Embed Size (px)
Citation preview
TCO Study of WSUS & SCCM
sponsored by
Q 2 , 2 0 2 0
sponsored by
1
A B S T R A C T
Patch management remains an essential component of the Information Technology (IT) industry as it is needed toprotect infrastructure against security vulnerabilities, prevent crashes, and yield new updates enhancing the userexperience. This white paper addresses the total cost of ownership (TCO) and other supplemental benefitsbetween legacy on-premise patch management systems (i.e., Microsoft’s WSUS and SCCM) and cloud-basedSoftware as a Service (SaaS) patch management providers (e.g. Automox). Our analysis reveals SaaS-basedsolutions are often less expensive when multiple Operating Systems (OS) are in use along with geographicallydiverse employee populations. SaaS is capable of scaling to meet the demands of remote-based workforceswithout any need to shift patch deployment techniques or alterations to company systems.
I N T R O D U C T I O N
Patch management is a critical function as applying patches ensures that systems are running at optimal levels and safeguards against exploitation. This avoids issues arising from incompatibility, introduces new features, fixes bugs, and reduces crashes. Today, multiple patch management solutions exist that provide answers to the complex challenge of ensuring that all corporate endpoints and systems are optimally and efficiently maintained – knowing which platform to select is the fundamental decision at play.
Selecting a patch management system is not easy – there are a bevy of hidden costs relating to required hardware, software, licensing, training, personnel, and more. Large organizations (those with a greater number of endpoints) are more impacted than smaller organizations by these hidden costs as they significantly increase total cost of ownership (TCO) over time and affect purchase decisions. Many companies have strict processes and regimens to procure software and the confounding factors surrounding many patch management platforms can slow or impede acquisitions. Additionally, costs stemming from unplanned scenarios, such as the sudden shift to remote-based workforces, or labor costs to repair system damage from breaches (resulting from the misuse of corporate VPNs), will all factor into TCO.
Our analysis suggests that these common factors (represented as hypothetical scenarios) should be considered when weighing legacy on-premise systems versus SaaS-based platforms. Given the ability of SaaS-based patch platforms to reduce the impact from unplanned expenses, companies may achieve greater cost savings by selecting a SaaS-based platform.
In this analysis, we will explore the TCO of three platforms: Microsoft Windows Server Update Service
(WSUS), Microsoft System Center Configuration Manager (SCCM), and Automox. This paper analyzes
several factors that impact the TCO and defines what to expect when purchasing or owning these platforms.
sponsored by
2
PATC H M A N A G E M E N T S O LU T I O N SH I G H - L E V E L O V E R V I E W
In this section, we offer a high-level comparison of each selected patch management solution. We provide a comparative gap analysis and offer an overall value proposition, vendor claims, as well as highlights and lowlights of each solution. These ‘observations’ along with additional research on specific cost items are factored into a TCO comparison to clearly illustrate the total cost difference.
M I C R O S O F T W I N D O W S S E R V E R U P D AT E S E R V I C E S ( W S U S )
Microsoft Windows Server Update Services (WSUS) is a software and network service which enables organizations to manage the distribution of updates released for Microsoft products to computers managed by the organization. WSUS downloads these updates from the Microsoft Update website and then distributes them to computers on a network. WSUS is an integral component of Windows Server and is most used by small-to-medium sized businesses to effectively manage the distribution of updates to computers in the network.
What Microsoft Says about WSUSMicrosoft claims that leveraging WSUS provides management of updates on each endpoint or server, rather than having them managed autonomously using Windows automatic updates. This provides organizations with a more detailed view on which machines have updates installed.
HighlightsLeveraging WSUS, organizations can save bandwidth by aggregating patch software on a single source for intranet distribution. This prevents each endpoint from reaching out to the internet to download updates individually, consuming valuable company resources and creating a bottleneck during patch days.
WSUS also provides enhanced reporting capabilities over leveraging Windows automatic updates, allowing administrators to target specific sets of computers for distribution for ease of deployment and better optimization of time and resources.
LowlightsWSUS requires Internet to support remote machines and provides little granularity beyond standard Windows automatic updates. It does not support third-party operating systems, software inventory management, multiple management views, support for patch testing or verification, controls for policies, detailed information for enrolled assets, or support for non-standard assets such as mobile devices, Internet of Things (IoT), etc.
sponsored by
3
M I C R O S O F T S Y S T E M C E N T E R CO N F I G U R AT I O N M A N A G E R ( S CC M )
Microsoft System Center Configuration Manager (SCCM) is a systems management product for managing computers within a Windows-based environment. SCCM provides customers remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. SCCM is often used by mid-to-large enterprise organizations due to its integration with Windows-based services, and predictable workflows for companies of this size.
What Microsoft Says about SCCMMicrosoft claims that SCCM empowers productivity by providing a unified IT management infrastructure with Windows systems and resources, as well as providing simplified administrative and flexible support for most
HighlightsDue to its tightly integrated stance with the Windows operating system environments, SCCM provides some features, such as virtual desktop management, that are unavailable in other management suites. Additionally, SCCM licensing can be bundled with other Microsoft costs that companies may already be purchasing, creating the potential opportunity for discounting.
LowlightsMicrosoft SCCM requires Internet to support report machines and is not cloud-enabled unless it is integrated with Microsoft InTune, which requires further licensing and administration overhead. SCCM is also bulky and cumbersome, requiring extensive Microsoft team experience to deploy and maintain.
AU TO M OX
Automox is a cloud-native cyber hygiene and patch management product. It provides support for multiple operating systems, policy management and enforcement, automated patch management, role-based access controls, full hardware and software visibility, as well as a rich Application Programming Interface (API). Automox delivers all these services from the cloud using a single lightweight agent. Automox (as a SaaS-based platform) is best suited for companies with mixed OS, heavily virtualized environments, or remote-based staff, given the ability to rapidly deploy updates without the need to modify or procure additional software to manage third-party machines.
What Automox Says Automox is the only solution in the industry with its capabilities and features. It provides modern cyber hygiene solutions that give IT managers confidence about the status of their system security. HighlightsAutomox works regardless of network borders or boundaries, allowing administrators to enforce policy and manage on-premises systems, remote laptops, and workstations, as well as cloud-based virtual machines, containers, and micro-services.
LowlightsAutomox requires Internet connectivity to gain full benefits of its product suite capabilities.
sponsored by
4PATCH MANAGEMENT IS A CRITICAL FUNCTION
Comparative Gap Analysis
The patch management systems used during this TCO study were selected based on their overall features and functionality, as well as perceived derived value. Each system provides competitive features and is designed to simulate a customer evaluation exercise to better understand how the products operate and what the solution provides in terms of total value.
PATC H M A N A G E M E N T S O LU T I O N S : G A P A N A LYS I S
Core Capabilities
Overall Overall Distribution
Description WSUS SCCM Automox
Solution is able to deploy patches without administrative
When path is not successful due to system availability,
Solutions is capable of organizing system into logical groups or
Automated or simplified device enrollment
Agent is directly installed on managed clients.
No agent is required on target patch clients.
Sports out-of-office/remote assets such as remote
Ability to quickly uninstall a patch in the event that it causes
Offers multiple user interface views (Web, Console, etc).
Patch support for OS images and snapshots. (patch offline
Solutions can generate inventory of deployed software on in-
Provides a list of managed organizational assets.
For customers with remote considerations for sites subject to
Role based access controls, solutions supports multi-user
Support for patch testing & success verification
Controls policies for individual software regardless of OS.
Solution controls operating system specific policy elements
Packages can be generated on a custom basis per application
Solution comes with pre-packaged deployment options to
Reports containing graphs, metrics, and other information
Detailed status report is provided on patch status for all
Solution features dashboard customization flexibility
Notification messages are provided to administrator or other
Solution notifies customers when a critical patch is required
Product is capable of providing accurate risk assessment view
Product includes support for ticketing and patch workflow.
Product integrates with third party ticketing systems
Solution will automatically update tickets once action is
Product has a capability to restrict patching or changes unless
Has task scheduling capability to drive update windows/
Lock down controls to prevent system alteration outside of
Solution can manage patch deployment for third party
Support for non-standard assets such as mobile devices,
Support for multiple operating systems
Has capability to create record for unmanaged assets, read
Averaged Representation
Averaged Representation
Averaged Representation
Averaged Representation
Averaged Representation
Capabilities
Overall Overall Distribution
Description WSUS SCCM Automox
Solution is able to deploy patches without administrative intervention.
When patch is not successful due to system availability, solution will attempt to re-deploy patch.
Solution is capable of organizing system into logical groups or containers for policy management.
Automated or simplified device enrollment
Agent is directly installed on managed clients.
No agent is required on target patch clients.
Supports out-of-office / remote assets such as remote workers
Ability to quickly uninstall a patch in the event that it causes business interruptions
Patch support for OS images and snapshots. (Patch offline images a nd quarantine dormant virtual machine instances.)
Offers multiple user interface views (Web, Console, etc).
Solution can generate inventory of deployed software on in-scope assets.
Provides a list of managed organizational assets.
For customers with remote considerations for sites subject to limited connection
Role based access controls, solution supports multi-user model.
Support for patch testing & success verification
Controls policies for individual software regardless of OS.
Solution controls operating system specific policy elements (ie. Group Policies for Windows).
Packages can be generated on a custom basis per application or system.
Solution comes with pre-packaged deployment options to ease customer adoption.
Reports containing graphs, metrics, and other information can be easily generated
Detailed status report is provided on patch status for all enrolled assets
Solution features dashboard customization flexibility
Notification messages are provided to administrator or other users via e-mail delivery system
Solution notifies customers when a critical patch is required on an asset.
Product is capable of providing accurate risk assessment view on patch prioritization
Product includes support for ticketing and patch workflow.
Product integrates with third party ticketing systems.
Solution will automatically update tickets once action is taken or resolved.
Product has a capability to restrict patching or changes unless required approval is introduced.
Has task scheduling capability to drive update windows / actions that may impact critical business functions.
Lockdown controls to prevent system alteration outside of change management schedule.
Solution can manage patch deployment for third party applications.
Support for non-standard assets such as mobile devices, appliances, IoT, etc.
Support for multiple operating systems
Has capability to create record for unmanaged assets, read exiting asset data for context to UI/action, or update asset information.
Averaged Representation
Averaged Representation
Averaged Representation
Averaged Representation
Averaged Representation
Core Capabilities
Management
Reporting
Workflow Tracking
3rd Party Support
Core Capabilities
Management
Reporting
Workflow Tracking
3rd Party Support
sponsored by
5
PATC H M A N A G E M E N T C H A L L E N G E S
IT systems are exploited daily and many organizations often lack the ability to adequately assess and distribute patches to protect against exploitation and attack. Patches need to be applied in a timely manner to reduce the likelihood of exploitation. Compounding the issue, many organizations leverage varying types of devices with different OS, and each with a different version of installed software. This mixed environment creates a troubling scenario for system administrators who conduct network and device inventories, execute risk assessments, test patches, and perform routine system audits.
Based on these use cases and challenges, the Automox platform was created to provide a cloud-native, automated patch management solution that works across multiple OS and hardware environments. Automox provides cross-operating system support, is simple to configure and manage, creates capabilities to patch third-party applications, is fully customizable, and acts as a single platform of record for patch management and endpoint hardening.
PATC H M A N A G E M E N T S O LU T I O N S : TCO CO S T C A LC U L AT I O N M E T H O D O LO G Y
Cost Components
In our study, the cost component categories used to calculate TCO for patch management systems
include the following:
Hardware Product Costs: The cost of hardware procurement (i.e., network equipment, storage equipment, and servers for data processing).
Software Licenses: Software license costs that include the initial purchase price of software, which is subject to specific requirements (i.e., number of CPU cores).
Software Maintenance: Maintenance license agreements with software companies which extend support for software over a period of months or years.
Internal Labor Estimates: Internal labor estimates include time and cost for a specific resource to accomplish a given task such as decommissioning, patch testing, scaling events.
Service Costs: Services encompass third party services required to maintain or operate patch management software.
Travel Costs: Employee travel costs associated with upkeep, training, or similar activities.
Leasing Costs: Leasing costs for physical space such as co-locating data processing servers regionally.
Disaster Recovery Costs: Unforeseen events that could cause a disruption in service.
sponsored by
6
# Primary Locations
# Secondary Locations
# Managed Workstations
# Managed Servers
# Unmanaged Endpoints
Legacy Vendor Discount - Hardware
Legacy Vendor Discount - Services
Legacy Vendor Discount - Software
Automox Discount - Software
Automox Discount - Services
% Estate: Windows
% Estate: Linux
Implementation Travel
Total Managed Endpoints
Capabilities Unit(s)
2
6
8,000
2,000
5,000
6%
0%
0%
0%
0%
90%
10%
35%
10,000
Type
Geo
Geo
Assets
Assets
Assets
Percentage
Percentage
Percentage
Percentage
Percentage
Percentage
Percentage
Percentage
Assets
CO S T FA C TO R S A N D A S S U M P T I O N S
The following factors and assumptions were built into a TCO calculator that were used to construct scenarios and uncover ownership costs over time between legacy on-premise and SaaS-based systems.
PATC H M A N A G E M E N T S O LU T I O N S : T CO R E S U LT S
Why WSUS Isn’t the Lowest Cost Solution
WSUS lacks the components provided by a patch management solution, requiring an extensive increase in labor on behalf of the adopting customer to fill in the gaps. This results in a customer deploying various disparate solutions to manage systems. The diversity of software and configurations required increases overall management overhead, lowering the value of WSUS and increasing total cost of ownership.
Total Cost of Ownership (TCO)
Implementation & One-Time Purchases - Year 1
On-Going Run & Maintain - Year 2
On-Going Run & Maintain - Year 3
On-Going Run & Maintain - Year 4
On-Going Run & Maintain / HW Decommission - Year 5
Description
$6,658,441.6
$1,865,361.68
$1,197,020.00
$1,197,020.00
$1,197,020.00
$1,202,020.00
WSUS
sponsored by
7
Total Cost of Ownership (TCO)
Implementation & One-Time Purchases - Year 1
On-Going Run & Maintain - Year 2
On-Going Run & Maintain - Year 3
On-Going Run & Maintain - Year 4
On-Going Run & Maintain / HW Decommission - Year 5
Description SCCM
$6,658,654.12
$1,865,574.12
$1,197,020.00
$1,197,020.00
$1,197,020.00
$1,202,020.00
W H Y S CC M I S N ’ T T H E LO W E S T CO S T S O LU T I O N
SCCM is riddled with hidden costs including license fees such as databases, hardware deployment requirements, labor, professional services and more. Geographically dispersed, or larger organizations that do not have an infrastructure where most managed hosts are network adjacent, will suffer the most from these additional costs. The burden of upkeep for SCCM servers results in massive overhead, burdening large organizations and proving to be too taxing for smaller organizations who often remain non-compliant due to the technical and logistical challenges of patch management with SCCM.
Total Cost of Ownership (TCO)
Implementation & One-Time Purchases - Year 1
On-Going Run & Maintain - Year 2
On-Going Run & Maintain - Year 3
On-Going Run & Maintain - Year 4
On-Going Run & Maintain / HW Decommission - Year 5
Description AUTOMOX
$4,455,924.88
$891,524.88
$891,100.00
$891,100.00
$891,100.00
$891,100.00
W H Y AU TO M OX I S T H E LO W E S T T O TA L CO S T S O LU T I O N
Unlike competitors, Automox is capable of scaling both remote and on-premise without a shift in deployment technique or other costly labor or software changes. Automox’s pricing is much more straightforward, allowing customers to easily plan and scale without unforeseen costs or changes associated with hardware, support, or other components.
8
sponsored by
H I G H - L E V E L TCO CO M PA R I S O N
The total cost of ownership comparison illustrates that the Capital Expenditure (CapEx) cost of Automox, representative of a cloud-native provider, provides a significant discount over Microsoft WSUS or SCCM. Additionally, ongoing run and maintain tasks are less expensive, as well as the decommissioning phase, as it includes a single lightweight agent which can be dissolved with no hardware, intensive labor, or other associated fees.
Automox is approximately half as expensive as WSUS and SCCM at initial start-up and in subsequent years where Automox’s annualized cost is approximately 25% less expensive ($891,100) as WSUS and SCCM at $1,197,200 for 10,000 managed endpoints.
Cumulative Costs over Five Years
$7,000,000$6,000,000$5,000,000$4,000,000$3,000,000$2,000,000$1,000,000
$0.00Year 1 Year 2 Year 3 Year 4 Year 5
SCCM WSUS Automox
Moreover, Automox’s annualized subscription model enables predictable costs with minor fluctuations over time compared to legacy providers where companies may encounter hidden fees that stem from additional labor and licensing fees.
Total Cost of Ownership Year over Year$2,000,000$1,800,000$1,600,000$1,400,000$1,200,000$1,000,000
$800,000$600,000$400,000$200,000
0Year 1 Year 2 Year 3 Year 4 Year 5
SCCM WSUS Automox
9
sponsored by
PATC H M A N A G E M E N T S O LU T I O N S : S P E C I A L I Z E D S C E N A R I O A N A LYS I S
Hidden costs exist behind patch management systems due to the complex nature of ensuring systems are adequately patched – costs arise from additional labor expenditure as well as license fees, needed subscriptions, and related hardware requirements.
There are several processes many businesses follow during the patching lifecycle and should be considered as standard practice:
1. Validate patch integrity through verified channels.2. Test patches on corporate assets before widespread implementation to ensure that system stability will not be negatively impacted.3. Alert company to disruptions in critical services if patches will render essential systems
temporarily offline.4. Leverage tools (aka patch management platforms) to deploy patches and validate success.5. Manually respond to adverse events caused by bad
patches.Scenarios
Scenarios
During the TCO analysis, several scenarios were selected for study given their high likelihood of occurrence for any given business. Associated costs from labor expenditures, software licenses, VPN use, and average costs of remediation were included in our model to yield a realistic TCO from these three assessed platforms.
A total of four scenarios were selected and include:
- Unplanned remote work - Heavily virtualized customers - Geographically dispersed - Cybersecurity hygiene focused customers
10
sponsored by
S C E N A R I O 1 : Unplanned Remote Work
With more organizations moving toward a remote workforce there are associated costs, both in monetary and resource allocation terms. These unforeseen expenditures may result in severe budget disruptions if they are not planned for given the high costs associated with VPN misuse and remediation.
Organizations are not stagnant entities so unexpected growth – which requires both quick and efficient scaling, needs to be accounted for. These scaling events include training, security, and supportive connectivity, which all increase an organization’s relative cost per employee.
New work-from-home policies translate into critical requirements for businesses to secure remote endpoints, laptops, and VPNs. A fully automated SaaS patch management solution not only provides the most up-to-date software, without the need for VPN use, but it also does so at a much lower overall cost to an organization.
In our TCO analysis the costs associated with unplanned remote work consists of both VPN costs and a single Disaster Recovery (DR) event. Using the model outlined in the TCO cost calculation methodology, this would translate into direct scenario costs of approximately $354,000 for both WSUS and SCCM users, whereas SaaS-based users (Automox) would incur only $10,000 in expenses for the unplanned DR event as there is no need to purchase VPN subscriptions for employees to gain access to routine updates.
$400,000
$350,000
$300,000
$250,000
$200,000
$150,000
$100,000
$50,000
$0
Unplanned Remote Work
Scenario 1 - Unplanned Remote Work
$354,000
WSUS
$354,000
SCCM
$10,000
Automox
11
sponsored by
Subsequent analysis of our model reveals that ongoing maintenance costs associated with all three platforms remain consistent once the initial purchase is made; however, costs between the platforms vary at both the initial purchase and when decommissioning.
S C E N A R I O 2 : Heavily Virtualized Customers.
When the number of virtual machines on a network reaches a point where an administrator can no longer manage them effectively, organizations experience what is commonly referred to as “virtualization sprawl,” or VM sprawl. As VMs are simple to establish and run, many go without patches and can quickly lead to security breaches and result in significantly higher costs to businesses.
Organizations need efficient ways to eliminate risk stemming from vulnerabilities. Legacy on-premise enterprise security solutions come with higher overall costs and require manual labor. SaaS patch management solutions enable IT administrators to deploy patches to all VMs with minimal manual input.
Our analysis estimates the costs of a heavily virtualized customer is $598,500 for both WSUS and SCCM users. The Automox customer would incur zero expenses relating to this scenario since the cloud-native software solution would continue to function normally even if workforces shifted towards heavily virtualized instances.
Further analysis reveals conventional solutions (WSUS & SCCM) would incur expenses relating to VM sprawl where insecure devices (due to the eventuality of VM misuse) would result in a breach scenario costing time and money to correct. At an average cost of $1,049.85 per managed device (cost of incident: response effort + third party software management) this equates to the nearly $600,000 in incurred expenses for those legacy users.
$700,000
$600,000
$500,000
$400,000
$300,000
$200,000
$100,000
$0
Heavily Virtualized Systems
Scenario 2 - Heavily Virtualized
$598,500
WSUS
$598,500
SCCM
0
Automox
12
sponsored by
S C E N A R I O 3 : Geographically Dispersed Customers
Geographical dispersion affects many of today’s companies, as employees often find themselves working with colleagues, clients, and customers located across multiple continents with different languages and across various time zones. Managing teams and infrastructure located in different parts of the globe present challenges when it comes to patch management as the entire network needs to work flawlessly to successfully update.
The amount of administrative overhead needed to manage the infrastructure of a dispersed organization can be significantly greater than required for companies with only a single location due to the sheer volume of additional systems to manage. As this labor category does not develop nor produce goods or services, it can be difficult for organizations to sustain large IT overhead costs directly stemming from their dispersed infrastructure management.
Networking issues stemming from working across time zones, continents, and languages can also contribute to additional costs stemming from low to moderate productivity amongst IT staff. Working across different countries often is at the mercy of local infrastructure and connections can be slow, temperamental, or simply unreliable at times, leading to a stagnated labor force that cannot implement patches when necessary.
Geographically dispersed customers include companies with thousands of employees (e.g. most Fortune 500 corporations) as well as small companies with satellite offices in various countries that require a centralized patch management platform to manage their devices. As more and more companies are connected with staff from around the world, the need for global, automated patch management solutions will continue to rise.
Our analysis of a geographically dispersed workforce consists of two variables that translate into incurred costs: administrative overhead, such as costs related to extraneous equipment and connected support requirements, and productivity costs due to networking issues. Using our example of 10,000 managed endpoints this translates into $354,000 for WSUS and SCCM customers and $344,000 for an Automox customer. The main difference in this scenario for conventional versus SaaS-based platforms is the ability to eliminate administrative overhead costs.
Again, the Automox customer does incur expenses related to the geographically dispersed scenario because negative productivity costs stemming from poor network connections and issues affect both platform types equally. The cost estimates of $344,000 are related to incurred downtime using an average salary per employee and adjusted on an annualized basis (assumes $43 of labor expense per endpoint).
$360,000
$355,000
$350,000
$345,000
$340,000
$335,000Scenario 3 - Geographically Dispersed
Geographically Dispersed
$354,000
WSUS
$354,000
SCCM
$344,000
Automox
13
sponsored by
S C E N A R I O 4 : Cybersecurity Hygiene Focused Customers
Cybersecurity remains a critical element to any organization operating at scale due to the need to safeguard proprietary information and secure physical workspaces, digital infrastructure, and personnel. In this scenario, we model customers that place cybersecurity as a leading critical factor in their organization, where they strive to implement patches and software updates on a real-time basis to minimize risk. Cybersecurity hygiene focused customers are those companies that place safeguarding data at the forefront of their business and likely require its employees to use VPNs, utilize email scanning technologies, and educate staff to protect against phishing operations.
This scenario has a myriad of costs that factor into the patch management responsibilities ranging from incurred labor costs due to patch availability issues, additional time needed for manual policy management, and license costs for compliance suites.
Time spent on remediation to fix damages caused by successful exploitation from lapses in point-in-time security protocols (e.g., signatures, sandboxing, fuzzy fingerprinting) all add to fluctuating costs in hourly spend to correct. Depending on the severity of an event, costs may vary from only minimal, to the expensive mobilization of blue teams to respond to and control the incident.
Bad patches also serve as a leading reason many companies do not implement patches on a recurring basis: an overabundance of patches, the need to manually update, and the risk of disrupting internal systems and operations. When these bad patch incidents do occur, specialized IT staff is necessary to course-correct to update systems and respond to the needs of the organization, altogether creating a catch-22 of incurred costs adding to the reluctance to continually apply new patches.
Manual policy management introduces the chances of human error and is often slower than automated practices; however, manual work is sometimes needed based on the system architecture of a given organization (e.g. air-gapped networks).
External compliance suites often come with hefty license costs and require additional time from security practitioners to draft and distribute written policies, along with time spent tracking user acceptance, managing exceptions, and defining policy evidence.
14
sponsored by
Shadow IT enables companies with stringent IT policies to bypass security standards via workarounds to accomplish their goals. While this workaround yields increases in reactivity, shadow IT carries a host of drawbacks ranging from wasted time, inefficiencies, and a higher likelihood of data loss due to its hidden nature. One major drawback is that many organizations with shadow IT departments often hide their existence and many fail to successfully apply routine updates leaving organizations vulnerable.
Of all the analyzed scenarios, the cybersecurity hygiene focused customer will incur the greatest expenses at $2,352,200 for WSUS and SCCM and $1,821,100 for Automox. The difference between SaaS versus conventional patch management here stems from license fees and costs relating to manual policy management – these costs are $531,100 for WSUS and SCCM at 10,000 total endpoints whereas they remain at zero for Automox users.
Additionally, our analysis incorporates cybersecurity-related expenses to include manual labor associated with point-in-time changes and remediation, lost productivity due to availability issues, license fees, manual policy management labor (zero for Automox users), external compliance license, labor costs, and shadow IT impacts.
$2,500,000
$2,000,000
$1,500,000
$1,000,000
$500,000
$0
Cybersecurity Hygiene
Scenario 4 - Cybersecurity Hygiene
$2,352,200
WSUS
$2,352,200
SCCM
$1,821,100
Automox
15
sponsored by
S U M M A R Y
SaaS-based patch management has potential to substantially reduce costs
Overall, our analysis reveals that Automox was less expensive than legacy platforms in all four scenarios. The significant cost savings are most prevalent in scenarios where multiple OS are in use, or workforces consist of heavily virtualized or entirely remote-based staff.
As studied scenarios consisted of events with a high probability of occurrence, selecting a SaaS-based patch management solution over a legacy provider minimizes the risk of financial impact. While initial start-up costs and implementation fees appear higher than WSUS or SCCM, with SaaS-based solutions, the annual fixed costs and ability to minimize risk result in long-term savings.
$4,000,000
$3,500,000
$3,000,000
$2,500,000
$2,000,000
$1,000,000
$500,000
$-
Summarized Scenario Costs
WSUS SCCM Automox
Scenario 1 Unplanned
Remote Work
Scenario 2 Heavily
Virualized
Scenario 3Geo
Dispersed
Scenario 4Cybersecurity
Hygiene
Total Scenario
Costs
16
sponsored by
CO N C LU S I O N
Impact of a remote workforce on TCO
Automox delivers a cloud-native patch management platform. This means that there are no servers to buy, no software to manage, and no training to attend. This architectural model significantly improves the outcomes in terms of scalability and flexibility for customers. Network borders no longer present a major concern, and scaling is as simple as purchasing additional licensing.
As the requirements for policy management, automated controls, and native third-party patching shift from a single local to a geographically dispersed model, including remote workforces, it begins to stress the traditional architecture of patch management system capabilities.
With Automox, other factors that become less of an issue include extraneous equipment and connection requirements. If the users have a reliable internet connection, they can receive management commands.
A company attempting to scale a remote workforce using a solution such as SCCM would have to contend with VPN implementation, costs, and maintenance of those services, as well as the latency introduced by having users tethered to a single region. To mitigate this, a company might attempt to cluster or load balance across regions. This approach begins to significantly increase costs as the need for hardware, software, connections, and labor double and triple.
Simply put, a cloud-delivered solution such as Automox is the only viable, scalable, and cost-effective option for businesses needing to adapt their patch management strategy to the challenge of a remote workforce.
It’s Time to Invest in SaaS Patch Management Products
Microsoft’s WSUS and SCCM, and Automox each perform patch management, but have separate areas of strengths and capabilities. SCCM and Automox are the more robust options with extended feature sets and capabilities beyond simple patch management. For example, SCCM can aide in OS deployment, allow company resource access and desktop analytics whereas Automox delivers automated PowerShell and Bash scripting, role-based access control, a rich API across Windows, Mac, and Linux.
Microsoft WSUS provides minimal value and limited features and should not be considered as a primary tool for patch management unless a customer only has a small Windows server environment within a centralized locale. Even in this instance, a cloud-native platform provides extra features and capabilities at a cost comparable rate that is flexible and scalable for future growth and modern implementations.
Microsoft SCCM provides a comprehensive list of features but falls short in terms of scalability. While it can provide valuable system management tools and resources, the lack of a robust capability to scale geographically, as well as to meet the needs of the ever-increasing demands of a remote workforce, make it a less viable option in the current and future IT climate.
Automox provides a comparably inexpensive solution that exercises a greater capability to execute in all key areas for customers and works across PC, Mac, and Linux. The unique combination of features, future proof design, minimal maintenance and support, as well as the ability to patch remote devices or hybrid infrastructure are primary advantages. Customers seeking a high-value solution with peak return on investment (ROI) for cybersecurity hygiene and automated patch management should look no further than Automox.
17
sponsored by
A B O U T AU TO M OX
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
A B O U T S E D U LO
Sedulo Group is a full-service competitive strategy consultancy that specializes in fact-based research and consulting services. By uniquely combining a robust network of global sources, deep in-house subject matter expertise and a proven management consulting approach, Sedulo provides clients with fully validated competitive and market insights needed to outmaneuver their competition and outperform the market. Sedulo’s services support business activities such as the go-to-market strategy, product development and innovation, sales enablement, and M&A due diligence. To learn more about how Sedulo Group provides "Intelligence to Fuel Your Competitive Edge", visit https://sedulogroup.com/
