A Service Level Agreement (SLA) is a document that outlines the level of service that a customer should get from a service provider, the terms and conditions of the delivery of the services, the advantages in the measurement of the services, and the penalties, if any, should an agreed-upon service level not be achieved.
SLAs can be implemented either by service providers and their customers or by two different departments of an organization.
Why you need to know a cloud storage SLA
SLAs provide information about the contracted services for a customer. It is important to know how to read them so that the customer understands what they entail. In this way, the customer knows the right protocol to follow when taking legal action over a breach of contracted cloud storage services. SLAs provide a clear description of the responsibilities, expectations, and advantages of the contract. This ensures that neither party is ignorant of the contract and gives both the provider and the customer a shared understanding.
A contract without an SLA is vulnerable to misinterpretation. It is easy for one party to plead ignorance and so claim not to be responsible for a breach. SLAs are meant to protect the parties to a contract. Failure to know the SLAs can lead to downtime in business and also cause massive loss of significant data.
An understanding of the SLA gives a customer a chance to know the basic procedure for compensation for data breaches by the service provider, with service credits as the most appropriate solution. The customer is also made to understand that breaches resulting from natural calamities and terrorist attacks are beyond the control of the provider, so the absence of compensation in those cases is not the provider ignoring its obligations.
The risk of a breach in cloud storage is real
2015 saw more data breaches than previous years. Reports by the Identity Theft Resource Centre (ITRC) indicated that by January 2016 the number of tracked data breaches for 2015 was 781, making 2015 the second-highest year in the ITRC data breach track record.
During this year, hacking cases represented 37.9 percent, which is an increase of 8.4 percent from 2014. By sector, the business sector was at the top of the breach list with a significant 40 percent of the breach cases. The medical sector recorded 35.5 percent of the breaches; however, this was a drop from the value recorded in 2014. In third position was the financial sector, which had 9.1 percent. This represented almost double the number of breaches reported in 2014. The military sector took fourth place with a significant 8.1 percent, and the education sector closed out the top five with 7.4 percent.
Some of the possible sources of data compromise included accidental exposure of sensitive information through the internet, which had 13.7 percent, physical theft with 10.5 percent, insider theft with 10.6 percent, and other third parties, which made up 9.0 percent. Transmitted data was last, which was a drop from a high record back in 2007.
Other examples of cloud storage breaches include:
In this breach, a total of thirty-seven million customer records were attacked. This included a huge number of account passwords that were easily broken due to a weak implementation of the MD5 hash function. Although this is ranked as one of the major breaches of 2015, it is unclear how the hackers got access to the data or how long they took to compromise it (it was only discovered on July 12, 2015). The breach was realized when hackers formed an Impact Team that created the screen that enabled its detection. It had an enormous social impact because it comprised personally sensitive information, such as details of extramarital affairs. This information was disclosed, which led to embarrassment and two reported suicide cases.
Office of Personnel Management
This went undetected for 343 days and compromised a total of twenty-two records of former and current employees. The attackers used stolen contractor credentials and deployed malware that was used to pilfer the data in the network. The breach was discovered through forensic investigation of the SSL data, where a decryption device was noticed in the network. This breach made the 2015 breach list because it was viewed as a data mining technique for obtaining data for intelligence purposes.
This is a known collaboration environment in which organizations work to solve critical security problems in their most important projects. The breach of this platform went undetected for four days, and the mode of detection has since remained a mystery. It involved a compromise of the database, which contained usernames, hashed passwords, phone numbers, Skype IDs and email addresses.
In this case, attackers bombarded the IRS system with multiple requests. The IRS IT team considered it a DDoS. They, in turn, investigated it to find solutions. It featured in the 2015 breach list since the attackers used stolen credentials and some authentication techniques to steal a large sum of dollars.
The attackers were able to sabotage the Hacking Team system through an engineer’s personal computer that logged into the network. They discovered that his password was Passw0rd and used it to compromise 400GB of sensitive company information. The period of the attack was unknown. It was discovered when the attackers announced it on Twitter and renamed it “Hacking Team.” It exposed important information about the Hacking Team, its products and its way of selling to its customers.
2015 ended with a huge hit on a misconfigured database server, which left the data of 191 million voters exposed over the internet. This incident proved to be the largest data breach, with a huge volume of compromised data compared to Anthem’s 80 million compromised records. Exposed information included addresses, email addresses, birthdates, names and phone numbers. As a remedy, the database was immediately taken offline to avoid further attacks.
Data breach incidents are expected to be on the rise due to the advancement of current technological standards and the massive improvement of the internet. The year 2016 is likely to report more data breach cases. It is, therefore, important to have appropriate SLAs for the integrity, confidentiality, and availability of data.