SLAs - the onus is on you

By Ilva Pieterse, ITWeb contributor
Johannesburg, 30 Aug 2016
Claude Schuck, Veeam.

A company can no longer shy away from the responsibility that comes with the security of customer data. Laws such as the recently passed Protection of Personal Information (POPI) Act won't let them get away with it, which means an organisation's service level agreements (SLAs) need to be watertight. And many will be surprised to realise this doesn't just apply to cloud services.

"IT security remains the responsibility of the board and is delegated to the CIO/CISO, whether the IT services that you consume are in the cloud or not," says Pink Elephant's operations manager Andre van der Merwe.

He states that the SLA, which was traditionally used as an upfront, once-off static agreement on the requirements of IT security between the organisation and the cloud provider, is no longer a sustainable option and needs to fundamentally change. "It's extremely important that the SLA be regarded as a living document, if the organisation is to adequately safeguard its customers, and itself, against today's multiple threats to the protection of data."

This is especially true in light of the dynamic business and user requirements that have been accelerated with disruptive technologies like the Internet of Things (IoT) and Bring Your Own Device (BYOD). "These disruptive technologies have made it so that the SLA requires continual updating based on the latest technology within the South African landscape," Van der Merwe says.

According to many industry expert views at this year's ITWeb Security Summit, South Africa is increasingly becoming a target for cyberattacks. "Cloud providers are finding it more and more difficult to prevent, detect and correct a cybercrime. It's not possible for cloud providers to deliver an SLA that is granular enough to speak to business needs, including IoT, BYOD and other disruptive technologies. The SLA in itself has now become a critical IT security control," Van der Merwe adds.

Security in itself

Veeam's regional manager for Africa, Claude Schuck, believes being connected 24x7, using virtually any device, means businesses have to rethink their security strategy. "Let me put this into context with a simple example: take away an individual's smartphone for a minimum of four hours, and they will be lost, frustrated and feel completely unproductive; that is the reality of 24x7," he says.

He believes at the moment, security presents a massive pain point with companies and even countries at risk of being severely compromised by vulnerabilities and malicious users. "Being proactive around security becomes one of the most fundamental building blocks companies need to put in place," he says.

Cybercrime fourth-most reported crime in SA (Source: PwC)

Cybercrime is now the fourth most reported economic crime in SA, PwC's 2016 Global Economic Crime Survey has found. Almost a third (32%) of the 232 South African organisations that took part in the survey reported cybercrimes in the last 24 months. This puts local companies on par with their international counterparts when it comes to this type of crime.

Some of the other relevant statistics include:

* SA leads the global stats for economic crimes, with 69% of local companies having experienced economic crime during the past two years, compared with the global average of 36%.

* Cybercrime was the only area that showed an increase (from 26% of respondents in 2014 to 32% in 2016).

* Globally, cybercrime is the second-most reported economic crime.

* France (68%), Zambia and Kenya (both 61%), the United Kingdom and Spain (both 55%), Australia (52%), the Russian Federation (48%), and the Netherlands and Belgium (both 45%) make up the rest of the top ten nations that are victims to economic crimes.

* Economic crime is as much a private sector as a public sector problem - only 17% of respondents were from government and state-owned enterprises. That means 83% of respondents were in the private sector and should also take responsibility for reducing economic crimes.

* Around 25% of South African companies that suffered an economic crime in the last 24 months had lost more than $1 million, while the global average was 13%.

Schuck believes the SLA, especially in terms of business continuity, is not simply a matter of defining uptime. Rather, attention should be shifted to what happens when there is a failure or disaster. After all, no service provider can guarantee complete uptime.

"When business continuity is needed, that is where the SLA comes into play. The business needs to decide which of its systems (and data) need to be available within minutes of going down. Prioritising data makes not only for a more cost-effective approach, but also guides the business through the process of understanding the important elements of its information," he says.

There are specific security opportunities that organisations can utilise in the modern datacentre. Virtualisation, for instance, allows technologies like a virtual lab to be used to leverage the data of the datacentre to avoid deployment risks and perform security tests in an isolated environment. "Compliance drives what needs to happen and, fortunately, with each security exploit and cases of companies being attacked making the news, there is an increasing awareness around the importance of security and data," he adds.

Respondents in the 2016 Veeam Availability Report stated that the average written SLAs for recovery time objectives (RTOs) in an organisation for its mission-critical and non-mission-critical applications are three and nine hours, respectively. "When it comes to South African respondents, the results were six hours for mission-critical applications and ten hours for non-mission-critical applications."

When it comes to the SLA, requirements change over time. Van der Merwe refers to the critical elements as the CIA of data: confidentiality, integrity, availability.

"Cloud computing has already started to evolve beyond availability, and into the IoT and all its ensuing data points that can be captured. The next phase of data management will be from the data profile stemming from IoT wearables and other smart devices," Schuck says.

Van der Merwe agrees that new technologies change the scope of the risk profile. "Technology is becoming smart, and no longer necessitates human interaction to connect to things. Where everything talks to everything, we sit with a case of digital spaghetti," he says.

The explosion of data has seen security taking on a new level of importance. "With everything being connected, all devices and even appliances are targets. In the world of the IoT, hackers can take over anything from televisions to fridges and even self-driving cars," says Schuck. However, this connected environment does not necessarily mean that organisations need to reinvent their SLAs and the rules around backup. "At its most basic, companies should have multiple copies of their data, keep it encrypted, and store it off-site wherever possible," he says.

In order to stay ahead of the risk that comes with new technologies, Van der Merwe cautions that companies will need to start thinking further than what they are used to.

"We are already living in the future with the connectedness of things around us. The need to have an effective disaster recovery plan in place is even more critical than before. But the amount of data that needs to be secured and included in such a plan means that companies have to examine the cost of losing data versus the fees they need to pay for an available environment," Schuck concludes.

This article was first published in the August 2016 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.