It is often said that a given technology is not a panacea for all of your security problems. Security depends on layers of protections (some of which are non-technical) to ensure the failure of a given layer does not result in compromise. All-in-one (AiO), or unified threat management (UTM), products are often a very reasonable attempt to get all of your technical layers in a nice package.
One of the biggest benefits of all-in-one security software is the simplified management. A poorly managed security product probably doesn't help you much, and the management of several disparate technologies can be very time-consuming and specialized. Operational tasks such as monitoring hardware health, deploying software updates, examining the logs of security products, or deploying signature updates and configuration changes can be a huge effort. That effort is often under-scoped, in part due to the overpromises of salespeople. AiO products, in principle, greatly simplify management by giving you one vendor, one management console, and consistency of upgrades and logs.
If your AiO of choice is the result of a larger company acquiring smaller specialized companies and bundling them together, you may not get many of the expected gains of an all-in-one product, particularly if those technology acquisitions have been recent. The management applications may be separate (for example, the firewall is managed through one console and the antivirus is managed through a second). The various components may not interact at all, resulting in several point solutions that have been sold as an AiO.
On the other hand, the components can form an enormously powerful all-in-one security product if bundled together effectively. For example, a vulnerability scanner that is effectively bundled with a patch management system can eliminate much of the effort in reviewing scan reports since the system will be capable of automatically applying the necessary patches.
Now that I've discussed the benefits of AiO, let's consider the downsides. I've already mentioned that the AiO may be a hasty bundling of several disparate products with one common name. This gives you all of the marketing advantages of the AiO, complete with technology lock-in for each area, and few of the benefits of AiO.
The most obvious downside of AiO is the usually true cliché of "jack of all trades, master of none." The technology in a given area may not be a particularly good product compared to the others in the marketplace. In that case you're increasing risk by implementing a substandard product. However, this risk may be justifiable, especially if the breadth of the all-in-one security software is greater than what you can afford to implement using best-of-breed products.
AiO security products also put you in jeopardy of having a single point of failure. A failure of the management system can prevent access to all of your products, not just one. If the vendor is slow to respond to a new threat, then none of the bundled products may provide protection, whereas separate products may have a higher chance of offering at least partial protection.
Security is cost-effective risk management; you need to ensure the upfront and operational costs are justified by the gain from the product(s) used. If you have a choice between an AiO containing three substandard technologies and one best-of-breed technology, then you need to consider all of the factors I've mentioned as part of a cost/benefit solution.
Quantifying ROI in security is certainly tricky, but we don't need to do that here; just consider the comparative upfront and operational costs of the AiO and best-of-breed approaches in the context of the relative effectiveness of each product area. That almost sounds simple, doesn't it?
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.