Eeny meany miney moe… choosing the right Deep Security option

Written by Bryan Webster

One of the most frequent questions I hear from customers in the early stages of evaluating Trend Micro Deep Security for their workloads centers on how to run the Deep Security Manager. By the time I’m involved – to discuss network and security architecture and operations workflow – everyone is familiar with the three options for Deep Security (as a Service, AWS Marketplace AMI or software), but it’s not always clear which option is best. Sometimes I hear this question asked as a procurement problem (which way should I buy it?) and sometimes as a deployment problem (which one do I want to run?). I will explore this question from each perspective in two blogs. First, let’s explore this question as a procurement problem.

Which way should I buy Deep Security?

While the deployment model has a larger impact on architecture, I usually start with the procurement question because it is the simpler choice and may eliminate the need to discuss architecture implementation.

Deep Security as a Service 

Deep Security as a Service is a hosted implementation of the Deep Security Manager. It offers pay-as-you-go pricing for hourly usage of compute resources based on the size of the instance. For organizations with highly flexible or largely temporary workloads, Deep Security as a Service offers unparalleled flexibility to pay for what you use, as you use it. Many organizations like the idea of paying less to secure lighter workloads, in the same way they pay less for the workloads themselves, as it aligns with application delivery cost or chargeback to their [internal or external] customers. Deep Security as a Service also has an incredibly simple payment method – just charge to a credit card after your free trial. This last bit always strikes an exceptional chord with organizations dabbling in the cloud, developers running small side projects, Ops teams hiding from their CFO, or departments just plain going behind IT’s back to run their workloads. Lastly, because someone else is responsible for the database, compute, bandwidth and associated operational costs of maintaining the server infrastructure, there are no additional expenses and you can predict your security spend as accurately as your compute use is planned.

Deep Security on AWS Marketplace 

Available in the AWS Marketplace, Deep Security Manager can be purchased as an appliance (AMI) running on Amazon Linux. While pretty cool, you won’t care in the slightest as you watch an AMI deploy to your VPC then log into a web page to customize and complete your server configuration. A favorite of organizations with limited workload numbers and complicated procurement, the AWS Marketplace option is even easier than credit card payment, as your security spend shows up seamlessly on your AWS bill after your 30-day trial ends. If you’re jumping for joy at that last sentence, you’re probably in an organization where root canals are preferable to getting a new vendor approved, have cloud operations completely segmented from IT and limited staff to handle finances, or just love the easy way of including chargeback to departments or subscribers. As opposed to the as a service option, you will be responsible for MSSQL or Oracle database costs, bandwidth, and the time it takes someone to check in occasionally and see that all your precious assets are still protected.

Deep Security software

Traditional software purchase is, well, just that – traditional. Call up your favorite vendor, talk about licenses and bundles and volume (hopefully get a nice dinner), then cut a PO and wake up to a key in your inbox. After, you’ll need to stand up a database, provision boxes, then download and install the software, but let’s be real; if you’re still reading, you probably think that’s fun. I spend a lot of time with teams with very structured procurement processes, in which the labor of getting an exception far outweighs the benefit provided by credit card or direct AWS billing. Let’s also be super honest here; as much flexibility as may be afforded by application load in AWS, many of these workloads gain no benefit from elasticity, and are sitting around 24/7 doing exactly what they did in the traditional datacenter. Whether forklifted from a premise infrastructure or just not designed for / in need of variable compute resources, sometimes servers in the cloud look like servers in the next room, and sometimes it makes sense to license software for them the same way. Whether installing in AWS or on premise, the transition from checking out Deep Security in test to production can still be pretty smooth.

Of the 3 options, the traditional software purchase is the most likely to shorten conversations around procurement plans, mostly because it is the easiest for organizations for whom it is a fit to identify quickly: “Yup, that’s me!” Deep Security as a Service and AWS Marketplace AMI options tend to be more difficult colors for companies to paint themselves and lead to more design questions than the old school buy.

Stay tuned for part two of this post, where we will explore this question from the deployment perspective…

Or go to https://www.trendmicro.com/aws/features/#section-three for more info and to sign up for a free trial