Security SLAs/SLOs

Hello TSIA community,

We saw the pandemic accelerating the digital transformation, and with it also the concerns related to security on products, whether hosted on-prem or in the public cloud.

Customers are requesting very aggressive SLAs/SLOs, which is quite challenging as it demands from R&D not only a quick fix but also certifying the product against the fix in a short time, risking quality.

How are you handling such demands? What is negotiated with the customers? What is offered? Which typical commitments are reached?

I just want to understand what is happening on this front.

Answers

  • StevenForth (Founding Partner | Expert ✭✭✭)

    Hi Goncalo - Can you share a bit more about what type of SLA you are referring to?

    • Availability and uptime
    • Time in which system errors are corrected (bug fixing)
    • Data recovery time when the system has to go to backups
    • Security issues

    All of these are important and customer demands on each of them are becoming more severe. They are not all the same though and require different legal frameworks and technical solutions.

  • GoncaloPereira (Member | Enthusiast ✭)

    Hi Steven,

    Thank you for your message.

    I am referring to SLAs related to security only, for example, when a security vulnerability is found, customers are demanding SLAs for temporary resolution and permanent resolution depending on the CVSS score.

    In terms of the timeframe for such SLAs, are you noticing a pattern in the requests, or is it more on a case-by-case basis?

    Thanks!

  • StevenForth (Founding Partner | Expert ✭✭✭)

    @Goncalo Pereira I am seeing people want to tighten up on these and shorten response times. "Shorten" doesn't do it justice: our clients expect security flaws to be addressed immediately. Close the service in minutes and have it back up with the service issue addressed in 24 hours. We have stepped up investments in security and to date (knock on wood) have had no security issues. For a sobering moment, ask your team how many penetration attacks you get each hour.

  • GoncaloPereira (Member | Enthusiast ✭)

    @Steven Forth Thanks for the reply.

    Ok, so it's indeed a trend.

    While we fully understand the concern, on the other hand, having such tight SLAs is a challenge for R&D teams if a product patch/workaround needs to be delivered, plus certifying the product against that change.

    This is why I am asking this community how these requests are being handled and/or negotiated, because if a vulnerability is discovered, fixing it might not be that simple.

  • StevenForth (Founding Partner | Expert ✭✭✭)

    @Goncalo Pereira I feel your concern. TSIA should develop some shared best practices on this.

    It is possible that a three-step response is needed here ...

    1. Acknowledge and plug
    2. Preliminary patch
    3. Fully validated and tested patch

    Or something like that.
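As an added illustration (not part of the thread), here is a small Python tracker for the CVSS-dependent temporary/permanent resolution SLAs Goncalo describes, using the three-stage response Steven sketches above. The SLA hours per severity band are constructed placeholders, not a recommended policy; the CVSS band thresholds follow the CVSS v3 qualitative rating scale.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Assumed SLA clocks (hours after the report) for the three response stages:
# "mitigate" = acknowledge and plug, "preliminary" = preliminary patch,
# "validated" = fully validated and tested patch. Constructed for illustration.
SLA_HOURS = {
    "critical": {"mitigate": 4, "preliminary": 24, "validated": 168},
    "high": {"mitigate": 24, "preliminary": 72, "validated": 336},
    "medium": {"mitigate": 72, "preliminary": 336, "validated": 720},
    "low": {"mitigate": 168, "preliminary": 720, "validated": 2160},
}

def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be between 0.0 and 10.0")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"

@dataclass
class VulnTicket:
    vuln_id: str                     # internal ticket id (constructed)
    cvss: float
    reported: datetime               # when the SLA clock starts
    mitigated: Optional[datetime] = None
    preliminary_patch: Optional[datetime] = None
    validated_patch: Optional[datetime] = None

def sla_status(ticket: VulnTicket, now: datetime) -> Dict[str, str]:
    """Return 'met', 'open' or 'breached' for each stage of the ticket."""
    band = cvss_band(ticket.cvss)
    if band == "none":
        return {}
    finished = {"mitigate": ticket.mitigated,
                "preliminary": ticket.preliminary_patch,
                "validated": ticket.validated_patch}
    status = {}
    for stage, hours in SLA_HOURS[band].items():
        deadline = ticket.reported + timedelta(hours=hours)
        done = finished[stage]
        if done is not None:
            status[stage] = "met" if done <= deadline else "breached"
        else:  # still open: breached only once the deadline has passed
            status[stage] = "open" if now <= deadline else "breached"
    return status
```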

  • GoncaloPereira (Member | Enthusiast ✭)

    @Steven Forth thanks for your comment.

    I wanted to take the pulse of this community on how everyone is dealing with this issue. We understand the pressure created by security issues nowadays, but we must be reasonable about how to effectively handle them.

    Personally, this is the type of thing where the imaginary line between customer and supplier fades. It has to be addressed in partnership and collaboration to ensure both sides are up to date.

    Thanks for sharing your views.