The Business Case for Cloud-Based Resiliency

WHITE PAPER
The Business Case
for Cloud-Based
Resiliency Services
Gold
Partner
Service Provider
1
White Paper The Business Case for Cloud-Based Resiliency Services
Security and business continuity continue to evolve in the face of
increasingly serious security threats, outages and their impacts.
Companies today face more exposure to attacks and disruptive
events than ever before. Downtime has also grown more costly
than ever. In response, some enterprises are implementing a new
“Cloud-Based Resiliency Services” approach to mitigating these
risks. Cloud-based Resiliency Services integrate such solutions as
Disaster-Recovery-as-a-Service (DRaaS), managed security services,
and Backup-as-a-Service (BaaS) with professional services to reduce
the business impact of potentially catastrophic incidents. This paper
looks at the business case for cloud based Resiliency Services and
their implementation.
2
White Paper The Business Case for Cloud-Based Resiliency Services
WHITE PAPER
The Business Case for
Cloud-Based Resiliency Services
Overview
The challenges of maintaining continuity of core business IT
solutions, technological platforms and professional services that
services grow with every passing year. Security threats multiply
help enterprises maintain resiliency of critical IT systems in the
while the costs of downtime and security incidents increase. Yet,
face of an array of threats. The cloud-based Resiliency Services
as the task of ensuring recovery of critical IT assets becomes
portfolio includes guided implementations for cloud Backup-as-a-
more difficult, new solutions are appearing that smooth the way
Service (BaaS), High Availability, managed security services, and
for better management of disruption events. This paper looks
Disaster Recovery-as-a-Service (DRaaS). This paper explores how
at the landscape of business continuity from the perspective
to evaluate an investment in cloud-based Resiliency Services
of the emerging field of “Cloud-Based Resiliency Services.”
from a business perspective.
Cloud-based Resiliency Services are security and recovery
The Increasing Scope of Serious Security
and Business Continuity Risks
The threat level is rising. This frightening trend provides context for
30000
25,566
discussing the business case for cloud-based Resiliency Services.
A slew of studies underscore the new reality. As Figure 1 shows,
the number of US Federal Network Breaches climbed from
22,156
20000
10,481 in 2009 to 25,566 in 2013. Vulnerabilities are increasing,
as revealed in Figure 2, with operating system and application
vulnerabilities doubling from 2011 to 2014. In a disturbing parallel,
10,481
13,028
15,584
10000
as shown in Figure 3, it is getting easier for a hacker to exploit
these vulnerabilities. Accenture reports that 63% of firms are under
significant daily attack, based on a survey of 959 executives.1
Vectors of attack include viruses, worms, malware, botnets and
phishing. Hackers are constantly launching Denial of Service
2009
2011
2012
2013
Figure 1
US Federal Network Breaches (Source GAO analysis of US-CERT data: https://www.
viewfinity.com/Blog/post/2014/07/17/Summing-up-a-brief-history-Data-breaches-areincreasing-steadily-in-the-Federal-networke280a6-and-everywhere-else.aspx )
(DoS) attacks, phishing schemes directed at employees of major
corporations. Stolen corporate devices, such as mobile phones,
are also used to attack the enterprise they came from.
Going beyond these numbers, recent history tells the human
side of the story. Some of the biggest brand names in the US
have suffered breaches affecting tens of millions of people. Other
notorious breaches have publicly revealed embarrassing personal
information about many individuals.
3
2010
White Paper The Business Case for Cloud-Based Resiliency Services
On the good news/bad news front, the length of downtime
incidents is decreasing, having fallen 11.3% from 2010 to 2013.
The average annual time for total data center outage fell from
134 minutes to 119.2 At the same time, the average cost of data
center down time has gone from $5,600 a minute in 2010 to
$7,900 per minute in 2013, a 41% increase. Doing the math, a 119
minute outage in 2013 will cost a business $940,100, compared to
$750,400 for a 134 minute outage in 2010. The annual worldwide
cost of data loss and downtime was estimated to be a remarkable
$1.7 trillion, per EMC’s Global Protection Index in 2015.3
The surprisingly high toll from data loss and downtime comes
from a variety of threats. Malicious actors seek to steal data for
8000
7000
6000
5000
4000
3000
2000
1000
0
7,038
4,794
4,258
2010
3,532
2011
4,347
2012
2013
2014
Figure 2
Increasing Vulnerabilities (Source National Vulnerabilities Database: NIST http://www.
gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/)
profit or to embarrass corporations and government entities.
Threats can be local or even national, with a new breed of
sovereign cyber armies aiming to disrupt national economies
through digital sabotage. Simple outages can be quite
30
destructive, too, with routine hardware and network failures
25
causing havoc for enterprises that lack a coherent plan for
20
responding to them. Software problems, such as a “mirroring
storm” in a large data center can shut systems down for
hours or even days. Unpredictable acts of nature can have the
33
35
28
13
15
11
10
same effect, with events such as hurricanes and earthquakes
5
disrupting IT functions, with businesses scrambling to respond.
0
16
0
1
2
1
2005 2006 2007 2008 2009 2010 2011 2012 2013
Figure 3
Vulnerabilities are easier to exploit - (Source RAND National Security Research
Division: Markets for Cybercrime Tools and Stolen Data http://www.rand.org/content/
da m/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf)
Understanding the Business
Impact of an Outage
The business continuity stakes are high today. In addition to
response. These include loss of productivity, which can also affect
costing nearly a million dollars per incident, the broader business
employee morale. Revenue can take a hit. Customer and partner
impact of an outage can be severe. In the worst case scenario,
loyalty may wane if systems are unreliable. Business impacts can
90% of business without a plan go out of business after a major
also include serious reputation damage and collapse of market
outage.4 That statistic should frighten any business manager. Short
valuation, depending on the nature of the incident. In many cases,
of actual bankruptcy, though, there can still be a number serious
senior executives face personal career repercussions or even
business consequences from an outage that lacks an adequate
personal legal liability from serious incidents.
4
White Paper The Business Case for Cloud-Based Resiliency Services
The Need for a Resiliency-Oriented Approach
The high business impact of outages and security incidents is
disruptions to its IT capabilities. System and data availability
behind a shift in thinking about disaster recovery and security.
forms the central tenet of resiliency. Business resiliency must
A number of disparate approaches to protecting IT services,
provide continuous availability for mission critical applications.
such as High Availability systems, DR systems, backup
Less critical apps, such as those that may have longer recovery
systems, and cyber-security systems are all converging into a
time objectives (RTOs) or recovery point objectives (RPOs),
single consolidated approach to unified threat management or
also need to be resilient. The investment required for RTOs for
“Business Resiliency” mindset. It’s a unified resiliency approach.
lower priority systems is typically less than that needed for
critical apps, however. At the same time, business resiliency
The word resiliency means being able to return to an original
solutions need to be sensitive to various security and compliance
form or position after being bent or knocked out of place. It also
requirements. For example, a healthcare business must comply
connotes the ability to recover fully from an illness. Business
with HIPAA when it backs up its data, even if the backup site is
resiliency is about enabling a business to recover from serious
not under the company’s direct control.
Quantifying Resiliency Risks
How can one place a dollar value on resiliency? A standard risk
Threat
analysis formula, shown in Figure 4, offers an answer. Risk is
equal to the likelihood of an incident occurring multiplied by its
cost. This should make intuitive sense, but it’s a good exercise to
x
Likelihood
x
Cost
=
RISK
Figure 4
Risk analysis formula
map out the actual values involved.
Threat
Likelihood
Cost of Incident from the Threat
Financial Exposure of Risk
Infrastructure- outage
0.1000%
$1,000,000
$1,000
Massive data exfiltration
0.010%
$1,000,000,000
$100,000
The table above uses the formula in Figure 4 to compare the
This risk exposure thought process can guide decisions about
risks inherent in two different threats. The infrastructure outage
the wisdom and cost of managing resiliency internally. Resiliency
carries a cost of $1 million and has a likelihood of .1 %. The
depends on coordinating High Availability, disaster recovery,
financial exposure from the risk is $1,000. A massive data
backup, intrusion prevention and detection, anti-malware, access
exfiltration, such as the one that occurred at Sony Pictures,
control and penetration testing. It’s a complex picture with many
carries a billion dollar cost. While its likelihood is far lower at
moving parts. The risk analysis formula can put a price tag on
.01%, its higher cost makes its risk exposure worth 100 times
accidentally exposing a gap in resiliency. Indeed, internally, most
more than that of the infrastructure outage.
companies struggle with the expense of redundant infrastructure
that is not frequently used. Managing all of these systems and
The risk analysis formula provides a simple, approximate way
related workflows with solutions in siloes is costly to implement
to measure the costs of resiliency risks. It also exposes the
and manage. Customization of systems also adds cost. Staff
potential cost of gaps in resiliency planning. If a gap in resiliency
resource utilization will likely be poor and inevitably, there will be
increases a company’s exposure to a high-risk incident, it’s worth
gaps in resiliency.
exploring the return on an investment in resiliency to close that
gap. In the example just described, the $100,000 exposure for
the massive data exfiltration risk might justify an expenditure of
$100,000 to mitigate the risk.
5
White Paper The Business Case for Cloud-Based Resiliency Services
The Resiliency Services Approach
By their nature, cloud-based Resiliency Services will vary from
one enterprise to the next. The basic
formulation, however, is
Professional
DRaaS
Services
a synergistic combination of Disaster
Recovery-as-a-Service
Professional
Services
Disaster
Recovery
Disaster
Recovery
DRaaS
(DRaaS), managed security services, Backup as-as-Service
(BaaS) and High Availability. Risk assessment and professional
services steer the design and implementation
processes. TheHigh
Backup
BaaS
Backup
Availability
High
Availability
BaaS
specific way these components are implemented will depend
on each enterprise’s unique requirements. However, the end
result will be the same if the cloud-based Resiliency Services are
executed properly: unifying DR,
Risk
Assessment
Managed
Risk
backup
and securitySecurity
will move Security
Assessment
Services
the enterprise close to cost-effective continuous availability of
key systems.
DRaaS
Managed
Security
Services
Security
Figure 5
Cloud-based Resiliency Services - a synergistic combination of DRaaS, BaaS,
High Availability, risk assessment and managed security services
systems and applications up to date and integrated so they can
perform as expected in a disaster.
SRN
SafeHaven
SRN
DRaaS, as implemented with CenturyLink Cloud, functions
somewhat like a “mirror site,” but with more elastic capacity, lower
costs as well as automated configuration and provisioning. As
depicted in Figure 5, the CenturyLink Cloud SafeHaven technology
uses virtual appliances as replication nodes (SRNs) which receive
Active Group
constant administrative burden required to keep operating
Active Group
involves dedicated remote recovery sites. And, there is a
Active Group
faced in traditional disaster recovery. The standard DR approach
Active Group
DRaaS helps organizations overcome a number of difficulties
CMS
Customer Premise
CenturyLink Cloud
Figure 6
DRaaS as implemented on CenturyLink Cloud using SafeHaven technology.
This approach creates complete replicas of applications and data in the cloud.
mirrored updates from active servers and data drives in the client’s
production site. The virtual appliances continuously transmit these
Managed Security Services
updates to peers within the CenturyLink Cloud.
Managed security services augment resiliency by simplifying
the security manager’s job. Cloud-based managed security can
Another SafeHaven virtual appliance, the “Central Management
provide perimeter management, such as firewall and VPN but
Server” (CMS) resides on a CenturyLink Cloud server. It
with a lighter administrative load and capital investment than is
monitors for failure conditions, sends alerts to administrators and
required on-premises. There can be a managed security service
relays commands to the SRNs. The CMS acts like a command
for event monitoring, detection of DoS attacks and anomalies
and control station for the company’s entire disaster protection
that might signify penetration attempts. CenturyLink offers
environment. As a turnkey solution, SafeHaven approach is
these managed security services, as well as penetration testing,
relatively easy to use and manage.
compliance monitoring and log management.
6
White Paper The Business Case for Cloud-Based Resiliency Services
BaaS
BaaS means using a cloud-based service to handle backup tasks instead of performing back-ups on-premises. There are several
advantages to BaaS from the perspective of resiliency. It lifts some of the administrative burden off of backup managers who
no longer have to set up and maintain the backup system. There is flexibility in providers, which reduces the risk of vendor lockin. Backup capacity can also be scaled without making an investment in new infrastructure. When coordinated with cloud-based
Resiliency Services, BaaS can be a highly effective tool of continuous availability.
CenturyLink Cloud’s Approach to Cloud-Based Resiliency Services
CenturyLink Cloud has extensive experience with cloud-based
CenturyLink makes a variable RTO approach to resiliency
Resiliency Services. The CenturyLink approach leverages the
possible. Near real time recovery is possible with SafeHaven,
company’s cloud platform to enable streamlined implementation,
which is suitable for lossless recovery in as little as 30 seconds
management and modification of the services. This reduces
in catastrophic incidents. SafeHaven provides inter-site migration,
the risk of fragmentation that can occur when companies try
failover, failback, test failover, rollback, failure detection and audit
to create and manage their own cloud-based resiliency with a
reporting. For less critical applications, the use of VMware’s
bundle of independent services. Without unified management,
vCloud Air solution enables a recovery point of about 15 minutes.
which CenturyLink’s platform provides, there can be
CenturyLink’s professional services round out the cloud-based
inefficiencies and resiliency gaps that expose the enterprise to
Resiliency Services offering. CenturyLink consultants can help
costly risks and negate the impact of the whole process.
with business impact analysis (BIA), disaster recovery readiness,
disaster protection design and implementation, and testing
CenturyLink Cloud is able to offer resiliency based on a hybrid
services. As experienced business continuity managers know,
cloud model. A single platform manages deployments of
the recovery plan is often as important as the specific recovery
Resiliency Services that span multiple technologies on-premises,
measures and technologies that are in place. CenturyLink has
on private cloud and multi-tenant public cloud infrastructure.
the ability to bring together planning, technologies such as
The result is more efficient use of redundant infrastructure and
SafeHaven and the CenturyLink Cloud platform with recovery
increased agility in resiliency service design.
readiness and testing to deliver a complete resiliency capability.
Conclusion
Thinking about the business impact of security incidents and
manage than comparable, piecemeal on-premises disaster
outages offers a way to evaluate the financial pros and cons
recovery, backup and security solutions. They also come together
of adopting cloud-based Resiliency Services. Each individual
synergistically to offer a higher level of resiliency — closing
enterprise will find its own distinct economic formula for
gaps that expose businesses to potentially massive losses. The
making the decision to move in that direction or not. However,
business case for cloud-based Resiliency Services is strong.
the increasing severity and cost of incidents should encourage
Managers who are concerned about resiliency are well-advised to
business managers to consider cloud-based Resiliency Services.
research their applicability in their particular organizations.
These services are more cost-effective to implement and
7
White Paper The Business Case for Cloud-Based Resiliency Services
1 https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_18/Accenture-Business-Resilience-Infographic.pdf
2 Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-DataCenter-Outages.aspx
3 EMC Global Data Protection Index: http://www.cioinsight.com/it-management/slideshows/the-trillion-dollar-cost-of-downtime-and-data-loss.html#sthash.LCQ8LPFX.dpuf
4 Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-DataCenter-Outages.aspx
Global Headquarters
Monroe, LA
(800) 784-2105
EMEA Headquarters
United Kingdom
+44 (0)118 322 6000
Asia Pacific Headquarters
Singapore
+65 6768 8098
Canada Headquarters
Toronto, ON
1-877-387-3764
©2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the
property of CenturyLink. All other marks are the property of their respective owners. Services not available everywhere. Business
customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice.
744111915 - the-business-case-cloud-based-resiliency-services-whitepaper-WP151005