1. Define Your Environment

    Network Environment

    Show and Modify Assumptions & Calculations

    Assumptions

    Revert
    appliance_gateway Close

    The industry standard is two appliances setup in an active-passive topology, so that if one experiences a failure, the other will take over.

    And not all appliance-delivered security solutions even support high availability without additional 3rd-party load balancers or WCCP-based routers, which is not factored into our calculations.

    And if an entire gateway location experiences a disaster, off-premises users or other backhaul locations will lose Internet connectivity unless a disaster recovery site is setup.

    Revert
    enforcement_management Close

    Each appliance that enforces policies and protections has an on-box database to log Internet usage data for reports. Most appliances also individually stores the policy configuration.

    To propagate policies and aggregate report data for the entire organization, not per location, usually requires a separate management appliance. And vendors often specify how many enforcement appliances can be centralized per management appliance to retain logs for an adequate period of time.

    Calculations

    Revert
    gateways Close

    Some network environments are set up to backhaul all Internet traffic from some office locations to others in order to minimize the number of security appliances deployed, or because systems such as databases and app servers are centrally hosted.

    If the calculated value based on the slider is inaccurate, enter your custom value here.

    1 + INT ( ABS ( [locations] x [decentralized] - .999 ) )
    Revert
    backhaul_gateway Close

    Locations without Internet gateways and off-premises users with VPN turned on will need to backhaul their traffic over WANs through locations with Internet gateways using MPLS or VPN connections.

    For simplicity, we evenly distribute this backhauled traffic per gateway. It may not exactly match your network topology, which if large, may be very complex to specify the exact traffic routes between all locations.

    ROUNDUP ( ( ( [large_locations] - [large_gateways] ) x [large_location_traffic] + ( [small_locations] - [small_gateways] ) x [small_location_traffic] + [off_prem_backhaul] ) / [gateways] , 0 )
    Revert
    large_gateways Close

    To more accurately calculate the volume of traffic backhauled from locations without Internet gateways to those with them, we cannot assume that your users are evenly distributed.

    So there is a question about the User Distribution in the next section, which calculates how many “large” and “small” locations users work at.

    We assume that gateways are located where the majority of users are located.

    MIN ( [gateways], [large_locations])
    Revert
    small_gateways Close

    If there are more gateways than “large” locations then the remaining gateways will be at “small” locations.

    [gateways] - [large_gateways]
    Revert
    large_appliances Close

    “Large” gateways will have a higher volume of traffic (relative to “small” gateways), and hence the appliances deployed at these gateways will have higher throughput requirements.

    [large_gateways] x ( if HA="X", then { [appliance_gateway] }, else { 1 } )
    Revert
    small_appliances Close

    “Small” gateways will have a lower volume of traffic (relative to “large” gateways), and hence the appliances deployed at these gateways will have lower throughput requirements.

    [small_gateways] x ( if HA="X",then { [appliance_gateway] }, else { 1 } )
    Revert
    large_appliance_traffic Close

    In the next User Location section, we calculate the traffic volume generated by on-premises users at “large” locations.

    Here we combine to that the traffic backhauled through the “large” gateway and appliances at these locations.

    [large_location_traffic] + [backhaul_gateway]
    Revert
    small_appliance_traffic Close

    In the next User Location section, we calculate the traffic volume generated by on-premises users at “small” locations.

    Here we combine to that the traffic backhauled through the “small” gateway and appliances at these locations.

    Note that if there are no “small” gateways, then the value will be 0 Mbps.

    if [small_gateways]>0, then { [small_location_traffic] + [backhaul_gateway] }, else { "n/a" }
    Revert
    management_appliances Close

    If the centralized management feature is checked, then there will be additional manage appliances used to centrally propagate policies and aggregate report data from all the individual appliances deployed for enforcement.

    IF ( [large_appliances] + [small_appliances] ) = 1 then {0} else { if [CMR]="X", then { 1 + INT [ ( [large_appliances] + [small_appliances] ) / [enforcement_management] }, else { 0 } }

    Total Locations Help

    locations Close

    Please include all locations even if you do not deploy appliances within some offices' local networks.

    The next question on Internet Traffic Flow will determine the locations that require appliances or do not.

    Enter the number of all multi-user offices, but exclude single-user home offices.

    Internet Traffic Flow Help

    decentralized Close

    Internet gateways require an appliance to enforce policies and protections, whereas MPLS/VPN backhauls do not.

    More gateways will increase your hardware/software costs, whereas more backhauls will increase your networking costs.

    You may specify your exact number of Internet gateways by clicking the blue button to modify our calculations if the slider's values are too coarse.

    For multiple locations, use the slider to adjust the # of locations with ISP connections and local security appliances VS. the # of locations that lack local security appliances and instead routes its traffic to another location.

    Internet Gateways

    LAN traffic passes thru local security appliances [min=1]

    MPLS/VPN Backhauls

    WAN traffic routed to remote security appliances

    Features Help

    HA, CMR, & ATP Close

    High availability requires two (default assumption) appliances deployed per Internet gateway for reliable policy and protection enforcement in case of failures or disasters. We're assuming an active-passive topology; not load-balanced.

    Centralized management requires an additional appliance per every 10 (default assumption) appliances deployed for policy and protection enforcement. If your solution centralizes policy propagation and report aggregation without a separate appliance, or can support more or less enforcement appliances, please click the blue button to modify the assumptions and calculations.

    Enforcement over HTTPS requires a higher performance appliance to decrypt SSL-encoded HTTP traffic, and will increase the hardware/software costs per appliance.

    Keep these features checked to lower the managed risk costs from lost productivity, reduce support time, and to improve efficacy.

    User Location

    Show and Modify Assumptions & Calculations

    Assumptions

    Revert
    concurrency Close

    Depending on your type of organization and user behavior, devices will be connected to the Internet more or less frequently. However, with more corporate and personal cloud-hosted apps constantly maintaining Internet connections, the user concurrency rate continues to increase.

    Revert
    traffic_user Close

    Internet Traffic Growth 2012-16 (Source: https://www.ciscovni.com)

    North America Averages 2012 2013 2014 2015 2016
    Internet User Data (GB/month) 28.4 34.3 41.5 50.2 60.7
    Sustained Internet Traffic (Mbps) During Working Hours 0.37 0.44 0.54 1 0.78
    Other Data Points for Reference
    Mobile Connection Data (GB/Month) 0.6 0.9 1.4 2.4 3.9
    Mobile Connection Speed (Mbps) 1.6 2.3 3.3 4.6 6.6
    Business Fixed Internet Data (relative) 1x 1.16x 1.35x 1.56x 1.81x
    Business Mobile Data (relative) 1x 1.74x 3.03x 5.23x 9.17x
    Revert
    peak_ave Close

    The volume of traffic generated by users, their devices, and their apps requesting content will ebb and flow throughout the day. To prevent bottlenecks and high latency during peak use times, a 1.6 : 1 ratio is a conservative industry standard.

    Calculations

    Revert
    on_prem_users Close

    If the calculated value based on the slider is inaccurate, enter your custom value here.

    ROUNDUP ( [users] x [on_prem], 0 )
    Revert
    off_prem_users Close

    If the calculated value based on the slider is inaccurate, enter your custom value here.

    ROUNDUP ( [users] x ( 1 - [on_prem] ) , 0 )
    Revert
    on_prem_traffic Close

    If the volume of traffic generated by concurrent on-premises users is different than the calculated value, enter your custom value here.

    ROUNDUP ( [on_prem_users] x [concurrent] x [traffic_user] x [peak_ave] , 0 )
    Revert
    off_prem_traffic Close

    If the volume of traffic generated by concurrent off-premises users is different than the calculated value, enter your custom value here.

    ROUNDUP ( [off_prem_users] x [concurrency] x [traffic_user] x [peak_ave] , 0 )
    Revert
    large_locations Close

    Most organizations have an uneven distribution of their users across their locations. To estimate the volume of traffic backhauled from locations that lack a gateway to locations with a gateway, it can result in more accurate calculations to assume that there are “large” and “small” locations. Based on the slider position between “distributed across offices” and “concentrated at headquarters”, the # of large locations is calculated.

    If you prefer to enter your custom value instead of the calculated value, do not exceed the # of small locations.

    The higher # of large locations, the lower volume of traffic per large location. If this value is too high, the “large” locations could have less traffic throughput requirements than the “small” locations.

    IF ( [locations] = 1 then {1} else { 1 + INT ( ABS ( [locations] x ( 1 - [distributed] ) - 1 ) ) }
    Revert
    small_locations Close

    Most organizations have an uneven distribution of their users across their locations. To estimate the volume of traffic backhauled from locations that lack a gateway to locations with a gateway, it can result in more accurate calculations to assume that there are “large” and “small” locations. Based on the slider position between “distributed across offices” and “concentrated at headquarters”, the # of small office locations is calculated.

    If you prefer to enter your custom value instead of the calculated value, do not go below the # of large locations, and ensure that the sum of “large” and “small” locations is equal to your # of total locations.

    The lower # of small office locations, the higher volume of traffic per small office location. If this value is too low, the “small” locations could have more traffic throughput requirements than the “large” locations.

    [locations] - [large_locations]
    Revert
    large_location_traffic Close

    Based on the slider position between “distributed across offices” and “concentrated at headquarters”, 50 to 90% of your on-premises traffic is distributed across only your large office locations.

    Rather than modifying this calculated value, it is recommended to enter custom values for other variables used in the formula.

    IF ( [small_locations] = 0 then { [on_prem_traffic] / [large_locations] } else { ROUNDUP ( [on-prem_traffic] x [distributed] / [large_locations] , 0 ) }
    Revert
    small_location_traffic Close

    Based on the slider position between “distributed across offices” and “concentrated at headquarters”, 10 to 50% of your on-premises traffic is distributed across only your small office locations.

    Rather than modifying this calculated value, it is recommended to enter custom values for other variables used in the formula.

    IF ( [small_locations] = 0 then {0} else { ROUNDUP ( [on-prem_traffic] - [large_location_traffic] x [large_locations] ) / [small_locations] , 0 ) }
    Revert
    off_prem_backhaul Close

    If the volume of traffic backhauled from concurrent off-premises users to locations with Internet gateways is different than the calculated value, enter your custom value here.

    ROUNDUP ( [off_prem_traffic] x [VPN_on] , 0 )
    Revert
    unprotected_users Close

    Current endpoint security solutions (e.g. AV, HIPS, NAC) provides diminishing levels of protection from malware, and little to no protection from phishing or botnets.

    If an off-premises user's device does not always use a VPN connection, they cannot gain access to an organization's secure network perimeter. Therefore, they are relatively unprotected from advanced malware, botnets and phishing threats.

    ROUNDUP ( [off_prem_users] x ( 1- [VPN_on] ) , 0 )

    Total Users Help

    users Close

    Please include all users despite the fact that not every user is concurrently accessing the Internet. There is a variable assumption labeled User Concurrency Rate (default value is 30%). Click the blue button to modify this assumption.

    Enter the number of employees and average number of guests.

    Where Users Work Help

    on_prem Close

    Changes in the technology landscape, such as ubiquitous connectivity and cloud computing, has enabled users to work from anywhere, anytime.

    Do any users work remotely all or some of the time?

    Do users ever connect to cloud-hosted, Web-based CRM systems (e.g. SalesForce), ticketing systems (e.g. ZenDesk), source code repositories (e.g. GitHub), or various other systems (e.g. WorkDay) from locations outside your network environment?

    You may specify a more exact number of on- or off-premises users by clicking the blue button to modify our calculations if the slider's values are too coarse.

    For all users throughout all hours of the day, do they work on-premises (at the office) or off-premises (at home or on-the-go) or a mix of both?

    On-Premises

    Common for users with stationary desktops and where BYOD is not supported.

    User Distribution Help

    Calculates the # of large vs. small locations, gateways & appliances. (click help to see slider values).

    distributed Close
    50% of your users are distributed at 50% of your locations, and the other 50% of users are distributed at the other 50% of locations.

    To more accurately calculate the volume of traffic backhauled from locations without Internet gateways to those with them, we cannot assume that your users are evenly distributed.

    Locations with Internet gateways likely have more users than the locations without them. Since it may be time consuming to specify the exact number of users at each location, the following method offers an approximation.

    By using the slider, we classify locations as either “large” or “small”. Combined with how many locations have Internet gateways, we determine the number of “large” and “small” gateways in regards to its traffic throughput (aka. bandwidth). And depending on the number of appliances deployed per gateway, we can estimate the hardware/software cost per appliance to support the large or small volume of traffic throughput.

    You may specify a more exact number of large or small locations, gateways or even appliances, by clicking the blue button to modify our calculations.

    Distributed Across Offices

    Concentrated At Headquarters

    Off-Premises

    Common for users with roaming laptops & mobile devices; especially if BYOD is supported.

    VPN Backhaul Help

    For all devices throughout all hours of the day, is a VPN used to backhaul traffic?

    vpn_on Close

    Other than endpoint-layer security solutions such as antivirus, most enterprise-grade security is deployed at the network-layer using security appliances. And to fully protect off-premises users, many organizations require users to connect through their network environment via a VPN client.

    Considering that more and more of our business-critical systems are cloud-hosted (e.g. SalesForce, GitHub, Workday, Google Drive, Box, DropBox, ZenDesk, Base Camp, etc.), the need for users to turn VPN on to complete their work while off-premises is diminishing. And BYOD programs often allow non-managed devices without VPN clients to access this cloud-hosted data.

    Combining these two factors, estimate how often users elect (or are forced) to have VPN turned on or off. The more VPN is turned on, the higher your networking costs. The more VPN is turned off, the higher your managed risk costs.

    VPN On Backhaul traffic to office

    VPN Off Traffic direct-to-internet

  2. Review Your Costs

    Hardware/Software

    Show and Modify Assumptions & Calculations

    Assumptions

    Revert
    admin_salary Close

    2012 Average: Datamation, http://bit.ly/2012-IT-Salary-Guide

    Revert
    burdened_unburdened Close

    Employer-paid taxes, benefits, overhead, etc.

    Revert
    working_hours Close

    49 weeks/year x 5 days/week x 8 hours/day

    Revert
    workloads_admin Close

    Average number of network devices (e.g., appliances) that can be supported during the year.

    Revert
    provision_time Close

    Average time to procure, install in rack, and connect to network infrastructure.

    Revert
    reduction_bonus Close

    Only applicable if centralized management was checked & multiple appliances.

    Revert
    rack_size Close

    42 is the industry standard.

    Revert
    rack_usage Close

    Small appliances are 1 RU, large chassis-based appliances are more.

    Revert
    footprint_rack Close

    7 ft² is the industry standard.

    Revert
    facility_rate Close

    Building ownership/lease/rent and overhead administration

    Revert
    operating_hours Close

    52 weeks/year x 7 days/week x 24 hours/day

    Revert
    passive_power Close

    For passive redundant appliances in high-availability environments.

    Revert
    cooling_power Close

    The industry standard is a 1.3 to 1 ratio to power the additional facility systems that dissipate the heat from appliances.

    Revert
    electricity_rate Close

    Current Average: Energy Information Administration, http://bit.ly/US-DOE-Electric-Power-Monthly

    Revert
    support_hardware Close

    Vendor's charge annual fees for hardware warranties, and software maintenance.

    Calculations

    Revert
    support_time Close

    Rather than modifying this calculated value, it is recommended to enter custom values for other variables used in the formula.

    ROUNDUP ( [working_hours] x [appliances] x ( if CMR=1 then { ( 1 - [reduction_bonus] ) } else { 1 } ) / [workloads_admin] , 0 )
    Revert
    admin_rate Close

    Rather than modifying this calculated value, it is recommended to enter custom values for other variables used in the formula.

    ROUNDUP ( [admin_salary] x [burdened_unburdened] / [working_hours] , 0 )
    Revert
    hardware_setup Close

    This calculated value is the same shown for IT Admin Setup Labor.

    Rather than modifying this value, it is recommended to enter custom values for other variables used in the formula.

    [provision_time] x [admin_rate] x [appliances]
    Revert
    hardware_support Close

    This calculated value is the same shown for IT Admin Support Labor.

    If this value seems inaccurate, it is recommended to review the variables used in this formula as well as those variables' formulas.

    [support_time] x [admin_rate]
    Revert
    hardware_rackspace Close

    Rather than modifying this calculated value, it is recommended to enter custom values for other variables used in the formula.

    ( 1+ INT ( [appliances] x [rack_usage] / [rack_size] ) ) x [footprint_rack] x [facility_rate]
    Revert
    power_requirements Close
    Traffic Throughput (Mbps) Operating Power Vendor Appliance Retail Price
    Low High CPU kW Low Mean High
    Including Proxy-Based Anti-Malware & SSL Decryption
    0 19 1x2 0.300 $4,000 $6,000 $8,000
    20 49 1x4 0.375 $6,000 $9,000 $12,000
    50 99 2x2 0.375 $10,000 $15,000 $20,000
    100 249 2x4 0.469 $25,000 $37,500 $50,000
    250 499 4x6 0.586 $50,000 $70,000 $90,000
    500 999 8x6 1.289 $90,000 $115,000 $140,000
    Excluding Proxy-Based Anti-Malware & SSL Decryption
    0 19 1x2 0.225 $2,000 $4,000 $6,000
    20 49 1x4 0.225 $4,000 $7,000 $10,000
    50 99 2x2 0.300 $6,000 $10,500 $15,000
    100 249 2x4 0.375 $15,000 $22,500 $30,000
    250 499 4x6 0.469 $30,000 $40,000 $50,000
    500 999 8x6 0.586 $50,000 $60,000 $70,000
    Centralized Management/Reporting (No Traffic Enforcement)
    n/a n/a 2x4 0.469 $10,000 $15,000 $20,000
    Revert
    hardware_power Close

    This calculated value is the same shown for Facility Power.

    If this value seems inaccurate, it is recommended to enter custom values for other variables used in the formula.

    ROUNDUP ( [power_requirements] x [operating_hours] x [electricity_rate] , 0 )
    Revert
    hardware_cooling Close

    This calculated value is the same shown for Facility Cooling.

    If this value seems inaccurate, it is recommended to enter custom values for other variables used in the formula.

    ROUNDUP ( [hardware_power] x [cooling_power] , 0 )
    Revert
    hardware_appliances Close

    This calculated value is the same shown for Vendor Appliance Cost.

    Traffic Throughput (Mbps) Operating Power Vendor Appliance Retail Price
    Low High CPU kW Low Mean High
    Including Proxy-Based Anti-Malware & SSL Decryption
    0 19 1x2 0.300 $4,000 $6,000 $8,000
    20 49 1x4 0.375 $6,000 $9,000 $12,000
    50 99 2x2 0.375 $10,000 $15,000 $20,000
    100 249 2x4 0.469 $25,000 $37,500 $50,000
    250 499 4x6 0.586 $50,000 $70,000 $90,000
    500 999 8x6 1.289 $90,000 $115,000 $140,000
    Excluding Proxy-Based Anti-Malware & SSL Decryption
    0 19 1x2 0.225 $2,000 $4,000 $6,000
    20 49 1x4 0.225 $4,000 $7,000 $10,000
    50 99 2x2 0.300 $6,000 $10,500 $15,000
    100 249 2x4 0.375 $15,000 $22,500 $30,000
    250 499 4x6 0.469 $30,000 $40,000 $50,000
    500 999 8x6 0.586 $50,000 $60,000 $70,000
    Centralized Management/Reporting (No Traffic Enforcement)
    n/a n/a 2x4 0.469 $10,000 $15,000 $20,000
    Revert
    vendor_support Close

    This calculated value is the same shown for Vendor Support Fees.

    If this value seems inaccurate or is included in your current appliance-based renewal subscription quote, enter your custom value here.

    ROUNDUP ( [hardware_appliances] x [support_hardware] , 0 )

    Traffic Throughput Help

    traffic_throughput Close

    With appliance-delivered security and based on your environment, the throughput (in Megabits per second) required of all appliances enforcing policies and protections, in aggregate, will need to support all user-generated on-premises traffic and backhauled off-premises traffic.

    This value cannot be modified directly. Please view the inputs, assumptions and calculations on the previous page. Cloud-delivered security will support unlimited traffic throughput.

    To handle on-premises users & off-premises users with VPN.

    Appliances Help

    appliances Close

    With appliance-delivered security and based on your environment, you will need to deploy one or more appliances to enforce policies and protections at each location with an Internet gateway. And optionally, one or more appliances for centralized management and reporting.

    This value cannot be modified directly. Please view the assumptions and calculations on the previous page. Cloud-delivered security requires no comparable appliances.

    More if high availability & centralized management are checked.

    Annual

    Revert
    vendor_support_cost Close

    Appliance-delivered security vendor's charge annual fees for hardware warranties, as well as to maintain (e.g. bug fix, performance improvements) the OS and other software preinstalled on the appliance. This cost is usually separate from the single- or multi-year subscription to policy (e.g. new website categorization) and protection (new threat discovery) updates.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    Revert
    IT_support_cost Close

    In addition to the vendor's support fees, IT admins still spend many hours annually to support appliances. For example, upgrading appliances for periodic feature releases. Updating the appliance's network settings or even physically moving them between racks or connected cables. Turning knobs to balance false positives and negatives to more accurately secure their organization's users.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    Revert
    rackspace_cost Close

    Appliances require physical placement in every location with an Internet gateway. By default, this cost will be $8,400 or more based on accommodating at least one full rack. As most IT systems and their network device counterparts are shifting to the cloud, this cost can be eliminated with the help of shifting from appliance-delivered security to cloud-delivered security.

    View the assumptions and calculations for a detailed cost breakdown.

    Revert
    power_cost Close

    Appliances consume power 24x7. Unlike end-user devices, appliances have a constant high CPU utilization rate, which results in significant costs.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    Revert
    cooling_cost Close

    Appliances generate significant heat that must be dissipated. The systems to cool appliances, also consume power 24x7.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    One-Time per Upgrade Cycle

    Revert
    vendor_appliance_cost Close

    By sampling and averaging the retail prices of multiple appliance-delivered security solutions, a matrix of the appliance's recommended traffic throughput range and ability to enforce policies and protections over HTTPS was created. Based on the number of “small” and “large” appliances used for enforcement at each “small” or “large office location with an Internet gateway, as well as any appliances deployed for centralized management and reporting, this cost was approximated.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    Revert
    IT_setup_cost Close

    Appliances require physical procurement and placement in every location with an Internet gateway. Combined with avoiding or minimizing disruptions during the placement of these appliances within the network environment, which may involve changes with third-party network devices, these additional labor costs are significant.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    Networking

    Show and Modify Assumptions & Calculations

    Assumptions

    Revert
    bandwidth_rate Close

    Average: http://bit.ly/OECD-Communications-Outlook-2011 (pg293)

    Revert
    infrastructure_rate Close

    Appliance-delivered routers and ISP-delivered services are required to set-up wide area networks (WAN) and multi-protocol label switching (MPLS) networks capable of reliably backhauling traffic between office locations and from remote off-premises users.

    To simply account for all these one-time costs, an average cost per Mbps is assumed.

    Calculations

    Revert
    annual_bandwidth Close

    This calculated value is the same shown for ISP Bandwidth Fees.

    ROUNDUP ( [traffic_backhauled] x [bandwidth_rate] , 0 )
    Revert
    network_infrastructure Close

    This calculated value is the same shown for WAN (MPLS/VPN Gateway) Incremental Costs.

    It is recommended that you enter your custom value here, as this cost is very difficult to estimate per organization.

    You may have other pre-existing needs, which prevents attributing all such costs to your Web security solution. Do consider that IT systems, and where corporate data resides, is shifting to the cloud.

    So an increasing volume and proportion of the traffic backhauled through your existing WAN infrastructure is really only relevant for Web security.

    ROUNDUP ( [infrastructure] x [traffic_backhauled] x [locations] / [gateways] , 0 )

    Traffic Backhauled Help

    Between offices via WAN/MPLS and off-premises users with VPN.

    traffic_backhauled Close

    With appliance-delivered security and based on your environment, user-generated off-premises traffic will backhauled to locations with Internet gateways to protect off-network devices.

    This value cannot be modified directly. Please view the assumptions and calculations on the previous page.

    Annual Help

    Revert

    bandwidth_cost Close

    The traffic backhauled will consume bandwidth supplied by your Internet service provider. As network environments become more distributed, roaming laptops and mobile devices become more powerful, ultra-fast connectivity becomes ubiquitous over Wi-Fi networks and carrier wireless, the cost of backhauling this traffic is significant.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    One-Time per Upgrade Cycle Help

    Revert

    gateway_cost Close

    In order to support backhauling traffic from locations without Internet gateways and off-network devices, there will likely be incremental WAN costs. And the adoption of cloud-hosted apps is rapidly decreasing the need for such network infrastructures to be maintained at all.

    View the assumptions and calculations for a detailed cost breakdown. Cloud-delivered security does not have comparable costs.

    Managed Risk

    Show and Modify Assumptions & Calculations

    Assumptions

    Revert
    national_salary Close

    Average 2012 US National Salary: http://www.ssa.gov/oact/cola/AWI.html

    Revert
    records_user Close

    Consider the ratio of customers to employees of your company

    Revert
    failure_probability Close

    There's a statistical probability that over a year an appliance enforcing policies and protections 8736 hours annually will have either a hardware failure or software bug that causes it to go offline.

    Provide your assumption for this probability, which will matter if there's no automatic failover provided by a redundant appliance topology.

    Revert
    disaster_probability Close

    There's a statistical probability that over a year a gateway location enforcing policies and protections 8736 hours annually will have a disaster that cuts of Internet connectivity for backhaul locations and off-premises users, in addition to on-premises users.

    Provide your assumption for this probability, which will matter if there's no automatic failover provided by a backup site topology.

    Revert
    failure_recovery Close

    When there is an appliance failure, how long will it take for you to diagnose the point of failure in the network, then either replace the hardware or restart the software?

    Revert
    disaster_recovery Close

    When there is a site disaster, how long will it take for you to restore Internet connectivity to this site, or change your network infrastructure to redirect backhaul locations and off-premises users to send their traffic to a different site (assuming one even exists)?

    Revert
    infection_probability Close

    There's a statistical probability that over a year an unprotected off-premises user that works on average 1960 hours annually will visit a website, which infects their computer because the endpoint security solution did not detect the threat.

    Provide your assumption for this probability, which will matter if the user has VPN turned off.

    Revert
    breach_probability Close

    There's a statistical probability that over a year an infected device will steal your data or breach your network by phoning home to a botnet controller.

    Provide your assumption for this probability, which will matter if the user has VPN turned off.

    Revert
    malware_remediation Close

    When the user's device is infected with malware, and the user or another security solution eventually detects it, how long will it take for IT to remediate the device.

    Revert

    Calculations

    Revert
    failure_downtime Close

    This calculated value is based on the proportion of on-premises users' working hours to appliances' operating hours, and the number of hours a user may experience downtime while IT recovers after a failure.

    ROUNDUP ( [working_hours] / [operating_hours] x [failure_probability] x [failure_recovery] , 0 )
    Revert
    disaster_downtime Close

    This calculated value is based on the proportion of off-premises users' working hours to appliances' operating hours, and the number of hours a user may experience downtime while IT recovers after a disaster.

    ROUNDUP ( [working_hours] / [operating_hours] x [disaster_probability] x [disaster_recovery] , 0 )
    Revert
    downtime_labor Close

    This calculated value is the same shown for Lost Productivity due to appliance failure/site disaster.

    In today's Internet-connected work environment, the inability to access the Internet results in lost productivity.

    ROUNDUP ( [failure_downtime] x [on_prem_users] x [concurrency] + [disaster_downtime] x [off_prem_users] x [concurrency] ) x [employee_rate]
    Revert
    employee_rate Close
    ROUNDUP ( [national_salary] x [burdened_unburdened] / [working_hours] , 0 )
    Revert
    remediation_user Close

    This calculated value is based on the statistical probability of an user's device becoming infected during normal working hours as they access the Internet off-premises without sufficient protection.

    ROUNDUP ( [infection_probability] x [malware_remediation] , 0 )
    Revert
    remediation_labor Close

    This calculated value is the same shown for Lost Productivity due to malware remediation.

    In today's Internet-connected work environment, the inability to safely use our computers due to an infection results in lost productivity. And it consumes IT staff resources from doing more productive activities that may turn IT into a profit center for the business.

    ROUNDUP ( [remediation_user] x [off_prem_users] x ( [admin_rate] + [employee_rate])
    Revert
    breach_incidents Close

    This calculated value is based on the statistical probability of an user's infected device as they access the Internet on- or off-premises without effective botnet containment.

    Most solutions rely on Web-based proxies, which are not app, protocol and port agnostic to be able to detect and block phone home attempts occurring over non-Web channels such as P2P, IRC or DNS tunneling.

    ROUNDUP ( [unprotected_users] x [infection_probability] x [breach_probability] , 0 )
    Revert
    legal_fees Close

    This calculated value is the same shown for Legal Fees.

    It is recommended that you enter your custom value here, as this cost is very difficult to estimate per organization.

    Assuming a breach occurs in which your organization's customer records were stolen, you will be accountable by law to notify and in many cases provide fraud protection for every customer.

    ROUNDUP ( [breach_incidents] x [incident_rate] x [users] x [records_user] , 0 )

    Annual

    Revert
    downtime_cost Close

    Appliances do not guarantee 100% uptime. Software can glitch. Hardware can fail. To mitigate the risk of end-user lost productivity during downtime, IT admins need to deploy two or more appliances per Internet gateway in a high-availability topology.

    If there are locations without Internet gateways or off-premises users that connect to Internet gateways, then there is also a need to setup high-availability across multiple locations.

    Some appliance-delivered security solutions do not natively provide this support, and additional third-party network devices are needed.

    View the assumptions and calculations for a detailed breakdown.

    Revert
    remediation_cost Close

    Appliance-delivered security solutions are blind to off-premises users, unless their devices connect back to the network via a VPN. If VPN is not always-on, these users, during these times, risk exposure to malware infecting their devices without the protection of a secure network environment.

    View the assumptions and calculations for a detailed breakdown.

    Revert
    breach_cost Close

    Appliance-delivered security solutions are blind to off-premises users, unless their devices connect back to the network via a VPN. If VPN is not always-on, and these users' devices become infected, there is a probability of a major data loss / network breach incident due to the inability of many endpoint security suites and even security appliance to prevent the infected device from phoning home to botnet controllers, which often use non-Web communications.

    View the assumptions and calculations for a detailed breakdown.

  3. Calculate Your Savings

    annual_costs Close

    Appliance-delivered security results in significant recurring costs above and beyond the initial one-time purchase and renewal subscription.

    Cloud-delivered security does not have comparable costs.

    This value cannot be modified directly. Please view the costs, assumptions and calculations on the previous page.

    [vendor_support_cost] + [IT_support_cost] + [rackspace_cost] + [power_cost] + [cooling_cost] + [bandwidth_cost] + [downtime_cost] + [remediation_cost] + [breach_cost]
    lifespan Close

    The industry standard ranges from 3 to 5 years.

    one_time_costs Close

    The rapid velocity and pace of change in the technology landscape is disruptive to IT. Device diversity, ubiquitous connectivity, cloud services and virtualization is overwhelming current appliance-delivered security solution's ability to scale as well as retain visibility and control. The threat landscape is evolving to exploit these new technologies. Crime-as-a-service, imperfect software, gullible end users, and targeted attacks continue to outpace appliance-delivered security solution's ability to collect and react to new samples of malware or copies of attacks. The need to upgrade or add new appliance-delivered security solutions is never-ending.

    Cloud-delivered security can be more than a point product. If built properly, it can be a scalable and modular platform that eliminates customer-initiated upgrades.

    This value cannot be modified directly. Please review the costs, assumptions and calculations on the previous section; and feel free to customize any of them.

    [vendor_appliance_cost] + [IT_setup_cost] + [gateway_cost]
    competitor_quote Close

    The vendor's annual hardware/software support costs were already assumed and calculated in step 2. So include just the cost to renew your one or multi-year subscriptions for policy (i.e. new feature) and protection (i.e. new threat) service updates.

    total_cost_of_ownership Close

    Your comprehensive cost to own appliance-delivered security for one or more years. Please review the costs, assumptions and calculations in the previous section for a more detailed breakdown, and feel free to customize any of them.

    [annual_costs] x [lifespan] + [one_time_costs] + [competitor_quote]
    umbrella_quote Close

    Umbrella is a 100% cloud-delivered Web security service. We require no additional hardware/software or networking costs.

    Umbrella is built on a DNS-based platform with Anycast routing that ensures enforcement over any protocol (including HTTPS) and 100% global network uptime, so the managed risk costs are mitigated.

    Umbrella's cloud-managed dashboard centralizes policy configuration and aggregates report data by default. And our service is always up-to-date.

    Hence, Umbrella's subscription quote is your cost of ownership relative to your current appliance-delivered security. NOTE: The quote's term should be for the same number of years as your useful appliance lifespan.

    Request a Quote

    Quote Required to Calculate

    Umbrella Cloud-Delivered Security

    Current Appliance-Delivered Security

    • Hardware/Software Help
      Appliance Close

      This value cannot be modified directly. Please view the costs, assumptions and calculations on the previous page.

      Cloud

      Umbrella does not require purchasing, deploying or maintaining any hardware or software.

    • Networking Help
      Appliance Close

      This value cannot be modified directly. Please view the costs, assumptions and calculations on the previous page.

      Cloud

      Umbrella does not require backhauling traffic to your on-premises networks.

    • Managed Risk Help
      Appliance Close

      This value cannot be modified directly. Please view the costs, assumptions and calculations on the previous page.

      Cloud

      Umbrella provides 100% global network uptime to eliminate the risk of lost productivity due to service downtime. Umbrella provides always-on security even when devices are outside the network perimeter, so we reduce the risk of lost productivity due to malware remediation when users are not protected off-premises.

    • Subscription Help
      Appliance Close

      Your current costs to keep your software up-to-date and hardware maintained/warrantied.

      Cloud

      Please request a custom quote to input. Click the orange button.

Request a Quote

Security Without Appliances

A shift to Umbrella's cloud-delivered Web security dramatically improves the efficacy to block advanced malware, botnet and phishing threats with enterprise-class coverage, performance and accuracy.

Improved coverage is achieved by securing the mobility of your users on any device, everywhere. Backed by the world's largest Internet-wide security network, which delivers powerful app, protocol and port agnostic threat protection.

Improved performance is achieved by leveraging the OpenDNS Global Network with unlimited scalability and always-on reliability. Anycast routing, 19 data centers and over 200 BGP sessions, results in 100% global uptime since service inception in 2006 and zero net new latency.

Improved accuracy is achieved by harnessing big data analytics and real-time machine learning systems to predict the Internet host origins of unknown malware, botnet and phishing threats.

Huge TCO savings over renewing your current appliance-delivered security is achieved by improving the solution's manageability to provision, setup, enforce and support Web security on any device, everywhere.