The 7/7 Virtualization Security Podcast with Steve Kaplan, Vice President of INX’s Data Center Virtualization Practice and well known ROI/TCO expert within the virtualization and cloud space, joined us to talk about the ROI and TCO of virtualization and cloud security. We discussed someways to view virtualization and cloud security, but mostly the fact that many people may not think ROI or TCO even applies until a problem occurs and you need to rush in and find and fix the leak that lead to a break-in. In essence, the ROI of proper security tools is your entire business.It is definitely an interesting view of virtualization and cloud security where TCO could be high for complete security, but the ROI of such security is in effect the survival of your business. Because of this, security tools is considered to be insurance against attacks. This is a mindset that could often lead to the purchase of just one tool, or perhaps even the wrong tools for your environment.
To get the most out of your investment in security tools, you must first start with a good security policy that covers all the areas that need protecting, you must first outline what needs protecting and why. What is the risk to your business of the data gets out to others. Once you know this, then you can start to architect a solution to meet those requirements. Once you know your architecture, you can start your design and plugin tools to meet the needs of your security requirements and architecture. Never start with the tool, start with architecture, which was a major point of discussion at the recent RSA Techfest, as well and I can only assume it will continue to be a point of discussion. Bolt on security does not work. Security is needed from inception of a project, not after the fact.
This is why in many ways, ROI does not come into play with security. ROI for security is only measured when there is a failure, and in that case the ROI is so high that we are reacting. The best ROI of security products occur when there are no incidents and the tools, policies, and procedures for security work as expected. However, TCO of security tools does come into play almost immediately. Security tools are not inexpensive but are a necessity. So in many ways security is a discussion of TCO, and this is why many people who look at virtualization and cloud security tools only want to purchase one tool and assume it does everything. This is a bad judgement. Just security in the physical world, there is no one tool that does everything, you need multiple tools to cover all aspects of security.
Tools that seem similar are not, and as such should not be competing with each other within the market, but instead are complimentary tools. Such tools are those provided by HyTrust (of which at the moment there are no competitors) which is a complementary tool to all the various network tools provided by Trend Micro, VMware, Catbird, Reflex Systems, etc. In turn, these are complementary to Anti-Virus and Anti-Malware tools, which are complementary to Data Loss Prevention Tools, which are complementary to IDS/IPS tools. And all these tools are complementary to log management and analysis tools. You really need all these types of tools, of course dependent on your architecture.
TCO is the cost of the tools to meet your security goals within the virtual and cloud environments, while ROI is measured by the proper response of these tools and a reduction in incidents.