2. 8
Full Cyber & Business
Continuity Protection
Proactive Reactive
Proactive solutions are not enough
Vendor neutrality, transparency, and integration is required
Working together, true per application & automated Recovery-as-a-Service can emerge
What does a real BCDR strategy look like?
Threat monitoring &
mitigation
Disaster Recovery & IT
Resiliency Orchestration
3. 3
Production environments are complex. DR Strategy must match.
Disaster Recovery is strategy. Consider:
➢ Production workloads
➢ Security
➢ 3rd party services
➢ Hybrid & Multi-cloud
➢ Accountability, ownership, appetite, and recourse for failure
➢ Possibly “All or Nothing”
Disaster Recovery is not:
➢ Replication software that you purchase
➢ “Set it and forget it”
➢ Static
➢ About replicating data…
4. 4
Disaster Recovery Ownership Models
➢Customer to Customer (Secondary NOC)
➢Customer to Managed Cloud Provider
➢Customer to IaaS public clouds
➢Managed Cloud Provider with DRaaS
➢IaaS public to IaaS public
➢Hybrid: Colocation + Managed Cloud + Network + More..
5. 17
Business Considerations
Ownership & Accountability:
➢ Buy vs Build
➢ Recourse should the solution not work?
➢ Recourse should a data breach occur?
➢ SLAs for RTO/RPO?
➢Provider: Contract/SLA/BAA
➢ Monitoring / Alerting integrations
➢ Who owns failback?
➢ HW/SW - Capex/Opex
Testing considerations
➢ “Application Centric”
➢ Runbook per application
➢ Shift testing to application owners, not IT
➢ “Real test”
➢ Preparation time
6. 17
Fully Inclusive Disaster Recovery Considerations
HV Replication
Data Copy
Storage Native Replication
Physical Servers
non-x86 platforms (IBM i, P, Z)
Application based replication
Always-on Infrastructure (Authentication & Applications)
Network Integration & Consumption - VPN, MPLS, 3rd party, DNS
IT Resiliency Orchestration - Data Loss Prevention - Ransomware Recovery
7. 17
➢ Recovery site integration:
➢ Site-to-Site, Site-to-Client VPN
➢ MPLS / VPLS integration
➢ Point-to-Point, L2 stretch (e-line), L3, possible encryption
➢ SD-WAN
➢ Interconnection Fabric
➢ Internal traffic shift
➢ iBGP/eBGP swing
➢ Internal route injection
➢ DNS
➢ Subnet alignment
➢ Network Overlay via SDP / NAC software
➢ External traffic shift
➢ DNS
➢ Proxy services
➢ BGP swing
Full DR - (The Weeds)
➢Cybersecurity considerations
➢ Security at recovery site “as-good” as production?
➢ If not, new attack vector(s) at recovery
➢ Is existing security monitoring inclusive of recovery site?
➢ Is MSSP fully accountable for recovery site?
➢ Any network exposure when failed over?
➢Storage
➢Vendor native replication
➢ NFS/CIFS replication
➢ RDMs / non-VM
8. 25
DRaaS: More than just VM Replication
“Bring me your legacy, your insecure, your flat network design…”
9. 17
Match Application Criticality to Solution
Tier 0 Applications
Tier 1 Applications
Tier 2 Applications
Tier 3 Applications
48 Hours+ $
24 Hours $$
1 Hour $$$
Synchronous $$$$
Common Components (Network, Runbook, Integrations, Accountability, Contract)
Recovery Point & Recovery Time Objectives Application Criticality
10. 17
Tier 0 Applications
Tier 1 Applications
Tier 2 Applications
Tier 3 Applications
Backups-as-a-Service
Disaster-Recovery Lite
Disaster-Recovery
Ransomware-Recovery
Service <-> Criticality
Match Application Criticality to Solution
Common Components (Network, Runbook, Integrations, Accountability, Contract)
11. 27
Webair BCDR Offerings
• Backups-as-a-Service
• Backups-as-a-Service to Azure
• Disaster-Recovery-as-a-Service
• Disaster-Recovery-as-a-Service to Azure
• Ransomware-Recovery-as-a-Service
• IBM DRaaS Services
12. 27
BCDR Services
➢Backups-as-a-Service
➢ Offsite data / backup requirement
➢ Long term retention requirements, or:
➢ Single copy offsite (in the cloud)
➢ Insurance policy to “spin up” via DR-Lite service
➢ Disaster-as-a-Service
➢ Ability to instantly recovery from Ransomware and issues related to Humans, Applications, Infrastructure
➢ Fully managed failover AND fallback (confidence)
➢ Per Application functionality
➢ Max 30 days of “instant-on” capability
➢ Ransomware-Recovery-as-a-Service
➢ Integration with existing cybersecurity initiatives, software, services
➢ Automated failover based upon intrusion detection
➢ Utilize Replica to improve production environment’s security
13. 17
Offsite Backups Considerations
➢ Local Backups Platform & Support - Vmware, HyperV, Physical Servers, NFS/CIFS
➢Costs
Software
Storage Frontend/Backend
Restores & Data transfer
Operations
Infrastructure (Always on)
➢ Connectivity
Latency - Duration of Backup & Restores
Capacity - Acceleration & Synthetics
➢ DIY Infrastructure or Managed Service - Accountability
➢ Number of copies
➢Security
Encryption + Dedup,
Contracts, BAAs & SLAs
Private Connectivity, Air Gapped - “Data center within a data center”
14. 17
Backups-as-a-Service is not Disaster Recovery!
➢ Webair DR-Lite Add-on for BaaS
➢ Ability to spin up backed up VMs on-demand
➢ 15 Minute RPO / 24 hour RTO
➢ Yearly testing
➢ Self Service Portal:
Spin up / Shutdown VMs
Console VMs & manage networks
Download / Restore backups for failback
➢Always-on Networking:
Reduces RTO to minutes to on-demand (minutes)
Network pre-planning and pre-configuration
➢Cost Metric: Storage only
15. 17
True Disaster-Recovery Considerations
➢ Application consumption (Network)
➢ Failback
➢ Application Consistency
➢ “Managed”assistance?
➢ Multiple Platforms on same LAN
➢ “Managed Testing” ?
➢ Journal and Change Data
➢ On-Demand testing & access
➢ Infrastructure Performance
➢ Utilization of Replica
➢ Security - SLA / BAA / MSA / Encryption
➢ Cost Metrics - Per server, storage, data transfer, operations, infrastructure, declaration of DR, failback, network..
16. 17
➢ True DRaaS gets us:
➢ Per Application Failover/Failback
➢ Network Consumption Automation
➢ “Rewind” Ability via journal
➢ Use of replica environment
➢ Confidence to use it
➢ API & Automation
➢Still needed..
➢Security at Recovery site must be as good as production:
➢ Ownership from 1 security firm
➢ Same SIEM, firewalls, tools, procedures
➢ DDoS Monitoring & Mitigation
➢ Reduce security event exposure
➢ Non-intrusive to production
DRaaS for Automated Ransomware-Recovery
18. 25
Hybrid Configurations
➢ Utilize existing hardware, licenses
➢ Shift legal/security ownership where needed
➢ Reduce demands on internal teams
➢ Take advantage of partner experience
➢ Shared runbook responsibilities
➢ “Future-proof” investment - mix/match later as needed
➢ “Hardware appliance and management as a service”
20. 17
➢Network topology a blocker to DR strategy?
➢ Leapfrog the network and overlay..
➢ Utilize NAC (Network Access Control) or SDP tools to shift traffic per endpoint
➢ SDP: Software Defined Permiter
➢ “Zero Trust” model - endpoint software locks down all traffic
➢ All traffic is routed through Gateway
➢ Gateway enforces network security
➢“Tag” users, applications, device types, locations
➢ Build global security policies via single pane of glass for entire organization
➢ Think of a specific tunnel being built to per use-case / flow
➢ Global visibility into user & application consumption
➢ API / Automation available
Shifting traffic: A better way
21. 17
➢ Cool. What’s that have to do with DR?
➢ “Shift” application traffic from location A —> B via software defined policies
➢ Physical network agnostic
➢ Future proof - Network, locations, clouds can all change
➢ Part of automated runbook, APIs
➢ Alignment issues, network topology issues go away
➢ Security solution - May be part of larger organization security
➢Requirements
➢ Organization must adopt the solution
➢ DR Solution or DRaaS provider must support it (Webair does!! :) )
➢ Internal traffic only - Doesn’t help with internet facing applications
Shifting Traffic: A better way
23. 25
Fully managed web apps
& cloud infrastructure
Business Continuity & Disaster Recovery
Our History: Down the Stack
24. Webair maintains a global network of state-of-the-art data center facilities that offer top-tier Colocation
solutions featuring modular power options, superior architecture and access to DDoS-protected
bandwidth, as well as superior connectivity to a multitude of leading carriers.
Hong Kong
9
Hong Kong
Data Center Locations
25. Tier 3 rated, SOC1, SOC2, CJIS, HIPAA, PCI-DSS, NYS DFS 500, Open-IX Compliance
400 Cabinet / 8MW Capacity
3 Generators / 7+ days fuel runtime
AWS, Azure, Google on-premises
DDoS monitoring and mitigation on-premises
Eco-system of managed services on-premises
Tax-Exempt and Hydro-Electric “green” power allocation from NYPA
Outside 25 mile NYC “blast zone” with Manhattan Bypass fiber routes
BCDR seats on-premises
LIRR train station on-premises
10
Webair NY1
26. Hybrid Colocation
10
➢Coloation is not about space and power
➢ Ecosystem of managed services behind the firewall
➢ Mix & match based on risk, capex/opex, platform changes
➢ Revenue Portability - Phased approach to cloud & future proof
27. 20
Dedicated Private Cloud
➢Completely dedicated and physically segmented hypervisors and networking
➢Direct vCenter access to manage cloud environment
➢VMware Orchestrator configured to allow for API-based automation and control
➢Connect cluster to on-premises vCenter, allowing for seamless workload moves
➢Options for physically dedicated SAN storage
➢Connect to customer networks via MPLS, direct connectivity & cross-connects, bypassing the internet
➢Customize hardware on request
➢Higher levels of encryption available
➢Ability to customize hypervisors and versions
Enterprise Virtual Private Cloud (E-VPC)
➢Dedicated resource pool with ability to burst
➢Compliance reporting of compute configuration
➢Historical and real-time resource utilization
➢Console access
➢Ability to create custom templates
Public & Private Compliance Cloud & Storage
28. 13
On premise vs Public cloud: A better way
Webair Direct Access Cloud Erate Eligible