Shadow IT is the bane of CISOs' existence. Employees, or even whole departments, adopt software as a service applications with little input from security.
Security is not always included in negotiating SaaS agreements, pandemic or not, which leaves security guessing what rules the vendor can make.
"It's a bit like playing chess for the first time. You and your opponent are not on a level playing field," said Luke Ellery, senior director analyst at Gartner, while speaking during the virtual Gartner 2020 Security & Risk Management Summit.
Typically by the time security is invited into the agreement process, and throws up red flags, the business has already "fallen in love with a new shiny toy and they're not so interested in hearing about your risk and security," said Ellery.
If employees engage, despite the red flags, non-security employees may just ask for a retroactive acceptance of risk, which fails to address the underlying issue: an application outside of a company's risk appetite. Financial organizations, for example, might need their data encrypted while stored and in transit — a requirement needed in the pre-qualification phase of vendor agreements that maybe only CISOs are aware of.
Security takes on clauses
Ellery recommends the security organization take stock of each security requirement it would need to OK a tool and hand that list over to the procurement team. "Get procurement to do this work on our behalf before the business gets to see the new shiny toys that aren't suitable for them."
From there, the security team needs to know what, who, and where the application will be used. If use cases are known before an agreement is drawn, the security team can highlight potential failure points and narrow down vendor selection.
To do this, security and IT need to get in front of the business, according to Ellery. Security needs to be aware of clauses in SaaS agreements because they're fundamentally different from clauses in traditional software.
Some clauses are non-negotiable, like a vendor's subcontractors, but that list of subcontractors should be available for review. "Some vendors that provide software as a service don't actually do things such as hosting themselves," said Ellery."You might be able to request that they host on your preferred system."
SaaS vendors rely on a multitude of third-party vendors that security needs tabs on, especially when 11% of data breaches were caused by an intrusion on a third party's network, according to Gartner. "Your vendor is your third party and their third party, your fourth parties and so on," said Ellery.
A price certainty clause may be more top-of-mind during the pandemic. Most SaaS is "on a fixed term for a fixed volume. It's seldom provided on a consumption basis," like infrastructure as a service is, said Ellery. "As a result, if you started off with 50,000 users at the start of the year, and because of [COVID-19], you've now got 30,000," the company must pay for the original 50,000 users.
Other clauses, while not as important as subcontractors or price certainty, still need attention. "One of the clauses that was traditionally low priority but is starting to increase is force majeure," which highlights "events that excuse vendor behavior," said Ellery, such as catastrophic natural disasters or pandemics.
Similar to price certainty, the pandemic might have influence on force majeure clauses. Security and risk leaders want to pay closer attention to force majeure clauses because they're good indicators of vendor maturity.
"If they have a heap of excuses like pandemics and floods," or denial of service attacks, security breaches and third-party failure, "then you might question their maturity and factor that into your control assessment," said Ellery.
Service credit clauses factor into vendors' reportable revenue, making them harder to budge. "If the vendors got a high percentage of service credits, then they're not able to book that forward revenue," said Ellery.
Those reasons escalate into audited reports pertaining to the vendor's security control assessment. One Gartner client had a vendor experience a security outage. Upon reflection of their audit, the client determined that the outage was within the vendor's stated security controls. The vendor had to acknowledge the controls were in place for North America but not for operations in Asia.
"Ensure that the audit reports cover the services that you're looking to acquire," said Ellery.
Some clauses are high stakes in negotiating, others are deal-breakers.
If security has to say, "'We're going to have to walk away from this deal because of risk and security issue' — these clauses are walk away clauses," said Ellery.
Having the right to terminate a business relationship is standard, but the transition assistance clause is where companies should zoom in. "Transition assistance calls out the ability to continue the agreement after it's been terminated," but they're generally considered commercial because "the vendor is still being paid for the service and sometimes at a small premium," said Ellery.
Even at termination, some contracts might have lingering security issues.
"Inside the agreement, we have the termination provisions that set out what happens and how you get your data back," said Ellery. "But outside of the agreement, there [are] activities there that might actually impact the clauses that you need."
Contract terminations could impact business continuity, retraining staff and data retrieval. Ellery had a government client with a SaaS implementation overseas. When a government policy forced it to move data back to its native country, it estimated it would take at least three to four days to relocate the data.
The transition required "a whole heap of planning, which is why planning out your transition is so important before you sign the agreement," said Ellery.
Transition assistance clauses usually hold up for 18 months, but companies need to be test backup capabilities outside the agreement too. Ellery posed the question, "are you actually testing getting your data back," after a contract is terminated?
Some organizations backup SaaS data in-house or on another cloud because many SaaS termination agreements state customer data will be returned or destroyed.
Another Gartner client was assured that the vendor regularly backed up data. When an outage occurred, the client lost six weeks' worth of data. Gartner advises companies to make sure their business continuity plans are complementary to their vendors.