
maXecurity: The Next Generation of Web Access Management

By: P2 Security
Published: May 09, 2008
Length: 4
Type: Case Study
 
Overview:
A large financial institution used a competitive product for Web Access Management. By working with P2 Security, the company was able to determine its true Total Cost of Ownership (TCO). An analysis following the installation of maXecurity revealed cost savings of millions of dollars per year. In addition, by switching to maXecurity, the Return on Investment (ROI) was measured in months.
“Bank A” purchased a software-based WAM solution. It paid a per-user licensing fee of $1.50. Therefore, the total initial cost was $750,000 covering 500K users. The competitive product was software-based -- it included both Web agents (software plug-ins that run on the Web servers) and policy servers (the program that communicates with the Web agents regarding policy information).

Hardware Costs
Since the competitive product is software-based, hardware is also needed in order to run the policy server software. The vendor-recommended server platform was Sun V490. Based on internal performance testing, Bank A concluded that they needed 65 V490s. Their discounted price from the manufacturer was $60,000 each, for a total cost of $3,900,000.

Initial Purchase Price Savings
The maXecurity Enterprise appliances (the top of the line) can each handle 10,000 simultaneous connections. maXecurity appliances are priced based on performance, not number of seats. Only six appliances were needed to give Bank A performance equivalent to its previous deployment. Because all of the appliances were load-balanced together, it was decided that eight appliances would be ideal, so that there would always be some redundancy in case of failure; the extra capacity also gave them the flexibility to handle additional demand during normal and peak use, as well as expected growth.
Eight maXecurity Enterprise appliances have a retail price of $250,000 each. Since the appliances include both the hardware and policy server-equivalent software, and eliminated the need for Web agents, the total initial cost for Bank A’s maXecurity-based solution was $2,000,000. Again, the competing product they had in place cost $750,000 for the software licensing fees and $3,900,000 in hardware to run the policy server software, or $4,650,000 -- a premium of $2,650,000.

Annual Administrative Personnel Costs
Centralized vs. Delegated Administration
Like almost all WAM products on the market today, Bank A’s competitive product had a centralized administration console. That meant that there was a single application interface and, more importantly, a single login for administering the product. Since there was a single login, a team was formed at Bank A to handle all administration requests, and each user shared the “master” password to make changes to policies. With over 1,000 Web applications to maintain, this team consisted of 10 people whose full-time responsibilities were to:
- monitor and maintain the policy server infrastructure (monitor the software processes on all 65 servers, perform policy server software upgrades, etc.)
- translate Web application security requirements into policies that are configured in the policy servers for all 1,000+ Web applications across the enterprise
At an “actual cost” of $200,000 per year, per employee (including salary, benefits, real estate costs, etc.), Bank A was paying $2,000,000 per year for a centrally-administered infrastructure. Before WAM products came into existence, each Web application developer group would code and configure their own access policies. It is logical to conclude that developers would understand their access control needs best, because they understood their Web application and user needs.
A key feature of the maXecurity product line is delegated administration. Therefore, with maXecurity, Web application developer groups administer their own access control policies. This results in not only more efficient development and maintenance cycles, but also obviates the need for any additional policy administration personnel.
A common requirement (as well as an industry-determined best practice) is to segregate administrative functions by role. Sarbanes-Oxley requires such controls, and maXecurity includes them right out of the box. Two roles (in addition to the application developer) are Infrastructure Administrator and Security Administrator. These roles allow control over the configuration and operation of maXecurity appliances to be segregated and delegated to the appropriate groups, while preventing unauthorized users from accessing functions outside the scope of their job functions. Bank A reallocated a total of 6 employees to manage and secure the maXecurity appliances.

Software vs. Appliance-Based Maintenance
Software products offer the flexibility to run on a variety of hardware platforms which customers may already own. However, for something as critical to an enterprise as Web Access Management, software-based products are inefficient both from a performance and security point of view. As described earlier, Bank A was able to reduce the number of machines that need to be monitored by a factor of ten. 