Free Forefront Protection? An Investigation into Hidden Costs

© 2011 IT-Harvest. This paper is sponsored by Trend Micro.

Richard Stiennon, Chief Research Analyst, IT-Harvest



Key Findings

This white paper investigates Microsoft’s recent updates to ECAL pricing and changes to Forefront Security Suite in its Enterprise Client Access License (ECAL). Four primary arguments are presented to demonstrate that the total cost of ownership of Microsoft Forefront Security Suite is higher than that of best-of-breed products from a third-party vendor.

1. There are additional investments in supporting Microsoft services that are not included in ECAL.

2. Deployment, management and maintenance of Forefront require additional investment in Microsoft infrastructure.

3. Microsoft’s lack of protection for non-Microsoft products means continued investment in security for Unix platforms and does not address the consumerization of IT.

4. Signature updates for Forefront require Microsoft Software Assurance.

Introduction

Since its acquisition of Whale and Antigen, Microsoft has been slowly enhancing the Forefront Security Suite for endpoint protection and gateway filtering. Its most dramatic enhancement in 2011 was to incorporate endpoint protection management into the SCCM console. Further enhancements to the management console are expected in the December 2011 release. Microsoft’s message to current customers with Enterprise Client Access Licenses (ECAL) is that Forefront Endpoint Protection is FREE. Is it truly free or are there hidden costs?

This white paper evaluates that “free” claim by examining the additional costs associated with deploying Forefront and abandoning third-party anti-malware solutions. Direct costs include the additional licenses for server products, very high costs for support, and the hidden cost of Software Assurance licenses. We also look at the holes in Microsoft’s protection strategy represented by the proliferation of devices (consumerization of IT), multiple OS platforms in most data centers, and the lack of cloud leverage for just-in-time protection.

Microsoft has successfully leveraged its near monopoly in the enterprise desktop operating system and productivity tools to make deeper gains in the data center through its server offerings including: Windows Server, Forefront Threat Management Gateway 2010 Server, MSQL, Exchange, Certificate Server, and SharePoint Server.

One aspect of computing infrastructures that can be decoupled from network, desktop and server platforms is security. Ironically, the argument has been well made that the very security problems plaguing most organizations (rapid spread of malware, targeted attacks, and drive-by downloads from malicious web sites) are attributable to Microsoft’s domination of so many computers worldwide. This monoculture of computing platforms means that malware created to infect home users with Trojans meant to steal their banking credentials also infects enterprise desktops, servers, and infrastructure. In other words, in their quest to dominate as much of corporate computing budgets as possible, Microsoft has created a worldwide security problem that entails investment, lost time, management, compliance and reporting requirements to control. Microsoft’s Forefront product suite was acquired in an attempt to address these security issues and protect their dominant position in the enterprise.

Enterprise Client Access Licensing

Microsoft’s Client Access License (CAL) is a blanket end user license agreement that is purchased on a per-server/per-end user basis. It is separate from desktop licensing for Windows, Office or other applications. The Core CAL agreement grants access to Windows Server 2008, Exchange Server 2010, Office SharePoint Server 2010 and System Center Configuration Manager (formerly Systems Management Server). Access to additional services is available piecemeal, either at à la carte pricing or bundled in the Enterprise CAL license (ECAL). These additional services are:

| Product family | Server CAL | Core CAL Suite | Enterprise CAL Suite |
|---|---|---|---|
| Windows Server | Windows Server Standard | • | • |
| Windows Server | Active Directory Rights Management Services | | • |
| Exchange Server | Exchange Server Standard | • | • |
| Exchange Server | Exchange Server Enterprise | | • |
| SharePoint Server | SharePoint Server Standard | • | • |
| SharePoint Server | SharePoint Server Enterprise | | • |
| Lync Server | Lync Server Standard | • | • |
| Lync Server | Lync Server Enterprise | | • |
| System Center | System Center Configuration Manager | • | • |
| System Center | System Center Client Management Suite | | • |
| Forefront | Forefront Protection Suite | | • |
| Forefront | Forefront Endpoint Protection | • | • |
| Forefront | Forefront Unified Access Gateway | | • |


These Enterprise additions to the Core CAL, if purchased separately, can cost $256.00/year (System Center Operations Manager Client OML is $32 per license, for instance), but if purchased as an ECAL bundle they cost $86 on top of the Core CAL pricing. Many Microsoft customers purchase the ECAL bundle to get the additional functionality of one or two services but do not use the full suite.

Note that ECAL does not include MSQL or Terminal Services CAL, and that this would be an additional purchase if the customer is not currently licensed for these at a cost ranging from $148.22 - $187 per user license.

This gives rise to the question: Should an enterprise that has the full ECAL licensing drop their use of a third party anti-virus product because the ECAL suite incorporates Forefront security? Enterprises considering this question should be aware that there are three reasons that using the marginally “free” Forefront security products entails additional costs. Sometimes free is not free.

1) Direct costs in additional Microsoft licensing requirements and support fees.

The list pricing for Forefront Security Suite starts at $12.72 per user or device, per year, for the security agent. Microsoft Forefront Endpoint Protection uses Microsoft System Center Configuration Manager (SCCM), which could require additional server acquisitions for most large enterprises. The management console is supposed to support up to 10,000 clients. A large installation would involve multiple licenses for the management consoles along with the costs associated with maintaining the additional Microsoft servers.

Forefront Endpoint Protection uses Microsoft SQL Server 2005 (Standard Edition or Enterprise Edition) for detailed report and log generation. SQL Server 2005 Enterprise Edition is needed to support more than 2,000 clients and can be purchased with the Server Subscription License (SSL) for Forefront Security.

Microsoft customers interviewed for our research reported that getting premium support for the Forefront security solutions to resolve issues on a timely basis required them to upgrade their support contract for all of the products bundled in ECAL; it could not be broken out separately. This could be extremely expensive, as Microsoft’s top level of support, Premier Mission Critical, can cost between $200K and $1 million based on the complexity of the deployment. Other levels of support; and Premier Plus, are available in hourly blocks whereas Premier Ultimate is a 24x7 service.

A decision to switch to Forefront client and server security based on Microsoft claims that it is “free” should not be made until the support service costs have been accounted for as well as the server license costs for a large deployment. An anti-malware solution from a non-Microsoft source will have dedicated support options at lower total costs.


2) Hidden costs in expanding the Microsoft monoculture.

Every business has to evaluate risks associated with vendor lock-in. Not only are there risks that the vendor could discontinue support for a particular offering but it also creates a cycle of increased lock-in as the vendor continues to offer more and more products inducing the customer to move to those new products, consolidate support contracts and billing, and ultimately lose the flexibility to choose optimal products or negotiate the best prices.

In the particular case of buying security products from Microsoft, some consideration is due to the concept of diversification. Every Microsoft server product is a member of a community of endpoints that suffer from continuous cycles of attacks. Microsoft issues software fixes on a monthly schedule, with emergency updates announced frequently outside that schedule. Not only do the desktops, web servers, file servers, communication servers, and database servers have to be patched, but the systems hosting the security products themselves have to be patched. This adds cost to the overall system maintenance task and introduces security issues, because the security products are exposed to the same types of attacks that they are deployed to protect against.

One IT security manager that we interviewed pointed out that Microsoft Forefront Security Suite had “too many moving parts” that required more resources to manage. Different skill sets and different people were involved in managing Forefront. Staff from security would handle the AV issues, a database specialist managed SQL Server, and another specialist was required for the server admin. Yet another group’s services were required to administer WSUS on the Forefront Security Management server. Responsibility for managing a standalone security product resides with the AV team alone and is therefore less expensive.

Note that Microsoft Forefront Client Security Management Console (FCSMC) is no longer needed, as its function has been incorporated into SCCM. However, Forefront Server Security Management Console (FSSMC) is still required to manage Forefront for Exchange, Forefront for SharePoint, and Microsoft Antigen, which entails more Windows servers with MSQL, and MOM instances. FSSMC is not included in ECAL.

3) Costs associated with not having a best of breed security solution.

Microsoft has yet to demonstrate that Forefront Security is a best-of-breed product. While there may be a cost tradeoff between the best products and “good enough” products in many areas, such as Certificate Servers, proxies, database servers, and email servers, that argument does not hold with security products, where much of the value of those products resides in their ability to provide the best protection possible. For instance, an anti-malware product that blocks 1% more malware than another provides more than 1% greater value. The additional costs of cleanup, measured in lost productivity and direct IT support resources, could be thousands of dollars a month for the typical midsize enterprise. A data breach resulting from a Trojan or Bot infection would lead to extraordinary costs from mandated disclosure and reparation requirements, damage to brand equity, and similar costs. According to the 5th Annual US Cost of a Data Breach Study from the Ponemon Institute, the average cost of a data breach is over $6 million.

The current best practice for malware defense is to leverage the cloud to reduce the time to detection, from first appearance of a new attack to when updated signatures are fully deployed. Trend Micro has consistently been the best performing malware solution by this measure. Microsoft Forefront still relies on the old model of pushing new signatures to every endpoint and gateway.

4) Forefront security is not a heterogeneous solution

Many enterprises have multiple operating systems in their data centers, points of sale, or offices, including flavors of Unix from IBM and Sun (Oracle). If malware protection products are deployed to non-Microsoft systems, such as Linux servers or MacBooks, an enterprise has not eliminated the costs associated with maintaining licensing for those systems by going with the “Free Forefront” offer. Switching to Microsoft Forefront may not reduce the number of vendors or products an enterprise must manage.

One of the predominant trends in IT computing is the move to mobile devices. Executives and knowledge workers are introducing new devices to the enterprise at an uncontrolled rate. iPads, smart phones from Blackberry, Google, and Apple, predominate and will need additional management and security products to accommodate this consumerization of IT or Bring Your Own Device (BYOD) as it is being called.

Much of the value derived from an enterprise class anti-malware product suite comes from its ability to analyze security incidents and create reports. In particular, generating data for compliance reports for government regulations and auditor requirements is not as mature in Microsoft Forefront as it is in established enterprise AV product suites that have been investing heavily in better and better reporting capabilities.

[Figure labels: Microsoft world w/Forefront protection; BYOD (iOS, OSX, Android, Blackberry); Unix/Linux servers; Virtual data center and VDI]


Software Assurance Licensing

In 2005 Microsoft began offering Software Assurance. This extra licensing regime serves to protect customers from the unpredictable release cycle of major new versions of Microsoft products such as Office Productivity and Windows. Because the typical contract is for three years and Microsoft releases often exceed that, many customers opt out of Software Assurance. However, as of August 1, 2011, in order to get signature updates for Forefront, customers must have a paid-up Software Assurance license. This could significantly add to the cost of using FEP. According to Forrester, a desktop Software Assurance license is 29% of the cost of the underlying software, and for a server 25%. [14]

Product use rights for Forefront Protection Suite are those in effect during the term of corresponding Enterprise CAL Suite Software Assurance coverage. A subscription to Forefront Protection Suite consists of the following online services:

• Forefront Endpoint Protection
• Forefront for Office Communications Server (formerly Antigen for Instant Messaging)
• Forefront Online Protection for Exchange (formerly Exchange Hosted Filtering)
• Forefront Protection 2010 for Exchange Server
• Forefront Threat Management Gateway Web Protection Service
• Forefront Protection 2010 for SharePoint Server

In other words, a customer must enroll in Microsoft Software Assurance licensing to get the benefits from Forefront Protection Suite. It is an example of how Microsoft is using the immediacy and urgency of security updates to enhance their revenue stream.


Cost Model

For this study we created two models to quantify the costs of switching to a Microsoft Forefront Security solution. The first is for an enterprise with a centrally managed Microsoft Exchange environment. The second is for a distributed enterprise with twenty locations around the world and a decentralized Microsoft Exchange environment.

Model 1

Assumptions:
• 35,000 desktops with ECAL contracts
• 4 Forefront Server Security Management Consoles (Client security management is now through System Center Client Management Suite.)
• Customer already has Microsoft Software Assurance

| | Year 1 | Year 2 | Year 3 | 3-Year Total |
|---|---|---|---|---|
| Additional staff to support components | 156,250 | 156,250 | 156,250 | 468,750 |
| Premium support for ECAL | 240,000 | 240,000 | 240,000 | 720,000 |
| Deployment | 122,428 | | | 122,428 |
| TOTAL COST | $518,678 | $396,250 | $396,250 | $1,311,178 |
| Displaced vendor Premium Support savings | 30,000 | 30,000 | 30,000 | 90,000 |
| Displaced vendor license fees | 210,000 | 210,000 | 210,000 | 630,000 |
| TOTAL ADDITIONAL COSTS | $278,678 | $156,250 | $156,250 | $591,178 |

The costs associated with additional Microsoft server products to run Forefront Security management consoles are not included because most enterprises would also use Microsoft servers to run competing products.


Model 2

Assumptions:
• Same as Model 1 but customer has to switch to Microsoft Software Assurance licensing
• ECAL purchased at 15% discount to $175 price

| | Year 1 | Year 2 | Year 3 | 3-Year Total |
|---|---|---|---|---|
| Software Assurance premium (4%) | 208,250 | 208,250 | 208,250 | 624,750 |
| Additional staff to support components | 156,250 | 156,250 | 156,250 | 468,750 |
| Premium support for ECAL | 240,000 | 240,000 | 240,000 | 720,000 |
| Deployment | 122,428 | | | 122,428 |
| TOTAL COST | $726,928 | $604,500 | $604,500 | $1,935,928 |
| Displaced vendor Premium Support savings | 30,000 | 30,000 | 30,000 | 90,000 |
| Displaced vendor license fees | 210,000 | 210,000 | 210,000 | 630,000 |
| TOTAL ADDITIONAL COSTS | $486,928 | $364,500 | $364,500 | $1,215,928 |

IT-Harvest estimates that a typical mid to large enterprise will face over $156K annual increases in the cost of providing anti-malware defense across the enterprise, and $364K in additional costs if the enterprise is forced to acquire Software Assurance licensing. This model does not take into account other drawbacks associated with Microsoft Forefront Suite such as lack of available training, poor reporting, costs assigned to increased risk due to the complicated relationship between Microsoft and the vendors that support Forefront’s multiple AV engines and updates, or the increased costs of supporting (updating, patching, cleaning) additional Windows servers. It also does not include costs associated with potentially higher malware infection rates, which are hard to predict and may vary widely from customer to customer. Enterprises would do well to also factor in these and other potential costs when considering a move to Forefront.


Changes to Forefront in 2011

Forefront Client Security has been replaced by Forefront Endpoint Protection 2010, which is part of the Forefront Protection Suite ECAL.

Forefront Endpoint Protection is now managed from System Center Configuration Manager (SCCM). This saves the costs associated with licensing and managing Forefront Client Management, but Server Security Management Consoles will still be needed, and organizations are required to upgrade from SMS (System Management Server) to SCCM to take advantage of the new architecture, an investment of $1,321 per server (including MSQL) and $430 for an enterprise Management License (ML).

Cost for Core CAL has increased by 10% while ECAL pricing has remained the same. However, the new components of ECAL as well as Forefront Protection cannot be enacted unless Software Assurance is purchased.

Conclusion

Microsoft Enterprise Client Access Licensing gives the enterprise the server and desktop protection products in the Forefront Security Suite, but additional Microsoft products, hardware and support must be purchased to manage Forefront today.

Most organizations maintain servers and devices that are not from Microsoft. Abandoning a third party AV vendor completely will not be possible.

Security should be treated as a separate layer in IT infrastructure. Basing malware defense on 100% Microsoft products decreases an enterprise’s overall security posture because the management and control systems are subject to the same attacks that they are protecting against. The way Microsoft has made Software Assurance a requirement for signature updates to Forefront components is an abject example of the entanglement that can occur when enterprises single source a vendor.

Enterprises should not switch to Microsoft Forefront Security Suite. Even though client and server licenses are included in the Enterprise Client Access License bundle, the additional costs could exceed $500,000 annually and the overall value delivered is less.


This white paper was produced with the sponsorship of Trend Micro. Its conclusions and opinions expressed are solely those of IT-Harvest and not necessarily those of our sponsors.

References:

1. Microsoft CAL guide: http://www.microsoft.com/resources/sam/lic_cal.mspx
2. Dell Licensing Center CAL FAQ: http://www.dell.com/content/topics/global.aspx/licensing/en/faq_microsoft?c=us&cs=04&l=en&s=bsd&~page=5
3. Microsoft pricing for Forefront Client Security: http://www.microsoft.com/forefront/clientsecurity/en/us/pricing-licensing.aspx
4. Microsoft Service Offering Plans: http://www.microsoft.com/services/Microsoftservices/srv_compare.mspx
5. Forefront Team blog: http://blogs.technet.com/forefront/default.aspx
6. System problems: http://www.vistaheads.com/forums/microsoft-public-security-forefront/195730-forefront-client-security-console-crashing.html
7. Microsoft Premier Mission Critical Description: http://www.microsoft.com/services/microsoftservices/srv_premier_mcs.mspx
8. New level of premium support: http://www.thestandard.com/news/2009/02/03/microsoft-offers-premium-corporate-service-premium-price
9. Microsoft Forefront TCO WhitePaper: http://download.microsoft.com/download/5/c/d/5cd287b8-101d-4bcd-9f38-7c40d5792641/FCS%20TCO%20Whitepaper%20FINAL.docx
10. Microsoft Forefront Server Security Management Console Pricing: https://partner.microsoft.com/download/US/40048741
11. Planning and Deploying the Server Infrastructure for Configuration Manager 2007: http://technet.microsoft.com/en-us/library/bb680397.aspx
12. Schedule and Strategy Update for Forefront Endpoint Protection: http://blogs.technet.com/forefront/archive/2009/10/08/schedule-and-strategy-update-for-forefront-endpoint-protection.aspx
13. http://finance.yahoo.com/news/Ponemon-Study-Shows-the-Cost-prnews-1296527288.html?x=0&.v=1
14. Network World Magazine, “Microsoft customers sour on Software Assurance”: http://www.networkworld.com/news/2007/070907-microsoft-customers-sour-on-software.html
15. Microsoft Premier Support page: http://www.microsoft.com/microsoftservices/en/us/support_premier.aspx