Entries Categorized as 'Vendor Contracts'
by Jay Heiser | April 26, 2012 | Comments Off
When you buy SaaS, you get what is written on the box. Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get. Consumer-oriented agreements often amount […]
Category: Cloud, IT Governance, Policy, risk management, security, Vendor Contracts Tags: Cloud, contracts, lawyers, legalese, SaaS, SLA, SLAs
by Jay Heiser | February 15, 2012 | Comments Off
Other than some analysis and speculation about how the takedown changed traffic patterns without actually reducing global piracy, and regular reports about the legal status of Kim Dotcom, the Megaupload drama hasn’t provided much in the way of news for a couple of weeks. On the theory that putting the string ‘Megaupload’ into the title of […]
Category: Cloud, risk management, Vendor Contracts Tags: continuity, recovery, SaaS escrow
by Jay Heiser | November 28, 2011 | 2 Comments
With the understanding that I am not a lawyer, and Gartner is not a law firm, here’s my brief summary of the contractual language dealing with SaaS security as provided by a prominent vendor: We believe that we obey the law. If there are any questions pertaining to how your data is handled within our […]
Category: Cloud, risk management, security, Vendor Contracts Tags: disaster recovery
by Jay Heiser | November 17, 2011 | 2 Comments
An SLA from a public cloud service promising some sort of recoverability is a crow feather, clutched in the trunk of the enterprise elephant, providing them the false courage to be willing to fly in the public cloud.
Category: Cloud, risk management, Vendor Contracts Tags: continuity, contract, Dumbo, feather, recovery, SLA
by Jay Heiser | July 5, 2011 | 1 Comment
I get a never-ending stream of questions that usually amounts to something like “What control tasks do I need to do to be sure that this SaaS service we are going to use will be adequately secure?” Unfortunately, at this point in time, SaaS providers offer relatively little support for enterprise control over anything. Assuming that the […]
Category: Applications, Cloud, IAM, IT Governance, risk management, security, Vendor Contracts Tags: backups, BCP/DR, Cloud, cloud security, continuity, disaster recovery, information security, malware, phishing, Trojan horse, vendor risk
by Jay Heiser | May 23, 2011 | 1 Comment
It's not surprising that as a technology approaches the top of the Hype Cycle, some of the vendors turn their Spin Cycle up to 11, which means there are going to be some disappointed buyers, especially those with high expectations for data encryption and data recovery.
Category: Cloud, IT Governance, risk management, security, Vendor Contracts Tags: Cloud, cloud security, continuity, disaster recovery, information security, infosec, outsourcing, risk management, security, Security-Summit-NA, vendor risk
by Jay Heiser | May 11, 2011 | Comments Off
Your company will usually do whatever it needs to do to survive—so will your supplier. They are not marching to your music, they are not heading towards the same goal line, they are not thinking your thoughts, and their ultimate loyalty is to themselves, not to you.
Category: Cloud, risk management, Vendor Contracts Tags: contracts, outsourcing, Security-Summit-NA, service providers, sourcing, vendor lockin, vendor risk
by Jay Heiser | July 5, 2010 | 4 Comments
SAS 70 is a) not a certification, b) not a standard, and c) isn’t meant to be applied the way it is being applied now. To be fair, all service providers are under huge customer pressure to provide SAS 70, but instead of explaining their security, continuity, and recovery capabilities in more appropriate terms, most […]
Category: Cloud, IT Governance, risk management, security, Vendor Contracts Tags: AICPA, certification, SAS 70, SAS70, standards
by Jay Heiser | June 30, 2010 | 4 Comments
Ideally, there would be no sensitive data in email, or it would be encrypted. Email is an unsafe and unreliable service, and it leaks like a sieve. It was never meant to be ‘secure’, and it is not. While careful administration and reliable technology can protect stored email from unauthorized access, hacking into PST files […]
Category: Applications, Cloud, risk management, security, Vendor Contracts Tags: 25999, 27001, certification, email, SaaS, SAS70, security