WHITE PAPER

The Business Case for Cloud-Based Resiliency Services

Security and business continuity continue to evolve in the face of increasingly serious security threats, outages and their impacts. Companies today face more exposure to attacks and disruptive events than ever before. Downtime has also grown more costly than ever. In response, some enterprises are implementing a new “Cloud-Based Resiliency Services” approach to mitigating these risks. Cloud-based Resiliency Services integrate such solutions as Disaster-Recovery-as-a-Service (DRaaS), managed security services, and Backup-as-a-Service (BaaS) with professional services to reduce the business impact of potentially catastrophic incidents. This paper looks at the business case for cloud-based Resiliency Services and their implementation.

Overview

The challenges of maintaining continuity of core business IT services grow with every passing year. Security threats multiply while the costs of downtime and security incidents increase. Yet, as the task of ensuring recovery of critical IT assets becomes more difficult, new solutions are appearing that smooth the way for better management of disruption events. This paper looks at the landscape of business continuity from the perspective of the emerging field of “Cloud-Based Resiliency Services.” Cloud-based Resiliency Services are security and recovery solutions, technological platforms and professional services that help enterprises maintain resiliency of critical IT systems in the face of an array of threats. The cloud-based Resiliency Services portfolio includes guided implementations for cloud Backup-as-a-Service (BaaS), High Availability, managed security services, and Disaster Recovery-as-a-Service (DRaaS).

This paper explores how to evaluate an investment in cloud-based Resiliency Services from a business perspective.

The Increasing Scope of Serious Security and Business Continuity Risks

The threat level is rising. This frightening trend provides context for discussing the business case for cloud-based Resiliency Services. A slew of studies underscore the new reality. As Figure 1 shows, the number of US Federal Network Breaches climbed from 10,481 in 2009 to 25,566 in 2013. Vulnerabilities are increasing, as revealed in Figure 2, with operating system and application vulnerabilities doubling from 2011 to 2014. In a disturbing parallel, as shown in Figure 3, it is getting easier for a hacker to exploit these vulnerabilities. Accenture reports that 63% of firms are under significant daily attack, based on a survey of 959 executives.[1] Vectors of attack include viruses, worms, malware, botnets and phishing. Hackers are constantly launching Denial of Service (DoS) attacks and phishing schemes directed at employees of major corporations. Stolen corporate devices, such as mobile phones, are also used to attack the enterprise they came from.

[Figure 1: US Federal Network Breaches, 2009 to 2013. Source: GAO analysis of US-CERT data, https://www.viewfinity.com/Blog/post/2014/07/17/Summing-up-a-brief-history-Data-breaches-areincreasing-steadily-in-the-Federal-networke280a6-and-everywhere-else.aspx]

Going beyond these numbers, recent history tells the human side of the story. Some of the biggest brand names in the US have suffered breaches affecting tens of millions of people. Other notorious breaches have publicly revealed embarrassing personal information about many individuals.

On the good news/bad news front, the length of downtime incidents is decreasing, having fallen 11.3% from 2010 to 2013. The average annual time for total data center outage fell from 134 minutes to 119.[2] At the same time, the average cost of data center downtime has gone from $5,600 a minute in 2010 to $7,900 per minute in 2013, a 41% increase. Doing the math, a 119 minute outage in 2013 will cost a business $940,100, compared to $750,400 for a 134 minute outage in 2010. The annual worldwide cost of data loss and downtime was estimated to be a remarkable $1.7 trillion, per EMC’s Global Protection Index in 2015.[3]

[Figure 2: Increasing Vulnerabilities, 2010 to 2014. Source: National Vulnerabilities Database, NIST, http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/]

The surprisingly high toll from data loss and downtime comes from a variety of threats. Malicious actors seek to steal data for profit or to embarrass corporations and government entities. Threats can be local or even national, with a new breed of sovereign cyber armies aiming to disrupt national economies through digital sabotage. Simple outages can be quite destructive, too, with routine hardware and network failures causing havoc for enterprises that lack a coherent plan for responding to them. Software problems, such as a “mirroring storm” in a large data center, can shut systems down for hours or even days. Unpredictable acts of nature can have the same effect, with events such as hurricanes and earthquakes disrupting IT functions, with businesses scrambling to respond.

[Figure 3: Vulnerabilities are easier to exploit, 2005 to 2013. Source: RAND National Security Research Division, Markets for Cybercrime Tools and Stolen Data, http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf]

Understanding the Business Impact of an Outage

The business continuity stakes are high today. In addition to costing nearly a million dollars per incident, the broader business impact of an outage can be severe. In the worst case scenario, 90% of businesses without a plan go out of business after a major outage.[4] That statistic should frighten any business manager. Short of actual bankruptcy, though, there can still be a number of serious business consequences from an outage that lacks an adequate response. These include loss of productivity, which can also affect employee morale. Revenue can take a hit. Customer and partner loyalty may wane if systems are unreliable. Business impacts can also include serious reputation damage and collapse of market valuation, depending on the nature of the incident. In many cases, senior executives face personal career repercussions or even personal legal liability from serious incidents.

The Need for a Resiliency-Oriented Approach

The high business impact of outages and security incidents is behind a shift in thinking about disaster recovery and security. A number of disparate approaches to protecting IT services, such as High Availability systems, DR systems, backup systems, and cyber-security systems, are all converging into a single consolidated approach to unified threat management or a “Business Resiliency” mindset. It’s a unified resiliency approach.

The word resiliency means being able to return to an original form or position after being bent or knocked out of place. It also connotes the ability to recover fully from an illness. Business resiliency is about enabling a business to recover from serious disruptions to its IT capabilities. System and data availability forms the central tenet of resiliency. Business resiliency must provide continuous availability for mission critical applications. Less critical apps, such as those that may have longer recovery time objectives (RTOs) or recovery point objectives (RPOs), also need to be resilient. The investment required for RTOs for lower priority systems is typically less than that needed for critical apps, however. At the same time, business resiliency solutions need to be sensitive to various security and compliance requirements. For example, a healthcare business must comply with HIPAA when it backs up its data, even if the backup site is not under the company’s direct control.

Quantifying Resiliency Risks

How can one place a dollar value on resiliency? A standard risk analysis formula, shown in Figure 4, offers an answer. Risk is equal to the likelihood of an incident occurring multiplied by its cost. This should make intuitive sense, but it’s a good exercise to map out the actual values involved.

Threat x Likelihood x Cost = RISK

[Figure 4: Risk analysis formula]

| Threat | Likelihood | Cost of Incident from the Threat | Financial Exposure of Risk |
| Infrastructure outage | 0.1000% | $1,000,000 | $1,000 |
| Massive data exfiltration | 0.010% | $1,000,000,000 | $100,000 |

The table above uses the formula in Figure 4 to compare the risks inherent in two different threats. The infrastructure outage carries a cost of $1 million and has a likelihood of .1%. The financial exposure from the risk is $1,000. A massive data exfiltration, such as the one that occurred at Sony Pictures, carries a billion dollar cost. While its likelihood is far lower at .01%, its higher cost makes its risk exposure worth 100 times more than that of the infrastructure outage.

The risk analysis formula provides a simple, approximate way to measure the costs of resiliency risks. It also exposes the potential cost of gaps in resiliency planning. If a gap in resiliency increases a company’s exposure to a high-risk incident, it’s worth exploring the return on an investment in resiliency to close that gap. In the example just described, the $100,000 exposure for the massive data exfiltration risk might justify an expenditure of $100,000 to mitigate the risk.

This risk exposure thought process can guide decisions about the wisdom and cost of managing resiliency internally. Resiliency depends on coordinating High Availability, disaster recovery, backup, intrusion prevention and detection, anti-malware, access control and penetration testing. It’s a complex picture with many moving parts. The risk analysis formula can put a price tag on accidentally exposing a gap in resiliency. Indeed, internally, most companies struggle with the expense of redundant infrastructure that is not frequently used. Managing all of these systems and related workflows with solutions in silos is costly to implement and manage. Customization of systems also adds cost. Staff resource utilization will likely be poor and, inevitably, there will be gaps in resiliency.

The Resiliency Services Approach

By their nature, cloud-based Resiliency Services will vary from one enterprise to the next. The basic formulation, however, is a synergistic combination of Disaster Recovery-as-a-Service (DRaaS), managed security services, Backup-as-a-Service (BaaS) and High Availability. Risk assessment and professional services steer the design and implementation processes. The specific way these components are implemented will depend on each enterprise’s unique requirements. However, the end result will be the same if the cloud-based Resiliency Services are executed properly: unifying DR, backup and security will move the enterprise close to cost-effective continuous availability of key systems.

[Figure 5: Cloud-based Resiliency Services - a synergistic combination of DRaaS, BaaS, High Availability, risk assessment and managed security services]

DRaaS

DRaaS helps organizations overcome a number of difficulties faced in traditional disaster recovery. The standard DR approach involves dedicated remote recovery sites. And, there is a constant administrative burden required to keep operating systems and applications up to date and integrated so they can perform as expected in a disaster.

DRaaS, as implemented with CenturyLink Cloud, functions somewhat like a “mirror site,” but with more elastic capacity, lower costs as well as automated configuration and provisioning. As depicted in Figure 5, the CenturyLink Cloud SafeHaven technology uses virtual appliances as replication nodes (SRNs) which receive mirrored updates from active servers and data drives in the client’s production site. The virtual appliances continuously transmit these updates to peers within the CenturyLink Cloud.

Another SafeHaven virtual appliance, the “Central Management Server” (CMS), resides on a CenturyLink Cloud server. It monitors for failure conditions, sends alerts to administrators and relays commands to the SRNs. The CMS acts like a command and control station for the company’s entire disaster protection environment. As a turnkey solution, the SafeHaven approach is relatively easy to use and manage.

[Figure 6: DRaaS as implemented on CenturyLink Cloud using SafeHaven technology. This approach creates complete replicas of applications and data in the cloud.]

Managed Security Services

Managed security services augment resiliency by simplifying the security manager’s job. Cloud-based managed security can provide perimeter management, such as firewall and VPN, but with a lighter administrative load and capital investment than is required on-premises. There can be a managed security service for event monitoring, detection of DoS attacks and anomalies that might signify penetration attempts. CenturyLink offers these managed security services, as well as penetration testing, compliance monitoring and log management.

BaaS

BaaS means using a cloud-based service to handle backup tasks instead of performing backups on-premises. There are several advantages to BaaS from the perspective of resiliency. It lifts some of the administrative burden off of backup managers who no longer have to set up and maintain the backup system. There is flexibility in providers, which reduces the risk of vendor lock-in. Backup capacity can also be scaled without making an investment in new infrastructure. When coordinated with cloud-based Resiliency Services, BaaS can be a highly effective tool of continuous availability.

CenturyLink Cloud’s Approach to Cloud-Based Resiliency Services

CenturyLink Cloud has extensive experience with cloud-based Resiliency Services. The CenturyLink approach leverages the company’s cloud platform to enable streamlined implementation, management and modification of the services. This reduces the risk of fragmentation that can occur when companies try to create and manage their own cloud-based resiliency with a bundle of independent services. Without unified management, which CenturyLink’s platform provides, there can be inefficiencies and resiliency gaps that expose the enterprise to costly risks and negate the impact of the whole process.

CenturyLink Cloud is able to offer resiliency based on a hybrid cloud model. A single platform manages deployments of Resiliency Services that span multiple technologies on-premises, on private cloud and multi-tenant public cloud infrastructure. The result is more efficient use of redundant infrastructure and increased agility in resiliency service design.

CenturyLink makes a variable RTO approach to resiliency possible. Near real time recovery is possible with SafeHaven, which is suitable for lossless recovery in as little as 30 seconds in catastrophic incidents. SafeHaven provides inter-site migration, failover, failback, test failover, rollback, failure detection and audit reporting. For less critical applications, the use of VMware’s vCloud Air solution enables a recovery point of about 15 minutes.

CenturyLink’s professional services round out the cloud-based Resiliency Services offering. CenturyLink consultants can help with business impact analysis (BIA), disaster recovery readiness, disaster protection design and implementation, and testing services. As experienced business continuity managers know, the recovery plan is often as important as the specific recovery measures and technologies that are in place. CenturyLink has the ability to bring together planning, technologies such as SafeHaven and the CenturyLink Cloud platform with recovery readiness and testing to deliver a complete resiliency capability.

Conclusion

Thinking about the business impact of security incidents and outages offers a way to evaluate the financial pros and cons of adopting cloud-based Resiliency Services. Each individual enterprise will find its own distinct economic formula for making the decision to move in that direction or not. However, the increasing severity and cost of incidents should encourage business managers to consider cloud-based Resiliency Services. These services are more cost-effective to implement and manage than comparable, piecemeal on-premises disaster recovery, backup and security solutions. They also come together synergistically to offer a higher level of resiliency, closing gaps that expose businesses to potentially massive losses. The business case for cloud-based Resiliency Services is strong. Managers who are concerned about resiliency are well-advised to research their applicability in their particular organizations.

References

[1] Accenture: https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_18/Accenture-Business-Resilience-Infographic.pdf
[2] Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-DataCenter-Outages.aspx
[3] EMC Global Data Protection Index: http://www.cioinsight.com/it-management/slideshows/the-trillion-dollar-cost-of-downtime-and-data-loss.html#sthash.LCQ8LPFX.dpuf
[4] Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-DataCenter-Outages.aspx

©2015 CenturyLink. All Rights Reserved.