In Depth

Service Level Agreements: Tying the Knot

Service-level agreements are at the heart of most managed information security contracts. But they don't guarantee that buyer and seller are pulling in the same direction.

By Malcolm Wheatley

Page 2

Perhaps. Poke a little deeper, though, and this seemingly straightforward view quickly becomes murkier. How is a vendor performing? Look no further than the plethora of reports that it issues to its customers. Different vendors provide different reports, but most are variations on a similar theme. How quickly were threats detected and resolved? What kind of threats were they? Were they random or deliberately targeted? Which parts of the system were under attack? Is the trend in attacks of a particular nature rising, holding or falling?

At face value, such metrics appear very sensible, and they, of course, are the measures lovingly enshrined in the standard SLA. The tricky part is determining whose purpose the metrics in service-level agreements really serve.

Fess up: Certainly CSOs and their security organizations have a vested interest in them. An armful of freshly delivered statistics always comes in handy when you need to justify jobs and budgets: "We've not been hacked lately, but look what might have happened!"

As it turns out, the same logic that applies when you persuade your executive team applies equally when your vendor is selling to you. That's one reason why managed security services providers appear to accept metric-laden SLAs with almost open arms. "We want our customers to see exactly how we're doing in protecting them," enthuses Pete Privateer, vice president of protection services for Atlanta-based Internet Security Systems. His customers are thus provided with a portal, protected by both password and token, that contains up-to-the-minute information about the company's performance in meeting the specified SLA standards. "If they want, customers can drill down through the data to see information on the specific threats that are pertinent to them: data on the incidence of port scans or distributed denial-of-service attacks over the last month, for example," Privateer says. "Or even firewall logs, if they want to go into that level of detail."

Again, this tidal wave of metrics contains a generous dollop of self-interest. The metrics also indisputably serve the handy double purpose of persuading customers that they're getting a good deal, possibly to the extent of encouraging them to upgrade to the next level of service. (Internet Security Systems, for example, offers four levels of service as standard: basic, silver, gold and platinum.)

The Greater Problem

But even taking the motive in providing (or receiving) the metrics at face value, a bigger question remains: Which metrics really matter? The answer, it seems, depends on the business.

Daniel Piggott, group IT manager with Benson Group, a British construction company, was perfectly happy to sign up to the standard service-level agreement offered by U.S.-based Via Net Works. Via provides most of the company's telecommunications and Internet access, he explains, and opting to sign up to Via's managed security services provision offered economies of scale. When structuring the contract, though, Piggott went along with the service-level agreement that Via proposed. "They said, 'Here's our standard terms,' and we felt we could live with it," he says. "You have to be reasonable. We're not a financial services company; we're a construction company and didn't feel that we couldn't survive if a security issue meant an hour's outage."
