Security Basics mailing list archives

RE: About Operating Systems security


From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Tue, 3 Jun 2003 10:51:53 -0500

You've fallen into the basic assumption, which makes all of these TCO
calculations bogus:

Upgrades
Linux - $0

There's no way that's true.  At a minimum, SOMEBODY in the organization is
going to have to subscribe to, read, understand AND ACT UPON the 100s of
daily messages on the vulnerability lists.

See, for that

Nokia Device - free first three years then $1000/yr

$1000 a year, Nokia does the heavy lifting for you, and pushes (via email,
quarterly update CDs, whatever) the fixes out to you.  You apply them (at
some cost to the organization for your time) upon some schedule that's
appropriate to the organization.  If they tell you 'major security risk,
must apply today', then you do so.  If they tell you, 'Quarterly update,
includes some security fixes', well, you should apply it, but there's some
flex in the schedule.


But for Linux, you're on your own.  Yes, there are dozens of services,
mailing lists, etc. that will HELP you - and RedHat's RedHat Network with
its automatic up2date will download to the box the requisite patches, but
you still have to apply them.  More to the point, you still have to make the
critical decisions about which ones TO apply.  If they push you something
for cups, because it's part of the default install, and yet you're not
printing from the box, do you apply it?  Or tell RH to ignore that package??


The reality is that it may well cost you MORE, or LESS.

Why?  Because instead of paying one highly skilled engineer to make a single
decision for everyone, everyone - almost of necessity less skilled simply
because they don't know the product as well as the engineer who does nothing
else - has to make their own decisions.

It may well cost the INDUSTRY more - 1000s x $10 vs 1 x $100 say.  But
that's only part of the decision process - whether the benefits from that
additional cost help or hurt the organization probably depends upon what
business you're in and a whole host of factors unique to your organization.


-----Burton




-----Original Message-----
From: Jimi Thompson [mailto:jimit () myrealbox com]
Sent: Sunday, June 01, 2003 7:47 PM
To: yannick'san; security-basics () securityfocus com
Subject: Re: About Operating Systems security


You stated in one of your later e-mails that you want to move certain
things in your company toward open source products - fire walls, web
servers, and databases.  In any case, the way to make your point is
TCO  - total cost of ownership.

You must take the cost of procurement as the starting point.

What does the software cost?  What does the hardware it will require cost?

Next, what is the cost of managing this and keeping it running?

What do you have to pay an engineer or DBA that can administer the product?
How much are upgrades?
What about vendor support?
Will you have to retrain people to manage this product?

What is the projected life span of the product?

TCO = [(procurement cost) + (management cost) x life span] x number of units

If you can run the numbers for the commercial package and compare
them to the open source package, you should be able to see this to
your managers.

Example - fire wall

Linux vs. Nokia Checkpoint Device

Procurement Costs

Linux - software = $0
      - hardware = $0 (assuming cast-off workstation recycled as firewall)

Nokia Device = software & hardware come bundled $15,000
____________________________________________________________
Management Costs

Engineer to run linux firewall competently - $85,000
Engineer to run Nokia Device competently - $75,000

Upgrades
Linux - $0
Nokia Device - free first three years then $1000/yr

Vendor Support
RedHat -  $2500/year (24x7 support)
Nokia Device -  free first three years then $1000/yr

Retraining Employees  (3 employees)
RedHat - $1000 per employee
Nokia - Limited training available from sales staff
____________________________________________________________

Lifespan 5 years

Number of Units 2 (external and DMZ)

_____________________________________________________________

Linux TCO = [(0) + 3*1000+ (85000+ 2500) x 5 ] x 2 = $881,000

Nokia TCO = [(15000) + (75000) x 5 + 2*1000 {2 additional years of updates} + 2*1000 {2 additional years of support}] x 2 = $788,000



That's how you make your case to management if you want to do it based on
TCO.


--
Thanks,

Ms. Jimi Thompson, CISSP, Rev.

"Those who are too smart to engage in politics are punished by being
governed by those who are dumber." --Plato



