secure hybrid work Archives | Axis Security
https://www.axissecurity.com/tag/secure-hybrid-work/

Dirty appliances: The hidden environmental costs of VPN gateways
https://www.axissecurity.com/dirty-appliances-the-hidden-environmental-costs-of-vpn-gateways/
Mon, 17 Oct 2022 16:23:44 +0000

Another reason not to like your VPN.

In networking we often discuss routing, packets, protocols and latency.  It’s always been our lifeblood and our passion.  Another area we are passionate about is hardware.  A new router, firewall, switch or network appliance will elicit numerous debates and send us to a world of what if?  What if I deployed this box to my network?  How would it impact it?  Would it make the network faster?  Would it make my job easier?  Now, one topic we don’t discuss is the “green” impact of this new box. 

Our networks are complex, costly and, truth be told, they impact the world around us. At Axis Security, we often refer to the journey of Amy in HR. Amy is part of the hybrid workforce. Her day begins in her home office, which is located at the kitchen table of her house. Every day Amy must use the corporate VPN to access the applications she requires to complete her job. Her journey looks like this.

Amy must run a virtual gauntlet of IT network and security hardware appliances.  Typically, this may include a series of seven systems each with a redundant twin for high availability.   

So, what is the impact of these 14 boxes on our planet?  Let’s break it down.  

Amy’s point of entry is the data center firewall. Typically the firewall is the second most power-consuming device. For our scenario, we will select a Palo Alto Networks PA-5430 firewall. The power rating for this device comes in at 630 watts. Since our design is redundant, we will need two of them. Therefore, the total for the two is 1260 watts.

Next up is the Denial of Service appliance. This time we will go with a product from Cisco Systems. The selection will be a Cisco Defense Pro 20. Its power requirements are rated at 320 watts. Again, we will need two for high availability, so the number is 640 watts.

NAC and ADC are next in the path.  While there are appliances in this area, we will leverage Cisco ISE.  While we could build this out a number of ways, let’s keep it simple and call it two servers running a dedicated application.  Power requirements will come in around 850 watts per server.  Again, we need two so 1700 watts is our total for NAC and ADC.  

On to the SSL!  For the SSL decryption, we will go back to Cisco.  The Cisco Firepower 5555 is our most efficient solution at 134 watts at peak.  We need two so 268 watts is our number!

Now comes the IPS system.  Again, we will go with a Cisco Firepower product, the 9300 appliance.  Unlike the Firepower 5555, the 9300 is power hungry at 1000 watts for both.  

And we are almost done.   One more firewall to go!!  Again, we’ll go back to Palo Alto Networks.  Add a pair of PA-5430 at 1260 watts.  

Now that we’ve completed Amy’s journey from a network and security appliance point of view, let’s add up our power budget and determine the power costs as well as most importantly, the impact on the planet.  

The power budget comes to 6,128 watts at peak.  Based on a cost of power at .32 per kWh, at 24 hours a day, creating 146 kW/h per day (aka 53,681.28 kW/h per year), our total per datacenter cost comes to $17,178 each year – just in electricity costs.  This doesn’t include Manufacturing costs either.

But what is the total carbon impact? We used the free Greenhouse Gas Equivalent calculator provided by the EPA and found that 53,681.28 kW/h per year is equivalent to 25.6 tons of CO2 per datacenter! That is equivalent to what 27 acres of US forests sequester per year. Check out some other interesting equivalencies below.

A report commissioned by Statistica found that 73% of companies have 3 to 5 data centers in use. 40% of companies have 6 or more! 

So if we assume 5 data centers for each Fortune 2,000 company (most will likely have more), the electricity costs alone for the VPN gateway would be $85,890 per year (again only for electricity). The environmental impact would be a whopping 128 tons of CO2 emissions. Multiply that by 2,000 Fortune companies and that’s 253,475 tons of CO2 emissions, the equivalent of the carbon sequestered by 272,129 acres of US forests.

That’s a lot of green, for too much green. It’s time to say bye to hardware-based VPN and move to a new software-based solution designed using the Security Service Edge framework. It can be delivered from the Cloud, from data centers with carbon offsets. The result: better for the environment, better for the planet and, likely, lower cost.

If you’re ready to say goodbye to VPN, we’ve got your back. Let us buy out your VPN contract and replace it with our Atmos ZTNA solution, part of our Atmos Security Service Edge (SSE) platform.

CxOs: Here’s how to budget for success during your Security Service Edge (SSE) project
https://www.axissecurity.com/cxos-heres-how-to-budget-for-success-during-your-security-service-edge-sse-project/
Thu, 06 Oct 2022 19:52:11 +0000

Make budgeting easier when it’s time to modernize your access infrastructure.

The air has a crispness to it, kids are back in school and the afternoon shadows are growing longer. For me, Fall has always been the season when the last revisions for projects and business as usual (BAU) budget requests were finalized. It was one of the last opportunities to dial in the plan of work for the upcoming year as well as align the projects with the critical financing which makes it all possible. If you are considering a Security Service Edge (SSE) project for 2023, here are some tips as you enter the final lap of budgeting season.  

Create the map

The most critical aspect is the scope. Implementing an SSE project is a journey. It’s not something you accomplish overnight or even a year. Often, these types of projects take multiple years. So, start with a phased plan.  Determine what your first phase is as well as the follow-on aspects of your journey.  Set guideposts and determine the schedule. Think in terms of 6 months. What do you want to accomplish in H1 and H2? What is the order? Understand which technologies in your portfolio will be impacted and the timing for each. Based on this, take inventory. Create a schedule to replace each item.  

Technology meet finance 

Once you have the list of technologies that the project will impact, attach them to a proposed schedule. Now it is time to work on the details. As simple as it may seem to replace one technology with another, unfortunately, it is not. Here’s where technology meets the real world of finance. Your roadmap for the journey must align with the interests of your finance department. And trust me, this is where projects and budgets get complex fast!! But keep in mind, by doing the hard work upfront, you will lower the inevitable amount of budget friction in your future. The key here is to take inventory of the technologies impacted and then align them with terms the finance team will understand. 

OpEx, CapEx, BAU….. Oh my!

You need to be aware of how each item is treated. Is it an OpEx or CapEx expense? Is there a “Business As Usual” (BAU) line item associated with it? If the item is CapEx based, is the item on the depreciation schedule? Is it 12 months into a 36 month depreciation schedule? If so, the finance team is going to frown upon your proposed replacement plan. As you will find out, much like Cloud, SSE tends to be weighted on the OpEx side of the coin. What this means is you will need to learn how to trade in CapEx investments for OpEx ones. For example, are you proposing to move off a legacy firewall that is listed at $100K and depreciated on a 3-year schedule? If so, you will not be able to trade the amount dollar for dollar in year one. Rather, from the financial perspective, you will need to divide by three. Thus $100K becomes $33K for budgeting.

Make friends and reduce the budget friction

If these terms and concepts are new to you, this is when you make fast friends with your resource on the finance team. As a technology leader, you must understand the complexities of how finance views technology investments. Ask questions. If you are not familiar with the terms finance is using, ask them for a lesson. The more you can speak their language, the more success you will have on your SSE journey. Once you get the finance side of the coin dialed in, you can determine if your project plan is possible or not. Based on this, revise your project plan and timelines.

Eating the whale, one bite at a time

Next, break down the phases into digestible units. Now that you know where each item fits within the technology and finance puzzle, you can start putting your overall project together. Maybe during the financial analysis, it was determined a key VPN gateway was just purchased 18 months ago but the Secure Web Gateway (SWG) subscription is up for renewal in March. If so, it would be a good idea to pivot your project and tackle the SWG first and VPN in the following year. This will help you not only in the coming year but also create a multi-year story from both the finance and technology angles. The more you can help guide finance over 12, 24, and 36 months, the less time you will need to spend on constantly revising your budgets. You will quickly find out the finance team prefers the predictable path. At the end of the day, your job is to be the storyteller from both a technology and financial perspective.  

SSE value calculator

And to help you with your story, Axis has created an SSE Value Calculator. It allows you to take the puzzle pieces of your project and help guide you on your journey. The value calculator will help you to put the story together. It includes common inputs such as investments in services like SWG, VPN gateways, and CASB along with expected savings by transitioning from costly MPLS transport to Internet connectivity. You can also consider cost savings such as reduced operational overhead for managing SSE services vs traditional approaches. You can even run “what if” scenarios. The output will help guide you to success in both the technology area as well as the finance one too. It will also assist you in determining how to accomplish the best Return on Investment (ROI). Keep in mind, at the end of the day, all IT projects are business projects. The link is here – https://www.axissecurity.com/atmos-value-calculator/

If you have questions, feel free to reach out.  Hopefully, your Fall is full of fun and excitement!  

Five People That Should Make Up Your Modern Day ZTNA Tiger Team
https://www.axissecurity.com/five-people-that-should-make-up-your-modernztna-tigerteam/
Tue, 02 Aug 2022 13:00:00 +0000

The importance of a multidisciplinary skill set, and the teammates you’ll need to succeed – based on 80s TV crossover episodes!

As a kid who grew up on a steady diet of network TV in the 80s, I always got excited when a crossover was teased at the end of an episode. Take the original Magnum PI starring Tom Selleck. There were several. Magnum and Hawaii Five-O… classic. Simon and Simon on the case with Higgins and Thomas Magnum in 1982, that was a good one! And who could forget Jessica Fletcher (Angela Lansbury) using her detective skills in the episode ‘Novel Connection’! Another timeless crossover success!

When it comes to deploying Zero Trust, you need a similar approach.  You need what I call the silo crossover episode!  If you leave it to one silo or one group to evaluate, select, deploy and operationalize Zero Trust, your chances of success are going to be low.  So, who’s on the team, who should you partner with to create your Zero Trust crossover show for success?

Based on my many conversations with prospects, customers and my network of peers, here is my recommendation for your killer crossover Zero Trust team.

The Modern Day ZTNA Tiger Team

1) First, start with a business champion. To bring a transformational security strategy like Zero Trust successfully from inception to production, you need someone who will provide top cover for the project.  The business champion is the go-to resource when (because it will) the project goes sideways.  Often, this can be due to competing business priorities, resource conflicts, alignment between IT silos and so on.  We’ve all been there and seen the impact one person can have on a project, good and bad.  The business champion is the person you need to clear the lanes for success.  Make sure you have one!

2) The second team member is likely to be the most important. You need an excellent Business Analyst. You need someone who can act as the bridge between the company and the IT team. To quote one of the fathers of Zero Trust, Paul Simmonds, “Zero Trust is not an IT Security project, it is a Business Project”. What Mr Simmonds is referring to is that, at the end of the day, the project is “all about the data” and making risk-based decisions based on the identity of all the components in the transaction chain. So, you will need a person who is adept at breaking down business processes, understanding the critical components and helping IT to design a solution that is based on “yes” vs slowing the business down or breaking a critical process. Select wisely here.

3) Next is the security resource. A Zero Trust project is about changing the way security is viewed. Zero Trust flips the script on the traditional approach where a firewall is the demarcation line between resources which are trusted and untrusted. In today’s modern IT landscape, the utility of a firewall to secure, detect and protect the enterprise is waning quickly. This is because the crown jewels (people and data) now exist beyond the walls of the enterprise. With distributed applications and now a distributed workforce, these critical resources exist in every nook and cranny of the Internet. Therefore, the security engineer is essential as the advocate of change. You need a resource who understands the technology options available, can explain them in layman’s terms, and knows how to leverage solutions such as zero trust private access, secure web gateway and cloud access broker as well as data loss prevention.

4) The fourth is one of the most critical resources.  An identity engineer.  As applications, as well as the workforce, get up and leave the corporate data center and corporate campus, creating and operating a solid identity program is essential to the project and the ongoing care and maintenance once the solution is deployed. Look for the resource who understands how identity can be leveraged in both SaaS and on-prem applications.  A resource who is willing to do the dirty work of uncovering years and years of privilege debt.  Meaning those employees who have moved around the organization and gained more and more rights even though these additional privileges are not required to perform their current job.  You need a person who is technical but who is also willing to dig in with the operations team to both resolve identity debt and consider how they can make the operations team’s life simpler.  This may sound like a unicorn but with the proper mindset and guidance, I’ve seen this sort of magic develop during a project!

5) The fifth member of the team must come from the end user compute team. It’s essential for someone to understand the world of devices, OSs, client software and posture checks, and to know how to deploy and manage a fleet at scale. While Zero Trust is a strategy, you must also leverage technology to achieve your goals. One of the goals that must be foremost in your mind is setting up your workforce for success. Having the right person to guide the conversation and act as the voice of “user experience” is critical. I’ve seen a number of projects where the technology selection did not include the client technology team. The result is the project dies a stillborn death during the rollout and millions of dollars are never utilized because the impact on the customer, the employee, is so poor. Do not discount this role during the project.

The last two team members are also essential. Make sure to include the network team. Find a top-notch network engineer who understands remote access, campus and Cloud-based networking. You need all of them to be successful in the arena of Zero Trust. While the remote access aspect is obvious, campus networking is thinking forward. As the world transitions out of the pandemic, workers will return to the campus and branch. In that process, the enterprise will have an opportunity to rethink how to secure the campus and the branch. Legacy technologies like NAC will be heavily scrutinized as they are expensive to operate and brittle. Modern ZTNA solutions like the Security Service Edge (SSE) will soon become the answer as both the cost and operational simplicity will outweigh the heritage approach of the past. Don’t miss out on this opportunity!

The last member of the core team is the project manager (PM). Here, select wisely. A good PM is a difference maker. As the individual team members will also do their normal job duties, having someone to keep “all the plates spinning” is a must-have requirement. I’ve been on plenty of projects in which the outcome of the project was decided by the quality of the PM. Do your homework! Look for a person who is good at breaking down the tasks, has the gift of foresight to see if there is danger ahead and also, maybe most importantly, is diplomatic when working both within the team and outside the team. It is often the hard conversations which are required, which, in the end, save the day. Do your homework here. Get the best PM available. Don’t accept a lesser quality PM (and this is a great area to leverage your project champion)!

There you go. Your core team for success with Modern Zero Trust!! If you have questions, please reach out. I am happy to work with you on your journey. Also, if you want to discuss your favorite crossover TV episodes from the 80s, hit me up on LinkedIn!
