White Paper: The Business Case for Cloud-Based Resiliency Services
Security and business continuity continue to evolve in the face of increasingly serious security threats, outages and their impacts. Companies today face more exposure to attacks and disruptive events than ever before. Downtime has also grown more costly than ever. In response, some enterprises are implementing a new “Cloud-Based Resiliency Services” approach to mitigating these risks. Cloud-based Resiliency Services integrate such solutions as Disaster-Recovery-as-a-Service (DRaaS), managed security services, and Backup-as-a-Service (BaaS) with professional services to reduce the business impact of potentially catastrophic incidents. This paper looks at the business case for cloud-based Resiliency Services and their implementation.
Overview
The challenges of maintaining continuity of core business IT
services grow with every passing year. Security threats multiply
while the costs of downtime and security incidents increase. Yet,
as the task of ensuring recovery of critical IT assets becomes
more difficult, new solutions are appearing that smooth the way
for better management of disruption events. This paper looks
at the landscape of business continuity from the perspective
of the emerging field of “Cloud-Based Resiliency Services.”
Cloud-based Resiliency Services are security and recovery
solutions, technological platforms and professional services that
help enterprises maintain resiliency of critical IT systems in the
face of an array of threats. The cloud-based Resiliency Services
portfolio includes guided implementations for cloud Backup-as-a-Service
(BaaS), High Availability, managed security services, and
Disaster Recovery-as-a-Service (DRaaS). This paper explores how
to evaluate an investment in cloud-based Resiliency Services
from a business perspective.
The Increasing Scope of Serious Security and Business Continuity Risks
The threat level is rising. This frightening trend provides context for
discussing the business case for cloud-based Resiliency Services.
A slew of studies underscore the new reality. As Figure 1 shows,
the number of US Federal Network Breaches climbed from
10,481 in 2009 to 25,566 in 2013. Vulnerabilities are increasing,
as revealed in Figure 2, with operating system and application
vulnerabilities doubling from 2011 to 2014. In a disturbing parallel,
as shown in Figure 3, it is getting easier for a hacker to exploit
these vulnerabilities. Accenture reports that 63% of firms are under
significant daily attack, based on a survey of 959 executives. [1]
Vectors of attack include viruses, worms, malware, botnets and
phishing. Hackers are constantly launching Denial of Service
(DoS) attacks and phishing schemes directed at employees of major
corporations. Stolen corporate devices, such as mobile phones,
are also used to attack the enterprise they came from.
Going beyond these numbers, recent history tells the human
side of the story. Some of the biggest brand names in the US
have suffered breaches affecting tens of millions of people. Other
notorious breaches have publicly revealed embarrassing personal
information about many individuals.
Figure 1 US Federal Network Breaches (Source GAO analysis of US-CERT data: https://www.viewfinity.com/Blog/post/2014/07/17/Summing-up-a-brief-history-Data-breaches-are-increasing-steadily-in-the-Federal-networke280a6-and-everywhere-else.aspx )
[Bar chart, breaches per year: 2009: 10,481; 2010: 13,028; 2011: 15,584; 2012: 22,156; 2013: 25,566]
On the good news/bad news front, the length of downtime
incidents is decreasing, having fallen 11.3% from 2010 to 2013.
The average annual time for total data center outage fell from
134 minutes to 119. [2] At the same time, the average cost of data
center downtime has gone from $5,600 a minute in 2010 to
$7,900 per minute in 2013, a 41% increase. Doing the math, a
119-minute outage in 2013 will cost a business $940,100, compared to
$750,400 for a 134-minute outage in 2010. The annual worldwide
cost of data loss and downtime was estimated to be a remarkable
$1.7 trillion, per EMC’s Global Protection Index in 2015. [3]
The surprisingly high toll from data loss and downtime comes
from a variety of threats. Malicious actors seek to steal data for
profit or to embarrass corporations and government entities.
Threats can be local or even national, with a new breed of
sovereign cyber armies aiming to disrupt national economies
through digital sabotage. Simple outages can be quite
destructive, too, with routine hardware and network failures
causing havoc for enterprises that lack a coherent plan for
responding to them. Software problems, such as a “mirroring
storm” in a large data center, can shut systems down for
hours or even days. Unpredictable acts of nature can have the
same effect, with events such as hurricanes and earthquakes
disrupting IT functions, with businesses scrambling to respond.
Figure 2 Increasing Vulnerabilities (Source National Vulnerabilities Database: NIST http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/)
[Bar chart, vulnerabilities per year, 2010 to 2014, y-axis 0 to 8,000; bar labels as extracted: 4,794; 7,038; 4,258; 3,532; 4,347]
Figure 3 Vulnerabilities are easier to exploit - (Source RAND National Security Research Division: Markets for Cybercrime Tools and Stolen Data http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf)
[Bar chart, 2005 to 2013, y-axis 0 to 35]
Understanding the Business Impact of an Outage
The business continuity stakes are high today. In addition to
costing nearly a million dollars per incident, the broader business
impact of an outage can be severe. In the worst case scenario,
90% of businesses without a plan go out of business after a major
outage. [4] That statistic should frighten any business manager. Short
of actual bankruptcy, though, there can still be a number of serious
business consequences from an outage that lacks an adequate
response. These include loss of productivity, which can also affect
employee morale. Revenue can take a hit. Customer and partner
loyalty may wane if systems are unreliable. Business impacts can
also include serious reputation damage and collapse of market
valuation, depending on the nature of the incident. In many cases,
senior executives face personal career repercussions or even
personal legal liability from serious incidents.
The Need for a Resiliency-Oriented Approach
The high business impact of outages and security incidents is
behind a shift in thinking about disaster recovery and security.
A number of disparate approaches to protecting IT services,
such as High Availability systems, DR systems, backup
systems, and cyber-security systems, are all converging into a
single consolidated approach to unified threat management, or a
“Business Resiliency” mindset. It’s a unified resiliency approach.
The word resiliency means being able to return to an original
form or position after being bent or knocked out of place. It also
connotes the ability to recover fully from an illness. Business
resiliency is about enabling a business to recover from serious
disruptions to its IT capabilities. System and data availability
forms the central tenet of resiliency. Business resiliency must
provide continuous availability for mission critical applications.
Less critical apps, such as those that may have longer recovery
time objectives (RTOs) or recovery point objectives (RPOs),
also need to be resilient. The investment required for RTOs for
lower priority systems is typically less than that needed for
critical apps, however. At the same time, business resiliency
solutions need to be sensitive to various security and compliance
requirements. For example, a healthcare business must comply
with HIPAA when it backs up its data, even if the backup site is
not under the company’s direct control.
Quantifying Resiliency Risks
How can one place a dollar value on resiliency? A standard risk
analysis formula, shown in Figure 4, offers an answer. Risk is
equal to the likelihood of an incident occurring multiplied by its
cost. This should make intuitive sense, but it’s a good exercise to
map out the actual values involved.
Threat | Likelihood | Cost of Incident from the Threat | Financial Exposure of Risk
Infrastructure outage | 0.1000% | $1,000,000 | $1,000
Massive data exfiltration | 0.010% | $1,000,000,000 | $100,000
The table above uses the formula in Figure 4 to compare the
risks inherent in two different threats. The infrastructure outage
carries a cost of $1 million and has a likelihood of 0.1%. The
financial exposure from the risk is $1,000. A massive data
exfiltration, such as the one that occurred at Sony Pictures,
carries a billion dollar cost. While its likelihood is far lower at
0.01%, its higher cost makes its risk exposure worth 100 times
more than that of the infrastructure outage.
The risk analysis formula provides a simple, approximate way
to measure the costs of resiliency risks. It also exposes the
potential cost of gaps in resiliency planning. If a gap in resiliency
increases a company’s exposure to a high-risk incident, it’s worth
exploring the return on an investment in resiliency to close that
gap. In the example just described, the $100,000 exposure for
the massive data exfiltration risk might justify an expenditure of
$100,000 to mitigate the risk.
This risk exposure thought process can guide decisions about
the wisdom and cost of managing resiliency internally. Resiliency
depends on coordinating High Availability, disaster recovery,
backup, intrusion prevention and detection, anti-malware, access
control and penetration testing. It’s a complex picture with many
moving parts. The risk analysis formula can put a price tag on
accidentally exposing a gap in resiliency. Indeed, internally, most
companies struggle with the expense of redundant infrastructure
that is not frequently used. Managing all of these systems and
related workflows with solutions in siloes is costly to implement
and manage. Customization of systems also adds cost. Staff
resource utilization will likely be poor and, inevitably, there will be
gaps in resiliency.
Threat × Likelihood × Cost = RISK
Figure 4 Risk analysis formula
The Resiliency Services Approach
By their nature, cloud-based Resiliency Services will vary from
one enterprise to the next. The basic formulation, however, is
a synergistic combination of Disaster Recovery-as-a-Service
(DRaaS), managed security services, Backup-as-a-Service
(BaaS) and High Availability. Risk assessment and professional
services steer the design and implementation processes. The
specific way these components are implemented will depend
on each enterprise’s unique requirements. However, the end
result will be the same if the cloud-based Resiliency Services are
executed properly: unifying DR, backup and security will move
the enterprise close to cost-effective continuous availability of
key systems.
DRaaS
DRaaS helps organizations overcome a number of difficulties
faced in traditional disaster recovery. The standard DR approach
involves dedicated remote recovery sites. And, there is a
constant administrative burden required to keep operating
systems and applications up to date and integrated so they can
perform as expected in a disaster.
DRaaS, as implemented with CenturyLink Cloud, functions
somewhat like a “mirror site,” but with more elastic capacity, lower
costs as well as automated configuration and provisioning. As
depicted in Figure 5, the CenturyLink Cloud SafeHaven technology
uses virtual appliances as replication nodes (SRNs) which receive
mirrored updates from active servers and data drives in the client’s
production site. The virtual appliances continuously transmit these
updates to peers within the CenturyLink Cloud.
Another SafeHaven virtual appliance, the “Central Management
Server” (CMS) resides on a CenturyLink Cloud server. It
monitors for failure conditions, sends alerts to administrators and
relays commands to the SRNs. The CMS acts like a command
and control station for the company’s entire disaster protection
environment. As a turnkey solution, the SafeHaven approach is
relatively easy to use and manage.
[Diagram labels: Professional Services, DRaaS, BaaS, High Availability, Risk Assessment, Managed Security Services; Backup, Security, Disaster Recovery]
Managed Security Services
Managed security services augment resiliency by simplifying
the security manager’s job. Cloud-based managed security can
provide perimeter management, such as firewall and VPN, but
with a lighter administrative load and capital investment than is
required on-premises. There can be a managed security service
for event monitoring, detection of DoS attacks and anomalies
that might signify penetration attempts. CenturyLink offers
these managed security services, as well as penetration testing,
compliance monitoring and log management.
Figure 5 Cloud-based Resiliency Services - a synergistic combination of DRaaS, BaaS, High Availability, risk assessment and managed security services
[Diagram labels: Customer Premise (Active Groups, SRN); CenturyLink Cloud (Active Groups, SRN, CMS); SafeHaven]
Figure 6 DRaaS as implemented on CenturyLink Cloud using SafeHaven technology. This approach creates complete replicas of applications and data in the cloud.
BaaS
BaaS means using a cloud-based service to handle backup tasks instead of performing backups on-premises. There are several
advantages to BaaS from the perspective of resiliency. It lifts some of the administrative burden off of backup managers who
no longer have to set up and maintain the backup system. There is flexibility in providers, which reduces the risk of vendor lock-in.
Backup capacity can also be scaled without making an investment in new infrastructure. When coordinated with cloud-based
Resiliency Services, BaaS can be a highly effective tool of continuous availability.
CenturyLink Cloud’s Approach to Cloud-Based Resiliency Services
CenturyLink Cloud has extensive experience with cloud-based
Resiliency Services. The CenturyLink approach leverages the
company’s cloud platform to enable streamlined implementation,
management and modification of the services. This reduces
the risk of fragmentation that can occur when companies try
to create and manage their own cloud-based resiliency with a
bundle of independent services. Without unified management,
which CenturyLink’s platform provides, there can be
inefficiencies and resiliency gaps that expose the enterprise to
costly risks and negate the impact of the whole process.
CenturyLink Cloud is able to offer resiliency based on a hybrid
cloud model. A single platform manages deployments of
Resiliency Services that span multiple technologies on-premises,
on private cloud and multi-tenant public cloud infrastructure.
The result is more efficient use of redundant infrastructure and
increased agility in resiliency service design.
CenturyLink makes a variable RTO approach to resiliency
possible. Near-real-time recovery is possible with SafeHaven,
which is suitable for lossless recovery in as little as 30 seconds
in catastrophic incidents. SafeHaven provides inter-site migration,
failover, failback, test failover, rollback, failure detection and audit
reporting. For less critical applications, the use of VMware’s
vCloud Air solution enables a recovery point of about 15 minutes.
CenturyLink’s professional services round out the cloud-based
Resiliency Services offering. CenturyLink consultants can help
with business impact analysis (BIA), disaster recovery readiness,
disaster protection design and implementation, and testing
services. As experienced business continuity managers know,
the recovery plan is often as important as the specific recovery
measures and technologies that are in place. CenturyLink has
the ability to bring together planning, technologies such as
SafeHaven and the CenturyLink Cloud platform with recovery
readiness and testing to deliver a complete resiliency capability.
Conclusion
Thinking about the business impact of security incidents and
outages offers a way to evaluate the financial pros and cons
of adopting cloud-based Resiliency Services. Each individual
enterprise will find its own distinct economic formula for
making the decision to move in that direction or not. However,
the increasing severity and cost of incidents should encourage
business managers to consider cloud-based Resiliency Services.
These services are more cost-effective to implement and
manage than comparable, piecemeal on-premises disaster
recovery, backup and security solutions. They also come together
synergistically to offer a higher level of resiliency — closing
gaps that expose businesses to potentially massive losses. The
business case for cloud-based Resiliency Services is strong.
Managers who are concerned about resiliency are well-advised to
research their applicability in their particular organizations.
©2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. Services not available everywhere. Business customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice.
[1] https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_18/Accenture-Business-Resilience-Infographic.pdf
[2] Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-Data-Center-Outages.aspx
[3] EMC Global Data Protection Index: http://www.cioinsight.com/it-management/slideshows/the-trillion-dollar-cost-of-downtime-and-data-loss.html#sthash.LCQ8LPFX.dpuf
[4] Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-Data-Center-Outages.aspx