Friday, 02 August 2013 13:39

‘Inadequate’ security concerns for cloud service buyers


Inadequate security provisions in commercial cloud services, especially Software-as-a-Service (SaaS), are causing concern among buyers of those services, according to a new report from global analyst firm Gartner.

Gartner says that Australian organisations are forecast to spend $542.7 million on cloud application services or SaaS across the different software categories in 2013, up 27.7% from $424.9 million in 2012, with SaaS expected to have a compound annual growth rate of 25% in Australia from last year to 2017.

Gartner says SaaS contracts often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident.

According to Alexa Bona, Vice President and distinguished analyst at Gartner, this contractual ambiguity leads to dissatisfaction among cloud services users and “makes it harder for service providers to manage risk and defend their risk position to auditors and regulators.”

The Gartner report says that through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security.

“We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers,” Bona said.

Gartner says that, at a minimum, cloud services users need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure.

In addition, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools, Bona says.

“The Cloud Security Alliance (CSA), for example, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing.

“As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting on-site audits and/or monitoring the cloud services provider.”

Bona also cautions that cloud users should not assume that SaaS contracts include adequate service levels for security and recovery.

“Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations.

“We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed.”

According to Bona, as no consensus exists about how commitments to security services should be described contractually, most SaaS vendors choose to commit to as little as possible. She warns, however, that it is crucial that some form of service, such as protection from unauthorised access by third parties, annual certification to a security standard, and regular vulnerability testing, is committed to in writing.

Gartner says that the lack of meaningful financial compensation for losses of security, service or data also represents an “undesirable form of risk exposure” in SaaS contracts.

“SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider.

“Therefore, the majority of cloud providers avoid contractual obligation for any form of compensation, other than providing service in kind or penalties in the event that they miss a service level in the contract. SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible.

“Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals. They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation,” Bona concludes.

Co-author of the Gartner report on security in cloud services, Jay Heiser, will be speaking on the topic of ‘Practicing Safe SaaS’ at the Gartner Security & Risk Management Summit in Sydney from 19 to 20 August.

Peter Dinham

Peter Dinham - retired in 2020. He is a veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).
