
WHITE PAPER

The Business Case for Cloud-Based Resiliency Services

Security and business continuity continue to evolve in the face of increasingly serious security threats, outages and their impacts. Companies today face more exposure to attacks and disruptive events than ever before. Downtime has also grown more costly than ever. In response, some enterprises are implementing a new “Cloud-Based Resiliency Services” approach to mitigating these risks. Cloud-based Resiliency Services integrate such solutions as Disaster-Recovery-as-a-Service (DRaaS), managed security services, and Backup-as-a-Service (BaaS) with professional services to reduce the business impact of potentially catastrophic incidents. This paper looks at the business case for cloud-based Resiliency Services and their implementation.

Overview

The challenges of maintaining continuity of core business IT services grow with every passing year. Security threats multiply while the costs of downtime and security incidents increase. Yet, as the task of ensuring recovery of critical IT assets becomes more difficult, new solutions are appearing that smooth the way for better management of disruption events. This paper looks at the landscape of business continuity from the perspective of the emerging field of “Cloud-Based Resiliency Services.”

Cloud-based Resiliency Services are security and recovery solutions, technological platforms and professional services that help enterprises maintain resiliency of critical IT systems in the face of an array of threats. The cloud-based Resiliency Services portfolio includes guided implementations for cloud Backup-as-a-Service (BaaS), High Availability, managed security services, and Disaster Recovery-as-a-Service (DRaaS). This paper explores how to evaluate an investment in cloud-based Resiliency Services from a business perspective.

The Increasing Scope of Serious Security and Business Continuity Risks

The threat level is rising. This frightening trend provides context for discussing the business case for cloud-based Resiliency Services. A slew of studies underscore the new reality. As Figure 1 shows, the number of US Federal Network Breaches climbed from 10,481 in 2009 to 25,566 in 2013. Vulnerabilities are increasing, as revealed in Figure 2, with operating system and application vulnerabilities doubling from 2011 to 2014. In a disturbing parallel, as shown in Figure 3, it is getting easier for a hacker to exploit these vulnerabilities. Accenture reports that 63% of firms are under significant daily attack, based on a survey of 959 executives.[1] Vectors of attack include viruses, worms, malware, botnets and phishing. Hackers are constantly launching Denial of Service (DoS) attacks and phishing schemes directed at employees of major corporations. Stolen corporate devices, such as mobile phones, are also used to attack the enterprise they came from.

Going beyond these numbers, recent history tells the human side of the story. Some of the biggest brand names in the US have suffered breaches affecting tens of millions of people. Other notorious breaches have publicly revealed embarrassing personal information about many individuals.

Figure 1 US Federal Network Breaches (Source GAO analysis of US-CERT data: https://www.viewfinity.com/Blog/post/2014/07/17/Summing-up-a-brief-history-Data-breaches-are-increasing-steadily-in-the-Federal-networke280a6-and-everywhere-else.aspx ). Bar chart values by year: 2009: 10,481; 2010: 13,028; 2011: 15,584; 2012: 22,156; 2013: 25,566.


On the good news/bad news front, the length of downtime incidents is decreasing, having fallen 11.3% from 2010 to 2013. The average annual time for total data center outage fell from 134 minutes to 119.[2] At the same time, the average cost of data center downtime has gone from $5,600 a minute in 2010 to $7,900 per minute in 2013, a 41% increase. Doing the math, a 119-minute outage in 2013 will cost a business $940,100, compared to $750,400 for a 134-minute outage in 2010. The annual worldwide cost of data loss and downtime was estimated to be a remarkable $1.7 trillion, per EMC’s Global Protection Index in 2015.[3]

The surprisingly high toll from data loss and downtime comes from a variety of threats. Malicious actors seek to steal data for profit or to embarrass corporations and government entities. Threats can be local or even national, with a new breed of sovereign cyber armies aiming to disrupt national economies through digital sabotage. Simple outages can be quite destructive, too, with routine hardware and network failures causing havoc for enterprises that lack a coherent plan for responding to them. Software problems, such as a “mirroring storm” in a large data center, can shut systems down for hours or even days. Unpredictable acts of nature can have the same effect, with events such as hurricanes and earthquakes disrupting IT functions and businesses scrambling to respond.

Figure 2 Increasing Vulnerabilities, bar chart by year, 2010 to 2014 (Source National Vulnerabilities Database: NIST http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/)

Figure 3 Vulnerabilities are easier to exploit, bar chart by year, 2005 to 2013 (Source RAND National Security Research Division: Markets for Cybercrime Tools and Stolen Data http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf)

Understanding the Business Impact of an Outage

The business continuity stakes are high today. In addition to costing nearly a million dollars per incident, the broader business impact of an outage can be severe. In the worst case scenario, 90% of businesses without a plan go out of business after a major outage.[4] That statistic should frighten any business manager. Short of actual bankruptcy, though, there can still be a number of serious business consequences from an outage that lacks an adequate response. These include loss of productivity, which can also affect employee morale. Revenue can take a hit. Customer and partner loyalty may wane if systems are unreliable. Business impacts can also include serious reputation damage and collapse of market valuation, depending on the nature of the incident. In many cases, senior executives face personal career repercussions or even personal legal liability from serious incidents.


The Need for a Resiliency-Oriented Approach

The high business impact of outages and security incidents is behind a shift in thinking about disaster recovery and security. A number of disparate approaches to protecting IT services, such as High Availability systems, DR systems, backup systems, and cyber-security systems, are all converging into a single consolidated approach: unified threat management, or a “Business Resiliency” mindset. It’s a unified resiliency approach.

The word resiliency means being able to return to an original form or position after being bent or knocked out of place. It also connotes the ability to recover fully from an illness. Business resiliency is about enabling a business to recover from serious disruptions to its IT capabilities. System and data availability forms the central tenet of resiliency. Business resiliency must provide continuous availability for mission critical applications. Less critical apps, such as those that may have longer recovery time objectives (RTOs) or recovery point objectives (RPOs), also need to be resilient. The investment required for RTOs for lower priority systems is typically less than that needed for critical apps, however. At the same time, business resiliency solutions need to be sensitive to various security and compliance requirements. For example, a healthcare business must comply with HIPAA when it backs up its data, even if the backup site is not under the company’s direct control.

Quantifying Resiliency Risks

How can one place a dollar value on resiliency? A standard risk analysis formula, shown in Figure 4, offers an answer. Risk is equal to the likelihood of an incident occurring multiplied by its cost. This should make intuitive sense, but it’s a good exercise to map out the actual values involved.

Threat | Likelihood | Cost of Incident from the Threat | Financial Exposure of Risk
Infrastructure outage | 0.1000% | $1,000,000 | $1,000
Massive data exfiltration | 0.010% | $1,000,000,000 | $100,000

The table above uses the formula in Figure 4 to compare the risks inherent in two different threats. The infrastructure outage carries a cost of $1 million and has a likelihood of 0.1%. The financial exposure from the risk is $1,000. A massive data exfiltration, such as the one that occurred at Sony Pictures, carries a billion dollar cost. While its likelihood is far lower at 0.01%, its higher cost makes its risk exposure worth 100 times more than that of the infrastructure outage.

The risk analysis formula provides a simple, approximate way to measure the costs of resiliency risks. It also exposes the potential cost of gaps in resiliency planning. If a gap in resiliency increases a company’s exposure to a high-risk incident, it’s worth exploring the return on an investment in resiliency to close that gap. In the example just described, the $100,000 exposure for the massive data exfiltration risk might justify an expenditure of $100,000 to mitigate the risk.

This risk exposure thought process can guide decisions about the wisdom and cost of managing resiliency internally. Resiliency depends on coordinating High Availability, disaster recovery, backup, intrusion prevention and detection, anti-malware, access control and penetration testing. It’s a complex picture with many moving parts. The risk analysis formula can put a price tag on accidentally exposing a gap in resiliency. Indeed, internally, most companies struggle with the expense of redundant infrastructure that is not frequently used. Managing all of these systems and related workflows with solutions in silos is costly to implement and manage. Customization of systems also adds cost. Staff resource utilization will likely be poor and, inevitably, there will be gaps in resiliency.

Threat × Likelihood × Cost = RISK

Figure 4 Risk analysis formula


The Resiliency Services Approach

By their nature, cloud-based Resiliency Services will vary from one enterprise to the next. The basic formulation, however, is a synergistic combination of Disaster Recovery-as-a-Service (DRaaS), managed security services, Backup-as-a-Service (BaaS) and High Availability. Risk assessment and professional services steer the design and implementation processes. The specific way these components are implemented will depend on each enterprise’s unique requirements. However, the end result will be the same if the cloud-based Resiliency Services are executed properly: unifying DR, backup and security will move the enterprise close to cost-effective continuous availability of key systems.

DRaaS

DRaaS helps organizations overcome a number of difficulties faced in traditional disaster recovery. The standard DR approach involves dedicated remote recovery sites. And there is a constant administrative burden required to keep operating systems and applications up to date and integrated so they can perform as expected in a disaster.

DRaaS, as implemented with CenturyLink Cloud, functions somewhat like a “mirror site,” but with more elastic capacity, lower costs, and automated configuration and provisioning. As depicted in Figure 5, the CenturyLink Cloud SafeHaven technology uses virtual appliances as replication nodes (SRNs) which receive mirrored updates from active servers and data drives in the client’s production site. The virtual appliances continuously transmit these updates to peers within the CenturyLink Cloud.

Another SafeHaven virtual appliance, the “Central Management Server” (CMS), resides on a CenturyLink Cloud server. It monitors for failure conditions, sends alerts to administrators and relays commands to the SRNs. The CMS acts like a command and control station for the company’s entire disaster protection environment. As a turnkey solution, the SafeHaven approach is relatively easy to use and manage.


Managed Security Services

Managed security services augment resiliency by simplifying the security manager’s job. Cloud-based managed security can provide perimeter management, such as firewall and VPN, but with a lighter administrative load and capital investment than is required on-premises. There can be a managed security service for event monitoring, detection of DoS attacks and anomalies that might signify penetration attempts. CenturyLink offers these managed security services, as well as penetration testing, compliance monitoring and log management.

Figure 5 Cloud-based Resiliency Services - a synergistic combination of DRaaS, BaaS, High Availability, risk assessment and managed security services

Figure 6 DRaaS as implemented on CenturyLink Cloud using SafeHaven technology. This approach creates complete replicas of applications and data in the cloud. (Diagram labels: Customer Premise, CenturyLink Cloud, Active Group, SRN, CMS, SafeHaven.)


BaaS

BaaS means using a cloud-based service to handle backup tasks instead of performing backups on-premises. There are several advantages to BaaS from the perspective of resiliency. It lifts some of the administrative burden off of backup managers, who no longer have to set up and maintain the backup system. There is flexibility in providers, which reduces the risk of vendor lock-in. Backup capacity can also be scaled without making an investment in new infrastructure. When coordinated with cloud-based Resiliency Services, BaaS can be a highly effective tool of continuous availability.

CenturyLink Cloud’s Approach to Cloud-Based Resiliency Services

CenturyLink Cloud has extensive experience with cloud-based Resiliency Services. The CenturyLink approach leverages the company’s cloud platform to enable streamlined implementation, management and modification of the services. This reduces the risk of fragmentation that can occur when companies try to create and manage their own cloud-based resiliency with a bundle of independent services. Without unified management, which CenturyLink’s platform provides, there can be inefficiencies and resiliency gaps that expose the enterprise to costly risks and negate the impact of the whole process.

CenturyLink Cloud is able to offer resiliency based on a hybrid cloud model. A single platform manages deployments of Resiliency Services that span multiple technologies on-premises, on private cloud and multi-tenant public cloud infrastructure. The result is more efficient use of redundant infrastructure and increased agility in resiliency service design.

CenturyLink makes a variable RTO approach to resiliency possible. Near real time recovery is possible with SafeHaven, which is suitable for lossless recovery in as little as 30 seconds in catastrophic incidents. SafeHaven provides inter-site migration, failover, failback, test failover, rollback, failure detection and audit reporting. For less critical applications, the use of VMware’s vCloud Air solution enables a recovery point of about 15 minutes.

CenturyLink’s professional services round out the cloud-based Resiliency Services offering. CenturyLink consultants can help with business impact analysis (BIA), disaster recovery readiness, disaster protection design and implementation, and testing services. As experienced business continuity managers know, the recovery plan is often as important as the specific recovery measures and technologies that are in place. CenturyLink has the ability to bring together planning, technologies such as SafeHaven and the CenturyLink Cloud platform with recovery readiness and testing to deliver a complete resiliency capability.

Conclusion

Thinking about the business impact of security incidents and outages offers a way to evaluate the financial pros and cons of adopting cloud-based Resiliency Services. Each individual enterprise will find its own distinct economic formula for making the decision to move in that direction or not. However, the increasing severity and cost of incidents should encourage business managers to consider cloud-based Resiliency Services. These services are more cost-effective to implement and manage than comparable, piecemeal on-premises disaster recovery, backup and security solutions. They also come together synergistically to offer a higher level of resiliency, closing gaps that expose businesses to potentially massive losses. The business case for cloud-based Resiliency Services is strong. Managers who are concerned about resiliency are well-advised to research their applicability in their particular organizations.


©2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. Services not available everywhere. Business customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice.

744111915 - the-business-case-cloud-based-resiliency-services-whitepaper-WP151005

[1] https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_18/Accenture-Business-Resilience-Infographic.pdf

[2] Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-Data-Center-Outages.aspx

[3] EMC Global Data Protection Index: http://www.cioinsight.com/it-management/slideshows/the-trillion-dollar-cost-of-downtime-and-data-loss.html#sthash.LCQ8LPFX.dpuf

[4] Emerson Network Power / Ponemon Institute: http://www.emersonnetworkpower.com/en-US/About/NewsRoom/NewsReleases/Pages/Emerson-Ponemon-Cost-Unplanned-Data-Center-Outages.aspx

Global Headquarters Monroe, LA (800) 784-2105

EMEA Headquarters United Kingdom +44 (0)118 322 6000

Asia Pacific Headquarters Singapore +65 6768 8098

Canada Headquarters Toronto, ON 1-877-387-3764