syed-ratchford
What Drives TCO?
• Networks Grow in Size and Complexity
• Scope of Operations Increases
• Skilled IT labor grows scarce
• New applications require new solutions
What Drives TCO in Security?
• Vendors produce insecure applications
• Vulnerabilities proliferate
• Business processes depend on applications
• System availability drives profit
Components to Consider
• Initial Cost of Product (25% of life cycle)
• Vendor Support Services
• Deployment Services
• Time for Staff to Install and Configure
• Training Cost
• Post Deployment Support
How to Reduce TCO?
• Simplify Infrastructure (KISS)
• Upgrade Infrastructure When Timing is Right
• Minimize Labor Intensive Activities
• Consider Remote Management
• Know Your Assessment Parameters
[Figure: chart with axes Security Risk and TCO, each running from LOW to HIGH, showing a Budget Line, an Acceptable Risk line, Option 1, Option 2, Option 3, and the Ideal Soln.]
Evaluating the Options
• Option 1
– FIREWALL At Gateway Only
• Option 2
– DMZ Firewall Architecture
– Anti Virus Software on all DMZ machines
• Option 3
– DMZ, AV S/W on DMZ Machines
– VPN Access to all DMZ Machines
– AV S/W and Firewalls on all Clients
Evaluating Architectures
• Option 1 - Screening Router
• Option 2 - Dual Homed Host
• Option 3 - Bastion Host
• Option 4 – Screened subnet (DMZ)
Which one costs more relative to risk?
Option 4: Screened Subnet
[Figure: Screened subnet Architecture, aka DMZ. Diagram labels: Internet, Exterior Router, Perimeter Network, FIREWALL, Interior Router, Internal Network.]
Assumptions
• Cost of Router: $3000
• Cost of Firewall: $5000
• Cost of Security Administrator: $75K/year
• Managed Security Service Provider (MSSP): $24K/year
Things to Consider
• Which Option Would You Choose?
• Is cost the only driver?
• Could You Determine TCO for the different architectures?
• Given a Set of Devices Could You Compute TCO?
Difficulties with ROI
• Investment decisions based on ability to demonstrate positive ROI
• ROI traditionally difficult to quantify for network security devices
• Difficult to calculate risk accurately due to subjectivity involved with quantification
• Business-relevant statistics regarding security incidents not always available for consideration in analyzing risk
Option Cost—In-house
• Manpower cost constant: $75K
• Option 1 - Screening Router: $78K
– HW Cost: $3K (cost of 1 router)
• Option 2 - Dual Homed Host: $80K
– HW Cost: $5K (FW cost)
• Option 3 - Bastion Host: $83K
– HW cost: $8000 (router + FW)
• Option 4 – Screened subnet (DMZ): $86K
– HW cost: $11000 (2 routers + FW)
Option Cost—MSSP
• Manpower cost constant: $24K
• Option 1 - Screening Router: $27K
– HW Cost: $3K (cost of 1 router)
• Option 2 - Dual Homed Host: $29K
– HW Cost: $5K (FW cost)
• Option 3 - Bastion Host: $32K
– HW cost: $8000 (router + FW)
• Option 4 – Screened subnet (DMZ): $35K
– HW cost: $11000 (2 routers + FW)
New Paradigm Needed?
• TJ Maxx Credit Card Theft: $450M
– Wonder if they had an ROI?
• Why not a TCS: Total Cost of Security?
– What would one short-term outage cost?
– What would one long-term outage cost?
– Could we survive losing customer data?
– What is it worth not to experience any of this?
– Could we make money off our security expenses via marketing, branding