The Business Forum
An interesting White Paper I thought I would share with you
this month. ~ Jonathan Brody
The True Cost of Strong Authentication for SSL VPN Access
Cutting Costs with On-Demand VPN Authentication
As the global workforce becomes increasingly mobile and
virtual, more employees are accessing corporate resources from remote
locations. Companies need strategies to offer secure remote access, whether
to support telecommuting, mobile employees, remote offices or external
For many companies, Secure Sockets Layer (SSL) VPNs are
the answer to the remote access dilemma. Businesses can easily deploy
web-based clients for SSL VPNs, while limiting remote access to specific
applications. Because no complex client configuration is needed, SSL VPN
deployment is rapid and cost-effective.
However, the SSL VPN incurs an additional cost to the
business: strong authentication for access. Because security is typically
the driving factor for SSL adoption, access to the SSL VPN must itself be
protected. Relying on a password alone to protect accounts has been proven
to be ineffective, no matter how ‘strong’ you make your password policies.
Most businesses that depend on SSL VPNs to secure access to critical
resources also insist on strengthening authentication with a second factor.
The true price of an SSL VPN deployment includes the cost
of the strong authentication solution deployed along with the VPN, both in
upfront costs and operational costs over time.
Most organizations give their SSL VPN users a second
authentication factor using One Time Password (OTP) tokens. OTP token
solutions are available from a number of vendors. Most require enterprise
software deployment and ongoing management. Physical device management adds
another layer of complexity. The token deployment and management increases
the real Total Cost of Ownership of the SSL VPN effort considerably.
TriCipher offers an alternative: strong authentication
delivered completely as an on-demand service, without any enterprise
software or token hardware to manage. myOneLogin VPN Authentication is quick
to deploy and incurs a low, fixed subscription fee.
If you are contemplating an SSL VPN deployment or looking
for ways to expand SSL VPN usage and reduce token costs, you need to
carefully consider your options. This paper examines the total cost of
ownership for token solutions, using data from analysts, users and other
public sources. It also discusses and compares the total cost of OTP token
solutions with on-demand strong authentication using myOneLogin VPN
Calculating the True Costs of Tokens
In the sections that follow, we will analyze the total
cost of ownership for OTP token deployments. The different tasks and costs
are based on research from analysts and pricing information available from
major token vendors. Your specific costs will vary based on a number of
- The negotiated pricing you have arranged with a token vendor
- The behavior of your users
- Your help desk cost infrastructure
The final section of this paper points you to a TCO
calculator that you can personalize with your business’ actual costs. The
information below simply explains and categorizes the various upfront and
ongoing costs of tokens. For the example, we will use costs based on a
500-seat OTP token license.
Upfront token costs include:
Purchase cost: The purchase cost of the various
tokens can only be accurately defined by negotiations with the vendor, based
on the number of seats you need. The following figures should serve as rough
guidelines only, based on tokens for 500 users. The cost estimates include
software, server hardware, token hardware, per-seat licensing and
Entrust RSA Security
$44,453 $66,548 $265,699
On-boarding: On-boarding is the process of
registering and creating an account for a user for the token solution. You
can either outsource the on-boarding process to a service provider, or
handle the process internally through the Help Desk and manual efforts by an
administrator. Typical costs are:
Internal on-boarding: $85 per user
Token deployment: Deployment costs include storing
the token hardware, managing the inventory, shipping or distributing the
devices, and distributing PINs. Your costs may vary depending on the
shipping requirements. (If overnight shipping is required, expenses can be
Once the solution is deployed, you’re not done paying for
tokens. Users come and go. They lose tokens, leave them at home, or run them
through the washing machine.
Ongoing token management costs include token replacement,
temporary access, and token synchronization issues.
Token replacement: The world being an imperfect
place, some percentage of your tokens will need to be replaced on a regular
basis. How often depends on a number of variables, including:
- How many tokens are damaged or have
- Employee turnover and new hires
- Contractor usage and turnover
- Percentage of employees/contractors that return tokens
To determine your true token replacement costs, you need
to estimate values for these variables.
Employee turnover deserves a discussion. Theoretically,
when employees leave, they will return the token, which you can give to a
new employee replacing them. In practice, we find departing employees rarely
think to return tokens. Many businesses decide that recovering the token is
more costly and difficult than simply replacing it.
In our sample cost case, we will make the following
- 5% total replacement (including loss, damage and battery problems)
- 10% turnover among token users (which may include contractors)
- 75% of those that leave neglect to return their tokens
Given our pricing examples, we found that our typical
token installation for 500 users incurs a token replacement cost of $1,250
per year, which grows as the installed base of token users grows.
Temporary access: Users need to gain temporary access
to the SSL VPN when they do not have their OTP token devices with them, or
are in a location where they cannot use external token hardware.
The variables in determining the costs of temporary
Using a conservative estimate of $25 per help desk call
for temporary access and 1.8 calls per user per year, the total temporary
access cost for 500 users is $22,500 per year. This number can vary widely
based on users’ habits.
Token synchronization: Occasionally, tokens will
fall out of sync with the OTP server and the user login fails.
Time-synchronous tokens (such as RSA’s OTP tokens) can experience
synchronization problems due to temperature fluctuations (including being
run through the laundry). Event-based OTP tokens can fall out of sync if
the event button is pushed too many times (a young child gets the token, or
it presses up against something in a purse or pocket).
Unfortunately, troubleshooting and correcting a token
synchronization typically requires two Help Desk calls: one to the general
Help Desk about the login failure and another to an
OTP specialist that resynchronizes the token.
The variables to determine your costs here include:
Assuming a conservative 1% of tokens have synchronization
problems and the two Help Desk calls together cost your organization $45,
then the yearly cost of synchronization issues for a 500-token installation
Relying on tokens has other costs that are not easily
quantifiable. These are not included in our cost estimates, but may be
relevant to your business:
- Token provisioning can delay the project start for contractors or new employees.
- The cost and inconvenience of provisioning a contractor with a token may tempt
organizations to allow password-only access to SSL VPNs for short-term situations,
introducing a security exposure to the business as a whole.
- The token deployment is difficult to scale rapidly should your needs change
unexpectedly. For example, you may take on a large number of contractors for a
one-time project, or give remote access to more employees during a flu epidemic.
myOneLogin VPN Authentication: The On-Demand Alternative
myOneLogin VPN Authentication is an on-demand service
that adds a second authentication factor without the cost and inconvenience
of traditional token deployments.
Using myOneLogin VPN Authentication minimizes the
additional costs of strong authentication and speeds your SSL VPN
How it works
myOneLogin VPN Authentication uses TriCipher’s unified
authentication technology, which offers patented multi-factor authentication
using a variety of methods. myOneLogin VPN Authentication currently supports
the following authentication methods:
One part of the credential resides on the user’s computer,
the other part securely in the myOneLogin service. Both parts are necessary
for authentication. From the user’s perspective, the experience of
authenticating is as simple as providing a user ID and password. The
secondary factor exchange occurs in the background.
If the user is connecting from another device without the
secondary factor (such as a kiosk), they can gain a one-time authorization
by answering personalized security questions that they select during the
self-provisioning process, or by having a security key sent to a phone
number registered for that account.
You can choose how to integrate your directory information.
myOneLogin can validate passwords against your current corporate user store,
while validating the secondary authentication factor on the myOneLogin
service. Or, the myOneLogin service can maintain the user directory
information and validate both factors.
myOneLogin offers tight integration with Juniper Secure
Access SSL VPNs and Microsoft IAG 2007, using SAML federation standards.
With this tight integration, you can ensure that users only connect to the
SSL VPN with strong authentication. myOneLogin supports all other SSL VPNs
as well, but without the SAML integration capabilities it is more difficult
to ensure that users do not bypass the strong authentication service and
connect directly to the SSL VPN.
The cost of myOneLogin VPN Authentication is a simple and
straightforward $1 per user per month. Combining VPN Authentication with the
myOneLogin Secure Single Sign-On service creates a single portal for
connecting securely to your SSL VPN as well as web-based applications for
only $3 per month.
There are no upfront costs; deployment is quick and
simple. The only ongoing cost is the $1 per user per month (or $3 for the
broader single sign-on service). You do not need to purchase hardware or
Comparing Tokens and myOneLogin Costs
The first section of this paper used a sample
installation with 500 token users to illustrate the total cost of tokens.
Given the assumptions established in that section, the total token costs for
the various solutions are outlined in the table below.
Total upfront costs
Total annual ongoing costs
In contrast, the cost of myOneLogin for 500 users for one
year is a simple equation: $12 per year times 500 users, or $6,000 per year.
If you have a different number of users or want to adjust
the assumptions made about help desk costs or other factors, you can use an
interactive calculator at:
Use the Customize button, or click on the green
information buttons by the different fields, to examine the assumptions and
adjust the values for your specific business environment. You can adjust
most of the variables, including:
When you look at the calculator results, keep the
following in mind:
When calculating the true cost of an SSL VPN deployment
for your business, you must include the strong authentication technology
used to secure access through the SSL VPN. Traditional token solutions add
upfront cost and complexity to the SSL VPN deployment, and continue to incur
costs over time for token management, replacement and support. myOneLogin
VPN Authentication offers a cost-effective, on-demand alternative to OTP
tokens, without the implementation and ongoing management costs of tokens.
For a simple $12 per user per month, myOneLogin VPN is a fast and flexible
way to provide strong authentication to the SSL VPN. Because it is an
on-demand service, it is quick to implement and scale if your needs for
secure remote access grow.
is a Fellow of
The Business Forum Institute and
Vice President of Marketing at TriCipher
TriCipher, Inc. provides
Internet identity services to protect web and enterprise portals, the
people that use them and the business processes that flow through them
against fraud and identity theft. TriCipher myOneLogin™ is the first
secure, on-demand offering that delivers strong authentication, single
sign-on (SSO) and federation capabilities for web applications in a
single solution. The TriCipher Armored Credential System™ (TACS) is a
unified authentication system that enables companies to deploy and
manage multiple types of credentials from a single infrastructure.
Through this flexible “Authentication Ladder,” TriCipher protects
customer investment by adjusting authentication strength to defeat new
threats and to meet regulatory changes without the need to implement a
Before joining TriCipher,
Jon served as VP of Marketing for Sygate Technologies, Inc. and
President of VeriQ. Jon has a BA degree in Biology from Case
Copyright The Business Forum Institute 1982 - 2010 All rights reserved.