Data Center is our focus

We help to build, access and manage your datacenter and server rooms

Structure Cabling

We help structure your cabling, Fiber Optic, UTP, STP and Electrical.

Get ready to the #Cloud

Start your Hyper Converged Infrastructure.

Monitor your infrastructures

Monitor your hardware, software, network (ITOM), maintain your ITSM service .

Our Great People

Great team to support happy customers.

Friday, June 23, 2017

Make Sense of Endpoint Malware Protection Technology

Make Sense of Endpoint Malware Protection Technology

Published: 25 April 2017 ID: G00320339


The goal of endpoint malware protection is a solution that offers low administrative overhead, low end-user impact and the best available protection. Security and risk management leaders can make educated trade-offs within endpoint protection to achieve two of these three aims.


Key Challenges

  • The marketing hype around "next-gen AV" and the IT industry's fascination with machine learning distracts from and creates confusion about the real value provided by different protection techniques.
  • Unclear perceptions turn up constantly, as many techniques have similar names or umbrella terms like "application control," which can vary wildly in terms of actual capabilities.
  • Blending technologies from multiple vendors risks agent bloat and software conflicts, resulting in disabled protection features and less-than-optimal configurations.
  • Not all malware requires an exploit. Users can simply be tricked into downloading and running malware that does not require an exploit.


Security and risk management leaders overseeing endpoint and mobile security should:
  • Design an endpoint protection strategy that consists of good security hygiene, layered protection and detection technologies, and end-user education.
  • Avoid duplication of security capabilities across multiple solutions; instead, fully deploy existing protection and then begin to identify specific areas to augment.
  • Avoid knee-jerk reaction purchases by mapping new purchases to gaps and taking the time to run a useful proof of concept to ensure the technology can fit or enhance existing workflows.
  • Use a combination of internal testing and third-party effectiveness tests to verify vendor claims. Vendor-sponsored or -commissioned comparisons can be useful data points, but should not be given the same weight as impartial tests.


Endpoint protection is not simple. Security and risk management leaders struggle to find the right balance between threat coverage, administrative overhead and end-user impact. Table 1 illustrates, at a high level, the impact that the most common anti-malware techniques can have for most organizations.
Table 1.   Common Anti-Malware Techniques
Threat Coverage
Admin. Requirement
End-User Impact
Machine Learning
Application Control
Application Isolation
Behavioral Analysis
Exploit Mitigation
Source: Gartner (April 2017)
These technologies each carry different capabilities and, importantly, limitations. Although some technologies appear to offer similar functions, they are often marketed as the ideal solution for malware prevention. The hype around artificial intelligence and machine learning is adding more confusion to the matter.
In practice, a combination of technologies will provide the widest protection against malware attacks. Most attacks exploit well-known unpatched vulnerabilities, use social engineering to trick users to install malware, or use interpreted code such as Java to download and install malware. Fileless malware is becoming more and more prevalent in the threat landscape. To address such challenges, security and risk management leaders have a range of options from both established and emerging vendors. Most buyers continue to consider emerging solutions to be complementary, rather than outright endpoint protection platform (EPP) replacements. These options are covered from a technical perspective in "Comparing Endpoint Technologies for Malware Protection."
The expansion of malware protection technologies in EPPs over the past five years has delivered various advantages, including fewer updates and less administrative overhead, and provided for better protection at specific stages of the kill chain or for specific classes of malware.
It is important to consider education as a key part of the fight against malware. Users remain the weak links — they are impressionable, and subject to deception and coercion. Security awareness programming plays an important part in informing staff and partners of their responsibility in limiting vulnerable behavior.
Signature-based detection is the most well-known approach to malware detection. Because signatures and heuristics use pattern matching to identify malicious files — meaning the vendor must have seen the file to create the signature — it is also the most criticized. Of course, no modern malware protection solution relies solely on malware signatures. Modern endpoint protection platforms will also include one or more of the following technologies:
  • Application control limits the applications and processes that may execute on an endpoint. The goal is to apply a "default deny" enforcement model, whereby everything that is not known or trusted is not executed.
  • Isolation or containment solutions allow installed endpoint applications to process potentially malicious files (such as web pages or downloaded documents) safely by isolating the processing of those files from the rest of the system.
  • Behavior analysis provides rule-based monitoring where applications and processes are observed for particular indicators of intrusions that may be blocked or detected.
  • Endpoint detection and response (EDR) technologies monitor endpoint activities and aid in the detection, containment, investigation and remediation of malicious behavior.
  • Exploit technique mitigation prevents software exploits by enforcing in-memory protection. It guards against memory overflow attacks and against other attack methods that take advantage of software vulnerabilities.
By themselves, none of these technologies are a panacea to the intricacies of malware intrusion. Some technologies carry their own weaknesses. Security and risk management leaders should assess new malware protection solutions by discerning what distinguishes these technologies and how the various solutions can combine to form a more formidable malware prevention plan.


Include Signature Technology in a Layered Protection and Detection Strategy

The majority of anti-malware solutions, such as EPPs, secure web gateways (SWGs), secure email gateways and unified threat management (UTM) solutions, include some form of signature detection — a fundamental piece of endpoint protection. A purely signature-based detection method has low success rates against sophisticated malware because, by its nature, it can only match to known malware and minor variants. Signature detection is easy to evade and signatures may take a while to develop. They require every endpoint to update frequently or to use cloud-based signature look-ups. For these reasons, it is uncommon to find EPPs that solely rely on signatures.
Most solutions use the cloud to look up the latest reputation information for a previously unseen file; however, the cloud is not available to systems that aren't connected to the internet but are nonetheless vulnerable to malware.
Signature-based detection is strong at blocking common attacks without using more resource-intensive or end-user-impacting technology, but some security vendors incorrectly frame this method of detection as an indicator of outdated technology. Despite some marketing claims to the contrary, signatures and heuristics do have advantages:
  • Proactive protection against known malware. Scanning a file prior to execution prevents infection, assuming a signature exists for that threat. There is no need to utilize more resource-intensive inspection techniques if a file is known to be bad.
  • Very low false-positive rates (FPRs). False positives do occur, especially with more aggressive heuristics engines, but most solutions have a very low FPR. Having a low FPR is critical for EPP solutions that are expected to protect endpoints autonomously. Almost every traditional vendor has at one time incorrectly convicted critical Windows files as malicious, rendering operating systems unusable.
  • Prevents false positives in other, more aggressive techniques. Signatures can be used to help mitigate false positives in more aggressive detection techniques. When used as a method to "protect" known good files instead of purely to detect known bad, signature-based detection is a strong addition to a solution's technology stack.

Use Machine Learning to Reduce the Reliance on the Distribution of Signature Updates

The technology community in general is thrilled by the potential of machine learning, and machine learning has the potential to play an even greater part in the malware prevention space than it does today. Vendors use supervised machine learning engines to process large numbers of malicious files and large numbers of prevalent but known good. The resulting algorithm can be run locally on the endpoint device or in the cloud, and it can test a file for similarities to good or malicious files.
The advantages of this form of detection include:
  • No malicious code is run. The detection is usually made in the pre-execution phase, before running code.
  • No signatures are used when run on the endpoint. A mathematical model is used instead of the traditional signature database, removing the dependence on large disk and memory footprint along with the struggles associated with updating endpoint devices.
  • New malware can be detected by the same model. Predictive models can use the statistical scoring to detect malware that has not been analyzed before.
  • No internet connection is required. All scanning is local, and no cloud-based look-ups are required.
However, security and risk management leaders should also recognize the limitations and current weaknesses of machine learning as a stand-alone anti-malware resource.
The use of packer and encryption technologies limits the inspection model's coverage of the actual malware. Solutions running a purely predictive machine learning model on the endpoints suffer the risk that malware authors will: (1) study the detection behavior of the model on the endpoint, (2) adapt their malware code, and (3) attempt to evade detection.
Solutions should be able to avoid false positives, but it is inevitable that there will be files that are very close to the good and the bad model, resulting in both false positives and false negatives. EPP solutions solely relying on machine-learning-based detection can carry a high false-positive rate. EPP solutions generally combat false positives by adding other techniques, such as whitelisting known good files or cloud lookups for files that are too close to call, or by using signature-based whitelisting. With mathematical models that are infrequently updated, organizations may find themselves building an extremely long and hard-to-manage whitelist.
  • Ignore biased claims by endpoint security vendors that signatures are useless.
  • Update to the latest version of the incumbent EPP, as newer releases are less dependent on signatures and supplemented by additional protection techniques.
  • Ensure the vendor provides a solid workflow to manage false positives and false negatives — be wary of solutions relying on a manual whitelist and blacklist capability.

Improve Visibility With EDR or EPP Tools That Focus on Applications and Processes

Security analysts cannot truly begin to harden systems and infrastructure without a solid understanding of what is running in an environment. EDR and EPP tools that report on applications and processes will provide data points that can be used to strategize a plan to reduce the attack surface.

Application Control/Whitelisting

Application control and application whitelisting apply a default deny enforcement model, where an application or process that is not explicitly whitelisted is deemed to be untrusted. Untrusted processes can be blocked outright or, with solutions that provide for dynamic decision making, can run with extra protection or scrutiny.
As a malware protection technology, application control has various strengths:
  • Provides strong default deny prevention. If tight policies are used, application control provides strong protection against malware, especially when used in concert with technology that prevents legitimate processes from acting maliciously.
  • Incurs low machine overhead. Application control solutions do not have a significant impact on endpoint resources.
  • Offers broad platform support. Application control can be used to keep unsupported and/or unpatched systems secure. Legacy systems that still run on Windows 2000 or Windows XP only, for example, can be locked down by using a restrictive application control policy, typically in combination with some form of memory protection.
  • Requires no signature files/updates. Application control is independent of malware signature files that require frequent updates. However, more advanced use, such as relying on file reputation in a more dynamic environment, requires access to the latest file reputation databases, typically over the internet.
  • Applies to all potentially unwanted programs. Application control catches categories of applications that are not technically malware but might compromise security. Such categories include consumer remote access control applications, and file sync and share agents.
There are several considerations that security and risk management leaders must take into account when exploring application control for wide endpoint deployment. There are notable impacts on users and operations.
Application control can be very successful for fixed-function devices such as servers, where their applications and workloads are predictable. Users with well-defined work styles (for example, call center employees) are also ideal candidates for a successful deployment. For other user types, such as mobile workers or developers, the default deny approach may not provide an acceptable experience, unless workflow procedures can minimize approval delays for unknown, untrusted software.
In terms of operations, managing exceptions introduced from untrusted sources can incur substantial overhead. Organizations should plan for such overhead and provide administrators with the proper tooling. Such tooling will allow administrators to streamline the exception management process and to make the right decisions in the least amount of time. Allowing trusted sources of change minimizes the number of exceptions necessary.
Managing fine-grained application control policies in a dynamic endpoint environment is operationally complex. Leading solutions solve this problem by allowing more lenient policies: Trusted publishers, locations, installers and users may be allowed to install new software, automatically updating the application control policy. However, lenient policies may compromise security.
The strength of application control, as a protection technology against malware, greatly depends on the policy and the additional technology deployed on the endpoint. Malware authors have been able to release digitally signed malware using stolen certificates, exploit legitimate applications in memory and launch fileless malware, thus lowering the effectiveness of application control against sophisticated attackers.
Security and risk management leaders should carefully consider vendor claims around application control features. Simply blacklisting executables by name or file path is not considered a strong application control capability.

Application Isolation

Application containment solutions, also known as isolation solutions, implement malware protection using a paradigm best expressed as: Run risky processes and content, but isolate them from the rest of the system.
Security and risk management leaders should consider several strengths of application isolation, beginning with the provision of unrestricted user access. Malware containment does not block users from accessing sites or from downloading and processing potentially harmful content. In the most extreme form of application containment, users, should they choose to do so, may run malware in the isolated environment.
Some solutions discard the isolated environment and reset it to a clean state at launch or at regular intervals. Others do so when malicious behavior is detected in the isolated environment.
Isolation is valuable as a safeguard against a malware author's evasion techniques. The actual suspicious code runs on the endpoint, but in a contained environment. Even though the code runs, its ability to cause damage is limited by the sandbox. Organizations interested in deploying application containment solutions must be aware of the following cautions:
  • User impact. By design, containment solutions limit interaction between isolated and nonisolated environments, which may impact the user experience.
  • Operational impact. Administrators must manage trusted sites, applications, file locations and policies for moving files between zones of different trust levels.
  • Lack of application support. The isolated environment may not support all preferred applications and versions.
  • Hardware support. Some solutions depend on specific CPUs and chipsets, and the RAM requirements for a successful isolation deployment can be larger than the amount of memory found in typical corporate endpoints.
  • Large differences in implementation. Solutions differ greatly in terms of policy control options, technologies used to enforce isolation, support for multiple zones, supported applications, management and reporting, and malware behavior analysis in the sandbox.
  • Limited protection. Applications that run outside of the contained environment are not protected by the containment solution. Some vendors have started to extend their solutions by offering EDR technologies both inside and outside of the contained environment.
  • Prepare for increased help desk calls, and put a well-tested and well-documented exception workflow in place, as additional administrative overhead is inevitable with a default deny implementation.
  • Enforce default deny only for a subset of devices that have predictable workloads. For other types of users who have a less rigid set of requirements, like developers, use the client in monitoring mode to identify suspicious-looking behavior.
  • Verify the hardware requirements can be met with your devices, and that critical applications are fully supported.
  • Plan to deploy isolation technology to the group of users that are most at risk, rather than attempting to deploy for every single user.

Reduce the Attack Surface With Technologies That Look for Signs of a Malicious Outcome

While there are a steady stream of new vulnerabilities and attack vectors, the outcome is almost always the same. Consider the case of ransomware, where the goal is to encrypt the data — if technologies can detect the behavioral intent behind malware, the method of compromise is less important. That said, mitigating known vulnerabilities should be near the top of all organizations' priority lists.

Behavioral Analysis

Behavioral analysis within endpoint protection has several strengths, even when used as an isolated technology. Such analysis can provide runtime protection against attack activity. The solutions not only provide point-in-time detection, but also monitor the behavior of all, or at least all suspicious, processes over time to generate a greater understand of the context of the behavior.
For example, an Outlook.exe process spawning a Word.exe process is typical behavior for an information worker that receives documents by email. However, when the Word.exe process begins to connect to the internet, or to spawn other processes, the behavior becomes more and more suspicious.
EPP solutions using behavior analysis can also detect and block previously unknown malware without the need for resource-intensive scanning or inspection. This detection is not dependent on the malware code, but rather on the behavior, which means that vendors with a focus on this type of detection do not require any signature databases or file scanning. Behavioral analysis can detect multiple stages of the kill chain, such as droppers, network-borne attacks and some exploit techniques.
Some cautions are associated with deploying behavior analysis as a malware protection technology:
  • Potentially high FPR. There is a fine line between malicious and normal behavior, so any behavior-based blocking technology incurs a risk of false positives. What appears to be malicious behavior is not always malicious. Kernel hooks and OS API calls that seem malicious may be legitimate.
  • Detection instead of prevention. Sophisticated malware that does not trigger clear malicious-behavior-blocking rules will, at best, be detected after it runs, instead of being prevented before execution.
  • Requires tuning, expertise and updates. Behavior-based malware protection requires organizations to carefully select rules, specify actions to take after detection, and whitelist trusted applications or digital certificates.
  • May impact users. Because behavior analysis continuously monitors all activity on the endpoint, it may incur a performance penalty to the endpoint device.

Exploit Technique Mitigation

Exploit technique mitigation aims to stop malicious code from running in memory and, thus, make it more difficult for attackers to exploit software vulnerabilities. It does so by protecting the memory allocated to a process or application. It does not necessarily block the attacker from putting the malicious code into memory; it can also use techniques to prevent the code from being executed. This technology enforces security mechanisms already supported by the operating system, and adds capabilities beyond basic protection.
Security and risk management leaders can expect several benefits for organizations, including low management overhead, as the focus is on a small number of exploit techniques and does not rely on signatures or updates. Solutions generally incur limited performance overhead and operate transparently to the user. Microsoft provides a free Enhanced Mitigation Experience Toolkit (EMET) for free. It is officially supported by Microsoft until mid-2018, can be managed through Group Policy and makes for a good baseline of exploit mitigations.
For more details and recommendations on exploit mitigation, see "Get Ready for 'Fileless' Malware Attacks."
  • Use third-party effectiveness tests to verify vendor claims. Vendor-sponsored or -commissioned comparisons can be useful data points but should not be given the same weight as impartial tests.
  • Ensure that incident response tools are adequate, as behavioral analysis is largely a detect-after-execution technology.


This research is based on 1,505 client and vendor inquiries on endpoint security across Gartner for IT Leaders and Gartner for Technical Professionals analysts since January 2016.

Selamat Hari Raya Idul Fitri 1438H

Thursday, June 22, 2017

Magic Quadrant for Disaster Recovery as a Service - 2017


Magic Quadrant for Disaster Recovery as a Service

Published: 19 June 2017 ID: G00311593




The disaster-recovery-as-a-service market consists of hundreds of providers, all with different approaches and capabilities. This creates immense complexity around vendor selection. I&O leaders should use this Magic Quadrant to help them evaluate providers of DRaaS services.

Market Definition/Description

This document was revised on 20 June 2017. The document you are viewing is the corrected version. For more information, see the Correctionspage on

Gartner defines disaster recovery as a service (DRaaS) as a service offering that includes replication of server workloads and recovery of such workloads, as needed, to a cloud with which the provider ultimately has fiscal responsibility. The service may be fully managed or self-service; replication and recovery may be high-touch or automated via software; and the target location and cloud infrastructure with which the workloads are replicated and recovered may be owned by the provider or a third party, such as a hyperscale public cloud provider. The key differentiating service attribute is that all elements must be included in the offering.

Current Market

As stated in the 2016 iteration of this Magic Quadrant, DRaaS is now a mainstream offering. In fact, Gartner estimates it to be a $2.02 billion business currently, and it is expected to reach $3.73 billion by 2021. Yet, just because it is mainstream does not make it less complex for potential customers to choose which offering is best for them.

Assessing the complexity of the DRaaS market starts with the number of providers in this space. If one merely looks at the number of "cloud partners" of commonly used replication products used by DRaaS providers (such as Zerto, Veeam, Carbonite DoubleTake, Asigra, Acronis and StorageCraft) as a proxy to determine the number of DRaaS providers, the number of providers is well north of 500. Zerto alone has over 300 cloud partners using its products for recovery.

Compounding that, each provider varies significantly across nine attributes:

  1. Market size targeted by the provider: In this Magic Quadrant alone some providers' customer bases are 80% small businesses (with less than $10 million in annual revenue); while some focus on different tiers of midmarket companies (ranging from lower tier at $10 million to $49 million; to midtier at $50 million to $249 million; to upper tier at $250 million to $999 million). Others are focused on 70% midsize enterprises ($1 billion to $3 billion) to large enterprises (more than $3 billion). Enterprise size often ties into the price points, likely degree of focus with respect to DRaaS, and degree of direct intimacy in the sales experience.

  2. Sales channel: Continuing with sales experience, some vendors sell directly to customers only, where some sell through channel partners only, and many have a mix. As a customer, there are benefits and issues to look out for each (see "Survey Analysis: Learn From Existing Disaster-Recovery-as-a-Service Customers" for some examples).

  3. Replication: Some providers utilize their own intellectual property built from the ground up, others utilize intellectual property adopted through acquisition, and others do so via commercial off-the-shelf products (e.g., Zerto and Carbonite DoubleTake). This has implications for potential customers with respect to how pricing is typically established, level of control for the creation of future enhancements, flexibility toward utilizing different approaches that best suit the customer's needs, and likelihood of focus on other tangential value-adds such as business impact assessments (BIAs) and differentiated network-related enablers.

  4. Recovery orchestration: Similarly, when it comes to the orchestrated recovery of underlying servers, data and network components, and related applications for both failover and failback, vendors differ in approach. Some vendors have their own intellectual property, and some utilize commercial off-the-shelf (COTS) products. More often than not, this tends to follow the vendor's replication approach — as more and more products perform both replication and orchestrated recovery (see "Market Guide for IT Resilience Orchestration Automation" ).

  5. Data centers/recovery targets: Some vendors own their own data center locations and network-related elements such as dark fiber. For many providers, this proves to be a differentiator. For others, it can be an anchor that drains investment specific to DRaaS and/or limits the degree to which a provider is likely to champion other recovery target options such as hyperscale public cloud providers. Others utilize colocation providers such as Equinix, Interxion, CoreSite or Switch to quickly maximize geographically dispersed options (see"Innovation Insight for Data Center Colocation" ). Meanwhile, other providers may leverage hyperscale public cloud providers for many of the same reasons, while also freeing up investments required in infrastructure as well.

  6. Infrastructure used to recover: For vendors that have or are in the process of pivoting toward more use of hyperscale public cloud providers (such as Amazon Web Services [AWS], Microsoft Azure or Google Compute Platform [GCP]) to customers, prices are often attractive and allow recovery target options. But this approach can also dilute the vendor's overall value proposition, to the point where potential customers may question whether it is smarter over the long term to simply purchase software and manage disaster recovery themselves. Meanwhile, DRaaS providers that own their own infrastructure often have different degrees of shared or dedicated compute and storage options. Finally, some providers also supplement one or both of the approaches above with on-site devices (either hardware or software), which allow for localized recovery (note that 82% of unplanned downtime is attributed to application failures, hardware failures or operational errors and may not truly require off-site restoration).

  7. Recovery beyond x86 workloads: When it comes to non-x86 server workloads (e.g., AIX, IBM System i, IBM System p, HP-UX, Oracle Solaris and mainframe), support greatly varies among DRaaS providers. This may range from: providers that do not support these workloads at all; providers that will only back them up; vendors that only provide colocation; and vendors that will integrate the commercially separate colocation workloads into the overall recovery plan; to vendors that offer recovery of those workload types as a specific DRaaS offering. Beyond server-based applications, some DRaaS providers have offerings that are tangential to DRaaS, yet complementary from a business recovery perspective. For example, some providers offer managed services, backup options, or recovery options for desktops, virtual desktops, mobile devices, SaaS, unified communications or office space itself.

  8. Support service options: Some vendors only provide self-service options for customers; some provide self-service following a light onboarding process; some only provide fully managed service options; while others offer a mix of choices. These options have underpinning implications with regard to recovery responsibility, price points, SLA guarantees, frequency for testing, costs related to recovery, and ability for customers to use the environment for other purposes beyond disaster recovery. For context, the percentage of customer base for vendors in this Magic Quadrant is: 27% is self-service of some kind; 65% is some variation of fully managed; and 8% is a light support version.

  9. Primary focus: For some vendors, the focus might be primarily disaster recovery and DRaaS. But for many, DRaaS is not the overarching focus. And, although technically categorized as a stand-alone offering, in reality DRaaS would be better characterized as an add-on service for colocation services or infrastructure as a service (IaaS), a "tip of the spear" service with which the intended sales motion is to upsell to fully managed services, or an add-on capability following the sale of an appliance or software. In reality, this is a good thing. No one approach is better than the others as they can all meet different customer needs in various ways with different degrees of effectiveness.

There is no "one size fits all" answer. Consequently, this Magic Quadrant, alongside the associated "Critical Capabilities for Disaster Recovery as a Service," is intended to help IT leaders select which vendors to engage based on matching organizational requirements and overarching strategy.

Key Differences in This Year's Magic Quadrant

There has been some significant movement among some providers in terms of placement on this year's Magic Quadrant. Collectively this movement is a result of three evolving vectors.


Change is the only constant in life — and the DRaaS market is no exception. What were once differentiating attributes only a couple years ago are now considered the bare essentials. Meanwhile, customer expectations have increased with respect to the ability to perform more granular recovery of workloads and address a variety of triggers that cause disasters, including ransomware.

Provider Progress and Advancements

Some vendors have continued to build upon prior momentum, and some have pivoted in terms of strategic direction regarding DRaaS in their portfolios. Some did not put forth the level of investment or make the progress expected in the past 12 months; while yet others have made investments or acquisitions but need time to further mature and capitalize on them.

Magic Quadrant Scoring Emphasis

As the market continues to evolve, so has the scoring criteria for the Magic Quadrant over the past three years. This year is no different. The specific attributes and weightings associated with the scoring can be found at the end of this document. However, eight areas in particular are highlighted immediately below to reflect some of the largest shifts in emphasis:

  1. Value for the Money: One major driver for customer adoption of DRaaS is cost reduction or cost avoidance. In fact, 61% of Magic Quadrant customer references surveyed stated as such. At the same time, prices vary significantly from provider to provider. Analysis performed in October 2016 of Gartner's pre-existing fact base of vendor proposals showed a wide range of DRaaS prices — spanning $19 to $281 per server per month. This makes it challenging for customers to know to what degree market-relevant value is being offered by a prospective vendor, and whether the customer's cost targets will truly be achieved. Consequently, sales execution/pricing as an Ability to Execute criterion increased in weighing from medium in 2016 to high in 2017. In addition, as part of the Magic Quadrant process, DRaaS providers were asked to submit sales collateral, pricing, and terms and conditions for different scenarios. Interestingly, the range of prices submitted by vendors during the Magic Quadrant evaluation process closely mirrored the aforementioned analysis. For example, in one scenario, after including upfront fees (if applicable) and monthly recurring fees, vendor proposal effective costs ranged from $17 to $383 per server per month. In another scenario, vendor proposal effective costs ranged from $43 to $505 per server per month. This, of course, was put into context with service attributes the provider delivers, such as self-service versus fully managed, service levels provided, recovery time objective (RTO)/recovery point objective (RPO) provided, costs for testing or disaster recovery declaration, and contract terms. Value for the money, with respect to near-term importance for potential DRaaS customers, is obvious; again, there is an expectation of lower costs. But value for the money is potentially much more significant over the longer term for customers, especially if the vendor's business model is not aligned. For example, DRaaS vendors with higher prices than peers will unlikely be able to sustain those prices. Without a strong business model, market pressures will squeeze margins and hamper the DRaaS provider's ability to reinvest in areas that will improve features and customer service. Meanwhile, DRaaS providers on the lower end of the value-for-the-money cost spectrum have smaller discrete margins to reinvest. Thus, a strong volume-centric business model is required in order to create the funding needed for continuous improvement for paying customers. Taking all this into consideration, more than in years past, value for money was highly emphasized in DRaaS Magic Quadrant scoring.

  2. Minimum Viable Product: A couple of years ago, a DRaaS provider's capabilities in areas such as seamless heterogeneous workload support and orchestrated recovery, as well as failback, could have been positioned as differentiating attributes. But the DRaaS market is reaching a level of maturity where such capabilities are essentials. Consequently, poorer scores resulted if vendor solutions lacked in areas like those mentioned above.

  3. Degree of Vendor Focus: DRaaS, for some providers, might be positioned more as an add-on service for colocation or IaaS; for others it is a "tip of the spear" service with which the intent is to upsell to data center outsourcing services. For yet others, it is an optional add-on capability following the sale of an appliance or software. Meanwhile, some vendors may use DRaaS as one tool in their toolbox toward enabling larger, complex engagements that involve platform transformation, data center consolidation, or cloud migrations. Collectively, all these core business traits and capabilities are of tremendous value to many customers. That said, a vendor's Ability to Execute and Completeness of Vision in areas tangential to DRaaS had little influence on this year's Magic Quadrant scoring — especially if essentials related to value for money and minimum viable product were lacking. For Gartner clients with requirements where disaster recovery is only one aspect, other Magic Quadrants or Market Guides, such as "Magic Quadrant for Public Cloud Infrastructure Managed Service Providers, Worldwide" and "Market Guide for Managed Hybrid Cloud Hosting, North America" will be more appropriate.

  4. Offering (Product) Strategy: As various DRaaS offering attributes continue to become commoditized across the market, the offering (product) strategy criterion has become more important. Consequently, this Completeness of Vision category weighting, as a whole, was increased from medium to high.

  5. Compliance and Global Reach: Due to increased geopolitical concerns and the fact that many clients look to DRaaS to meet an urgent regulatory need, greater emphasis was placed on DRaaS providers' global reach and breadth and depth with respect to experience helping their customers meet industry-relevant needs. To the former point, geographic strategy as an overall DRaaS Magic Quadrant criterion was increased from a weighting of medium in 2016 to high in 2017. To the latter point, 34% of the collective customer base in this year's DRaaS Magic Quadrant is in either the financial services or the healthcare industry. Consequently, in addition to having an increased weight in scoring, DRaaS providers' industry-related credentials (e.g., PCI for finance and HIPAA for healthcare) were also listed within the associated"Critical Capabilities for Disaster Recovery as a Service" document as well.

  6. Security: Unlike several years ago when natural disasters ruled most discussions around disaster recovery, now these conversations more often revolve around security-related triggers, such as a ransomware attack. Consequently, providers who have differentiated elements in their offerings or offering roadmaps in this area benefited in their scoring.

  7. Portal Functionality for Self-Managed Versus Fully Managed: Portal functionality is important for all providers as it pertains to their ability to enable orchestrated recovery of workloads underpinning business processes. And it remains highly important for those who specialize in x86 workloads and especially so for those offerings that are self-service in nature. However, portal functionality is less critical at this juncture with respect to fully managed service offerings where more complex heterogeneous environments are involved. 2017 Magic Quadrant scoring reflects this nuance.

  8. End Users Versus Managed Providers: The DRaaS Magic Quadrant is intended to help end customers determine which DRaaS providers may be a good match. However, many DRaaS providers have become increasingly sales-channel-partner-centric (i.e., working through managed service providers [MSPs] versus engaging directly with end customers). But, since every sales channel partner will differ in some shape or form, determining the likelihood that a customer will have a positive experience can be problematic. At the same time, service attributes in the DRaaS market have improved drastically over the past few years — from onboarding to pricing to portal usability — and DRaaS offerings themselves have fluctuated significantly. In fact, 83% of the vendors in the DRaaS Magic Quadrant have announced acquisitions or new DRaaS service offerings in the past couple of years. Consequently, interviews of customers who bought services from the DRaaS provider many years ago might not be completely representative of what a new customer would experience. Customers that were onboarded a while ago had different expectations, and providers had fewer capabilities. With that in mind, several elements were invoked in this year's Magic Quadrant in order to dissect these nuances. For starters, Magic Quadrant vendor participants were required to provide a minimum number of references that were onboarded within the past 12 months, as well as a minimum number that were end users versus MSPs. In addition, other areas, such as roles and responsibilities between the provider and MSP from the viewpoint of the end user, were scrutinized — as were other areas such as vendors' approaches toward ensuring consistent pricing, service levels and contract terms through the MSP.

Context for Details Provided in Vendor Descriptions

Typical customer details within each of the vendor write-ups are not intended to suggest the vendor cannot or does not support other organizational sizes or implementations within DRaaS itself or via other managed services. Typical customer figures are specific to DRaaS and based on averages across the vendor's entire DRaaS customer base as of the beginning of the year. These figures are merely averages and may not be indicative of the median customer size or reflect trends related to recently onboarded customers.

Similarly, primary workloads supported are not intended to suggest the vendor's capabilities are in all cases limited to only those listed. Rather, it is intended to highlight the types of workloads typically supported through the provider's DRaaS offerings. In addition, the vendor may provide related options for other workloads such as colocation, traditional DR, managed hosting, or support through other third parties.

Magic Quadrant

Figure 1. Magic Quadrant for Disaster Recovery as a Service
Research image courtesy of Gartner, Inc.

Source: Gartner (June 2017)

Vendor Strengths and Cautions


Acronis, founded in 2003, has provided cloud-related recovery services for more than seven years and data recovery products for more than 14 years. Headquartered in Singapore, it operates 14 data centers globally and is primarily a partner-driven business with a focus on manufacturing, automotive, public sector and education-related markets. In addition to disaster recovery, much focus is related to unified data protection for backup of personal devices, archiving, e-discovery, file sync and share, and notary. The products are utilized by partners in 294 other data centers of their own.

  • Primary Support Approaches: Fully managed via partner, but some are supported via self-service after initial onboarding by partner.

  • Primary Workloads Supported: Physical and virtual x86, with backup capabilities for non-x86.

  • Regional Recovery Presence: Global presence with DRaaS customers primarily in the U.S. and the U.K.

  • Typical Customer: Small and midsize businesses with fewer than 25 servers, although it has at least one customer with more than 200 servers under management.

  • Recommended Use: Noncomplex server implementations where a broad-based solution is desired, including backup for desktops and mobile devices and notary-related functions.

  • Acronis was in the top three in terms of the number of partial disaster recoveries performed.

  • It issued 70 patents in the past year, with a continued focus on unified data protection.

  • Clients praised the implementation teams and their willingness to be creative in solution approach. And, even when not ultimately selected, customer surveys revealed Acronis was frequently considered.

  • Areas such as onboarding assistance, whether by a partner or as a separate Acronis professional service engagement, will involve additional fees. And disaster recovery declaration fees are significant and only obvious in the contractual details.

  • Automated and orchestrated failback is not yet available.

  • Existing clients reported issues related to a lack of features and ongoing customer support after initial onboarding.


Founded in 2006, Axcient provides a single solution that includes data protection, disaster recovery, archiving, and test/dev — eliminating the need for multiple solutions, data centers, or silos of infrastructure by extending the value of copy data management to the cloud. Axcient makes two self-service platform options available. Axcient Business Recovery Cloud is its original; and Axcient Fusion, launched in 2016, is positioned as the next-generation platform built to run on public cloud and able to meet the needs of midsize organizations with hundreds of servers. Both offer one-hour and eight-hour RTO options and can be managed from a single user.

  • Primary Support Approaches: Fully managed via partner, or self-service after initial onboarding by Axcient.

  • Primary Workloads Supported: Physical and virtual x86, with backup capabilities for non-x86.

  • Regional Recovery Presence: Primarily in the U.S., and with customers in Canada, the U.K. and Western Europe as well.

  • Typical Customer: Small and midsize businesses with fewer than 25 servers, although it has a minimum of one customer with at least 200 servers and at least one MSP with at least 1,000 servers under management.

  • Recommended Use: Axcient Business Recovery Cloud for smaller physical and virtual x86 environments and Axcient Fusion for larger VMware environments.

  • Axcient service's copy data management approach allows for multiple uses of the replicated data — including backup, data recovery, data archival, and testing and development. The latter two are optional add-on services.

  • Current Fusion prices are competitive and involve no hidden fees with regard to the number of restore points, retention (up to seven years), testing (four times per year), disaster declaration, public cloud network charges.

  • Axcient has its own intellectual property, including DirectRestore for granular application recovery (such as Microsoft Exchange), which came to Axcient via an acquisition in 2014. Axcient also licenses the DirectRestore technology to other companies in the data protection market.

  • The Fusion service offering does not provide recovery for physical machines or perform automated failback. And pricing for Business Recovery Cloud is above average as compared to similar peers.

  • Revenue growth from 2016 to 2017 was in the bottom five among the vendors in this year's Magic Quadrant.

  • Given its roots with Business Recovery Cloud and small businesses, Axcient's number of average servers per customer is on the lower end of providers in the DRaaS Magic Quadrant. Prospective Axcient customers with larger deployment needs should request similar-sized Fusion references.


Bluelock was founded in 2006 initially as a managed hosting and IaaS provider. In the past three years, the company has primarily invested in and focused on its DRaaS offerings for U.S.-based midsize and large companies. Bluelock is neither large in terms of scale nor significant with respect to technological differentiators. However, where it stands out is its very hands-on and consultative, business-focused approach. Dubbed the "Bluelock Experience," the organization helps clients gain constituent alignment, recovery assurance and colocation recovery integration.

  • Primary Support Approaches: Fully managed via Bluelock, or assisted after initial onboarding by Bluelock.

  • Primary Workloads Supported: Virtual x86 with integrated colocation capabilities for non-x86 workloads.

  • Regional Recovery Presence: Two locations in the U.S. — Indianapolis, Indiana, and Las Vegas, Nevada.

  • Typical Customer: Companies with fewer than 50 servers, although it has a minimum of one customer with at least 500 servers under management.

  • Recommended Use: U.S. companies that desire a business-related, high-touch approach toward DRaaS and have heterogeneous workloads that require not only colocation but integration into a recovery plan as well.

  • Bluelock has experienced and capable professional services related to onboarding, training and run book development processes — all demonstrated through its Recovery Assurance program.

  • Bluelock helps IT teams set realistic expectations via a very consultative approach, which focuses on discussing not only recovery tiers but also "recovery waves." The point of this approach is to separate technical capabilities related to replication from human realities during an actual disaster event.

  • Bluelock has positive customer survey responses, including from those who have recently onboarded, especially related to the degree of partnership and trust in the solution.

  • Bluelock has only two recovery centers — both of which are in the U.S.

  • Bluelock is in the bottom third with respect to the number of x86 servers supported among DRaaS providers in this Magic Quadrant. Meanwhile, two-thirds of its volume is anchored by its four largest customers.

  • To date, nearly 50% of its current clients are small and lower-midtier companies. But Bluelock's intended target markets are now primarily midsize and large organizations. Given Bluelock's high-touch approach, this could impact the sales experience for smaller organizations in the future.

C&W Business

C&W Business operates in 42 countries in the Caribbean, Latin American and North American regions. Its customer support centers offer both Spanish and English interactions. Technical support services are also provided in both languages. The company operates as a subsidiary of Liberty Global, being part of the 2016 purchase of Cable & Wireless Communications. The foundation for much of C&W's differentiation with respect to DRaaS is rooted in its network connectivity capabilities and in its investment in the Geminare platform to integrate recovery of x86 workloads and IBM-based platforms.

  • Primary Support Approaches: Fully managed, although self-service is an option.

  • Primary Workloads Supported: Physical and virtual x86, Unix (AIX, Solaris) and IBM System i.

  • Regional Recovery Presence: Seven regional data centers — Miami, the Cayman Islands, Panama (two), Curacao, and Bogota, Colombia (two).

  • Typical Customer: Midmarket customers with fewer than 25 servers; it has a minimum of one customer with at least 100 servers under management.

  • Recommended Use: When regional needs, especially network connectivity and hybrid recovery, are priorities for low- to medium-complexity environments. And when there is a desire for complete data center outsourcing.

  • Customers purchase access to a virtual data center, which can be utilized across any of their physical locations and changed as a result of business needs.

  • C&W is one of the few vendors that has integrated recovery support for IBM-based platforms. And via its Oracle Standard Edition DRaaS, it is able to save customers money on Oracle license fees.

  • Customer references were very satisfied with C&W Business' ability to support low- to medium-complexity architectures, repeatedly citing an easy implementation process.

  • Self-service prices for simple deployments are significantly higher than the average among peers in this Magic Quadrant. Taking over production support adds only approximately 20% in costs to customers; hence, the recommendation for clients with a desire for complete data center outsourcing.

  • C&W is limited with respect to compliance certifications, geographic reach and enablement of the use of public hyperscale cloud providers.

  • Customer references revealed issues with initial service configuration sizing. Validate any sizing assumptions that you may have prior to finalizing contracts.


Carbonite was founded in 2005 and is headquartered in the U.S. out of Boston, Massachusetts. Carbonite's Cloud Disaster Recovery (formerly EVault) DRaaS offering supports recovery of virtual machines (VMs), bare-metal system images and production data inside a managed cloud. Recovery testing and recovery operations are largely provider-managed. And, although not part of the scoring for this Magic Quadrant due to timing, the recent acquisition of Double-Take Software (now rebranded as Carbonite DoubleTake) can be a boon to the company and customers in terms of capabilities over time.

  • Primary Support Approaches: Fully managed via Carbonite.

  • Primary Workloads Supported: Physical and virtual x86 as well as Unix and IBM System i.

  • Regional Recovery Presence: Three recovery centers in the U.S.

  • Typical Customer: Small and midsize businesses that have the need to recover non-x86 environments.

  • Recommended Use: U.S. companies that desire a full-service offering or have IBM System i workloads.

  • Carbonite is one of the few vendors in this Magic Quadrant that has recovery of non-x86 workloads formally integrated as part of its actual DRaaS offering.

  • Guaranteed service tiers, with corresponding RTO- and RPO-based service-level targets, are available from Carbonite.

  • Customer surveys suggested that Carbonite was at least considered by many during the selection process, even if not always ultimately chosen — this is meaningful with respect to brand awareness and overall viability.

  • Carbonite had poor customer survey scores for DRaaS, especially for more complex implementations. Issues ranged from meeting SLAs with high-data-change-rate implementations to responsiveness of the portal.

  • For simple implementations, prices for Carbonite are 37% higher than average among peers with fully managed offerings in this Magic Quadrant.

  • The portfolio as a whole is in a state of transition. For example, although now targeting the midmarket for DRaaS, 75% of Carbonite's current customer base is small or lower-tier midmarket companies. And in terms of the number of x86 machines per customer, Carbonite ranks in the bottom third among the vendors in this Magic Quadrant.


CloudHPT is the cloud solutions division of BIOS Middle East Group. It is headquartered in the United Arab Emirates and principally serves the Gulf Cooperation Council (GCC) region. It was founded in 2002, and its business is focused on cloud services for IaaS, DRaaS and backup as a service (BaaS).

  • Primary Support Approaches: Fully managed.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: Data center locations in Dubai and Abu Dhabi, with sales into the GCC region.

  • Typical Customer: Small and midsize businesses with fewer than 50 servers, although it has a minimum of one customer with at least 200 servers under management.

  • Recommended Use: When low latency of services is the priority for clients in the Middle East region.

  • CloudHPT supports multiple tiers of services using distinct technologies for each tier to deliver costs in line with the needed capabilities.

  • The vendor has a strong focus on disaster avoidance through proactive security information and event management (SIEM) capabilities.

  • Although CloudHPT currently reaps the benefits of a specific regional advantage, the roadmap is forward-thinking and includes integration capabilities with respect to hyperscale public cloud providers.

  • Currently, CloudHPT services have only two recovery locations and are only available in the Middle East region.

  • The pricing of services is higher than would be seen in other regions. This sentiment was echoed via several customer interviews as well.

  • Although CloudHPT was near the top with respect to growth of DRaaS customers and revenue in 2016, some of this is attributed to the fact that it is in the bottom 25% with respect to the number of customers and number of virtual x86 machines currently supported.


Daisy Group is one of the largest business communications and IT service providers in the U.K. It was founded in 2001, and offers network services, nine data centers, and 18 worksite recovery locations consisting of over 30 office locations in the U.K.

  • Primary Support Approaches: Fully managed, light support.

  • Primary Workloads Supported: Physical and virtual x86, minor support for Unix and IBM System i.

  • Regional Recovery Presence: The U.K.

  • Typical Customer: Small and midsize businesses with fewer than 100 servers under management.

  • Recommended Use: When located within the U.K., and when additional capabilities such as office space recovery services are needed.

  • Daisy is focused on the needs of small and midsize businesses in the U.K. for overall IT and network services, with add-on capabilities for DRaaS.

  • Protection of on-premises, colocation and cloud-based data can be provided via a variety of technologies, which can result in very competitive pricing. In fact, with respect to costs for simple scenarios, Daisy was in the lowest third among Magic Quadrant peers offering fully managed services.

  • Daisy allows support of heterogeneous recovery environments with subscription hardware access to complement its cloud-based recovery services.

  • Costs can vary greatly. Customer interviews reported undersized initial configurations that caused them to have overage charges on a regular basis. Ratios in relation to Daisy's DRaaS revenue against the number of DRaaS customers and the number of x86 servers supported are far higher than most vendors with respect to average costs.

  • Contract terms stipulate that Daisy can substitute virtual servers in place of physical servers at its discretion, and testing is limited to the number of days subscribed to in advance.

  • Daisy offers a wide variety of services centered on data services for mobile devices, endpoints, managed hosting and custom customer deployments — less focus is on DRaaS specifically.


Databarracks was founded in the U.K. in 2002 as a full-service MSP, but, in 2016, it retired some non-continuity-related services completely and now focuses on only three areas: disaster recovery as a service, backup, and resilient cloud-based infrastructure design. Its business is entirely focused on U.K. clients and it has a concentration of clients related to legal, government and nonprofit organizations.

  • Primary Support Approaches: Fully managed.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: The U.K.

  • Typical Customer: Midsize businesses with fewer than 50 servers under management.

  • Recommended Use: U.K.-based companies where reliable service delivery is the priority for low- to medium-complexity environments.

  • Databarracks' singular focus is on its home market and building out workable disaster recovery solutions for its clients. And in 2016, it launched its Cyber-DRaaS solution, which includes security value-adds such as detection, reporting and recursive scanning.

  • Databarracks is incubating and developing additional tools and processes that it uses internally as well as commercially, such as BackupChecks, which is integrated with Asigra and Kazoup and allows file analytics and archiving for SaaS data sources.

  • Repeated statements from Databarracks' customers indicate that the services provided were exceptional.

  • Hyperscale public cloud support is currently limited to AWS and is related to managed services — not yet specific to disaster recovery.

  • Lack of focus on integration with client tools for IT service management (ITSM), cloud management platform (CMP) or DevOps may be an issue for clients that are using those IT operations processes.

  • Databarracks does not support Unix or applications such as SAP or Oracle at the application level.


Datto, headquartered in Connecticut in the U.S., is a provider of backup and disaster recovery appliances, SaaS data protection, and managed networking products. It was founded in 2007 and has more than 5,000 managed service provider partners that market its products worldwide.

  • Primary Support Approaches: Fully managed via partners.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: Nine data center locations worldwide in the U.S., Canada, Iceland, the U.K., Germany, Singapore and Australia.

  • Typical Customer: Small businesses with fewer than 25 servers, although it has a minimum of one customer with at least 100 servers and at least one MSP with at least 750 servers under management.

  • Recommended Use: When utilizing an MSP for day-to-day IT operations in low-complexity environments.

  • Datto is cost-effective and has the most DRaaS customers and the most x86 servers supported of any provider in this Magic Quadrant.

  • Datto's appliances perform backup and local virtualization for DR, and replication to its cloud-based DR sites. It utilizes its Inverse Chain Technology to reduce the amount of data that needs to be transmitted per backup point, and uses its SpeedSync to ensure it is transmitted, received, and verified efficiently.

  • Partners are the front line for support and operations for Datto's products, which leads to very personalized services for clients. Satisfaction scores from its providers were much improved in the past year.

  • Datto is 100% channel-driven. In order to allow flexibility for providers to bundle it into other services, Datto does not mandate pricing control mechanisms. Consequently, prospective Datto customers may want to vet more than one MSP as each will vary in approach and cost.

  • Datto service levels to MSPs are limited to support response time based on incident severity. There are no guarantees with respect to uptime or recovery times. End users should be aware of this when discussing SLAs with the chosen MSP.

  • Datto does not restrict the number of vCPU and vRAM in the cloud; however, there is a limit of 8 vCPU and 16 GB vRAM per machine on the portal. Going beyond this threshold requires customization via Datto support.

Evolve IP

Evolve IP was founded in 2006 and is headquartered in Wayne, Pennsylvania. It leads with its OneCloud solution, which allows organizations to migrate multiple cloud computing and cloud communications services onto a single, unified platform. This includes virtual data centers/servers, disaster recovery, virtual desktops, IP phone systems/unified communications, and contact centers. Following a majority investment by Great Hill Partners in June 2016, EvolveIP made its fourth acquisition in the past three years — Xtium, a healthcare-focused competitor in the Wayne area.

  • Primary Support Approaches: Self-service; and fully managed was added in 2016.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: Five recovery centers in the U.S. that serve 99% of its customers, and a location in the U.K. and one in Australia.

  • Typical Customer: U.S.-based companies with fewer than 25 servers, although it has a minimum of one customer with at least 200 servers under management.

  • Recommended Use: U.S. companies with noncomplex server footprints, but whose complexity comes in the form of wanting a single provider to manage other platforms such as virtual desktops and VoIP systems as well.

  • Service offerings are well-articulated with respect to different DRaaS types and backup options.

  • Evolve IP has a holistic approach to services beyond DRaaS, such as unified communications, as well as an industry focus.

  • Existing clients scored customer satisfaction high and pointed to Evolve IP's organizational focus and additional managed service capabilities as some reasons for its selection.

  • Although its recovery centers are geographically dispersed, to date most customers are in the U.S., concentrated in the mid-Atlantic region.

  • Planned offering enhancements specific to DRaaS are less pronounced on Evolve IP's roadmap than most other vendors in this Magic Quadrant. And the longer-term impact on the company and its customers as a result of the Great Hill Partners investment is yet to be determined.

  • Prices were slightly above average for simple virtual environments among peers with fully managed offerings in this Magic Quadrant, and were on the higher side for more complex scenarios that did not involve discounting associated with consumption of multiple services.


Expedient is a cloud and data center infrastructure-as-a-service provider headquartered in the Pittsburgh, Pennsylvania. It was founded in 2001, and it provides DRaaS both to clients hosted within its data centers as well as separately as a service for customers hosting their production workloads on-premises or in other locations.

  • Primary Support Approaches: Fully managed.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: Midwest, mid-Atlantic and Northeastern portions of the U.S.

  • Typical Customer: Small and midsize businesses with fewer than 25 servers, although it has at least one customer with more than 200 servers under management.

  • Recommended Use: Organizations that prefer Expedient's regional location along with dedicated, nonoversubscribed resources that can be utilized for more than just DR.

  • Expedient does not oversubscribe capacity and has incorporated network microsegmentation within its offering by way of VMware NSX.

  • Expedient offers direct uplink to hyperscale providers from its facilities to ease integration of hybrid IT scenarios for customers that also use public cloud hosting. And it partners with Nutanix to provide hyperconverged integrated system (HCIS) as a service for both primary and DR uses.

  • Expedient's sales proposals for the requested scenarios were attentively detailed yet easily consumable. Customer interviews frequently echoed similar sentiments with regard to Expedient's onboarding approach and ongoing support.

  • Expedient has a limited choice of technologies for DR replication. This, in turn, limits its abilities for physical workload recovery and limits the degree to which pricing can be rightsized for customers who require less aggressive RTOs or RPOs.

  • Expedient's service offering development focuses more on providing customers with private enterprise virtualization that includes production (e.g., private cloud either on the customer premises or hosted by Expedient with add-on DRaaS options), more so than DRaaS specifically.

  • Expedient's Push Button DR 2.0 service offering, which is based on Zerto technology, was only just released on 30 August 2016. Until that time, only a storage-based replication option was provided.


IBM Resiliency Services offers DRaaS as well as a full breadth of resiliency and high-availability-related professional and managed services, including consulting, design, migration, implementation, business continuity management and cloud backup. IBM Resiliency Services also includes site, facilities and data center operation services, which collectively provide data center best-practice strategies; design, build, relocation and consolidation; and data center management for resiliency from the ground up. In 2016, IBM purchased Sanovi to complement its IT resiliency orchestration capabilities. Additionally, IBM's Watson remains a potential differentiator when it comes to disaster avoidance.

  • Primary Support Approaches: Fully managed.

  • Primary Workloads Supported: Physical and virtual x86, Unix (AIX, Solaris, HP-UX), IBM System i, IBM System z, storage area network (SAN) replication and database appliances.

  • Regional Recovery Presence: Sixteen countries spanning North America, Latin America, Europe, the Middle East, Africa, Japan, Asia/Pacific and China.

  • Typical Customer: Businesses with fewer than 25 servers, although it has a significant number of customers with much larger volumes under management — including some with at least 1,000 servers.

  • Recommended Use: When recovery of heterogeneous and diverse platforms are priorities, with medium to high complexity in the environment.

  • IBM is one of three vendors in this Magic Quadrant with significant non-x86 workload and mainframe recovery experience. Moreover, IBM has supported more than 1,000 recoveries since 1989.

  • IBM has a long-standing history in disaster recovery, which it continues to improve on with new capabilities and acquisitions. The recent Sanovi acquisition is the latest example.

  • Flexibility in terms of both length of contracts (four months or longer) and size (two to 15,000 VMs) are viewed as positives. And, in comparison to others in the Magic Quadrant who proposed fully managed services for the slightly more complex scenarios, IBM's prices were slightly below the median.

  • For virtualized workloads, IBM uses many of the same technologies that are available from other providers. At the same time, in comparison to others in the Magic Quadrant who proposed fully managed services for much simpler scenarios, IBM's prices were significantly higher than the median.

  • IBM leverages Watson internally to help optimize shared asset management across locations. And IBM offers Watson for its Data Recovery Services offering and The Weather Co. for its Resiliency Communications as a Service offering. However, specific to DRaaS, utilization of Watson or other strategic assets is currently limited and more vision-oriented.

  • IBM's customer reference satisfaction scores were low, and areas for improvement cited included expectation gaps between those set by sales versus the ability of technical teams to meet them.


Founded in 1994 initially as a website development company and headquartered in Houston, Texas, and London, iland created its colocation and managed hosting offerings around 2000. It first delivered its VMware-based IaaS offering in 2008, with coinciding cloud-based recovery offerings. Today, the portfolio is global in nature and primarily consists of iland Secure Cloud (IaaS), iland Secure Disaster Recovery (DRaaS), and iland Secure Cloud Backup.

  • Primary Support Approaches: Self-service or full service via a partner.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: Five recovery centers in the U.S.; two in the U.K.; and one in Singapore.

  • Typical Customer: Medium-complexity environments with fewer than 100 VMware-based servers, although it has a minimum of one customer with at least 500 servers under management.

  • Recommended Use: U.S. or U.K. companies with compliance and/or network complexities who desire VMware-based IaaS as well as DRaaS in a self-service manner.

  • Iland has depth with respect to compliance credentials in both the U.S. and the U.K. And, iland provides customers direct access to Level 2 technicians — every iland engineer and support team member is certified for VMware, Cisco, Zerto, Veeam and/or Carbonite DoubleTake.

  • Iland has a sustainable approach with respect to product strategy and feature enhancements for customers. It has expertise on staff with respect to both DevOps and compliance. The result is material that is both concise and easily consumable, but not constrained due to automation capabilities.

  • Iland had solid customer survey satisfaction scores, and existing customers applauded support, the portal, and the underpinning Zerto-based solution.

  • While not an issue entirely unique to iland or iland's customers, for those planning to migrate some workloads to other IaaS or SaaS over time, more contractual flexibility is desired — particularly if there is a need to reserve compute resources for recovery or compliance reasons.

  • Iland is more DevOps-oriented than most vendors in this Magic Quadrant; however, it is not appropriate for organizations with immediate plans for migration to hyperscale public cloud providers such as AWS, Azure or Google because iland's focus is on its own IaaS.

  • Some existing customers made mention of wanting more visibility and control of the underlying hardware or network design. For customers with larger volumes who might benefit from using different recovery options (e.g., Zerto and Veeam), iland is not yet integrated for self-service consumption.


Founded in 2011, Infrascale is primarily focused on DRaaS and leads with its mission statement, "eradicate downtime and data loss." Using its own technology, it allows for recovery of heterogeneous workloads via self-service or via a combination of partner and Infrascale support. Infrascale brings a cloud-agnostic approach that allows for recovery at one of its 16 recovery centers; hyperscale providers such as IBM SoftLayer/Bluemix, Azure, AWS and GCP; or one of its partners — spanning, in total, 23 countries.

  • Primary Support Approaches: Self-service or fully managed by Infrascale or a partner.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: Infrascale has 16 recovery centers with data centers in the U.S., Canada, the U.K., Germany, Australia and South Africa. Including hyperscale cloud providers and partners, a total of 23 countries are covered.

  • Typical Customer: Small and midmarket companies with fewer than 50 servers, although it has a minimum of one customer with at least 200 servers under management.

  • Recommended Use: Companies with a hybrid infrastructure, but that do not include mainframe or that have requirements outside of backup for Unix or IBM System i servers.

  • Pricing is straightforward by way of a storage-based monthly fee, and the service includes unlimited recovery testing and disaster declarations, with no additional charges beyond the initial setup fee. It is marketed as "hot or warm recovery at the price of tape backup."

  • Infrascale's primary focus is DRaaS, which is evident based on documentation, competitive positioning and roadmap. In January 2017, a formal partnership between Infrascale and GCP was announced.

  • Current customers touted the ease of implementation, customer support and the excellent price point.

  • Like most vendors in this Magic Quadrant, automated failback between dissimilar hypervisors or hardware is not yet available.

  • In-motion improvements will need to be executed upon to maximize channel partner vision — including MSP desires for increased reporting and alert management capabilities and branding options.

  • Infrascale customer survey responses had the greatest number of cautions — ranging from needing to upgrade networks, and the time it takes to expand storage and have new appliances ready for backup to Infrascale's cloud, to concerns about backup queues and needing to reboot appliances.


Microsoft provides infrastructure, platform and software services as well as DRaaS through its Azure Cloud Services. Azure Site Recovery (ASR) is part of the Operations Management Suite. Microsoft built ASR by integrating the InMage technology it acquired in 2014 and now provides DR to Azure for VMware, Hyper-V and physical workloads.

  • Primary Support Approaches: Self-service — direct, assisted or fully managed via a partner.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: Global with 26 locations including the U.S., Canada, the U.K. and Germany.

  • Typical Customer: Small and midsize businesses with fewer than 25 servers, although it has a minimum of one customer with at least 200 servers under management.

  • Recommended Use: When low costs and unlimited, pay-as-you-go testing are priorities for low-complexity, x86-only environments.

  • Pricing for all testing and data storage is based on actual utilization.

  • The availability of ASR in every major Azure site allows clients to protect data globally.

  • Customer satisfaction surveys showed ASR was among the highest for this Magic Quadrant with respect to how often it was considered during the selection process.

  • There are few, if any, customers of ASR who are not also Office 365 customers.

  • Planned failover for VMware-based VMs is not supported currently. And physical x86 workloads, following a DR event, can only be failed back as a virtual workload.

  • Due to the complexity of setup and operations for ASR, many customers utilize partners for initial onboarding or long-term operations. Microsoft is in the midst of major overhauls for documentation and support to increase their usefulness and capabilities.

NTT Communications

NTT Communications (hereafter "NTT Com"), an NTT Group company, is a separate operation from NTT Data and Dimension Data. Its primary focus is on network and data center operations, and it offers services for cloud, data center, network, security and governance, and professional and managed services. DRaaS is one of its managed service offerings.

  • Primary Support Approaches: Fully managed and self-service after initial onboarding.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: The U.S., Asia/Pacific, Japan, the U.K. and Australia.

  • Typical Customer: Businesses with fewer than 25 servers, although it has a minimum of one customer with at least 200 servers under management.

  • Recommended Use: When already utilizing or strongly interested in other NTT Com services.

  • NTT Com has a strong global networking presence with private networks in 196 countries and offerings to complement DRaaS managed services.

  • The Geminare-based Cloud Management Platform (CMP) can integrate with multiple replication and backup technologies (e.g., Arcserve and Veeam) as well as Microsoft Azure.

  • NTT Com has a large presence in the Asia/Pacific region.

  • NTT Com is in the midst of a shift where most of its focus is on multicloud management (i.e., other public clouds such as Microsoft Azure) and consultative transformation — little focus is on DRaaS specifically.

  • Of NTT Com's current customers, 85% are fully managed and most via its IaaS. Yet, due to the aforementioned shift, customers may receive self-service proposals with unneeded complexity — such as splitting up some workloads for recovery on NTT Com's infrastructure and others on Microsoft Azure.

  • NTT had low marks in customer survey scoring, with issues that included onboarding timeliness and slow cloud service response times. With respect to the contractual details submitted with scenario proposals, service levels for DRaaS were limited to uptime and measured only during the time of actual disaster recovery failover or failback.

Peak 10

Peak 10 is based in the Southeastern United States, with 16 data centers located across 10 cities in seven states in the Southeast and Midwest. In addition to DRaaS, it offers data center and network services, managed services, and cloud-based infrastructure and object storage services.

  • Primary Support Approaches: Fully managed.

  • Primary Workloads Supported: Physical and virtual x86, with partner-managed colocation capabilities for non-x86.

  • Regional Recovery Presence: Primarily within the Southeastern U.S., but with customers in 23 states.

  • Typical Customer: Small and midsize businesses with fewer than 25 servers, although it has a minimum of one customer with at least 100 servers under management.

  • Recommended Use: When fully managed services with a low RPO are priorities for low- to medium-complexity fully virtualized or physical x86 environments.

  • Peak 10 has three tiers of RTO, all of which feature Zerto-based continuous data protection with a low RPO. These three tiers can be combined into a tailored solution in order to rightsize requirements and costs.

  • Peak 10 has high levels of operational automation, which improve consistency in its service delivery.

  • Customer references spoke very highly of the technical talent at Peak 10.

  • Peak 10's research and development investments are significantly lower than many other providers within this Magic Quadrant. Consequently, its track record for adoption of new capabilities is slower than many of its competitors.

  • Peak 10 only supports virtualized workloads for DRaaS, and doesn't have a true hybrid recovery environment configuration.

  • The vendor's pricing model has high fixed costs and prepaid instances, which inflates the costs for small configurations and could be wasteful if unused.


Headquartered in San Jose, California, Quorum is centered on its patented onQ technology. Introduced commercially in 2010, onQ was originally developed for U.S. Naval combat systems. Through the years, it has evolved in terms of abilities for backup, deduplication, replication, one-click instant recovery, automated DR testing, sandbox testing, migration and archiving. DRaaS services are provided via its three recovery centers in the U.S. and the U.K.

  • Primary Support Approaches: Self-service after initial onboarding and the first 30 days of support.

  • Primary Workloads Supported: Physical and virtual x86; SAN, iSCSI, Network File System (NFS), and network-attached storage (NAS).

  • Regional Recovery Presence: Three recovery centers and data centers in the U.S. and the U.K.

  • Typical Customer: Small and midmarket companies with fewer than 25 servers, although it has a minimum of one customer with at least 100 servers under management.

  • Recommended Use: Small businesses or lower-tier midmarket businesses with fewer than 50 servers; where self-service is preferred; and where there is a willingness to pay a premium for a local higher-performing device.

  • onQ offers a range of failback options from bare-metal restore to incremental failback — including to similar or different hardware; from physical to virtual; virtual to virtual; or virtual to physical hardware.

  • The appliance itself can perform automated DR testing after snapshots to ensure recoverability. And the provider is thoughtful with respect to recovery options, especially in the use of the appliances when customer requirements involve several small sites.

  • Existing customers tout both the performance of the devices as well as onQ's customer service.

  • Much of Quorum's focus is on the onQ appliances themselves and associated use cases. Less focus is on the DRaaS or onQ cloud portions of the portfolio. Meanwhile, the ability to leverage hyperscale public cloud providers as a replication target is currently limited.

  • The lack of API to allow integration for value-added partners limits future colocation capabilities or additional geographic expansion capabilities.

  • Costs, particularly for implementations of fewer than fifty virtualized servers, are significantly higher than most others offering self-service (60% to 80% higher than the median proposal price submitted by vendors in this Magic Quadrant). And, due to the breakout of the device purchase from the DRaaS offering, much of the costs are front-loaded.

Recovery Point

Recovery Point began in business under the auspices of its now wholly owned subsidiary, First Federal in 1982. Its client base consists of commercial, civilian and secure federal agencies, and state and local governments. Its primary focus is helping customers deal with complex heterogeneous environments that include physical systems and servers, such as IBM z Systems, IBM System i, IBM System p and Oracle Solaris.

  • Primary Support Approaches: Most are fully managed or assisted; 20% of customers are self-service after initial onboarding.

  • Primary Workloads Supported: Physical and virtual x86; Unix (AIX, HP-UX, Solaris); IBM System i, and mainframes.

  • Regional Recovery Presence: Three data centers in the U.S.

  • Typical Customer: Organizations based in the U.S. with complex heterogeneous environments and fewer than 100 servers, although it has a minimum of one customer with at least 200 servers under management.

  • Recommended Use: U.S.-based organizations that desire self-service for straightforward virtualized x86 environments, or that desire fully managed services for more complex deployments.

  • Recovery Point is one of three vendors in this Magic Quadrant that have significant experience providing recovery for non-x86 workloads and mainframes. And its services are competitively priced, as illustrated by the fact that scenario quotes were 40% less than the median of providers in this Magic Quadrant that offer fully managed services.

  • Recovery Point's private network infrastructure functions as a national network hub with the ability to cross connect inexpensively to more than 700 WAN providers. Additionally, it has direct cross connects, at 1G to 200G, to backbones of AWS Direct Connect and Azure ExpressRoute.

  • Recovery Point is very strong with respect to compliance and security, and rather than carve out separate enclaves, it provides enhanced Federal Information Security Management Act (FISMA)-level protection to all customers. Meanwhile, existing customers touted employee expertise and degree of flexibility and collaboration.

  • Service availability is currently limited to the U.S.

  • The portal is a landing page for access to native tools versus being completely integrated; however, Gartner believes this is less relevant in the immediate term for more complex environments where multiple replication tools are required — particularly when recovery is fully managed by the provider.

  • Recovery Point does not have its own consulting arm for performing business impact analysis (BIA) like similar providers in this Magic Quadrant, but it does have capabilities via a third-party partnership.


StorageCraft is a storage and services company headquartered in Draper, Utah. It was founded in 2003, and its business is entirely focused on data protection and restoration services that are offered through value-added and channel partners. It also offers cloud services that can be utilized for disaster recovery by its managed partners.

  • Primary Support Approaches: Fully managed via partners or self-service after initial onboarding via partners.

  • Primary Workloads Supported: Physical and virtual x86.

  • Regional Recovery Presence: The U.S., Canada, Ireland, Germany and Australia.

  • Typical Customer: Small businesses with fewer than 25 servers, although it has a minimum of one MSP with at least 100 servers under management.

  • Recommended Use: When utilizing managed services from small value-added partners for low-complexity environments.

  • StorageCraft has localized language support for German, French, Italian, Spanish, Portuguese and Japanese.

  • StorageCraft requires high levels of training in order for partners to achieve Platinum partner certification. This helps ensure consistent customer satisfaction.

  • Partners are very satisfied with the ease of implementation and simplicity of the product.

  • StorageCraft's cloud-based disaster recovery capabilities are only offered with its highest-level bundle of cloud-based services, which accounts for a small subset of its overall customer base.

  • StorageCraft's support for application and non-x86 platform recovery is significantly lower compared to other providers in this Magic Quadrant.

  • Although StorageCraft will take direct end-user calls, partners are chiefly responsible for any and all testing and executing during actual disaster recovery events.

Sungard Availability Services

Although it offers a variety of services, Sungard AS has offered disaster recovery services for more than 30 years and considers it a core competency. In addition to DRaaS, it offers subscription hardware-based recovery, workplace recovery, and, uniquely in this space, it also has its own business continuity management planning software. In addition to its own recovery locations, Sungard AS now offers Recover 2 Cloud using AWS.

  • Primary Support Approaches: Fully managed.

  • Primary Workloads Supported: Physical and virtual x86, Unix (AIX, Solaris, HP-UX) IBM System i and IBM System z.

  • Regional Recovery Presence: The U.S., Canada, the U.K., Western Europe and Northern Europe.

  • Typical Customer: Businesses with fewer than 25 servers, although it has a significant number of customers with much larger volumes under management — including some with at least 1,000 servers.

  • Recommended Use: When hybrid cloud and heterogeneous workload capabilities are priorities for medium- to high-complexity environments.

  • Sungard AS is one of three vendors in this Magic Quadrant that have significant experience providing recovery for non-x86 workloads and mainframes.

  • The vendor has a well-established track record of successfully providing recovery services, even during large regional disasters. In fact, it has supported well over 3,000 recoveries since 1990.

  • Sungard AS uses automation not only to provision cloud resources, but also to manage the availability and usage of physical resources to support hybrid recovery scenarios.

  • Innovations for Sungard AS' services are not consistently presented to customers during the contract period and potentially even during renewal discussions.

  • Customer reference scores and sentiment have declined over the past year, with Sungard's contractual processes for changes and high costs at contract renewal highlighted as especially troubling. Along those same lines, prices offered by Sungard AS for the scenarios averaged 46% higher than the median price of other fully managed providers in this Magic Quadrant.

  • Elasticity of its services is dependent on hardware-provisioning capacity, which could lead to delays in recovery activation relative to other providers.


TierPoint was formed in 2010 when Cequel Data Centers started purchasing smaller regional companies (Colo4 and Perimeter Technology in 2011, TierPoint in 2012, Windstream Hosted Solutions in 2015 and Cosentry in 2016), and, as a result now has over 40 facilities dispersed across 20 cities in the U.S. It provides a full set of disaster recovery services, including workspace recovery in some of its locations, in addition to offering cloud and colocation solutions to enable hybrid IT and hybrid resiliency.

  • Primary Support Approaches: Fully managed and self-service.

  • Primary Workloads Supported: Physical and virtual x86, Unix (AIX, Solaris, HP-UX), as well as SAN and database replication.

  • Regional Recovery Presence: The U.S. — locations spread from the Northwest to the East Coast.

  • Typical Customer: Small to midsize clients with fewer than 25 servers under management.

  • Recommended Use: When flexibility in technology choices and multiple tiers of services are priorities for medium-complexity environments.

  • TierPoint utilizes a wide mix of technologies to deliver on customer requirements. And TierPoint was in the top three of all providers in this Magic Quadrant with respect to the number of Unix and IBM systems under DRaaS management.

  • The vendor is willing to take on complex solutions that require boutique technologies. In 2016, it introduced an offering where it designs and orchestrates multicloud environments between the TierPoint cloud and the Azure infrastructure.

  • TierPoint's distributed denial of service (DDoS) attack prevention involves the use of two dedicated scrubbing centers with failover to Radware's cloud for additional capacity as needed.

  • TierPoint utilizes commercially available solutions and has not developed its own technologies.

  • TierPoint's willingness to support a wide variety of technologies comes at the expense of its ability to industrialize these processes, which may result in higher prices relative to other self-service providers.

  • Most of the vendor's customer references were unresponsive to survey requests. But some feedback included poor documentation and inaccurate ordering information that resulted in delays during projects. With limited references, it is difficult to know if these are isolated incidents or systemic issues.


Headquartered out of Burlington, Massachusetts, Unitrends has created multiple channel-driven recovery-related products and offerings. At the core are Unitrends' Recovery Series appliances, which include replication and orchestration, and automated recovery capabilities that are branded ReliableDR. Unitrends' Forever Cloud and Recovery Assurance are add-on services for DRaaS customers. The latter provides a one-hour recovery guarantee. In addition, its Unitrends Boomerang product allows customers to replicate workloads to hyperscale public cloud providers in a self-service manner.

  • Primary Support Approaches: Fully managed, self-managed after light onboarding, or fully managed via a partner.

  • Primary Workloads Supported: Specific to DRaaS, x86 workloads are provided with recovery and backup of other workloads.

  • Regional Recovery Presence: Seven recovery centers and data centers, with three in the U.S., and one each in the U.K., Germany, Canada and Australia.

  • Typical Customer: Small and midsize companies with fewer than 25 servers, although it has a minimum of one customer with at least 200 servers under management.

  • Recommended Use: Organizations with a small number of x86 virtualized servers or Windows-based physical servers, and that have some physical Linux servers and non-x86 servers where backups will suffice.

  • Unitrends' services are competitively priced and include automated, monthly full validation tests along with Recovery Time Actual (RTA) compliance reports.

  • Unitrends has a strong roadmap to build upon its Recovery Assurance mantra with respect to both proactive security features and configuration management sprawl, knowing that customer landscapes are always changing.

  • In 2016, internal cultural changes were implemented, including a "grok" engine to optimize and improve real-time market responsiveness. And free tools, such as the RTA Calculator, can be downloaded to help estimate recovery times for VMware-based workloads prior to purchasing.

  • Self-service products such as Unitrends' Boomerang offering can be appropriate and cost less over the long term for organizations with parallel hyperscale public cloud initiatives. However, Unitrends' Boomerang offering is not, by Gartner definition, DRaaS because the customer is responsible for the hyperscale public cloud costs incurred for recovery.

  • Unitrends offers a one-hour RTO guarantee with its Premium DRaaS option; however, prospective customers should request details on how it is measured in lieu of contractual declaration provisions, and ensure remedies are understood in the event the guaranteed RTO was to ever be missed.

  • Customer survey responders cited opportunities for improvement related to initial presales proof of concept (POC) testing and sizing requirements, first-level customer support and the newer GUI. Unitrends made changes to address these items in the latter half of 2016; however, end users are encouraged to validate via recently onboarded references and POCs.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.








Verizon — Regarding the Degree of Vendor Focus section in the Magic Quadrant Scoring Emphasis section, Verizon has DRaaS capabilities but better serves customers with other requirements that include DRaaS versus those that have a desire for a DRaaS-only offering.

VMware — VMware's vCloud Air business unit had been a focused offering of cloud services for DRaaS, data center extension and data center replacement. On 8 May 2017, VMware's vCloud Air business and associated operational services (including DRaaS) were acquired by OVH. Because VMware is no longer a significant player in the DRaaS market, it has been dropped from the Magic Quadrant.

Inclusion and Exclusion Criteria

  1. The vendor must offer one or more services consistent with the Gartner definition of DRaaS.

  2. The vendor must have publicly offered its DRaaS service(s) for at least three years, as of 1 January 2017.

  3. The vendor must be a significant player in the market via visible market presence and/or technology innovation, or have uniquely differentiated service offerings, as reflected in Gartner client and news media inquiries.

Notable Vendors

CloudEndure provides low RPO and RTO capabilities for physical and virtual x86 workloads via continuous replication, orchestration and automated machine conversion technologies. Through the console, customers can perform the initial sync to a cloud target of choice (e.g., AWS, Azure, Google or on-premises), perform disruptive tests, and trigger both failover and failback. Because it is software, versus DRaaS, it is not a candidate for this Magic Quadrant.

Webair is a solid choice for prospective companies who need not only x86 recovery capabilities, but IBM System i as well. Although it has historically focused on the Long Island, New York, and New York City metro areas, it also has recovery locations in Los Angeles, Montreal and Amsterdam. Commercially, it provides excellent value for the money, has experience with many different replication approaches, and has several healthcare-related customers with signed business associate agreements (BAAs).

Druva created its DRaaS offering only a little more than a year ago and is becoming an increasingly viable option for AWS from more of a SaaS, self-service perspective. The offering will soon allow protection for physical workloads, enable multiple uses of the data such as analytics, and provide for automated failback.

Evaluation Criteria

Ability to Execute

Ability to Execute considers the provider's ability to provide a DRaaS offering that meets customer feature/function requirements, as well as the provider's ability to operate the tool with a high level of service guarantee and customer support.


This criterion refers to core goods and services that compete in and/or serve the defined market. This includes current product and service capabilities, quality, feature sets, skills, etc. This can be offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Important aspects include:

  • Breadth and depth of industrialized DRaaS service offerings toward meeting different needs with respect to workload types for Mode 1 customers.

  • Breadth and depth of industrialized DRaaS service offerings toward meeting different RPO, RTO, and retention needs for Mode 1 customers.

  • Breadth and depth of industrialized DRaaS service components that help mitigate against different triggers for disaster recovery.

  • Degree to which the vendor enables Mode 2 initiatives.

  • Investment in automation and skill sets.

  • Ability to meet customer compliance needs.

Overall Viability (Business Unit, Financial, Strategy, Organization): Financials

Viability includes an assessment of the organization's overall financial health as well as the financial and practical success of the business unit. It views the likelihood of the organization to continue to offer and invest in the product, as well as the product's position in the current portfolio. Important aspects include:

  • Overall financial health of the company.

  • Indicators of business success in this particular market, such as revenue, number of customers, and amount of infrastructure under management.

  • Level of investment in this market.

Sales Execution/Pricing

This criterion examines the organization's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel. Important aspects include:

  • Proposal quality.

  • Clarity as to what is included in the base services, what are optional add-ons, and what are custom-made capabilities.

  • Value for the money.

  • Contract transparency.

  • Commercial flexibility.

  • Sales team quality.

  • Approach for ensuring consistency among channel partners.

Market Responsiveness and Track Record

This criterion refers to the organization's ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve, and market dynamics change. This criterion also considers the vendor's history of responsiveness to changing market demands. Important aspects include:

  • Track record for identifying changes in market dynamics.

  • Track record of rapidly delivering new services in response to changes in targeted markets.

  • Approach toward ensuring competitive value — benefits and service costs.

Marketing Execution

Marketing execution describes the clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand, increase awareness of products and establish a positive identification in the minds of customers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, social media, referrals and sales activities. Important aspects include:

  • Brand awareness.

  • Prospective customers' understanding of the vendor's value proposition in the targeted market.

  • Quality of marketing campaigns and other efforts such as social media participation.

Customer Experience

This criterion refers to products and services and/or programs that enable customers to achieve anticipated results with the products evaluated. Specifically, this includes the quality of supplier/buyer interactions, technical support, or account support. This may also include ancillary tools, customer support programs, availability of user groups, service-level agreements and others. Important aspects include:

  • Disaster declaration process.

  • Disaster recovery testing approach.

  • Service-level agreement effectiveness.

  • Contract quality.

  • Service experience with regard to customer expectations.

  • Service quality assurance put in place for customers who primarily engage through a partner/managed service provider.


The operations criterion is the ability of the organization to meet goals and commitments. Factors include the quality of the organizational structure, skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently. Important aspects include:

  • Onboarding effectiveness.

  • Maintaining adequate staffing and personnel expertise.

  • Documented internal processes and procedures.

  • Track record for providing recovery for actual disaster events.

  • External support documentation for customers and/or channel partners to facilitate areas where they may have support requirements.

Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria


Product or Service


Overall Viability


Sales Execution/Pricing


Market Responsiveness/Record


Marketing Execution


Customer Experience




Source: Gartner (June 2017)

Completeness of Vision

Market Understanding

This criterion evaluates the vendor's ability to understand customer needs and translate them into products and services. Vendors that show a clear vision of their market listen, understand customer demands, and can shape or enhance market changes with their added vision. Important aspects include:

  • Clear understanding of today's market and where the vendor will and will not compete.

  • Understanding of primary selection criteria for targeted customer segments within the overall DRaaS market and how the vendor meets those needs.

  • Self-awareness in terms of both strengths and weaknesses.

  • In the case where many service offerings are made available under DRaaS, crisp translation as to which is best for which situations.

  • Future vision of the market and how the vendor will compete.

Marketing Strategy

This criterion assesses a vendor's clear, differentiated messaging consistently communicated internally, externalized through social media, advertising, customer programs, and positioning statements. Important aspects include:

  • Clear, cogent, differentiated market positioning for customer segments that are targeted.

  • When more than one DRaaS offering is offered, clear articulation as to when each is recommended.

  • Market strategy for reaching targeted buyers.

Sales Strategy

This criterion refers to a sound strategy for selling that uses the appropriate networks including direct and indirect sales, marketing, service, and communication, as well as partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base. Important aspects include:

  • Sales strategy for reaching each target customer segment.

  • Partner and channel strategy.

Offering (Product) Strategy

This criterion covers an approach to product development and delivery that emphasizes market differentiation, functionality, methodology and features as they map to current and future requirements. Important aspects include:

  • Service roadmap.

  • How the vendor will meet needs for reducing total cost of ownership for clients in context of other options — other DRaaS providers, cloud and do-it-yourself alternatives.

  • Strategy for meeting needs of customers who have a mix of on-premises and cloud-based architectures and/or buy SaaS services such as CRM.

  • Approaches used to identify and prioritize backlog for new services and enhancements.

Business Model

This criterion refers to the design, logic and execution of the organization's business proposition to achieve continued success. Important aspects include:

  • Evidence of a sound business plan.

  • Adaptability and scalability.

  • Market disruption capabilities.

  • Level of Investment.

  • Intellectual property.

  • Key technical capabilities.

  • Key nontechnical capabilities.

Vertical/Industry Strategy

This criterion covers the strategy to direct resources (sales, product, and development), skills and products to meet the specific needs of individual market segments, including verticals. Important aspects include:

  • Regulated workloads and verticals, such as healthcare, government and PCI-compliant e-commerce.

  • Differentiated experience or coverage for specific industries.


This criterion assesses direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Important aspects include:

  • Extent to which improved resiliency will be provided to customers.

  • Mode 2 enablement.

  • Strategy related to ITSM, CMP and DevOps tools.

  • Automation.

  • Personnel training and certification.

  • Unique partnerships and mergers/acquisitions.

Geographic Strategy

This criterion covers the vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Important aspects include:

  • Sales reach.

  • Service reach.

  • Ability to meet country-specific customer requirements in a way that is differentiated.

  • Marketing strategies and positions that are clearly aligned to the different geographies being targeted.

Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria


Market Understanding


Marketing Strategy


Sales Strategy


Offering (Product) Strategy


Business Model


Vertical/Industry Strategy




Geographic Strategy


Source: Gartner (June 2017)

Quadrant Descriptions


Leaders have large, mature DRaaS practices. These players have significant industry experience, global capabilities, a focus on DRaaS as a stand-alone offering, and industry-leading vision with respect to meeting the needs of its intended target customer segments.


Challengers have substantial experience and focus on DRaaS, but have not yet contributed enough thought-leading differentiation to be considered a Leader.


Visionary providers tend to be less experienced or have smaller volumes of customers and/or number of servers protected under its DRaaS offerings than Leaders. However, they have the potential to disrupt the market as a whole or, on a smaller scale, the markets they target. The manner in which it is demonstrated varies. For some, it is intellectual property or regional differentiation, and for others it may be unique and differentiated ways to fulfill the needs of customers.

Niche Players

Niche Players tend to have smaller volumes of customers and/or number of servers protected under their DRaaS offerings supported, less focus on DRaaS itself as a stand-alone offering (as opposed to a sales entry point for a larger managed service deal), or have some areas that will require additional work with respect to DRaaS-specific offering capabilities, customer satisfaction, or differentiated vision.


As more of the analog world becomes digitized, so downtime affects more of the world. However, infrastructure and operations (I&O) leaders must, in many cases, now shift their thinking away from internally facing DR strategies toward strategies for sustaining externally facing IT service continuity. This is especially true for I&O leaders who already are, or soon will be, tasked with supporting digital business and the Internet of Things (IoT), because the effectiveness of their strategies will be directly measured by the quality of the external customer experience and, ultimately, by the impact of that experience on both revenue and profitability.

Because digital business moments will typically be realized in very compressed time frames, the primary service-level metrics of traditional DR — RTOs and RPOs — no longer apply, as supporting web services must be continuously available. As a result, IT leaders will be increasingly challenged to enable a broader level of IT service continuity.

There are several reasons for this, including:

  • Customers can, and will, switch providers in competitive markets, should a service go down and if switching is easy.

  • Customers will also be vocal about a negative service experience through the use of social media, resulting in a damaged organizational reputation and brand image.

  • Service arbitrage logic, at both the originating and intermediate processing points of a digital business moment, will contain increasingly sophisticated brokering logic that will transparently bypass fulfillment points whose availability is less than a predefined threshold.

The current state of DRaaS constitutes a significant inflection point between the more traditional DR management (which was typically very inwardly focused) and the world of digital business in which outwardly focused managed availability will become a critical success factor. The initial market shift — toward an increasingly managed availability focus and the support for hybrid data center operation — represents the important beginnings of this transition. Within the next five years, cloud-based DR will increasingly transition to managed data center resilience across the premises and the cloud, thereby resulting in recovery and availability either becoming attributes of the managed infrastructure or being directly managed by the applications themselves.

Market Overview

DRaaS vendors include a mix of service providers that also support communications services, subscription-based recovery services, colocation, managed hosting, IaaS and managed backup services. Initially, these providers' services were attractive primarily to small or midsize businesses (SMBs). This was because DRaaS freed up the time of the IT staff in these businesses and because they lacked a secondary recovery data center.

Today, Gartner estimates the size of the DRaaS market to be approximately $2.01 billion, and we expect it to grow to $3.7 billion through 2021. DRaaS growth will be strongest in areas where customers have limited public cloud options, in highly regulated industries, and where business processes consist of IT systems beyond virtualized x86 environments (e.g., bare metal and Unix).

Although the DRaaS market is growing and vendors offer a wide range of services, DRaaS customers still face several challenges:

  • The number of DRaaS options on the market causes confusion for potential customers as to which might be best for their situation. For example, in this Magic Quadrant there are vendors that have their own replication intellectual property and have grown from origins of selling software or appliance-based backup products; others have evolved from the traditional disaster recovery space; and others have added DRaaS capabilities to existing colocation IaaS options. For additional context, for providers without their own replication products, offerings are typically underpinned by commercial off-the-shelf replication products, such as Zerto, Veeam, Asigra, Carbonite DoubleTake, Commvault, StorageCraft and Acronis. Zerto alone has more than 300 cloud partners.

  • The level of complexity in the market is challenging. Each of the aforementioned choices have different restoration capabilities, service support models, prices and pricing approaches, service levels, networking capabilities, and regional capabilities. Even with any provider, different terms will likely be in play depending on configuration size and required computing platforms.

  • Use of a DRaaS provider does not mean that the internal IT is no longer responsible and accountable for successful recoveries. This means that DRaaS customers will still need to actively work with the provider in order to manage recovery assurance.

  • Regular exercising ensures recovery predictability and sustainability. This does not change with the implementation of DRaaS.

  • Heterogeneous recovery configurations beyond x86 often require a custom service agreement, especially for SLA definitions.

  • Declaration policy (that is, how many recovery exercises per year and how much time per exercise is allowed) varies by DRaaS provider.

  • COTS products used by many DRaaS providers are becoming more intuitive and including more options — creating more complicated build versus buy decisions.


Evidence for this analysis was obtained from vendor questionnaire submittals, customer reference surveys, Gartner inquiries and publicly available data.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.


Fanky Christian
IT Infrastructure Specialist

Ketua DPD DKI APKOMINDO (Asosiasi Pengusaha Komputer Indonesia) 2016-2019
Ketua DPD DKI APTIKNAS (Asosiasi TIK Nasional) 2017-2021
Waketum APOI (Asosiasi Pebisnis Online Indonesia) 2016-2020
Waketum ASISINDO (Asosiasi System Integrator & Sekuriti Indonesia) 2017-2021
Sekretaris Jenderal ACCI (Asosiasi Cloud Computing Indonesia) 2017-2021