Calculating availability is a fairly well-worn path. It is a matter of dividing up time and then applying cost values.
Percent Uptime | Downtime/day | Downtime/month | Downtime/year |
---|---|---|---|
95 | 72.00 minutes | 36 hours | 18.26 days |
99 | 14.40 minutes | 7 hours | 3.65 days |
99.9 | 86.40 seconds | 43 minutes | 8.77 hours |
99.99 | 8.64 seconds | 4 minutes | 52.60 minutes |
99.999 | 0.86 seconds | 26 seconds | 5.26 minutes |
I often hear large enterprise architects arguing that building to three nines (99.9% uptime) is a necessity to avoid the high cost of outages. However, the cost of building a highly available infrastructure must also be weighed against the risk of confidentiality loss. In other words, how much will they increase the risk of sensitive data exposure in order to get from 99.5% to 99.9%? Regulations should help companies weigh the options more clearly (e.g. a $250,000 minimum fine for each incident in California is higher than the cost of a $100,000 outage).
This is not to suggest that confidentiality is more valuable than availability, but rather that confidentiality should not be sacrificed for a particular architecture to achieve availability. The best solution is one that provides both high confidentiality and high availability, but it is likely to cost more than a solution that sacrifices one to achieve the other.
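
The trade-off above can be put into numbers. The following is an added example, not part of the original post: it computes the downtime saved by moving from 99.5% to 99.9% and the largest increase in yearly exposure-incident probability that saving can absorb before the upgrade becomes a net loss. The hourly outage cost and baseline incident probability are constructed assumptions, build cost is left out, and the $250,000 figure is the minimum fine cited in the post, so the exposure side is a lower bound.

```python
HOURS_PER_YEAR = 365.25 * 24  # 8766 h; reproduces the table's 8.77 h/year at 99.9%

# Constructed inputs (assumptions, not from the post).
OUTAGE_COST_PER_HOUR = 2_000   # USD lost per hour of downtime
BASE_BREACH_PROB = 0.02        # yearly chance of an exposure incident at 99.5%
# From the post: minimum fine per incident.
FINE_PER_INCIDENT = 250_000    # USD


def downtime_hours_per_year(uptime_pct):
    """Hours of downtime per year implied by an uptime percentage."""
    return (1 - uptime_pct / 100) * HOURS_PER_YEAR


def expected_annual_loss(uptime_pct, breach_prob):
    """Expected yearly loss: outage cost plus probability-weighted fine."""
    outage = downtime_hours_per_year(uptime_pct) * OUTAGE_COST_PER_HOUR
    exposure = breach_prob * FINE_PER_INCIDENT
    return outage + exposure


def break_even_breach_increase(uptime_from, uptime_to):
    """Largest added yearly incident probability the availability gain can absorb."""
    saved_hours = (downtime_hours_per_year(uptime_from)
                   - downtime_hours_per_year(uptime_to))
    return saved_hours * OUTAGE_COST_PER_HOUR / FINE_PER_INCIDENT


def upgrade_pays_off(uptime_from, uptime_to, added_breach_prob):
    """True if the higher-availability design has the lower expected loss."""
    before = expected_annual_loss(uptime_from, BASE_BREACH_PROB)
    after = expected_annual_loss(uptime_to, BASE_BREACH_PROB + added_breach_prob)
    return after < before


if __name__ == "__main__":
    saved = downtime_hours_per_year(99.5) - downtime_hours_per_year(99.9)
    print(f"downtime saved: {saved:.2f} h/year")
    limit = break_even_breach_increase(99.5, 99.9)
    print(f"break-even added incident probability: {limit:.3f}")
    for added in (0.10, 0.30):
        print(f"added risk {added:.2f}: pays off = "
              f"{upgrade_pays_off(99.5, 99.9, added)}")
```

With these inputs the upgrade saves about 35 hours of downtime a year, which stops paying for itself once the new architecture adds more than roughly 0.28 to the yearly probability of an exposure incident.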