Why can’t security have SLAs?
We always hear about the five-nines (99.999%), the typical amount of uptime laid out in a service-level agreement for a network. Can the same premise apply to security?
Vendors say no.
“It would be extremely difficult to set specific service levels relating to security. I can’t think of the parameters that you would apply,” said Danny Allan, vice president of Cloud & Alliance Strategy at Veeam.
Despite that sentiment, let us play a game of what-if. What if a parameter could be placed on a third party for security? What would it look like?
What is the issue, first of all? According to a Veeam-sponsored report written by Enterprise Strategy Group, four out of five organisations recognise that they have an “Availability Gap”. In this year’s research, 82% of respondents recognised the inadequacies of their recovery capabilities when compared with SLA expectations of their business units.
If a network were to go down for security issues, the report showed that the average financial cost of availability issues to an enterprise is $21.8 million (€19.5 million). Almost two-thirds of respondents said digital transformation initiatives are being held back by unplanned downtime.
Jason Buffington, principal analyst for data protection at the Enterprise Strategy Group, said: “Even large, international enterprises continue to struggle with fundamental back-up/recovery capabilities, which, along with affecting productivity and profitability, are also hindering strategic initiatives like Digital Transformation. In considering the startling Availability and Protection gaps that are prevalent today, IT is failing to meet the needs of their business units, which should gravely concern IT leaders and those who answer to the Board.”
The report goes on to say that six out of seven organisations lack a high level of confidence in their ability to reliably protect/recover data within their virtual environments. 72% of respondents this year are unable to protect their data frequently enough to ensure that their business units’ expectations against data loss are met.
Peter McKay, president and COO of Veeam Software, said: “Our report states such ubiquitous access is merely a pipe dream for many organisations, suggesting new questions need to be asked of transformation plans and a different conversation started about existing infrastructure. Enterprises are facing a major crisis from competitors that are able to offer this uptime and combine that with user experience.”
So, with that picture set, what could a security SLA do?
Alton Kizziah, vice president, global managed services, Kudelski Security, admits there is no 100% effective security control, process or technology. “Even air-gapped systems have recently been shown vulnerable to certain types of attacks. As such, it’s impossible and disingenuous for an MSSP to guarantee 100% security. Whether in an SLA or marketing material, it just isn’t a good practice to believe that security measures are infallible,” he said.
He said he prefers to measure items that give an idea of how effective companies are at helping clients manage and mature their security posture. There are several SLAs Kudelski provides as part of its client agreements, including response and triage time for security events, health issues, quiet data sources, etc.
“We offer our clients service credits and monetary guarantees in the unfortunate case where we have a violation. There are also more subtle mechanics we like to follow, such as the percentage of false positives, which helps us make ongoing improvements to our monitoring and ensure data sources are properly configured to provide the appropriate relevant, contextualised data via a specific use case, and how many of our threat hunting findings can be translated into new monitoring alerts,” he said.
He added that effective security is difficult to measure but a reasoned, pragmatic approach to evaluating and measuring effectiveness is required to steadily improve a vendor’s capability in a rapidly evolving threat landscape.
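The metrics Kizziah describes (triage time against a deadline, the share of false positives, and log sources that have gone quiet) are all computable from an event queue. The following is an added illustration, not Kudelski's code or thresholds: the 30-minute triage SLA, the 24-hour "quiet" threshold, the source names and the sample events are all constructed assumptions. It treats an open event that is already past its deadline as a breach and an open event still inside its window as not yet due, which is the edge case a real compliance report has to decide on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical SLA thresholds (assumptions for this example, not a vendor's figures).
TRIAGE_SLA = timedelta(minutes=30)      # an analyst must triage each event within 30 minutes
QUIET_THRESHOLD = timedelta(hours=24)   # a log source silent for 24 hours counts as "quiet"


@dataclass
class SecurityEvent:
    event_id: str
    source: str                      # log source that produced the event
    detected_at: datetime
    triaged_at: Optional[datetime]   # None while the event is still waiting in the queue
    verdict: Optional[str]           # "true_positive", "false_positive" or None if still open


def triage_sla_compliance(events: Iterable[SecurityEvent], now: datetime,
                          sla: timedelta = TRIAGE_SLA) -> Tuple[int, int]:
    """Return (events triaged within the SLA, events whose SLA deadline has been reached)."""
    met = due = 0
    for e in events:
        if e.triaged_at is not None:
            due += 1
            if e.triaged_at - e.detected_at <= sla:
                met += 1
        elif now - e.detected_at > sla:
            due += 1   # still open and already past the deadline: counts as a breach
        # open events still inside the window are not yet due and are skipped
    return met, due


def false_positive_rate(events: Iterable[SecurityEvent]) -> float:
    """Share of closed events whose verdict was false positive (0.0 when nothing is closed)."""
    closed = [e for e in events if e.verdict in ("true_positive", "false_positive")]
    if not closed:
        return 0.0
    return sum(1 for e in closed if e.verdict == "false_positive") / len(closed)


def quiet_sources(events: Iterable[SecurityEvent], expected_sources: Iterable[str],
                  now: datetime, threshold: timedelta = QUIET_THRESHOLD) -> List[str]:
    """Expected log sources that have not produced an event within the threshold."""
    last_seen: Dict[str, datetime] = {}
    for e in events:
        if e.source not in last_seen or e.detected_at > last_seen[e.source]:
            last_seen[e.source] = e.detected_at
    return sorted(s for s in expected_sources
                  if s not in last_seen or now - last_seen[s] > threshold)


def sla_report(events: List[SecurityEvent], expected_sources: List[str], now: datetime) -> dict:
    """Bundle the three metrics into one report dictionary."""
    met, due = triage_sla_compliance(events, now)
    return {
        "triage_met": met,
        "triage_due": due,
        "triage_compliance": (met / due) if due else 1.0,
        "false_positive_rate": false_positive_rate(events),
        "quiet_sources": quiet_sources(events, expected_sources, now),
    }


# Constructed sample data: a small event queue as it might look at NOW.
NOW = datetime(2017, 6, 1, 12, 0)
EXPECTED_SOURCES = ["firewall", "edr", "dns", "proxy"]
SAMPLE_EVENTS = [
    SecurityEvent("e1", "firewall", datetime(2017, 6, 1, 9, 0),
                  datetime(2017, 6, 1, 9, 10), "true_positive"),     # triaged in 10 min
    SecurityEvent("e2", "edr", datetime(2017, 6, 1, 9, 30),
                  datetime(2017, 6, 1, 10, 15), "false_positive"),   # 45 min: SLA breach
    SecurityEvent("e3", "firewall", datetime(2017, 6, 1, 10, 0),
                  datetime(2017, 6, 1, 10, 20), "false_positive"),   # triaged in 20 min
    SecurityEvent("e4", "edr", datetime(2017, 6, 1, 11, 50), None, None),  # open, 10 min old
    SecurityEvent("e5", "dns", datetime(2017, 5, 30, 11, 0),
                  datetime(2017, 5, 30, 11, 5), "true_positive"),    # dns silent since then
]

if __name__ == "__main__":
    print(sla_report(SAMPLE_EVENTS, EXPECTED_SOURCES, NOW))
```

With the sample queue, three of the four events that are due were triaged in time (75% compliance), half of the closed events were false positives, and `dns` and `proxy` show up as quiet sources: `dns` last reported two days ago and `proxy` never reported at all, which is exactly the misconfigured-feed case a quiet-source SLA is meant to surface.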
Allan suggested some security service commitments could be:
- Documented secure architecture (perimeter, hardening, processes, etc)
- End to end encryption for both data-at-rest and data-in-motion
- Security insurance that covers breaches or costs relating to exposure
- Industry-related certifications
“However, these are not service level agreements and having security in the SLA doesn’t immediately make sense to me,” he said. “There is rarely, if ever, any kind of security SLA—mostly because security is applied in layers rather than a checkbox. The approach that most providers use is to achieve a compliance certification with attestation from a third party (HIPAA, PCI, etc). Those that are more mature will document a public security architecture model which they leverage at both the physical and operational side.”
He said a security SLA would almost always cover the five core areas only—hardware, software, availability, reporting and notification, and incident response times.