EOSL Policy for IaaS in Braathe Cloud

Purpose

The purpose of the End Of Service Life Policy is to provide an overall framework for deliveries when equipment and systems pass End Of Service Life (EOSL) as defined below. EOSL means that increased risk must be identified and handled, necessary measures must be taken, and reservations and limitations must be made so that operation of the systems can continue within frameworks that are acceptable to the Customer and the Supplier.

The Supplier assists the Customer, as far as is responsible, in developing solutions for EOSL operation where changing the system or upgrading to a supported system would cause significant inconvenience for the Customer. In some cases it will unfortunately not be possible to reach such a solution because of the nature of the system, and upgrading or replacement will be the only possible way forward. Assistance in connection with EOSL implementation is delivered in accordance with the Service description "Hourly-based Consulting Services".

EOSL Policy

The supplier's definition of "End Of Service Life" (EOSL)

EOSL is reached when the operating system, applications, software, equipment or components no longer receive the necessary technical and security updates, or when other conditions arise that may affect the ability to operate the system according to known best practice and with an acceptable level of risk.

In the industry, terms such as End of Life, End of Support, etc. are often used. The Supplier's EOSL definition is understood as synonymous with such terms. As a rule, the status and EOSL dates are announced by the original manufacturer or another responsible body, for example the maintainer of the open source code.

Risk picture

From and including the product's EOSL date, new and existing vulnerabilities pose an ever-increasing risk of compromise, as they will often not be corrected or otherwise mitigated. A compromise poses a further risk of lateral movement to the Customer's other systems and onward to the Supplier's shared systems and platforms.

EOSL Measures

The primary measure is always to upgrade systems to versions that are still supported and receive technical and security updates from the Manufacturer. We therefore strongly recommend that our customers upgrade well before the EOSL date.

Costs for necessary version upgrades, system changes or other necessary measures are covered by the Customer in accordance with applicable agreements and conditions.

In some cases, updating or changing the system can be demanding for the Customer. In such situations, risk-reducing measures will have to be implemented:

  • Operation of EOSL systems is moved away from the Supplier's common platforms to the Customer's dedicated platform
    • See Service description "Dedicated IaaS Platform"
  • Reduction of attack surface
    • For example, removal from the Internet
    • Analysis and review of traffic to and from the system
    • Closing/blocking unnecessary port openings
  • Isolation of system
  • Change of usage pattern for system
  • Other necessary measures

The list of measures above is not necessarily exhaustive.

The Supplier must notify the Customer of recommended EOSL measures within a reasonable time and facilitate the process in consultation with the Customer.

Establishing EOSL measures

Investigations for the preparation, design and implementation of EOSL measures are carried out in accordance with the Service description "Hourly-based Consulting Service". Such projects can be extensive and may cause interruptions to systems and subsystems during implementation.

Reservation is made that further developments in the risk situation may require additional measures.

The supplier's obligations

The Supplier must notify the Customer within a reasonable time once EOSL dates are known. Normally this applies to versions of operating systems, but it may also apply to server applications if the information is freely available to the Supplier.

Customer's obligations

The Customer is obliged to comply with reasonable EOSL recommendations and requirements from the Supplier. Such recommendations and requirements may also include the measures mentioned above, necessary changes to and restrictions on the access of the Customer and of third-party suppliers, operating routines, and more.

The Customer has a heightened duty of care when accessing and using EOSL systems. The Customer's users and any third parties who gain access to EOSL systems must, where necessary, undergo training and follow the security measures and routines that are established.

The Customer has an independent responsibility to know the EOSL dates for its own third-party systems that are installed on systems operated by the Supplier, or that are in direct contact with systems operated by the Supplier on behalf of the Customer. The Customer must notify the Supplier in writing within a reasonable time before an upcoming EOSL date, or as soon as a passed EOSL date becomes known to the Customer.

Reservations and restrictions

The Supplier's recommended Secondary Measures are of a risk-reducing and damage-limiting character and in no way constitute a guarantee against compromise.

The measures are to be regarded as temporary and may be changed at any time if a change in the risk assessment so indicates.

In any case, the Supplier reserves the right to shut down, suspend or terminate operation of the EOSL system if the Customer does not comply with recommended measures, breaches its duty of care, or if there is a further increased risk of compromise. Suspension or termination must normally be notified in writing with a minimum of 10 working days' notice. If, based on the Supplier's assessment, there is an acutely increased risk, shutdown and suspension may nevertheless be implemented without further notice. Otherwise, see the Security SLA as published on the Supplier's website.

Measures taken by the Supplier do not change the Customer's obligations or the grounds for termination.