Calculating TCO: The Real Cost of Cloud Security

This post examines the total cost of ownership (TCO) of a cloud security system, not in terms of the actual dollars and cents cost of a system, but in terms that will help you identify and understand the many hidden costs associated with accurately calculating the TCO for cloud security.

In essence, we want to show you some of the areas that would require a significant investment if you were to build, operate, and maintain a system with capabilities similar to Threat Stack’s Cloud Security Platform®. This, in turn, should help you make an informed decision as you go about selecting a cloud security solution that is appropriate for your organization.

Note: We use “build” in a broad sense in this post, from building a system from scratch, to leveraging open source tools, to creating integrations among multiple point solutions.

Finding The Right Approach

There’s a great deal of confusion in the marketplace about how to approach security in the cloud and where to get started with a cloud security solution. Here are some of the questions you might face:

  • Use Open Source Tools?
    Should you use free, open source tools? Free doesn’t necessarily mean trouble-free. Keep in mind that these tools often require extensive adaptation at the outset and can be management intensive throughout their lifecycles. Some of the questions you should ask yourself are: Do these tools fit into your larger, strategic architecture? Do you understand what type of adaptation you’ll need in order to get up and running? Do you have the surrounding tooling to effectively manage them?
  • Build From Scratch?
    Should you consider building a solution totally from scratch? Why not, right? Using a cloud provider like AWS means cheap infrastructure; with a ton of high-level languages available it’s never been easier to code; a variety of frameworks means rapid development; and storing data is super easy so scaling shouldn’t be an issue . . . (STOP!!! In a moment we’ll discuss how the above line of thinking can get you in a lot of trouble and cost your organization more than you ever anticipated.)
  • Use a Comprehensive Security Platform?
    Should you work with a trusted partner in the space who has a single, comprehensive and supported platform that addresses the majority of your security needs and provides deep insight into your environments?

Our position is this: Based on our own calculations and a great deal of customer and industry feedback, there is ample evidence to suggest that buying security products is much easier and considerably less expensive than building them. And buying a comprehensive, integrated solution is less expensive than buying and integrating a number of point solutions. On top of this, the security products you buy are, generally speaking, a lot more effective because they’re built by people who do this for a living.

Consider The Hidden Costs

Threat Stack’s growing list of customers is full of talented organizations that build incredible new platforms. So the discussion here shifts from could you build something to solve a security problem to should you.

Well, should you?

Before you answer, consider these two questions:

  • Do you want to be a security company, or do you want to be a secure company?
  • Do you understand all the issues that are involved — all the elements that go into the TCO?

The Cost of Going Down a Rabbit Hole

When making security decisions, it’s important to think things all the way through BEFORE getting started. We’ve all been in that scary, frustrating place where a seemingly easy task quickly overwhelms you. When you had the 10,000 foot view of the project, the solution couldn’t have been easier. But now that you’re looking at the details and unforeseen problems and issues start revealing themselves, the decisions on whether to move forward or scrap entirely get harder and harder — especially when you start to consider the sunk costs that you’ve already poured into the project.

Do thorough research upfront, seek advice from industry experts, and instead of thinking about creating short-term “band-aid” solutions, think about how this fits into your overall security strategy and how it will help you meet long-term goals while you grow and scale.

It’s never as easy as you think . . .


The Cost of All the “ilities”

Availability, scalability, reliability, etc.

If you’re going to build, you will need to consider all the “ilities”. Your security application won’t be much help if you can’t log in because it’s overwhelmed with users, it can’t handle large-scale use, or it can’t grow in size and complexity to keep pace with your company as it grows. If you’re working with a vendor, there could still be problems related to scaling. If you end up using a vendor who requires an AMI to run your product on, for example, your ability to operate could require forklift upgrades, dependence on the vendor, and there might be hidden associated costs as usage or growth increase on their platform.

To deal with challenges like these, Threat Stack has assembled a deep bench of engineering talent whose sole focus is building for availability, scalability, and reliability. These people ensure that Threat Stack works as it is intended so customers get a platform they can trust to deliver the audit, monitoring, and investigation capabilities they need to stay protected.

The Cost of Talent

We have found that one of the great myths of building anything internally is “We could probably do it using one or two engineers.” While that’s theoretically possible, those engineers would need an incredible depth and breadth of knowledge in a large number of specialized areas.

Your expertise would need to include languages like JavaScript, Python, Go, and Scala, application components, multiple databases like RDS and PostgreSQL, integrations using WSDLs and Python, UI and UX — and don’t forget QA for all sorts of user and reliability testing.

Even if you’re bundling multiple point solutions rather than building one from the ground up, you’ve still got to factor in the cost and expertise required for integration.

The Cost of Care and Feeding

Assuming that you have actually built an application and have all the site reliability and scaling issues under control, ongoing maintenance is going to be your next big issue. TCO really takes off when it comes to ongoing costs, and here are some of the things you need to put a price on:

  • Bugs: It is a fact of every developer’s life that their work will contain some bugs, and dealing with them will require ongoing vigilance, attention to detail, ongoing release cycles, and further QA.
  • Vulnerabilities: Your code will contain vulnerabilities, or you will discover vulnerabilities in the other applications you’ve adopted in order to build your platform. You will need to fix your code and update your contributing sources continually as new vulnerabilities are discovered.
  • Features: Your application will need to grow over time to do more things. Feature requests will appear all over your application, from the UI to how the database commits changes. These will make your app better, but will also cost time, money, and resources to develop and test. And your application will be more complex and therefore, more expensive to manage.
  • Support: One of the biggest reasons for going with a vendor’s product is to get access to dedicated support. And the fewer the vendors, the more centralized the support issues will be. Because customers use Threat Stack in very diverse environments, our dedicated team of Customer Success Engineers is able to provide guidance on a wide range of challenging deployments and handle them successfully.

Again, while the preceding comments apply to building a solution from the ground up, many of them also apply to creating and maintaining one built on a number of point solutions.

So What Does a Cloud Security Solution Really Cost?

When we discuss security systems with prospects here at Threat Stack, we come back to the question we asked earlier: Do you want to be a security company, or do you want to be a secure company?

If you want to be a secure company, we feel you should weigh all the points we’ve raised above. Then calculate:

  • How long it would take to build a system (and consider how you would protect your organization while you did so)
  • How many resources you would need (not only to build, but to test, maintain, and enhance the system)
  • How this activity would possibly (likely) divert attention and resources from your corporate mission and goals

Even if you want to take the route of buying and integrating point solutions, a lot of the “build” overhead still remains.

Also consider how you would deal with compliance issues if you are in a regulated industry, and how you would respond to due diligence questions if you were to engage in M&A discussions. (The list of things you need to factor in never seems to end!)

In the long run, from a total cost of ownership point of view, there is ample evidence to suggest that a unified, supported platform is the best way to go because, quite simply, you’ll get the best solution for your organization’s needs for the best price.

And Finally . . .

If you are just starting out in cloud security, be sure to download a free copy of Jump Starting Cloud Security. This playbook is a hands-on guide that has everything you need to get on the fast track to securing your AWS cloud infrastructure.