Disaster-Recovery-As-A-Service Providers – Forrester Wave

The Forrester Wave: Disaster-Recovery-As-A-Service Providers, Q2 2017
Cloud-Based Recovery Providers Focus More On Virtual Infrastructure
Than Heterogeneous Enterprise Deployments

Article writtent by analysts Naveen Chhabra, with Glenn O’Donnell, Stephanie Balaouras, Michael Caputo, Bill Nagelon, Forrester Research, Inc., April 20, 2017

In our 26-criteria evaluation of disaster-recovery-as-a-service (DRaaS) providers, we identified the 10 most significant players – Bluelock, Daisy, HPE Enterprise Services, IBM, iland, NTT Communications, Plan B, Recovery Point, Sungard Availability Services (Sungard AS), and TierPoint – and researched, analyzed, and scored them.

This report shows how each provider measures up against the set of criteria and where they stand in relation to each other. This report helps infrastructure and operations (I&O) professionals select the right partner for their resiliency and recovery needs.

Key Takeaways

Sungard AS, Bluelock, IBM, And iland Lead The Pack
Thiss research uncovered a market in which Sungard Availability Services, Bluelock, IBM, and iland lead the pack. HPE Enterprise Services, Recovery Point, Daisy, Plan B, and TierPoint offer competitive options. NTT Communications lags behind.

Seek Platform Support, Scale, Consulting, And A Secure,
Reliable Infrastructure
I&O pros are adopting DRaaS services as the foundation for cost-effective resiliency. They increasingly trust DRaaS providers to provide secure and reliable infrastructure as well as BC consulting, industry certifications, proven scale, wide platform support, and application knowledge to automate recovery when required.

Application Orchestration, Security, And Recovery Readiness Key Differentiators
As hypervisor-based replication technology becomes standard across providers, higher-order value capabilities such as application orchestration, recovery readiness view, and recovery infrastructure security dictate which providers lead the pack. Vendors that provide these can position themselves successfully to deliver managed DRaaS to customers.

Resiliency Is Top Priority  for Both I&O and S&R Leaders

In today’s digital business era, great customer experiences depend on technology more than ever. Customers, employees, partners, and regulatory authorities expect business services to be available always, no matter what. Incidents such as infrastructure failures or ransomware attacks can render firms inoperable, making resiliency a top priority for both I&O and security and risk (S&R) pros. Service disruptions are a cause of worry for business executives, as today’s customers operate in very short-lived mobile or digital moments. If business services are unavailable in those moments, customers will waste no time switching their providers – and their loyalty. Traditional recovery practices requiring hours or days won’t work anymore.

I&O leaders are increasingly responsible for supporting their firms’ digital businesses and are often measured by the effectiveness of customer engagement. DRaaS promises to help I&O pros build a resilient technology infrastructure so they can deliver always-on services where downtimes are either imperceptible or last just a few seconds.

Forrester defines disaster-recovery-as-a-service as:
A pay-per-use managed service that uses cloud-based infrastructure and continuous replication technologies and orchestrates the transition of applications to recovery infrastructure in case of an outage to deliver a resilient business service.

Enterprise DRaaS adoption has grown steadily in recent years; currently, 40% of enterprises have adopted it, with another 24% planning to do so.

Shorter Recovery Objectives Are No Longer The Differentiators

Thanks to advancements in data replication technologies, critical application recovery objectives have shrunk from days or hours down to minutes or seconds. The democratization of replication technology ensures that almost every DRaaS provider can offer short recovery objectives. However, that’s not sufficient for a DRaaS provider to differentiate itself from the pack. I&O pros look for:

Support for heterogeneity. Until recently, DRaaS providers primarily served the virtualized infrastructure at SMBs and application silos at large firms. Large enterprises tend to have more heterogeneity in their compute infrastructure; as their tech leaders start to gain interest in DRaaS, they increasingly expect a common recovery management platform that can support a heterogeneous infrastructure of virtual and physical servers, including proprietary systems.
 
Application orchestration. Most providers limit recovery to the OS and virtualization layers. No provider claims to ensure application recovery, although firms expect it: In a digital-led business, applications are interdependent, and recovering VMs – even a thousand – adds little value. Before releasing applications to production, I&O professionals must perform validations such as checking database consistency and updating domain name system (DNS) records. They’ll either do this for individual applications or place validation tasks in the orchestration layer.

A recovery readiness view. Risk management pros and I&O leaders expect to know immediately whether they’re ready to recover. If they are, they want to know how ready; if not, they want to know where the gaps are so they can remediate. This can depend on a lot of factors, such as technology infrastructure coverage, historical failure of each infrastructure element, and historical mean time to recovery. A ‘recovery readiness’ view is best delivered through the self-service console, removing personnel and service ticket dependencies.

Security infrastructure. One potential use of DRaaS services is to perform nondisruptive offline security tests on the primary infrastructure replica. Few providers propose that customers use their DRaaS services in the event of security breaches or intrusions into the primary environment. It’s surprising that these providers don’t offer security infrastructure for the recovery environment themselves. I&O pros must appreciate the security infrastructure requirement for DR: During the time that the recovery infrastructure runs the production workload, it temporarily becomes the primary infrastructure and needs no less security than the original primary infrastructure.

Self-managed drills and test results. Most DRaaS providers offer white-glove support to perform drills and require a few days or weeks of notice to align resources for the drill; they deploy orchestration tools to support speedier recovery. Assuming that these orchestration tools capture all possible failure options and that infrastructure resources are available on demand, providers can enable I&O pros to perform self-drills – albeit under supervision. Upon successful completion, drill results can be made available to clients for internal audits or other purposes. Granular test results can serve recovery process improvement objectives.

DRaaS Providers Evaluation Overview

To assess the state of the DRaaS provider market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top DRaaS providers. After examining past research, user needs assessments, and vendor and expert interviews, we developed a comprehensive set of evaluation criteria. We evaluated vendors against 26 criteria, which we grouped into three high-level buckets:

Current offering. To assess each provider’s current offering, we developed six groups of criteria. Core DRaaS offerings evaluate providers’ recovery options. Recovery objective capability evaluates tiers of RTOs and RPOs. Technology support includes platform and application support, data transfer technologies, change management, data resiliency, and risk mitigation. Security includes data security, security infrastructure, industry certifications, and certified test results. Self-service evaluates the portal and the management interface. Consulting services evaluate a provider’s ability to support client requirements to develop a BC plan as well as performing risk assessment and business impact analysis.

Strategy. We assessed each vendor’s strategic positioning using two evaluation criteria. Service strategy includes value proposition and vision, planned service enhancements, and supported disaster declarations. Corporate strategy includes proven scale, pricing, service levels, and contract terms.

Market presence. Our assessment of each vendor’s market presence included six factors: number of customers, DRaaS service revenue, revenue growth rate, geographic coverage, customer feedback, and technology vendor partnerships. Revenue and growth rates are Forrester estimates, unless the vendor publicly reports revenue derived solely from the cloud platform services included in our evaluation.

Evaluated Vendors And Inclusion Criteria

Forrester included 10 vendors in the assessment: Bluelock, Daisy, HPE Enterprise Services, IBM, iland, NTT Communications, Plan B, Recovery Point, Sungard Availability Services, and TierPoint.

Each of these vendors has:
Its own cloud-based infrastructure. Each provider has its own cloud-based recovery infrastructure not hosted by an infrastructure-as-a-service provider like Amazon Web Services, Google Cloud, IBM SoftLayer, or Microsoft Azure. The provider must run customers’ production environments out of its cloud during disaster situations and tests.
Support for at least two replication technologies. Each provider supports at least two replication technologies that power DRaaS services. Replication technologies could be hypervisor-based, host-based, application-based, or storage-based.
A self-service portal for its clients. Each service provider offers a self-service portal that helps enterprises review their consumption, readiness for recovery, achievement of recovery objectives, results of historical tests, issues identified, and other parameters.
Consulting services to help clients establish resilience plans. Each provider offers technology consulting services, either from its own BC consulting practice or through a partnership with a vendor that offers this service.
At least two data center locations from which it renders services. Each provider has at least two data center locations to provide redundancy; each location can act as a failover site for others.

Figure 1: Evaluated Vendors: Vendor Information And Selection Criteria

Vendor Profiles

We intend this evaluation of the DRaaS market to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through

the Forrester Wave Excel-based vendor comparison tool (see Figure 2).

Figure 2: Forrester Wave: DRaaS Providers, 2Q17

Leaders

Sungard Availability Services
DR services from Sungard AS support replication and recovery for a wide range of physical and virtual infrastructure and SAN-based replication. Sungard AS manages the recovery exercise; its technical support staff is responsible for ensuring successful test execution and ongoing performance improvements. It enables orderly, large-scale infrastructure recovery using application discovery and dependency mapping, automated change management, and advanced orchestration tools that can automate recovery tasks at a business application level. Sungard AS has a BC consulting team to help customers identify business processes and technology elements at risk and develop a risk mitigation strategy. In addition to IT recovery, it offers continuity strategy and planning, risk assessment, and business impact analysis (BIA) services; for BIA, it uses its own suite of continuity management tools called Assurance. The Sungard Availability Services Managed Recovery Program provides fully managed recovery to the application level to complement the infrastructure OS and virtualization-level cloud-based recovery capabilities. Sungard AS’s future strategy includes enhanced automation and orchestration of application-level recovery.

Sungard AS could be even better with improved dashboards and self-service. It currently lacks a readiness for recovery view. Its self-service GUI for testing, provisioning, DR invocation, and DR runbooks is not very intuitive.

Bluelock
Bluelock’s automated recovery includes machine startup, resource provisioning, success/failure assessment, and hierarchy-based and group-based recovery of systems based on their dependencies or RTO/RPO requirements. Bluelock Portfolio is a consolidated decision support system for a client’s entire recovery environment, allowing for recovery, testing, and documentation. Its unique Recovery Health feature is an automated real-time assessment of a client’s recovery environment. Bluelock offers historical test results on the self-service portal. The vendor has built most of its processes around ServiceNow, so a client’s IT service management (ITSM) environment can actually send production changes in real time to Bluelock’s ITSM for real-time change tracking. Bluelock offers a comprehensive RACI matrix that very clearly delineates the responsibility and accountability between itself and the client. It has strong professional services to support friction-free onboarding and runbook development. Bluelock deploys a host of security infrastructure like two-factor authentication, a high-availability (HA) firewall, an intrusion detection system (IDS), and automated and manual penetration testing. Clients can bring their own security infrastructure for additional security requirements like application firewall, patch management, real-time alerting, and distributed denial of service.

Bluelock could be even better with improved heterogeneous platform support. Its primary challenge – owing to its client base and exposure – is that it delivers recovery services for Intel platforms and lacks support for heterogeneous platforms.

IBM
IBM offers three service levels – gold, silver, and bronze – with associated recovery times from a few minutes to 6 hours. IBM recently acquired Sanovi Technologies, whose orchestration technology augments IBM’s existing resiliency portfolio with a solution that simplifies and automates the DR process, manages recovery workflows, and reduces recovery time, operating costs, and DR drill testing time. (see endnote 7) The addition of Sanovi gives IBM the ability to orchestrate, with more than 450 predefined recovery automation patterns in its library. IBM’s portfolio also includes services like BC planning, risk assessment, consulting, design, and implementation. Its broader BC consulting services are noteworthy. From a central dashboard, resiliency professionals can automate and monitor RPOs and RTOs in their DR environments by application, server, or database to work toward business-driven recovery outcomes.

IBM could be even better if it improves its self-service; the vendor’s primary challenges are in the area of self-service portal unification. With the Sanovi acquisition, IBM will have to bring all capabilities into a single portal for ease of management and navigation.

Iland
The vendor delivers its iland Secure DRaaS using Double-Take, Veeam Software, and Zerto. Its self-service console integrates the underpinning replication solutions and makes it easy for customers to perform all operations on a single console. The iland Secure Cloud Console automatically measures the RPO and displays it over time – customers can set alerts in the event of a breach of a preset service-level agreement – and offers embedded security and compliance reporting. Once failover is executed, systems are scanned regularly for viruses, vulnerabilities, file integrity, firewall events, web reputation, application control, and intrusions. Upon failover, customers immediately gain access to built-in seven-day backups, providing additional resiliency. The vendor works with BC consultants that evaluate DRaaS options and provider recommendations. It also has an impressive roadmap.
 
With expanded platform support, iland could be even better. Like many providers, iland lacks complete coverage of enterprises’ heterogeneous technology infrastructure. Orchestration at the hypervisor level serves this purpose, but enterprise customers also need business application orchestration, which iland currently lacks.

Strong Performers

HPE Enterprise Services (now DXC Technology)
HPE Enterprise Services uses the Veritas Resiliency Platform (VRP) and Microsoft Azure Site Recovery for replication and the administrator portal. The VRP self-service portal has an intuitive interface for administrative tasks and procedures, including a front end to the orchestration engine, individual task planning, execution, and reporting. Its dashboard displays the high-level status of all protected data centers and gives visibility into the achievement of RTOs and RPOs. VRP performs patch management and vulnerability scanning and has firewalls for security controls and access. VRP’s orchestration capabilities are quite comprehensive compared with those of other vendors in this evaluation. HPE’s Continuity Consulting services help clients align business with technology via a robust continuity plan and managed implementation. HPE Enterprise Services recently merged with CSC to form DXC Technology.

HPE Enterprise Services – and its successor, DXC Technology – could be even better with broader replication and message clarity. HPE Enterprise Services’ DRaaS portfolio lacks key replication capabilities like SAN replication.

Recovery Point
Recovery Point supports physical and virtual environments, including complex, heterogeneous environments installed across hybrid data center configurations. It offers a comprehensive RACI chart that outlines all of the possible activities and tasks for all phases of recovery as well as assisted and managed services. Recovery Point partners with Avalution Consulting for BC planning. Clients can order a Cisco ASA firewall or bring in their own physical or virtual security devices. One of Recovery Point’s unique differentiators is customer obsession; as part of the onboarding process, every customer receives a clear escalation hierarchy going up to the executive management. Clients have to navigate through many portals to ensure that the right recovery solution is developed.

Recovery Point could be even better by simplifying its interface. Its manual, document-based runbook is quite comprehensive but can be cumbersome for a client with a complex, heterogeneous environment — a potential impediment to shorter recovery times. Recovery Point depends on built-in orchestration from Zerto but has not integrated it with the rest of its technology infrastructure. The provider’s client portal, INcloud Service Catalog, acts as a landing page and redirects clients to independent portals from technology partners like Capital Continuity, vCloud Director, and Zerto.

Daisy
Daisy uses cloud-based recovery technologies such as Double-Take, Asigra, Veeam, VMware, and Zerto. It also supports NetApp-based storage replication technology. Daisy’s Partner Portal offers an intuitive spiderweb graph to demonstrate the readiness, rehearsals, last rehearsal date, number of active customer sites, and number of sites covered. All of Daisy Group’s Daisy Cloud data centers are tier 3-aligned and ISO 27001-accredited. It performs physical and soft penetration testing at least annually, and its customers are free to perform their own physical penetration testing. Daisy rotates among three different penetration test companies to avoid complacency and routine. Its portfolio offers solutions that encrypt customer data in flight and at rest to FIPS 140-2 standards. Daisy supports clients when they bring their own security devices into its recovery data centers. It also employs a team of BC consultants.

Daisy could be even better by improving its interface. Daisy’s self-service portal acts as a landing page and redirects users to independent portals from technology vendors like Asigra and Zerto. All administrative actions, including protection group formation, runbook creation, and testing, are performed at the Zerto portal. Daisy has a very basic RACI matrix; clients need to work with the Daisy team to drill down to microlevel tasks and activities and assign responsibilities.

Plan B
Plan B’s core offering is fully managed DRaaS that takes full responsibility for recovering a customer’s infrastructure to the application level. It offers two different methods of replicating customer data using Zerto and Microsoft Volume Shadow Copy Service that provide an RTO between 6 seconds and 24 hours. By default, Plan B stores customer data in multiple geographically separate locations in tier 3 data centers in the UK. Customers may choose to store data in a single location should they want to reduce data storage costs. Plan B provides services from ISO 27001- and PCI-accredited data centers. In-flight data is always encrypted, either by an IPsec VPN or an SSL connection. By default, firewalls and VPNs terminate either on Cisco ASA firewalls or on vyOS-based software firewalls. Plan B accommodates specific or bespoke customer requirements, including the provisioning of dedicated infrastructure. It recently launched a new line of business for BC consulting.

Plan B could be even better by greatly improving its interface. Plan B offers a very primitive self-service portal that certainly needs a boost. It does report operational statistics like RTO, RPO, and network traffic, but the representation could be more intuitive. It reports these statistics by server or VM but not by application or application group.

TierPoint
TierPoint, a data center provider with 40 locations across the US, developed its recovery management portal (RMP) using the Geminare cloud management stack. Geminare helps TierPoint ingest multiple replication and recovery tools into the platform and manages multiple technologies from a single portal. TierPoint supports Microsoft Azure Site Recovery and Zerto for replication, storage-based replication, and Oracle and SQL log shipping for keeping records up to date. It offers an assessment of the readiness of individual servers or VMs. TierPoint uses Geminare’s built-in runbook automation to orchestrate recovery tasks. It supports clients that bring their own security infrastructure. TierPoint offers consulting services around BC, risk assessment, and business impact analysis.

TierPoint could be even better with a stronger portal. Service Health in the Geminare portal is based on whether Windows services are running on the protected machines or not. TierPoint may hit a roadblock, as it depends on Geminare to infuse additional functionality into the self-service portal.

Contenders

NTT Communications
NTT Communications supports the VMware Site Recovery Manager, Veeam Backup & Replication, Microsoft Azure Site Recovery, and EMC RecoverPoint replication technologies. It uses the Geminare RMP to display the protection of the recovery environment. RMP has built-in orchestration that integrates task automation at the hypervisor layer. Data stored in the NTT Enterprise Cloud is further backed up at the infrastructure (hypervisor) level via snapshot technology to local data vaults. Security services include complete perimeter protection featuring firewalls, web application firewalls, and IDS and intrusion prevention systems in both physical and virtual environments. Coupled with a security information and event management solution, intelligent correlation, and escalation solutions, it offers a global threat response, mitigation, and remediation service. Its data centers have SSAE 16, ISO 27001, PCI DSS, and HIPAA certifications. Recently, the vendor established a DRaaS technical account manager role to support DRaaS deployments. NTT Communications has technical solution planning, implementation, and support capabilities and engages its security line of business for BC expertise.

NTT Communications could be even better with a stronger portal. Service Health in the Geminare portal is based on whether Windows services are running on the protected machines or not. NTT Communications will get better by supporting recovery through the application layer; it also needs to improve its recovery readiness view to give I&O pros a business application view.

Cable & Wireless Is Notable But Was Not Included
One provider, Cable & Wireless (C&W), is worth noting in this report despite failing our inclusion criteria. It has developed and established significant capabilities in the DRaaS space, including a self-service portal. C&W primarily delivers services for Intel platforms and has limited support for non-Intel platforms. From the customer requirements and technology perspectives, it has developed strong market understanding and has a good overall solution. C&W primarily serves markets in South America and Europe; we didn’t evaluate it here because its exposure to the North American market is very limited. It could qualify for a future Forrester Wave evaluation if it makes some additional improvements.