Cloud is everywhere now, but it's often unexplored territory for CISOs. Still, if an organization decides to work with a cloud service provider, the CISO will have to manage and oversee the security side. So what should enterprises know about composing and reviewing cloud service-level agreements? Let's look at how CISOs should create an SLA for cloud service or cloud security providers when they're not cloud experts, and what should be incorporated into SLAs with cloud providers.
Service-level agreements, or SLAs, are necessary for enterprises, but their effectiveness depends on whether they address key areas in coverage, availability and security. SLA terms and conditions should also include financial penalties or credits to the customer if the SLA is not met because the service was not delivered. The enterprise legal team can ensure the SLA uses appropriate language to adequately protect the company's concerns.
The cloud has introduced a different approach to the SLA process, especially in data protection and cloud security. Conventional controls such as access control, user provisioning and administration, database controls, remote access, server operating system hardening, patching, vulnerability management and network security are all managed and administered differently in cloud services.
The Payment Card Industry Security Standards Council published the PCI DSS Cloud Computing Guidelines in February 2013, which describe the level of control and responsibility for clients and cloud service providers (CSPs) across the different service models. How much responsibility for control and security in the cloud environment the client bears depends on the service model. Cloud service-level agreements need to align with the cloud service model and clearly delineate unique and shared responsibilities in cloud security.
What to include in cloud service-level agreements
A recent Wired article titled "Service Level Agreements in the Cloud: Who Cares?" offers a list of criteria for cloud service-level agreements. These include "Availability (e.g. 99.99% during work days, 99.9% for nights/weekends); Security / privacy of the data (e.g. encrypting all stored and transmitted data); and access to the data (e.g. data retrievable from provider in readable format)." For data security, enterprises should look at encryption measures that are either native to the cloud service or provided through third-party firms, and at access control for all stored data and data in transit, including role-based access control. Other factors in the article include the location of data, change management and an exit strategy for a smooth transition away from the provider.
Clients should ensure that the cloud service-level agreements are written in terms of the service the enterprise itself receives. Many times the cloud SLA is written to cover regional availability rather than availability for a specific enterprise. Consequently, an outage that adversely affects one enterprise but not others within that region might still let the CSP state that it falls within the SLA requirements. The same applies to disaster recovery, problem resolution and change management.
Cloud service-level agreements should also include limitation-of-liability clauses, termination clauses and audit clauses. These give the enterprise greater independence and clout when validating that the agreed-upon service levels are actually being met. The CSP might resist or charge additional fees, but negotiate these clauses and SLAs anyway. Remember, competing CSPs will make concessions to get the business.
Become educated in cloud security. Become a member of the Cloud Security Alliance, seek training in cloud security, and attain cloud security certifications from reputable firms such as the SANS Institute or (ISC)2. Overall, maintain a proper focus on data protection in the cloud environment. No one will care about cloud security for your enterprise more than you.