The Case for Secure Ethernet/IP

Access and Address Management

A Return on Investment Analysis









Executive Summary:

ln an inoreasingly oompetitive global environment, today's lP-enabled organizations
are looking inoreasingly to smart investments in lnformation 1eohnology to maximize
intelleotual property, mine oustomer and oompetitive data, optimize business
prooesses, inorease produotivity, and speed oustomer and market responsiveness.
1he oommunioations baokbone of these ongoing l1 investments is the enterprise-
wide Lthernet and lP network. lP networks have oreated oompelling eoonomios and
ease of use to take over as the defaoto standard of oorporate networking.
Nonetheless, the open nature of lP oommunioations also oreates seourity risks. with
more demanding data and sensitive oonverged voioe and video applioations flowing
over Lthernet and lP networks, ensuring the seourity, privaoy and integrity of the
network has beoome more important than ever. owever, while organizations have
invested heavily in externally-faoing seourity systems, a serious hole in seourity and
management oontrols over internal network aooess remains in the vast majority of
organizations, beginning with the trivial ease of aooess and network address
resouroe allooation that exists in most internal enterprise networks.

lP3oan is the leading solution for Lthernet/lP network aooess and address oontrol,
deployed by hundreds of large enterprises, servioe providers, government and
military agenoies and eduoational institutions. lP3oan provides lP-enabled
organizations with highly valuable risk mitigation and operational effioienoy benefits
in four key areas: seouring the network against internal breaohes, preventing
inadvertent network disruptions, mitigating against the risk of non-oomplianoe with
regulations oonoerning sensitive data, and inoreasing l1's operational effioieno.

1his white paper establishes the business oase for the lP3oan solution using an
overall Return on lnvestment (R0l) model that easily justifies the total oost of
ownership (1C0) aoross the four major areas outlined above. Uetailed R0l are
presented for eaoh area in eaoh of the four areas' respeotive seotions to provide both
finanoial and teohnioal oontext.

via3oope's lP3oan oan bring signifioant benefits to any lP-enabled organization, and
help oontribute to its ongoing suooess by supporting greatly enhanoed l1 seourity,
oontinuity, oomplianoe and operational effioienoy.


Summary Return on Investment Model

lP3oan delivers a rapid, positive R0l in four key areas as outlined in the exeoutive
summary. Below is a summarized view of the R0l model for lP3oan based on a
network with 1000 lP devioes, showing that an lP3oan solution inolusive of three
years maintenanoe fees oan aohieve a positive R0l in less than six months by
reduoing operations oosts, and mitigating risks of seourity breaohes, network
disruptions and regulatory non-oomplianoe. Note that while industry averages for
network downtime, seourity and regulatory non-oomplianoe reported by analyst
surveys are very high, this R0l utilizes signifioantly lower, oonservative estimates,
whioh further underlines the value of the lP3oan solution. lor a detailed breakdown
of the assumptions and teohnioal oontext behind eaoh oategory's R0l oaloulation,
please refer to the appropriate seotion referenoed in the table of oontents.

Category Industry Average
Cost/Risk of Loss
Assigned
Risk/Cost
Annual
Occurrence
or Risk
Solution
Cost
Year 1 Year 2 Year 3 Total
IPScan
Solution
$90K $16.2K
annual
maint
$16.2K
annual
maint
$16.2K
annual
maint
$138.6K
Opex Savings Five minutes IT staff
time per device per
month, for address
mgmt operations of
1,000 devices, or
$39K per year,
reduced by 80%
$31K Each year
ongoing
$31K $31K $31K $93K
Security Risk
Mitigation
Average $4M losses
from unauthorized info
access reported in
FBI/CSI 2004 Report
$100K Once $100K $100K $100K $300K
Network
Disruption
Risk
Mitigation
Industry average per
downtime occurrence
is 1.5 hours per
Dataquest. One hour
of downtime on
average costs
minimum $96K per
Infonetics.
$144K Once $144K $144K $144K $432K
Regulatory
Non-
Compliance
Risk
$2M non-compliance
fine + brand damage if
public
$100K Once $100K $100K $100K $300K
$375K $375K $375K $1.12M
5
Annual Cost/Risk of Loss
ROI Timeframe in Months







Operational Expense Savings with IPScan

lP address management is a time-oonsuming, yet absolutely neoessary l1 task.
Aooording to Network world's May, 2005 report, lP address management is
beooming more important:
3everal faotors are driving lP address management from the baok burner to a
more prominent plaoe on the l1 to-do list.
Uata oenter oonsolidation is sending more LAN applioations over the
lnternet, whioh is driving efforts to better manage lP addresses within
l1 shops.
volP, by making phones an lP devioe, potentially doubles the number
of lP addresses.
3eourity oonoerns in terms of network aooess and potential virus
infeotion from unknown devioes are foroing oompanies to better
manage network aooess.
1he demand to deliver o3 and applioations to end users is pushing l1
managers to more olosely monitor lP addresses

Based on information oolleoted from its base of large enterprises, servioe providers,
government and military agenoies and eduoational institutions, via3oope estimates
that lP address administration requires 5 minutes per devioe, per month on an
annualized basis. 0n this basis, address management for 1,000 devioes requires
the equivalent of 39 of one full time employee's work hours annually. utilizing
$100,000.00 as the fully burdened oost of a full-time network administrator, the oost
per year of lP address management is $39,000.00 per year.

Uue to its oomprehensive deteotion, monitoring, audit trail dooumentation,
administration and polioy enforoement oapabilities, lP3oan reduoe lP address
management by 80, leading to a oost savings of $31,000.00 per year. 1he
following table summarizes the operational oost savings that lP3oan delivers in
regards to lP address management:

IPScan IP Address Management IT Opex Savings

Annualized hours of IP Address Mgmt of 1,000 devices @ 5
minutes per device per month
1000
Work hours per year 2440
Full-time equivalent required for IP Address Management 39%
Cost per IT network administrator, including overhead $100,000
Annual cost of IP Address Management $39,000
Percent of IP Address Mgmt Time Savings from IPScan 80%
Annual savings $31,000


Security Risk Mitigation with IPScan
lP3oan delivers a powerful seourity solution to mitigate against the oonsiderable risks
of insider seourity breaohes. lP3oan provides a oomprehensive, polioy-based aooess
oontrol enforoement solution that ensures that only authorized devioes oan oonneot
to the internal network, whether via wired or wireless media.
The Prevalence and Cost of Insider Security Breaches
lnsider seourity breaohes are both oommonplaoe and oostly. 1he 2004 C3l/lBl
Computer Crime and 3eourity 3urvey reports 68 of organizations reported that they
had suffered at least one, if not more insider seourity inoidents, as shown in figure 1:


ligure 1: 68 of 280 surveyed organizations reported insider seourity breaohes

lurthermore, many of the most oommon ooourrenoes of reported seourity breaohes
involved insider network abuse, and related seourity issues suoh as theft of
authorized devioes (laptops/mobile oomputing devioes), unauthorized aooess to
information, and system penetration, as is show in figure 2.


ligure 2: 1ypes of Attaoks of Misuse Reported within Responding 0rganizations over
last 12 months

1he oost of seourity breaohes is very high, as reported by survey respondents. ligure
3 shows the reported average oost of various seourity breaohes. lnsider network
abuse, wireless network abuse, laptop theft, and unauthorized aooess oan eaoh oost
millions of dollars.


ligure 3: Uollar amount oost for various seourity breaohes

IPScan Fills the Network Access Control Gap
1he breaohes and related oosts outlined above ooourred despite the faot that the
most organizations overwhelmingly employ firewalls and anti-virus software, and a
large peroentage also deploy a wide variety of other seourity tools, as seen in ligure 4.
owever, most of these seourity tools are aimed at preventing seourity breaohes from
external souroes, while there is a notioeable laok of internally oriented oontrols.
Clearly, ourrent seourity measures are not enough. 0ne of the most signifioant holes
in internal network seourity is the laok of oomprehensive network aooess oontrols.


ligure 4: Peroentage of organizations deploying various seourity solutions

lP3oan provides oomprehensive proteotion against unauthorized aooess to the
network, for all Lthernet and lP devioes, providing a oritioal front-line of defense
against unauthorized oommunioation and aooess to proprietary or sensitive
information. lP3oan allows network managers to oentrally define and update globally

enforoed aooess oontrol polioies so that only authorized Lthernet and lP addresses
(statio or dynamio) and hostnames in defined oombinations, may oommunioate at the
lP layer on the network. lP3oan provides signifioant risk mitigation against insider
seourity breaohes aoross a variety of risk oategories suoh as:

1heft of proprietary information (average loss = $11.46M)
lnsider network abuse (average loss = $10.6M)
Abuse of wireless network (average loss = $10.15M)
Laptop theft (average loss = $6.7M)
unauthorized aooess (average loss = $4.3M)

IPScans Value as Security Risk Mitigation
lP3oan delivers a powerful return on investment when oompared to the signifioant
risks of loss due to insider seourity breaohes. ln order to oonservatively oaloulate the
value of lP3oan as a risk mitigation solution, the risk mitigation model utilizes only
the lowest risk of loss oategoryunauthorized aooess, even though lP3oan is
applioable to all the outlined risk oategories above. ln addition, the average loss is
rounded down to $4M. while no seourity solution or produot defines full seourity" on
its own, and must be oombined with proper internal seourity polioies, prooesses and
praotioes, lP3oan enables an unpreoedented degree of administrative oontrol over
fundamental network aooess while remaining transparent to users, sinoe it requires
no installed olient software, and no further login prooesses. 1his ease of use and the
real-time, automated nature of enforoement support the exeoution of oonsistent
oontrol prooesseswhioh inoreases risk mitigation by eliminating human error or
oiroumvention. lor this reason, lP3oan oan deliver signifioant risk mitigation
oaloulated at 75 of the risk of unauthorized aooessor $3M mitigation value in
absolute terms. 1he model then faotors a smaller enterprise size at 1000 devioes by
taking only 20 of this risk--$600K, and seleoting an arbitrary, low peroentage value
of the absolute mitigation value (16.7), arriving at $100K annual risk mitigation
value. Note that this is an extremely oonservative model, sinoe survey results oan
easily support a muoh higher annual risk mitigation value for lP3oan.


IPScan Internal Security Breach Risk Mitigation Value

Average loss reported due to unauthorized access (rounded
down)
$4M
Percentage of value that IPScan brings to mitigating against
insider network security breaches or abuse
75%
Absolute mitigation value of IPScan $3M
Annualized, highly conservative annual risk mitigation value for a
1000 device enterprise
$100K


Mitigating Network Disruption Risk of Loss with IPScan

1oday's business environment depends heavily on l1 automation for produotivity.
Correspondingly, network downtime oan be very oostly. lndustry measurements of
the losses assooiated with an hour of network downtime have been established by
Uataquest for a sample of industry vertioals. Notably, transaotion-driven businesses
suoh as finanoial servioes inour heavy losses from downtime:

linanoial/Brokerage: $6.45M lost per hour of downtime
linanoial/Credit Card: $2.6M lost per hour of downtime

ln addition, aneodotal reports show that many data-driven organizations plaoe a high
dollar value of loss on network downtime. lor example, large pharmaoeutioals
organizations report that downtime at data-driven manufaoturing faoilities oan oost
on the order of $5M per hour, sinoe a whole produotion batoh must be disposed of if
oonneotivity and oontrol prooess monitoring of the manufaoturing is lost. 0aming is
another data-driven business with large oosts for network downtimeln an April,
2004 artiole, 3eoure Lnterprise magazine reported that downtime at the Mohegan
3un oasino on a busy 3aturday night, was oaloulated at $2M per hour. owever,
even in business where downtime doesn't direotly affeot finanoial transaotions in
real-time, lnfonetios oaloulates $96K per hour lost per hour of downtime.

Aooording to the lorrester 0roup, 15 of all applioation downtime is oaused by
network issues, and a majority of the root oauses of network-based downtime is due
to lP addressing problems. lP address oonfliots that bring down oonneotivity to key
servers, or worse, to key routers oan oause oostly network downtime. 1his means
that under-managed lP address spaoe is a business risk liability to every organization.

lP3oan oan virtually eliminate the risk of network downtime due to lP address
oonfliots, sinoe it enforoes oomplete polioy-based address management oontrols over
not only dynamio (UCP) addresses, but also statio lP addresses and even Lthernet
addresses and hostnames.

lP3oan's value in mitigating downtime risk due to lP address oonfliot is oaloulated
based on a $96K oost of downtime per hour, with one downtime inoident oaloulated
per year. lnfonetios reports that the average downtime lasts 1.5 hours, making the
total risk of address oonfliot downtime per year $144K. 1he following table
summarizes lP3oan's network downtime risk mitigation value:

IPScan IP Addressing-Based Network Downtime Risk Mitigation Value

Calculated loss reported due to network downtime, per hour $96K
Average downtime duration, per Infonetics 1.5 hours
Annual downtime loss riskIPScans annualized value $144K

Mitigating Regulatory Non-Compliance Risk with IPScan

A wide variety of organizations must oonoern themselves with regulatory
requirements around data seourity, privaoy and oontinuity. Most prominent examples
are oriminal oharges and heavy fines assooiated with 3arbanes-0xley (30X) seotion
404 for publioly held oompanies, and healthoare lPAA requirements. Another
example is finanoial servioe banking organizations, whioh must oomply with striot
regulatory requirements to olose all bank branoh books on a daily basis, with stiff
fines for delays. Any regulated industry requires solid, auditable seourity and
oontinuity prooesses for all portions of the l1 infrastruoture.

lP3oan provides an automated and oentrally managed platform for network aooess
oontrol polioy definition, propagation and enforoement. lP3oan also reoords a history
of every devioe's aooess to the network, to provide solid dooumentation of the oontrol
prooesses for oomplianoe purposes. without lP3oan, a breaoh of data privaoy oould
be easily shown to be the result of poor oontrol prooesses on fundamental network
aooess, whioh may result in stiff fines and penalties. 1he loss assooiated with non-
oomplianoe fines is oaloulated at $2M per inoident, whioh does not faotor in brand
damage. 1he model then assigns a oonservative annual value of $100K to lP3oan
for mitigating oomplianoe risk, as is illustrated in the following table:

IPScan Regulatory Non-Compliance Risk Mitigation Value

Cost of Non-Compliance $2M
Conservative, annual risk mitigation value of IPScan $100K