The case for server consolidation in the data center (and even in more sizable server rooms) is well understood. Organizations and service providers can accrue all kinds of interesting benefits by trading in or replacing large numbers of standalone server enclosures or older 1u/2u/4u 19" rack-mounted server units.
In the world of information security appliances, similar opportunities for consolidation are beginning to present themselves. In this tip, we'll discuss those opportunities for security hardware consolidation and learn how security solution providers can take advantage of them.
With server hardware consolidation, the units that replace multiple large standalone or modular servers are typically blade server enclosures. These units are 5u or 10u in size (a normal rack offers up to 42u of capacity), each of which can accommodate 8 to 16 blade servers. Other types of blade devices include switching, routing, storage, SAN and Fibre Channel blades. Uninterruptible power supplies and sometimes even cooling channels may also be integrated into equipment racks as individual rack-mounted components.
Many of the benefits associated with server hardware consolidation -- including increased processing power, reduced electricity usage, ease of management and ultimately reduced cost -- also apply to consolidation of security appliances. Savvy VARs and solution providers can take advantage of the benefits that security consolidation can offer to create opportunities for new business, and to help their customers improve their security and compliance postures at the same time. With fleets of discrete, independent security appliances -- which can include routing, firewall, XML and content filtering, VPN, intrusion detection and prevention, spam screening and antimalware -- the benefits of removing collections of multiple such appliances per site and replacing them with more modern, powerful and all-inclusive boundary security appliances can make a compelling economic argument, even in today's tough economy.
In general, undergoing a security hardware consolidation effort and reducing the overall number of security appliances that are acquired, provisioned and maintained usually results in savings of many kinds for IT organizations. These include:
- Outright acquisition costs, where fewer, more expensive, multipurpose security appliances produce smaller aggregate total costs than do significantly larger numbers of less expensive, single-function appliances.
- Facilities space, where a reduction in the number of appliances by a factor of 3 to 5 can also significantly reduce overall rack space requirements for security appliances.
- Power and cooling requirements, where a similar reduction in the number of security appliances reduces cooling and power needs overall.
- Manpower and support costs, where replacing a larger number of security appliances from multiple vendors with a smaller number of appliances from fewer vendors entails reduced needs for training, patches and fixes to software and firmware, and a lower overall volume of support calls and related troubleshooting and problem-solving activities.
These benefits should be quite familiar to sales professionals used to dealing with enterprise and SMB customers making the transition to high-density data center technologies.
On the other hand, certain aspects of security hardware consolidation are unique to that product space, and can help create a heightened sense of urgency to tighten up the sales cycle. These include the following items and elements:
- Reduced support and subscription costs: Most security environments require constant software or signature updates to keep up with new threats and to counter newly discovered vulnerabilities. Consolidation may permit buyers to pay for a single subscription that covers everything from malware, to firewall rules, to spam and other content filtering, rather than individual subscriptions for each one. The same goes for annual support costs, where a single payment replaces multiple such outlays.
- Access to 24x7x365 management, support and protection services: Many of the companies that offer do-it-all security appliances also offer service plans to back them up with security response teams that are on duty around the clock, all the time.
- A single consolidated security appliance presents a smaller and less complex attack surface to the outside world, and will generally be designed to implement "defense-in-depth" (a layered security model) to protect the network core, endpoints on the network periphery, and end users, systems and servers alike. Layered security helps to address possible inadequacies in single security products with multiple layers of coverage, so if any single layer is breached, another layer presents itself to thwart attacks. By combining multiple functions into a single consolidated security appliance, designers can better coordinate and control the implementation of layered security, and offer better protection against attacks, vulnerabilities and exposures than any collection of discrete appliances.
- Coordination of VPN and remote access and management services: Ensure that security inside the network periphery can be properly and safely extended to remote sessions outside those boundaries.
- Finally, and perhaps most importantly, deployment of a single consolidated security appliance can significantly reduce the time and effort necessary to learn, maintain and manage a collection of appliances. A single management console and reporting structure replaces a collection of such things, and requires less effort for staff to learn and manage than a handful of different consoles, features and function sets.
Major security vendors are increasingly turning to all-in-one security appliances to enable their customers to consolidate and simplify their information security infrastructure. Examples of such product families include the following:
- Juniper SRX Series Gateways
- Cisco Adaptive Security Appliances (ASA)
- Fortinet FortiGate family of multithreat appliances
- SonicWALL UTM firewalls
These security appliances offer varying numbers of VPN and simultaneous user connections and network bandwidth at a variety of price points, but all of them combine routing and switching functionality with firewall and UTM support to deliver truly consolidated security appliances that can help organizations reduce costs and complexity.
Work with your favorite vendors to develop and convey a "consolidation sales story" that will appeal to your target customer base. Such a story should include the standard and well-understood benefits of consolidation at the device level, such as cost savings on energy (both to power security devices and to maintain proper operating temperatures) and rack space, and in human costs through reduced training, maintenance and upkeep. But the real and most pronounced benefits come from improvements in layered security coverage -- especially from a reduced attack surface and better integrated "defense in depth" -- and from reduced needs for staff training, management and upkeep thanks to a smaller number of devices and the management consoles that go with them. In general, solution providers can and should ask vendors of such "do-it-all" security appliances for ammunition and insight in building their sales stories -- a request with which such vendors will usually be more than happy to comply, because it helps their bottom lines, too!
About the author:
Ed Tittel is a full-time freelance writer based in Round Rock, Texas, and a contributor to the upcoming 5th Edition of the Sybex CISSP Study Guide (due out in December, 2010). He writes regularly on security topics for numerous TechTarget websites, InformIT.com, and PearsonITCertification.com.