In Depth

Service Level Agreements: Tying the Knot

Service-level agreements are at the heart of most managed information security contracts. But they don't guarantee that buyer and seller are pulling in the same direction.

By Malcolm Wheatley

Page 5

Massachusetts' own contract with managed security services provider Genuity, for example, calls only "for the vendor to make best efforts to provide the most up-to-date version," he says. Even so, Ritter can see the advantages of a tighter approach: "There's no real reason why such stipulations couldn't be in place, provided that the lawyers understood both the need and the technicalities to phrase a sensible contract," he says.

Managed security services providers aren't too sure, though, and not just because they're objecting in principle to something that attempts to pin them down. "The speed with which patches and upgrades are updated is easy to talk about but much harder to do in practice," observes Patrick Cain, security advocate in the CTO's office at Genuity. "Patches can break what you've already got or just not work with it."

And in any case, he adds, there's nearly always more than one way to skin a cat. With many known threats, for example, it's perfectly possible to program the firewall to look for particular data packets and filter out the threat that way, without running the risk of breaking anything until the stability of a patch or upgrade is well understood.

In short, if such apparently simple issues can't be readily decided one way or another, it's difficult for any chief security officer to know if the deal he gets from his managed security services provider is a good one or not.

The mist is clearing, but slowly. Amit Yoran, vice president of global managed security services at Symantec (and another DoD CERT alumnus), concedes that customer pressure is forcing change. "Users are getting more sophisticated in their RFIs and RFPs, and are getting to better understand the various value propositions on offer," he says.

For his part, Massachusetts' Ritter points to draft initiatives developed by the Massachusetts Information Technology Division's Cyber Law E-Government Advisory Roundtable with respect to website and software development. If there's a way forward, it might be there, he believes. With page after page of legalese leavened with healthy dollops of good business sense, they're not documents for the fainthearted. Nor, yet, do they deal with managed security services. But as a model, well, yes, here's a bunch of lawyers with some sensible-sounding things to say about IT procurement.

Absent such progress, the business of managing your relationship with a managed security services provider will remain like nailing Jell-O to a wall. In which case, as the Romans used to say: caveat emptor, let the buyer beware.
