partial. While a credit may be helpful, it is a post-factor remedy and does not prevent an outage from happening in the first place.
How common? Often found in contracts.
Effectiveness: Varies. There are multiple encryption methods. If encryption is done by the vendor when the data reaches the provider's cloud, it is less expensive and less secure compared to if the user encrypts the data before sending it to the cloud. Important factor is who stores and has access to the encryption keys. The more copies of the keys, the less secure it is. Beware of vulnerabilities related to losing keys.
How common? Varies by provider. Third-party tools can also be used to provide encryption as a service.
Many buyers use third-party security services to verify their providers' security controls, such as ISO27001 or SOC1 and SOC2 audits. But, a vendor simply reporting that it complies with these audits in many cases does not provide end users with the information they need to evaluate the provider's system for their specific security needs.
Effectiveness: Believed insufficient.
How common? Common.
Full indemnification for security failure impact
In this situation, a contract would outline that if there is a security breach that the provider would be responsible for losses of the customer.
Effectiveness: Theoretically high.
How common? Never.
Insurance by a third party, or by the vendor could help displace costs resulting from a security or data loss issue.
Effectiveness: Potentially helpful, but like the downtime credits, does not necessarily create incentive for provider to avoid a breach.
How common? Rare, but growing.
Negotiate security clauses
These allow customers to negotiate higher levels of security for certain programs or data.
Effectiveness: Potentially high.
How common? Mostly for large customers only.