Why can’t security have SLAs?

Sure, 100 percent uptime is a pipe dream, but some vendors believe it is unrealistic to even place parameters on security.


You always hear about the five nines: 99.999 percent uptime, the availability figure typically laid out in a service-level agreement for a network. Can the same premise apply to security?

Vendors said no.

“It would be extremely difficult to set specific service levels relating to security. I can’t think of the parameters that you would apply,” said Danny Allan, vice president of Cloud & Alliance Strategy at Veeam.

Despite that sentiment, let's play a game of what-if. What if a parameter could be placed on a third party for security? What would it look like?

First, what is the issue? According to a Veeam-sponsored report written by Enterprise Strategy Group, four out of five organizations recognize that they have an “Availability Gap.” In this year’s research, 82 percent of respondents recognized the inadequacies of their recovery capabilities when compared with the SLA expectations of their business units.

If a network were to go down because of a security issue, the report put the average financial cost of that availability gap to an enterprise at $21.8 million. Almost two-thirds of respondents said digital transformation initiatives are being held back by unplanned downtime.

Jason Buffington, principal analyst for data protection at the Enterprise Strategy Group, said, “Even large, international enterprises continue to struggle with fundamental backup/recovery capabilities, which along with affecting productivity and profitability are also hindering strategic initiatives like Digital Transformation. In considering the startling Availability and Protection gaps that are prevalent today, IT is failing to meet the needs of their business units, which should gravely concern IT leaders and those who answer to the Board.”

The report goes on to say that six out of seven organizations lack a high level of confidence in their ability to reliably protect/recover data within their virtual environments. Seventy-two percent of respondents this year are unable to protect their data frequently enough to ensure that their business units’ expectations against data loss are met.

Peter McKay, President and COO of Veeam Software, said, “Our report states such ubiquitous access is merely a pipe dream for many organizations, suggesting new questions need to be asked of transformation plans and a different conversation started about existing infrastructure. Enterprises are facing a major crisis from competitors that are able to offer this uptime and combine that with user experience.”

So with that picture set, what could a security SLA do?

Alton Kizziah, vice president, global managed services, Kudelski Security, admits there is no 100 percent effective security control, process or technology. “Even air-gapped systems have recently been shown vulnerable to certain types of attacks. As such, it’s impossible and disingenuous for an MSSP to guarantee 100 percent security. Whether in an SLA or marketing material, it just isn’t a good practice to believe that security measures are infallible,” he said.

He said he prefers to measure items that give an idea of how effective the company is at helping clients manage and mature their security posture. Kudelski provides several SLAs as part of its client agreements, including response and triage time for security events, health issues, quiet data sources (log feeds that stop reporting), etc.

“We offer our clients service credits and monetary guarantees in the unfortunate case where we have a violation. There are also more subtle mechanics we like to follow, such as the percentage of false positives, which helps us make ongoing improvements to our monitoring and ensure data sources are properly configured to provide the appropriate relevant, contextualized data via a specific use case, and how many of our threat hunting findings can be translated into new monitoring alerts,” he said.

He added that effective security is difficult to measure, but a reasoned, pragmatic approach to evaluating and measuring effectiveness is required to steadily improve a vendor’s capability in a rapidly evolving threat landscape.
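The metrics Kizziah lists (triage time against a contractual target, quiet data sources, false-positive percentage, and hunting findings converted into alerts) are the measurable part of a security SLA, and they are simple to compute from a SOC's own ticket and log-feed data. The following is an added example, not code from the article or from Kudelski Security; the 30-minute triage target, the six-hour "quiet source" cutoff, the source names and every alert record are constructed for illustration.

```python
"""Worked example: MSSP security-SLA metrics over constructed sample data.

Added illustration, not Kudelski Security's code. Thresholds, source names
and records below are assumptions made up for the example.
"""
from datetime import datetime, timedelta

TRIAGE_SLA = timedelta(minutes=30)     # assumed contractual triage target
QUIET_THRESHOLD = timedelta(hours=6)   # assumed cutoff for a "quiet" log source


def _ts(s):
    return datetime.fromisoformat(s)


# Point in time at which the report is run (constructed).
NOW = _ts("2017-06-01T12:00:00")

# Constructed alert queue: (source, created, triaged, analyst disposition).
# A None triage time means the alert is still open.
ALERTS = [
    ("fw-edge-01", "2017-06-01T08:00:00", "2017-06-01T08:12:00", "true_positive"),
    ("fw-edge-01", "2017-06-01T09:05:00", "2017-06-01T09:50:00", "false_positive"),
    ("edr-fleet",  "2017-06-01T10:00:00", "2017-06-01T10:20:00", "false_positive"),
    ("edr-fleet",  "2017-06-01T10:30:00", None,                  None),
    ("vpn-gw",     "2017-06-01T02:00:00", "2017-06-01T02:10:00", "true_positive"),
]

# Constructed heartbeat table: last event received from each monitored source.
LAST_EVENT = {
    "fw-edge-01":   "2017-06-01T11:55:00",
    "edr-fleet":    "2017-06-01T11:58:00",
    "vpn-gw":       "2017-06-01T03:00:00",   # stopped sending at 03:00
    "dns-resolver": "2017-05-31T20:00:00",   # silent for most of a day
}

# Constructed hunting log: (finding, converted into a standing alert rule?).
HUNT_FINDINGS = [
    ("psexec from workstation subnet", True),
    ("rare parent for rundll32", True),
    ("outbound DNS TXT volume spike", False),
]


def triage_compliance(alerts, now=NOW, sla=TRIAGE_SLA):
    """Fraction of alerts triaged within the SLA.

    Open alerts older than the SLA already count as breaches; open alerts
    still inside the window are excluded because their outcome is unknown.
    """
    met = breached = 0
    for _, created, triaged, _ in alerts:
        c = _ts(created)
        if triaged is None:
            if now - c > sla:
                breached += 1
            continue
        if _ts(triaged) - c <= sla:
            met += 1
        else:
            breached += 1
    total = met + breached
    return met / total if total else 1.0


def quiet_sources(last_event, now=NOW, threshold=QUIET_THRESHOLD):
    """Sources whose most recent event is older than the threshold.

    A quiet source is a monitoring gap even when nothing looks wrong,
    which is why the article treats it as an SLA item in its own right.
    """
    return sorted(src for src, seen in last_event.items()
                  if now - _ts(seen) > threshold)


def false_positive_rate(alerts):
    """Share of dispositioned alerts that analysts closed as false positives."""
    closed = [d for *_, d in alerts if d is not None]
    return sum(d == "false_positive" for d in closed) / len(closed) if closed else 0.0


def hunt_conversion_rate(findings):
    """Share of threat-hunting findings that became standing monitoring alerts."""
    return sum(ok for _, ok in findings) / len(findings) if findings else 0.0


def sla_report(alerts=ALERTS, last_event=LAST_EVENT, findings=HUNT_FINDINGS, now=NOW):
    """Bundle the four metrics the way a monthly SLA report would."""
    return {
        "triage_compliance": triage_compliance(alerts, now),
        "quiet_sources": quiet_sources(last_event, now),
        "false_positive_rate": false_positive_rate(alerts),
        "hunt_conversion_rate": hunt_conversion_rate(findings),
    }


if __name__ == "__main__":
    for key, value in sla_report().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. An open alert is not ignored: once its age exceeds the target it is already a breach, otherwise a provider could improve the number by leaving hard cases open. And the quiet-source check runs off last-seen timestamps rather than alert volume, because a feed that silently stops is exactly the case where no alert will ever fire.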

Allan suggested some security service commitments could be:

  • Documented secure architecture (perimeter, hardening, processes, etc.)
  • End-to-end encryption for both data at rest and data in motion
  • Security insurance that covers breaches or costs relating to exposure
  • Industry-related certifications

“However, these are not service level agreements and having security in the SLA doesn’t immediately make sense to me,” he said. “There is rarely, if ever, any kind of security SLA – mostly because security is applied in layers rather than a checkbox. The approach that most providers use is to achieve a compliance certification with attestation from a third party (HIPAA, PCI, etc.). Those that are more mature will document a public security architecture model which they leverage at both the physical and operational side.”

He said a security SLA would almost always cover only five core areas: hardware, software, availability, reporting and notification, and incident response times.
