Partner Perspectives
5/18/2016 10:52 AM
Jamie Tischart
Cloud SLAs: What Everyone Should Know

13 questions to ask your service providers to better understand their service offerings and your risks.

When you sign up with a cloud provider for computing, storage, or application functionality, you should get a service level agreement that describes what the provider promises to deliver. An SLA should be fully transparent to customers and published on the provider’s website for prospective customers to review.

Unfortunately, SLAs are often difficult to find and can be even more difficult to decipher. SLAs are not really there to protect you, the customer. While they may provide some customer protection as a byproduct, they are really a marketing tool and a method to limit service provider responsibility in the event of an outage. This should not be viewed as negative. Every cloud provider I have worked for, talked to, and evaluated wants to provide their customers with 100% uptime and great service. But the complexity of software, infrastructure, humans, and reliance on third-party technologies and infrastructures makes 100% attainment near impossible.

I believe in the benefits, security, and financial opportunities that cloud services provide, but there are also risks that you should fully understand. In my last blog, I wrote about data disclosure and what you needed to ask your providers. This article is focused on service level agreements and what general questions to ask your providers to better understand their service offerings and your risks. Here are some practical questions to ask:

  1. Do you publish SLAs, and how are these documents accessed?
  2. If you do not publish SLAs, do you publish service level objectives (SLOs)?
  3. How do your SLA targets differ from your competitors'? You may be surprised that SLAs do not vary that much.
  4. Why were your SLA targets chosen? Targets are often defined competitively or based on the best or worst capability of the underlying products.
  5. How often have you violated your SLAs in the last three months, six months, 12 months?
  6. Do you publish your SLA results openly? How frequently?
  7. Which SLA metrics do you fail most often, even when the failure has no impact on your customers?
  8. How often do you increase or decrease your SLA targets, and what has the trend been? Any reduction or removal of a target may mean scalability challenges.
  9. What SLA metrics have been removed in the last 12 months?
  10. How often do you test your own SLAs? You really want to hear that the metrics are continuously tested.
  11. How are SLA claims validated? How am I compensated for an SLA violation? Your provider should be doing the work here, not requiring you to prove a failure.
  12. Do I receive detailed incident response information? This is necessary to fully inform your organization or customers of the problem and the solution. Never waste a failure; make sure your provider is identifying the root cause and resolving it.
  13. Do you use any third parties to monitor your SLAs? This can provide additional validation of the seriousness of SLA measurement.
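Questions 11 and 13 ask whether the provider validates SLA claims itself and whether a third party monitors them. You can keep an independent record as well. The block below is an added example, not code from the article or from any provider: it takes minute-level probe results, computes the availability figure, recovers the outage windows behind it, and checks the result against a target. The 99.9% target, the one-minute probe interval, and the probe data are constructed assumptions for illustration.

```python
"""Independent SLA availability check over constructed uptime-probe records.

Added example, not from the article. The probe log, the 99.9% target and the
one-minute probe interval are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Probe:
    at: datetime   # when the probe ran
    ok: bool       # True if the service answered correctly


PROBE_INTERVAL = timedelta(minutes=1)  # assumed probe cadence


def constructed_probes():
    """One hour of constructed minute-level probes: a 7-minute outage
    starting at minute 20 and a single failed probe at minute 45."""
    start = datetime(2016, 5, 1, 0, 0)
    probes = []
    for i in range(60):
        ok = not (20 <= i < 27) and i != 45
        probes.append(Probe(start + i * PROBE_INTERVAL, ok))
    return probes


def availability(probes):
    """Fraction of probes that succeeded, 0.0 to 1.0."""
    if not probes:
        raise ValueError("no probes to evaluate")
    return sum(p.ok for p in probes) / len(probes)


def allowed_downtime_minutes(target, period_minutes):
    """Downtime budget a target such as 0.999 permits over a period."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be a fraction in (0, 1]")
    return (1.0 - target) * period_minutes


def outages(probes, interval=PROBE_INTERVAL):
    """Consecutive failed-probe runs as (start, end_exclusive) windows."""
    ordered = sorted(probes, key=lambda p: p.at)
    windows, run_start = [], None
    for p in ordered:
        if not p.ok and run_start is None:
            run_start = p.at            # outage begins
        elif p.ok and run_start is not None:
            windows.append((run_start, p.at))  # outage ends at first good probe
            run_start = None
    if run_start is not None:           # still down at end of the window
        windows.append((run_start, ordered[-1].at + interval))
    return windows


def evaluate(probes, target, interval=PROBE_INTERVAL):
    """Compare measured availability to an SLA target and return the
    figures you would want in hand before discussing a claim."""
    ordered = sorted(probes, key=lambda p: p.at)
    minutes_per_probe = interval.total_seconds() / 60
    period_minutes = len(ordered) * minutes_per_probe
    failed = sum(1 for p in ordered if not p.ok)
    windows = outages(ordered, interval)
    longest = max(((e - s).total_seconds() / 60 for s, e in windows), default=0.0)
    measured = availability(ordered)
    return {
        "availability": measured,
        "target": target,
        "allowed_downtime_minutes": allowed_downtime_minutes(target, period_minutes),
        "downtime_minutes": failed * minutes_per_probe,
        "outage_count": len(windows),
        "longest_outage_minutes": longest,
        "met": measured >= target,
    }


if __name__ == "__main__":
    for key, value in evaluate(constructed_probes(), 0.999).items():
        print(f"{key}: {value}")
```

The figures come from your own probe schedule, so they can differ from the provider's measurement (different probe location, different definition of "down", different measurement period). That difference is the point: it gives you a record of your own to set beside the provider's incident report or credit calculation rather than relying on theirs alone.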

One final word on compensation for SLA violations: I believe that neither the customer nor the provider wants to focus on compensation. The customer wants the level of service they contracted for, not a lower level of service with some credits. The provider wants to deliver the contracted service, not disappoint and pay their customers. Compensation is currently seen as a stick to hold providers accountable, but it may be having the opposite effect and inadvertently causing providers to limit or withhold their SLAs. Having clear, accessible, and realistic SLAs published by the service provider and reviewed by the customer helps to reduce the focus on compensation.

In my next blog, I will explore questions to ask your provider about specific SLA measures.

Jamie Tischart is the CTO for Cloud/SaaS (Security as a Service) and is responsible for leading the creation of Intel Security's future generation cloud solutions and creating sustainable competitive advantage. He has been with Intel Security for more than 10 years in a wide ... View Full Bio
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must b...