As part of their Digital Transformation projects, Bitglass customers shift from legacy network security architectures to a direct-to-cloud security architecture on the Bitglass SASE platform.
In doing so, customers replace a multitude of point products and appliances with a single, integrated cloud platform that delivers unified security controls for data and threat protection.
Based on the experience of our customers, the following is an ROI analysis for a model customer with 10,000 users, with capex costs amortized over 4 years.
Firewall/VPN for Remote Work
Most organizations start by enforcing VPN access to the corporate network to enable secure remote work. With Digital Transformation to the cloud, the VPN becomes a performance bottleneck.
Direct-to-cloud SASE security eliminates the need for VPN altogether. This analysis assumes an average price of $100K per Firewall/VPN appliance.
Secure Web Gateway
Another big-ticket item is the Secure Web Gateway for protecting against threats and unsuitable content. Once the user is on the network in person, or via VPN, all HTTP traffic passes through the SWG to ensure hygiene. As of 2020, ~90% of HTTP traffic is encrypted, requiring hefty SWG appliances to decrypt, inspect and filter the traffic.
Direct-to-cloud SASE security eliminates the need for SWG appliances altogether. Assuming the average price of web security appliances (e.g. Blue Coat / Symantec Web Filter)
As an alternative, cloud proxies will alleviate the need for security teams to deploy appliances. However, by nature of being an additional “hop,” this option will often see similar bottlenecks while incurring a per-user cost model that is often more expensive.
Standalone DLP & CASB
Legacy DLP appliances were deployed on the corporate network, with first-gen CASBs making remote calls to the DLP engines to secure data. Such a model is necessary when the CASB does not support sophisticated Exact Match and Fingerprint DLP capabilities to reduce false positives. This model also requires all remote users to VPN to the corporate network.
Switching to direct-to-cloud SASE that includes full spectrum DLP and a multi-mode CASB delivers substantial savings.
Standalone IdP and MFA
A full-function SASE product includes IdP and MFA capabilities, eliminating the cost of operating standalone IdP and MFA.
While less quantifiable as an “out-of-pocket” cost, operational costs must be considered when replacing appliances and standalone offerings. Typically, these can add 20-30% to the above total.