|
"It is impossible for ideas to
compete in the marketplace if no forum for The Business Forum Journal
The True Cost of Strong Authentication for SSL VPN Access Cutting Costs with On-Demand VPN Authentication
Overview As the global workforce becomes increasingly mobile and virtual, more employees are accessing corporate resources from remote locations. Companies need strategies to offer secure, remote access, whether to support telecommuting, mobile employees, remote offices or external contractors. For many companies, Secure Socket Layer (SSL) VPNs are the answer to the remote access dilemma. Businesses can easily deploy web-based clients for SSL VPNs, while limiting remote access to specific applications. Lacking complex client configuration, SSL VPN deployment is rapid and cost-effective. However, the SSL VPN incurs an additional cost to the business: strong authentication for access. Because security is typically the driving factor for SSL adoption, access to the SSL VPN must itself be protected. Relying on a password alone to protect accounts has been proven to be ineffective, no matter how �strong� you make your password policies. Most businesses that depend on SSL VPNs to secure access to critical resources also insist on strengthening authentication with a second factor. The true price of an SSL VPN deployment includes the cost of the strong authentication solution deployed along with the VPN, both in upfront costs and operational costs over time. Most organizations give their SSL VPN users a second authentication factor using One Time Password (OTP) tokens. OTP token solutions are available from a number of vendors. Most require enterprise software deployment and ongoing management. Physical device management adds another layer of complexity. The token deployment and management increases the real Total Cost of Ownership of the SSL VPN effort considerably. TriCipher offers an alternative: strong authentication delivered completely as an on-demand service, without any enterprise software or token hardware to manage. myOneLogin VPN Authentication is quick to deploy and incurs a low, fixed subscription fee. If you are contemplating an SSL VPN deployment or looking for ways to expand SSL VPN usage and reduce token costs, you need to carefully consider your options. This paper examines the total cost of ownership for token solutions, using data from analysts, users and other public sources. It also discusses and compares the total cost of OTP token solutions with on-demand strong authentication using myOneLogin VPN Authentication. Calculating the True Costs of Tokens In the sections that follow, we will analyze the total cost of ownership for OTP token deployments. The different tasks and costs are based on research from analysts and pricing information available from major token vendors. Your specific costs will vary based on a number of factors, including:
The negotiated pricing you have arranged with a token vendor The behavior of your users Your help desk cost infrastructure The final section of this paper points you to a TCO calculator that you can personalize with your business� actual costs. The information below simply explains and categorizes the various upfront and ongoing costs of tokens. For the example, we will use costs based on a 500-seat OTP token license. Upfront costs of tokens Upfront token costs include:
On-boarding costs Token deployment Purchase cost: The purchase cost of the various tokens can only be accurately defined by negotiations with the vendor, based on the number of seats you need. The following figures should serve as rough guidelines only, based on tokens for 500 users. The cost estimates include software, server hardware, token hardware, per-seat licensing and maintenance contracts. ActivIdentity Entrust RSA Security $44,453 $66,548 $265,699 On-boarding: On-boarding is the process of registering and creating an account for a user for the token solution. You can either outsource the on-boarding process to a service provider, or handle the process internally through the Help Desk and manual efforts by an administrator. Typical costs are:
Internal on-boarding: $85 per user Token deployment: Deployment costs include storing the token hardware, managing the inventory, shipping or distributing the devices, and distributing PINs. Your costs may vary depending on the shipping requirements. (If overnight shipping is required, expenses can be high.)
Ongoing token costs Once the solution is deployed, you�re not done paying for tokens. Users come and go. They lose tokens, leave them at home, or run them through the washing machine. Ongoing token management costs include token replacement, temporary access, and token synchronization issues. Token replacement: The world being an imperfect place, some percentage of your tokens will need to be replaced on a regular basis. How often depends on a number of variables, including:
How many tokens are damaged or have dead batteries Employee turnover and new hires Contractor usage and turnover Percentage of employees/contractors that return tokens To determine your true token replacement costs, you need to estimate values for these variables. Employee turnover deserves a discussion. Theoretically, when employees leave, they will return the token, which you can give to a new employee replacing them. In practice, we find departing employees rarely think to return tokens. Many businesses decide that recovering the token is more costly and difficult than simply replacing it. In our sample cost case, we will make the following assumptions:
Given our pricing examples, we found that our typical token installation for 500 users incurs a token replacement cost of $1,250 per year, which grows as the installed base of token users grows. Temporary access: Users need to gain temporary access to the SSL VPN when they do not have their OTP token devices with them, or are in a location where they cannot use external token hardware. The variables in determining the costs of temporary access include:
Using a conservative estimate of $25 per help desk call for temporary access and 1.8 calls per use per year, the total temporary access cost for 500 users is $22,500 per year. This number can vary widely based on users� habits. Token synchronization: Occasionally, tokens will become out of synch with the OTP server and the user login fails. Time-synchronous tokens (such as RSA�s OTP tokens) can experience synchronization problems due to temperature fluctuations (including being run through the laundry). Event-based OTP tokens can become out-of-synch if the event button is pushed too many times (a young child gets the token, or it presses up against something in a purse or pocket). Unfortunately, troubleshooting and correcting a token synchronization typically requires two Help Desk calls: one to the general Help Desk about the login failure and another to an OTP specialist that resynchronizes the token. The variables to determine your costs here include:
Assuming a conservative 1% of tokens have synchronization problems and the two Help Desk calls together cost your organization $45, then the yearly cost of synchronization issues for a 500-token installation is $225. Other factors Relying on tokens has other costs that are not easily quantifiable. These are not included in our cost estimates, but may be relevant to your business:
myOneLogin VPN Authentication: The On-Demand Alternative myOneLogin VPN Authentication is an on-demand service that adds a second authentication factor without the cost and inconvenience of traditional token deployments. Using myOneLogin VPN Authentication minimizes the additional costs of strong authentication and speeds your SSL VPN deployment. How it works myOneLogin VPN Authentication uses TriCipher�s unified authentication technology, which offers patented multi-factor authentication using a variety of methods. myOneLogin VPN Authentication currently supports the following authentication methods:
One part of the credential resides on the user�s computer, the other part securely in the myOneLogin service. Both parts are necessary for authentication. From the user�s perspective, the experience of authenticating is as simple as providing a user ID and password. The secondary factor exchange occurs in the background. If the user is connecting from another device without the secondary factor (such as a kiosk), they can gain a one-time authorization by answering personalized security questions that they select during the self-provisioning process, or by having a security key sent to a phone number registered for that account. You can choose how to integrate your directory information. myOneLogin can validate passwords against your current corporate user store, while validating the secondary authentication factor on the myOneLogin service. Or, the myOneLogin service can maintain the user directory information and validate both factors. myOneLogin offers tight integration with Juniper Secure Access SSL VPNs and Microsoft IAG 2007, using SAML federation standards. With this tight integration, you can ensure that users only connect to the SSL VPN with strong authentication. myOneLogin supports all other SSL VPNs as well, but without the SAML integration capabilities it is more difficult to ensure that users do not bypass the strong authentication service and connect directly to the SSL VPN. Total costs The cost of myOneLogin VPN Authentication is a simple and straightforward $1 per user per month. Combining VPN Authentication with the myOneLogin Secure Single Sign-On service creates a single portal for connecting securely to your SSL VPN as well as webbased applications for only $3 per month. There are no upfront costs; deployment is quick and simple. The only ongoing cost is the $1 per user per month (or $3 for the broader single sign-on service). You do not need to purchase hardware or manage tokens. Comparing Tokens and myOneLogin Costs The first section of this paper used a sample installation with 500 token users to illustrate the total cost of tokens. Given the assumptions established in that section, the total token costs for the various solutions are outlined in the table below.
In contrast, the cost of myOneLogin for 500 users for one year is a simple equation: $12 per year times 500 users, or $6,000 per year. If you have a different number of users or want to adjust the assumptions made about help desk costs or other factors, you can use an interactive calculator at: http://www.myonelogin.com/vpn_tco_calculator.html
Use the Customize button, or click on the green information buttons by the different fields, to examine the assumptions and adjust the values for your specific business environment. You can adjust most of the variables, including:
When you look at the calculator results, keep the following in mind:
Summary When calculating the true cost of an SSL VPN deployment for your business, you must include the strong authentication technology used to secure access through the SSL VPN. Traditional token solutions add upfront cost and complexity to the SSL VPN deployment, and continue to incur costs over time for token management, replacement and support. myOneLogin VPN Authentication offers a cost-effective, on-demand alternative to OTP tokens, without the implementation and ongoing management costs of tokens. For a simple $12 per user per month, myOneLogin VPN is a fast and flexible way to provide strong authentication to the SSL VPN. Because it is an on-demand service, it is quick to implement and scale if your needs for secure remote access grow.
Visit the Authors Web Site
Search the ENTIRE Business
Forum site. Search includes the Business
|
||||||||||||||||||||||||||||||||||||||||||||
