As virtualized environments become more commonplace, many organizations are turning many aspects of their IT management over to cloud service providers. “Security as a service,” or SaaS, has created an environment in which many of the functions that were once managed by in-house IT staff, including security monitoring, are now handled by outside vendors.
However, many SaaS contracts fail to adequately address the security needs of many organizations, especially those dealing with massive amounts of sensitive data. Not only are the terms regarding security measures unclear, there’s generally little by way of guarantees or reimbursement when things go wrong.
But there are a few things SaaS procurement professionals can do to ensure these important contracts meet their security needs. Getting the right people involved, negotiating better provisions and requiring certain security measures are all steps toward ensuring better contracts and data security.
Include More IT Security Professionals in the Buying Process
In many organizations, the task of procuring SaaS contracts is managed by the purchasing department or by IT managers with limited input from security personnel. Instead, the security team is usually expected to work within the parameters of the service and the contract, developing security protocols and solutions after the fact, inside a framework that may not actually meet the organization’s requirements.
However, to better ensure that the SaaS contract contains adequate provisions for risk mitigation, and that it meets requirements for privacy, for compliance with data storage and data use laws, and for standards and protocols covering data breaches, data loss and downtime, it is important for more IT security professionals to be involved in the procurement process. Getting the perspective of the people who will be responsible for protecting the virtualized environment and the data it contains before the purchase will help prevent serious security issues after the purchase.
Require Regular Third-Party Security Audits
When it comes to maintaining security, transparency from providers is vital; it is simply not enough to rely on the word of the cloud service provider that it is maintaining adequate server security protection from Trend Micro. For that reason, buyers should insist on a contract that provides for annual third-party security audits and certification. An independent third party will identify security strengths and weaknesses without bias, and will confirm that the SaaS provider is actually maintaining the security measures it promised.
Negotiate Better Contract Terms
According to research firm Gartner, almost 80 percent of all SaaS procurement professionals are not happy with the language and provisions in their SaaS contracts. For example, many contracts are difficult to modify or cancel; even if a serious data breach occurs or the servers go offline for significant periods of time, a business may be locked into contract terms that prevent it from canceling without significant fees or other consequences. Other common complaints include automatic renewal provisions that are unclear or difficult to manage, a lack of transparency about where the servers are physically located, and a lack of accountability or reimbursement provisions when a data breach or downtime occurs.
Because most SaaS providers serve many customers at once, when things go wrong they generally affect many customers at the same time. If providers had to compensate every affected customer, their costs could quickly become unmanageable, which is why they resist such terms. Nevertheless, as a customer you should negotiate for fee limits that provide some form of remediation in the event of an issue; Gartner recommends fee limits that range from 24 to 48 months rather than the standard 12 months. Additional contract provisions — which are often missing from current contracts — should include guarantees of protection from unauthorized access, regular vulnerability tests, and security audits and certifications.
Maintain Multiple Vendor Relationships
As the old saying goes, you should never put all of your eggs in one basket. That certainly applies to your SaaS vendor contracts. When all of your critical data is stored and managed in one place, a single data breach or service interruption can be devastating. By maintaining relationships with multiple vendors, you reduce that downtime risk, because you can transition to another service when necessary.
Maintaining advanced network security in your business requires a commitment to strong defenses on every front, including your contract negotiations with outside vendors. Do not accept the status quo, but insist on contracts that effectively meet your needs and, most importantly, protect your data.