Security Basics mailing list archives
RE: About Operating Systems security
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Tue, 3 Jun 2003 10:51:53 -0500
You've fallen into the basic assumption, which makes all of these TCO calculations bogus:

    Upgrades
    Linux - $0

There's no way that's true. At a minimum, SOMEBODY in the organization is going to have to subscribe to, read, understand AND ACT UPON the 100s of daily messages on the vulnerability lists.

See, for that

    Nokia Device - free first three years then $1000/yr

$1000 a year, Nokia does the heavy lifting for you, and pushes (via email, quarterly update CDs, whatever) the fixes out to you. You apply them (at some cost to the organization for your time) upon some schedule that's appropriate to the organization. If they tell you 'major security risk, must apply today', then you do so. If they tell you 'Quarterly update, includes some security fixes', well, you should apply it, but there's some flex in the schedule.

But for Linux, you're on your own. Yes, there are dozens of services, mailing lists, etc. that will HELP you - and RedHat's RedHat Network with its automatic up2date will download the requisite patches to the box, but you still have to apply them. More to the point, you still have to make the critical decisions about which ones TO apply. If they push you something for cups, because it's part of the default install, and yet you're not printing from the box, do you apply it? Or tell RH to ignore that package?

The reality is that it may well cost you MORE, or LESS. Why? Because instead of paying one highly skilled engineer to make a single decision for everyone, everyone - almost of necessity less skilled, simply because they don't know the product as well as the engineer who does nothing else - has to make their own decisions. It may well cost the INDUSTRY more - 1000s x $10 vs 1 x $100, say. But that's only part of the decision process - whether the benefits from that additional cost help or hurt the organization probably depends upon what business you're in and a whole host of factors unique to your organization.
-----Burton

-----Original Message-----
From: Jimi Thompson [mailto:jimit () myrealbox com]
Sent: Sunday, June 01, 2003 7:47 PM
To: yannick'san; security-basics () securityfocus com
Subject: Re: About Operating Systems security

You stated in one of your later e-mails that you want to move certain things in your company toward open source products - firewalls, web servers, and databases. In any case, the way to make your point is TCO - total cost of ownership.

You must take the cost of procurement as the starting point. What does the software cost? What does the hardware it will require cost? Next, what is the cost of managing this and keeping it running? What do you have to pay an engineer or DBA that can administer the product? How much are upgrades? What about vendor support? Will you have to retrain people to manage this product? What is the projected life span of the product?

    TCO = [(procurement cost) + (management cost) x life span ] x number of units

If you can run the numbers for the commercial package and compare them to the open source package, you should be able to sell this to your managers.

Example - firewall, Linux vs. Nokia Checkpoint Device

Procurement Costs
    Linux - software = $0
          - hardware = $0 (assuming cast-off workstation recycled as firewall)
    Nokia Device - software & hardware come bundled: $15,000
____________________________________________________________
Management Costs
    Engineer to run Linux firewall competently - $85,000
    Engineer to run Nokia Device competently - $75,000

Upgrades
    Linux - $0
    Nokia Device - free first three years, then $1000/yr

Vendor Support
    RedHat - $2500/year (24x7 support)
    Nokia Device - free first three years, then $1000/yr

Retraining Employees (3 employees)
    RedHat - $1000 per employee
    Nokia - limited training available from sales staff
____________________________________________________________
Lifespan
    5 years

Number of Units
    2 (external and DMZ)
_____________________________________________________________
Linux TCO = [(0) + 3*1000 + (85000 + 2500) x 5] x 2 = $881,000

Nokia TCO = [(15000) + (75000) x 5 + 2*1000 {2 additional years of updates} + 2*1000 {2 additional years of support}] x 2 = $788,000

That's how you make your case to management if you want to do it based on TCO.

--
Thanks,
Ms. Jimi Thompson, CISSP, Rev.

"Those who are too smart to engage in politics are punished by being governed by those who are dumber." --Plato
Current thread:
- Re: About Operating Systems security yannick'san (Jun 02)
- <Possible follow-ups>
- Re: About Operating Systems security Chris Berry (Jun 02)
- Re: About Operating Systems security Jimi Thompson (Jun 02)
- RE: About Operating Systems security Burton M. Strauss III (Jun 03)