Lesson 15 Total Cost of Ownership

Upload: syed-ratchford

Post on 15-Dec-2015


Lesson 15

Total Cost of Ownership

What Drives TCO?

• Networks Grow in Size and Complexity
• Scope of Operations Increases
• Skilled IT labor grows scarce
• New applications require new solutions

What Drives TCO in Security?

• Vendors produce insecure applications
• Vulnerabilities proliferate
• Business processes depend on applications
• System availability drives profit

Components to Consider

• Initial Cost of Product (25% of life cycle)
• Vendor Support Services
• Deployment Services
• Time for Staff to Install and Configure
• Training Cost
• Post Deployment Support

How to Reduce TCO?

• Simplify Infrastructure (KISS)
• Upgrade Infrastructure When Timing is Right
• Minimize Labor Intensive Activities
• Consider Remote Management
• Know Your Assessment Parameters

[Figure: chart of TCO against Security Risk, each on a LOW to HIGH scale, marking the Budget Line, Acceptable Risk, Option 1, Option 2, Option 3 and the Ideal Soln]

Evaluating the Options

• Option 1
  – Firewall at Gateway Only
• Option 2
  – DMZ Firewall Architecture
  – Anti Virus Software on all DMZ machines
• Option 3
  – DMZ, AV S/W on DMZ Machines
  – VPN Access to all DMZ Machines
  – AV S/W and Firewalls on all Clients

Evaluating Architectures

• Option 1 - Screening Router
• Option 2 - Dual Homed Host
• Option 3 - Bastion Host
• Option 4 – Screened subnet (DMZ)

Which one costs more relative to risk?

Option 1: Screening Router

[Diagram labels: Internet, Screening Router]

Option 2: Dual-homed Host

[Diagram: Dual-homed host Architecture. Labels: Internet, Dual-homed host]

Option 3: Bastion Host

[Diagram: Screened host Architecture. Labels: Internet, Bastion Host, Screening Router]

Option 4: Screened Subnet

[Diagram: Screened subnet Architecture, aka DMZ. Labels: Internet, Internal Network, Perimeter Network, Exterior Router, Interior Router, FIREWALL]

Assumptions

• Cost of Router: $3000
• Cost of Firewall: $5000
• Cost of Security Administrator: $75K/year
• Managed Security Service Provider (MSSP): $24K/year

Things to Consider

• Which Option Would You Choose?
• Is cost the only driver?
• Could You Determine TCO for the different architectures?
• Given a Set of Devices Could You Compute TCO?

Difficulties with ROI

• Investment decisions based on ability to demonstrate positive ROI

• ROI traditionally difficult to quantify for network security devices

• Difficult to calculate risk accurately due to subjectivity involved with quantification

• Business-relevant statistics regarding security incidents not always available for consideration in analyzing risk

Option Cost—In-house

• Manpower cost constant: $75K
• Option 1 - Screening Router: $78K
  – HW Cost: $3K (cost of 1 router)
• Option 2 - Dual Homed Host: $80K
  – HW Cost: $5K (FW cost)
• Option 3 - Bastion Host: $83K
  – HW cost: $8000 (router + FW)
• Option 4 – Screened subnet (DMZ): $86K
  – HW cost: $11000 (2 routers + FW)

Option Cost—MSSP

• Manpower cost constant: $24K
• Option 1 - Screening Router: $27K
  – HW Cost: $3K (cost of 1 router)
• Option 2 - Dual Homed Host: $29K
  – HW Cost: $5K (FW cost)
• Option 3 - Bastion Host: $32K
  – HW cost: $8000 (router + FW)
• Option 4 – Screened subnet (DMZ): $35K
  – HW cost: $11000 (2 routers + FW)
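
The in-house and MSSP figures above follow from the Assumptions slide. As an added example (not part of the original lesson), this sketch computes TCO for any set of devices under either staffing model. The function and dictionary names are hypothetical, and treating hardware as a one-time purchase with labor recurring every year is an assumption used for the multi-year case.

```python
# Unit prices from the Assumptions slide (USD).
DEVICE_COST = {"router": 3000, "firewall": 5000}

# Annual labor cost per staffing model, from the Assumptions slide (USD/year).
LABOR_PER_YEAR = {"in-house": 75000, "mssp": 24000}

# Bill of materials per architecture, as listed on the Option Cost slides.
ARCHITECTURES = {
    "Screening Router": {"router": 1},
    "Dual Homed Host": {"firewall": 1},
    "Bastion Host": {"router": 1, "firewall": 1},
    "Screened Subnet (DMZ)": {"router": 2, "firewall": 1},
}


def hardware_cost(devices):
    """Sum unit prices for a {device: count} bill of materials."""
    total = 0
    for name, count in devices.items():
        if name not in DEVICE_COST:
            raise KeyError(f"no price listed for device {name!r}")
        total += DEVICE_COST[name] * count
    return total


def tco(devices, staffing, years=1):
    """Hardware bought once plus labor for `years` years.

    Assumption (not from the slides): hardware is a one-time purchase
    and labor recurs at the same rate every year.
    """
    if years < 1:
        raise ValueError("years must be at least 1")
    return hardware_cost(devices) + LABOR_PER_YEAR[staffing] * years


def option_table(years=1):
    """Return {architecture: {staffing: TCO}} for every listed option."""
    return {
        arch: {s: tco(bom, s, years) for s in LABOR_PER_YEAR}
        for arch, bom in ARCHITECTURES.items()
    }


if __name__ == "__main__":
    for arch, costs in option_table().items():
        print(f"{arch:24} in-house ${costs['in-house']:,}  MSSP ${costs['mssp']:,}")
```

With `years=1` the table reproduces the figures on both Option Cost slides.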

New Paradigm Needed?

• TJ Maxx Credit Card Theft: $450M
  – Wonder if they had an ROI?
• Why not a TCS: Total Cost of Security?
  – What would one short-term outage cost?
  – What would one long-term outage cost?
  – Could we survive losing customer data?
  – What is it worth not to experience any of this?
  – Could we make money off our security expenses via marketing, branding?

Summary

• What Drives TCO?
• Reducing TCO
• Option Analysis
• Assumptions and Considerations
• Difficulties with ROI