What are your concerns with the cloud? As businesses, including construction, around the globe continue to make the migration to the cloud the question arises whether or not there should be long-term concerns associated with the contracts, associated with data security, access, and control.
A report from Gartner, www.gartner.com, Stamford, Conn., last week suggested buyers of commercial cloud services have issues with security provisions. According to the analyst firm, these contracts often have ambiguous terms related to the maintenance of data confidentiality, data integrity, and recovery after a data loss incident. Furthermore, Gartner believe this could make it more difficult for service providers to manage risk and defend their risk position to auditors and regulators.
This is a trend Gartner believes could be on the downside for the next few years, saying through 2015, 80% of IT procurement professionals will remain dissatisfied with contract language and protections that relate to security.
So what are the steps companies can take to ensure cloud services remain satisfactory? Gartner says companies should ensure SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. Also, Gartner believes it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools.
It points to the CSA (Cloud Security Alliance), www.cloudsecurityalliance.org, as one example of the type of resources that companies can turn to for assistance. The CSA has its Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing.
Alexa Bona, vice president and analyst, Gartner, says as buyers demand it, and as the standards mature, it will become increasingly common practice to perform such assessments. This includes reviewing third-party audit statements, conducting an on-site audit, or monitoring the cloud services provider, says Bona.
The topic is indeed highly relevant in construction as more and more contractors and builders migrate their IT environment to one in the cloud. The migration is underway, as results from the 2013 Constructech IT Playbook indicate the construction industry will be moving to a more cloud-heavy IT environment in the coming years.
Results show that currently only 12% of respondents have more than 50% of their applications running in the cloud. However, the next 12 months should be telling as a large majority of respondents are looking to migrate multiple applications to the cloud. Primary among those they are looking to move include project management, document management, and scheduling.
Furthermore, things like data security, data access, and data ownership are among the primary concerns respondents had to moving applications to the cloud in construction, according to the results.
The report from Gartner sheds like on the idea companies should not assume SaaS contracts include adequate service levels for security and recovery. “Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations,” says Bona. “We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed.”