Tag Archives: Cyber Security

Influencing the Quality of Services by Focusing on Service Level Agreements 

Service Level Agreements (SLAs) are enterprise life lines on the Internet. CIOs cannot plead ignorance of the clauses. First, the SLA is often written in plain English, and second, the SLA represents the “consensus” reached between the contracting parties. A focus on the SLA is an imperative; a necessity. So, what does one look for in an SLA?

This paper purports to help readers focus on SLAs for Cloud services and understand the what, why and how of it.

 

Table of Contents

  1. Introduction
  2. Definition of Services
  3. Performance Measurements
  4. Problem Management
  5. Customer Duties – Roles and Responsibilities
  6. Warranties and Remedies
  7. Disaster Recovery and Business Continuity
  8. Security
  9. Termination of Agreement
  10. Conclusion
  1. Introduction

CIOs can not plead ignorance of the clauses in the SLA if enterprise data suddenly vanishes into cyberspace! SLAs are often set out in plain English and a focus on the SLA is an imperative; a necessity for the survival of the organization in this digital age. A focus on the SLA, an understanding of the provisions and sections of the document is a must.

Service level agreements are formal, legally binding documents that are drawn up by the contracting parties. They formally set out the level of service that will be provided by the contractor under the terms of the contract. All Cloud services providers include SLAs that detail the level of service that will be provided for the duration of the contract.

A service level agreement is an “agreement”. It signifies consensus between the contracting parties. It assumes that there is a common understanding about services, guarantees and warranties, responsibilities and priorities. It defines levels of serviceability, availability, operation, performance or other attributes of the service, including billing. It details where and when a customer can expect “minimum” service and how it can be measured or what the target value is.

A few contracts may even contain clauses detailing penalties for failure to meet minimum expected levels of service. To get the right level of service, customers must examine the different sections of the service level agreement in detail.

At a minimum, a typical Cloud service level agreement includes the following sections:

  • Definition of services
  • Performance Measurements
  • Problem Management
  • Customer Duties
  • Warranties
  • Disaster Recovery and Business Continuity
  • Termination of Agreement
  1. Definition of Services

Cloud Service SLAs, like all utility service SLAs are output based. By this, we mean that the level of service that will be provided to the customer is defined in measurable terms. The service provider demonstrates value to the customer by expounding how knowledge, capability, and ingenuity are innovatively organized to deliver the requisite output or service to the customer. This emphasis on the delivery mechanism shifts the risk to the service provider.

The definition of services under the SLA may vary according to the type of service, the type of organization and the needs of the organization. A corporate level SLA may provide generic services to all parts of the enterprise. Multi-level SLAs may split services so that the service provider can cater to the specific service needs of different parts of the organization. Customer level SLAs may provision for services relevant to a particular industry. Service level SLAs may cover specific service requirements of specific service groups.

SLAs may offer layered services. The service provider may define the basic package(s), that will be made available at different prices. Customers can select from a list of “add-ons” (at pre-defined costs) or other specific features that they would like to include in their package. For instance, the basic package may offer the customer 2 GB of space for storage. The customer may choose to “add-on” additional storage by signing up for 20GB of space. The service user may also opt for an email system for the entire organization in addition to the other services being offered as part of the regular package.

All terminology proposed to be used in the SLA are also set out and explained in this section of the document.

  1. Performance Measures

That which is not monitored is not done. SLAs are drawn up to ensure that Cloud service delivery performance can be measured and the customer has the ability to monitor the performance of the service provider on the basis of a pre-defined set of standards and norms. The service provider also commits to a minimum level of service under this section of the SLA and has the opportunity to define the standards and norms that are to be used to evaluate the performance of the service delivery. For instance, “latency” is a term that describes the time taken for data to be recovered to the client machine from the storage server in the Cloud. “Uptime” is a measure that helps both the customer and the service provider understand whether the services are being delivered as promised. Uptime is usually expressed in 9s. As a client, one needs to think thoroughly on the level of uptime. Uptime can be incorporated with much accuracy by determining the number of 9s in the SLA. For example, the table below shows the co-relation between the number of 9s a client might target and the duration of downtime, which may vary from 5 minutes to over 36 days in a given year.

If your availability target is a mere 90%, there will be 36.5 days of downtime in a year (i.e. 10% of 365 days). If, however, your availability target is 99.999% (dubbed as five nines), then you will only have about 5 minutes of downtime in the entire year!

Availability Target Downtime Per Year (Approx.)
90 percent 36.5 days
99 percent 3.65 days
99.9 percent 8.8 hours
99.99 percent 52.6 minutes
99.999 percent 5.3 minutes

Table: Comparison of Downtime Vs Availability Target, using “one to five nines”

  1. Problem Management

This section of the SLA focuses attention on problem-handling systems integrated into the service. The purpose is to minimize the impact of events, incidents, and problems on the customer’s business. For instance, the Cloud vendor may provision for alerts to be generated whenever a backup or recovery fails or unauthorized entities attempt to access the data. The SLA may detail error handling procedures and set out escalation protocols for handling unexpected problems. Time frames for the resolution may be specified. Stipulations may include activation of audit trails and maintenance of logs and records for all types of incidents that may cause failures in delivery of service.

  1. Customer Duties – Roles and Responsibilities

The SLA is not a one-way street. The Cloud vendor has some expectations from customers. The service will work effectively only if the organization collaborates regularly with the vendor for technical and support contract issues. The organization must clearly indicate and designate the license administrator. The administrator is responsible for receiving and administrating the software product licenses, updates and upgrades and payment of all bills due or assigning rights and permissions to other users, who are authorized to access the online storage account. Though they may appoint secondary administrators in multi-level contracts, all secondary administrators must report to the primary administrator, who must remain a single point of contact for the Cloud vendor.

  1. Warranties and Remedies

The Cloud vendor provides the user details of any warranties and remedies under this section of the SLA. This is perhaps one of the most important sections for the customer. The warranties may cover service quality, indemnities, third party claims, remedies for breaches, exclusions and force majeure.

  1. Disaster Recovery and Business Continuity

Recovery is the raison d’etre for online Cloud backup and storage. The Cloud vendor describes in this section, the disaster management protocols that have been put in place by the company to safeguard against disaster.

The disaster recovery and business continuity guarantees may broadly include:

  • Provisioning of geographically dispersed servers for safeguarding against natural disasters such as Tsunamis, earthquakes or tornados
  • Continuous data replication or data mirroring to ensure high availability of information at all times
  • Seamless failover systems
  • Simultaneous creation of local copies of data using the Cloud vendor’s proprietary application even as data is being streamed to the online server over the Internet
  • Provisioning for bare-metal restores to any part of the world
  • Provisioning for data security with impregnable cryptographic modules, both during transmission and storage
  1. Security

This section of the SLA elaborates upon the security systems that the Cloud vendor promises to use. Any certifications obtained by the company for its cryptographic module or the type of encryption that is used (bank grade/military grade) is generally specified here. The encryption protocol may be used only for data in transition and not in storage or for both. If the vendor permits the customization of the encryption key, the fact will find a mention here with suitable warnings that the loss of the key could well mean the loss of data as the vendor does not retain copies of the customized keys.

Further, the vendor urges the customer to ensure that the user management systems provided is exploited to ensure that only authenticated and authorized personnel has access to data and enterprise policies are being adequately implemented through the interface settings.

  1. Termination of the Agreement

The last section naturally talks of when and how the contract can be terminated. The rights and responsibilities of the vendor and the customer are generally detailed in this section. Termination can occur at the end of the initial term, for convenience, and/or for a cause. However, whatever the type of termination, the vendor must undertake to delete all customer information from all primary and secondary servers in which the data has been stored. Some vendors even specify what they will do with the information that is stored by them in their archives and disaster recovery sites. Wherever interoperability of services is possible, the vendor may agree to transfer all customer data and applications to the new Cloud service provider.

  1. Conclusion

It must be reiterated that the SLA is a binding legal document. Both parties to the contract can enforce it and hence, it must be drawn up after both parties are satisfied that they have clarity on promises and expectations. Imperfect understanding on any side can lead to confusion, dissatisfaction and probable loss of business. Therefore, both parties must negotiate the different clauses before signing on the dotted lines and committing themselves to the contract.

In some cases, despite your due diligence, SLAs might not be met; and you won’t discover this until the unexpected happens and disaster strikes. Therefore, it is highly advisable that you understand and get comfortable with the SLA and that you anticipate disasters and plan accordingly. Sometimes, disasters are not fully understood; and administrators might define them vaguely. For instance, disasters that are defined as small instances may have just as big of an impact as the larger, less likely ones.

 

Home Office Invest 4 Million to Help Educate Businesses and Consumers

Cyber security has become more important within recent years and is set to become more important in the forthcoming years as cyber criminals are continuously developing their methods of attack. This has already resulted in many companies suffering from a data breach and suffering financially because of it.

The UK Home Office has acknowledged the increased threat that companies in the UK now face from cyber criminals and have therefore invested 4 million to launch a new information security awareness scheme. The first stage of this campaign is set to get underway in autumn and is designed to help educate businesses and consumers about the ever increasing threat that cyber criminals now pose.

The new scheme is set to help improve the governments National Cyber Security Programme as it is set to complement other well-established initiatives such as Get Safe Online. In order to get the scheme up and running, the Home Office are inviting bids from media, PR and creative agencies to create a campaign that will help educate small business and consumers about methods that will help them avoid becoming a victim of a cybercriminal.

Security Minister James Brokenshire stated, The digitisation of the UK economy has made our lives easier and has created huge opportunities, but it has also created individual security risks as well. If we are to meet these new challenges its essential we step up our efforts to stay safe online. The threat of cybercrime is real and the criminals involved are organised and driven by profit. By making small changes British businesses can remain competitive in the global economy and consumers can have greater confidence using the internet.

Mark James who is the Technical Director at ESET UK emphasised the importance of educating and training for small businesses as they are often overlooked in other security programmes.

James stated, SMEs form the backbone of the UK economy and without the resources always available to larger enterprises basic cracks in security measures can appear. When breaches in security can cripple a company in terms of both financial and reputational damage, its encouraging to see the government taking a lead in helping businesses build up resistance to threats by equipping them with the skills and confidence to adequately educate staff on the ways to spot malware and hacker threats.”

Is this a sensible investment by the Home Office?Do you believe that this scheme will be effective?

Latin America and Caribbean Becoming Haven For CyberCrime

A recent report by Trend Microhas highlighted the steep rise in cyber crime originating and targeting Latin America and the Caribbean. The report was prompted by what TrendMicro call “incomplete” knowledge of the cyberthreat landscape in the two regions.

The report, which comes as the use oftechnology and the internet has increased in these regions over recent years, brought to light the opportunistic tactics of cyber criminals who prey on newly emerging technologies before they have been adequately protected. It also highlighted that many countries in the two regions do not have adequate security threat detection or defences and so many incidents go either unnoticed or unabated.

The study threw up some interesting results. For example, between the countries included in the study, the increase in incidents from 2011 to 2012 ranged from 8% to 40%, however, some countries reported a decreased number of incidents overall. Some countries’ national cyber security organisations stated that their individual results may have been skewed in many cases by improved detection results, this is emphasised by the fact that countries with newly established cyber security agencies have some of the highest increases in threats detected. Trend Micro stated that these types of results “reinforced the notion that attacks had been occurring all along but had simply gone undiscovered or undocumented”.

The main emphasis of the report is on the relatively underdeveloped cyber security setup of the two regions. This is not altogether surprising as you would expect from two regions largely made up of developing nations. As computers and other types of technology, such as mobile devices, become more popular, more and more people are becoming exposed to what is already a very sophisticated and developed cybercrime landscape. The techniques being used to target business, such as banks, and individual users are nothing new, and have been seen in many developed countries for a number of years. The crucial difference is many governments and institutionsin the Caribbean and Latin America have not invested in their cyber security strategy as much as other parts of the world, either because of a perceived lack of threat, or lack of resources.

However, the report does mention that threats from hacktivist groups did in fact inspire some governments to rapidly invest in their internet defences. The report mentions two participating countries were threatened with action by political groups, which “motivated both governments to implement plans of action to mitigate and respond to potential attacks.” These threats were never carried out but they did bring about cooperation between what Trend Micro call “key stakeholders”, namely law enforcement agencies, ISPs and an infrastructure operator which helped improve the countries’ “national cyber resilience”.

As a whole, hacktivism was still relatively low as motivation for hacking and general misuse of the internet. Monetary gain was still the most common reason for cybercrime, with hackers targeting financial and personal details to be used on the international black market. The report does make a startling claim, that in 2012 the “economic impact and loss hacking caused…is likely greater than the loss caused by any other form of crime, including drug trafficking.”

The report concludes by saying that all of these factors, as well as many others detailed in the report lead to an inadequate “awareness of the problem” and “continued vulnerability” for the two regions. There is no doubt that in time more investment will be made in the cyber security strategies of these regions but until this is done, the regions will continue to be hit with wave after wave of hacking attack.

 

 

 

Cambridge First Year Wins GCHQ Cyber Security Challenge

Jonathan Millican from North Yorkshire has been named the UKs Cyber Security Champion after winning a GCHQ competition which has been running for the last 6 months.

The competition included a series of challenges ranging from attacks on webservers, defacement and mail spam. It was then up to contestants to make their suggestions of how they would defend against such instances.

Mr Millicans team actually finished second but as an individual Milican stood out throughout the tournament and was therefore awarded first prize.

Understandably there is now a large push to encourage young people to pave a career in cyber security. This has become especially apparent with the recent acknowledgement that there is a lack of expertise overriding the issue of lagging technology.

Judy Baker, director of the Cyber Security Challenge had this to say:

We want train to train and recruit more cyber security experts because theres a real need in the workplace. This was apparent in the list of sponsors which included BT, PWC, Cassidian, HP and QinetiQ, all trying to get a slice of the action by offering various internships, educational sponsorship and training.

Further work done by UK Cyber Security has involved increasing awareness through working with educational bodies to develop better courses.

Milicans prize presented him with 100,000 worth of fantastic opportunities including a sponsored masters course at the University of London. Last years winner Dan Summers went from being a Postman at the Royal Mail to working at the centre of its cyber security team.

The Director General for Cyber Security at the UK Government stated:

It is through initiatives such as this that organisations can continue to develop and maintain our leading edge in cyber space be being able to recruit the right people with the right skills.

With much scandal around hacking at the moment, particularly with the recent LulzSec arrests it would seem a good career choice and indeed Milican stated that he would now seriously consider such a route.

Next year the plan is to let security professionals go head to head with students. That could be embarrassing with wiz kids like Mr Milican around.

Tightened Cyber Security Required for Digital Healthcare Adoption

The U.S. government is encouraging healthcare organisations to utilise electronic healthcare records. However this will mean much more is required to be spent on Cyber Security.

As no organisation can afford to ignore the potential consequences of a data breach, according to the American National Standards Institute.

Of the 100 healthcare executives surveyed 60 of them cited lack of funding as the primary reason for not securing digital records.

However Obama is attempting to mitigate this and spur the adoption of digital health records through increasing incentive payments to doctors and hospitals. The economic stimulus legislation, established in 2009 may reach $27.4 billion.

The problem with the increasing adoption of electronic health records however is that it is leading to an increased frequency of data breaches. In 2011 breaches of healthcare data increased by 32%, costing the industry a collective $6.5 billion.

To successfully mitigate data breach threats and risks, leaders of organisations in the healthcare sector must understand the evolving healthcare ecosystem, American National Standards Institute.

A Bloomberg study which spoke to healthcare providers, pharmaceutical and medical device companies estimated that spending on cyber security would rise from $23 to $155 million in order to stop 95% of hacking attacks.

The report released by The American National Standards Institute offered a five-step model to help top executives invest in protecting health records. What we want to demonstrate is the work that the private sector can do on a key national priority, James McCabe senior director at the institute.

The emphasis which is being placed on encouraging private service adoption is similar to what is now taking place in the UK with the G-Cloud rollout and certainly helps level the playing field for SME service providers.

Cyber warfare hits UK hard

In 2009 it has been revealed that the UK was subject to almost daily attacks from groups of international hackers, many of whom were either partly or wholly sponsored by foreign states or terrorist organisations with backing from unknown global powers.

In an interview with The Observer, security expert Lord West of Spithead revealed that 300 notable attacks were launched against UK businesses and organisations in 2009, but a far greater number of lower grade attacks were fended off each and every day.

The vast majority of the high level attacks remain unpunished, as the groups that perpetrate them are usually working for intelligence agencies with foreign funding. Tracing the attackers is virtually impossible according to Lord West, who said that the lack of online regulation made clandestine hacks and data theft relatively simple to carry out.

Lord West revealed that data detailing secret designs for aerospace engineering projects and other hugely expensive and sensitive undertakings had been stolen by third party groups. He went on to say that other states would only deny involvement when asked about the thefts, leaving the UK authorities with little to act upon.

Lord West also suggested that the UK had the means to retaliate in the online cold war that appears to be being waged between a number of global entities. He said that although the UK is not currently involved in any kind of counter-attacks, it would certainly be willing to consider the viability of such a strategy if matters continue to worsen.

Heads of industry and leaders in positions of power in the West are beginning to approach the threat of data security with increased attention and gravity. The Office of Cyber Security has been created by the UK government and is aimed at tackling the threat head-on, whilst in the USA President Obama has called upon the services of Howard Schmidt to ensure that America is better prepared for international digital espionage.

The immense cost of data security and protection for businesses has been revealed by various studies and reports, with some believing that central intervention and counter-measures may be necessary to restore the balance.

Our Customers

  • ATOS
  • Age UK
  • Alliance Pharma
  • Liverpool Football Club
  • CSC
  • Centrica
  • Citizens Advice
  • City of London
  • Fujitsu
  • Government Offices
  • HCL
  • LK Bennett
  • Lambretta Clothing
  • Leicester City
  • Lloyds Register
  • Logica
  • Meadowvale
  • National Farmers Union
  • Network Rail
  • PKR

Sales question? Need support? Start a chat session with one of our experts!

For support, call the 24-hour hotline:

UK: 0800 999 3600
US: 800-220-7013

Or, if you've been given a screen sharing code:

Existing customer?

Click below to login to our secure enterprise Portal and view the real-time status of your data protection.

Login to Portal