Microsoft Zero Trust TEI Study
DECEMBER 2021
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their
organizations. For more information, visit forrester.com/consulting.
© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on
the best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®,
Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other
trademarks are the property of their respective companies.
with outdated identity management solutions, inadequate device management controls, and insufficient visibility into their corporate networks. These limitations led to increased risks of data breaches, restrictive authentication policies that hurt the employee experience (EX), and challenges with onboarding new technology and employees.
Since the investment in implementing a Zero Trust architecture, the interviewees’ organizations have rolled out policies and technologies to improve their security postures, simplify security management, increase employee productivity, and enable greater business agility. Key results from these investments include reducing the risks of a data breach, improving the productivity of end users and IT, and improving security management processes.
KEY FINDINGS
Quantified benefits. Risk-adjusted present value (PV) quantified benefits include:
• Reduced spend from legacy software and infrastructure by over $7 million. The composite organization saves $20 per employee per month by eliminating now-redundant security solutions, including endpoint management, antivirus, and antimalware solutions.
Additionally, interviewees said their organizations could retire significant amounts of on-premises software and hardware, such as legacy IAM solutions. As the organizations continued to implement a Zero Trust architecture with Microsoft’s cloud-based products and services into their ecosystems, more opportunities to retire legacy solutions arose, which led to increased savings year over year.
• Accelerated the process to set up end users on new devices by 75%. Interviewees said they reduced the time required to set up end users on new devices by connecting apps to Microsoft Azure AD, enabling single sign-on (SSO) and multifactor authentication (MFA). Because setups are faster and more efficient, end users needed less help in the weeks following setup.
• Reduced the number of security and IAM-related help desk calls by 50%. Connecting applications to Azure AD for SSO and MFA makes it easier for users — especially remote workers — to access the applications they need; this reduces the number of submitted application support tickets.
In addition, the composite organization also experiences fewer false positive security alerts and faster cross-domain remediation, saving security teams time. In a related study, Forrester found that Microsoft Sentinel can reduce the number of false positives by 79%.2 And interviewees in another study said that when security incidents did occur, Microsoft Defender could automatically detect and remediate over 90% of security incidents, preventing the spread of a security attack.3
• Reduced the effort required to provision and secure new infrastructure by 80%. Interviewees said the management capabilities built into Microsoft solutions helped their organizations implement robust cloud governance strategies as part of their Zero Trust journeys. This involved standardizing workflows and automating routine tasks like provisioning and securing new resources.
The time required to provision new infrastructure went from taking several months to mere days. This not only allowed IT teams to support business users at the speed of business, but it also improved their organizations’ overall security postures.
• Reduced the resources required for audit and compliance management by 25%, saving $2 million. The built-in advanced audit and discovery capabilities, like those in the centralized Microsoft 365 compliance center, make it easier for security and compliance personnel in the composite organization to audit their environment and understand the policies they need to implement to comply with internal and external governance requirements.
Additionally, because the composite organization has consolidated under the Microsoft platform, its security team can enforce policies faster and more consistently with less effort than before.
• Increased the efficiency of security teams by 50%. Interviewees said Microsoft 365 Defender helped their organizations triage alerts, correlate additional threat signals, and take remediation actions. Additionally, migrating key security solutions to the cloud freed up time previously spent on system updates and other operational tasks.
of the networks also meant that the organizations experienced diminished financial losses when a breach did occur.
The interviewees said their organizations improved their security postures and mitigated the possibility of a data breach arising from compromised credentials, phishing attacks, cloud misconfigurations, compromised business emails, social engineering, vulnerabilities in third-party software, and malicious insiders. These initial attack vectors were responsible for 80% of the data breaches in 2021.4 By reducing the possibility and impact of a data breach from any one of these attack vectors, the interviewees’ organizations reduced the possibility of a data breach in general.
Recurring monthly charges also offer a cash-flow benefit over up-front licensing.
• Reducing the likelihood of regulatory fines. Implementing a Zero Trust architecture helps organizations adhere to a wide range of regulatory requirements and reduces the number of noncompliance penalties they could incur.
also quantified the additional costs associated with leveraging more of Microsoft’s solutions as part of the composite organization’s Zero Trust strategy.
• Ongoing management costs of $5.3 million. The composite organization dedicates internal resources to manage its Microsoft solution stack.
Interviewed Decision-Makers
Total Benefits
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Etr | Infrastructure management time savings | $233,280 | $794,880 | $794,880 | $1,823,040 | $1,466,203 |
| Htr | Improved security management | $1,406,250 | $1,577,813 | $1,755,675 | $4,739,738 | $3,901,451 |
• The productivity capture rate of knowledge workers is 50% because not all time savings translate into additional value-add work.
Risks. Forrester recognizes that end user productivity improvements may vary by organization depending on:
• Preexisting solutions and productivity benchmarks.
• The number of employees at an organization and average labor rates.
• Cultural and organizational change management barriers.
Results. To account for risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV of $2.2 million.
A3 Frontline worker average hourly salary TEI Standard $25 $25 $25
A4 Frontline worker annual time savings A1*A2*52 weeks *A3 $1,625,000 $3,250,000 $3,250,000
A8 Average hourly knowledge worker rate TEI Standard $32 $32 $32
B2 Per-user monthly security tools license cost Interviews $20 $20 $20
Bt Legacy software and infrastructure cost savings B1*B2*12 + B3 $2,700,000 $2,900,000 $3,400,000
C6 IT staff member fully loaded hourly salary Assumption $58 $58 $58
C7 End user fully loaded hourly salary Assumption $31 $32 $33
Ct Endpoint deployment and management time savings C8+C9 $1,479,911 $1,494,910 $1,509,909
D3 Annual tickets deflected due to Microsoft products D1*D2 20,000 32,000 40,000
D4 Reduction in ticket resolution time for remaining tickets Interviews 15% 15% 15%
Dt IT administration and help desk cost savings (D3*D5)+(D1*(1-D2)*D4*D5) $580,000 $784,000 $920,000
Dtr IT administration and help desk cost savings (risk-adjusted) $551,000 $744,800 $874,000
Interviewees said these changes had a dramatic effect on their organizations.
• The enterprise security architect in the energy industry said it previously took a month to provision new applications but that it now requires just a few hours.
• The executive director of information services in the healthcare industry said onboarding the systems of new acquisitions previously took three to four years but now requires less than one.
• The identity engineer in the manufacturing industry said: “[Using Microsoft security solutions] has allowed us to focus more on our future as opposed to worrying about infrastructure.”
Modeling and assumptions. Forrester assumes the following about the composite organization:
• Previously, new infrastructure provisioning requests could take up to a month to complete. But most of that time was inactive. Requests either sat in a queue or were delayed while business, security, or infrastructure teams clarified a request.
• Previously, the average infrastructure request was for 150 instances. Provisioning and securing one instance took 1.5 FTE hours.
• The composite organization can automate most of the tasks associated with deploying new instances, but IT team members still manually review new deployments to ensure everything is deployed properly. Additionally, unique requests require more manual effort.
• The composite organization acquires one organization during the three-year analysis period. The composite organization is able to completely integrate the acquired company’s systems in one year.
Risks. Forrester recognizes that infrastructure management time savings may vary by organization depending on:
• The frequency of new provisioning requests.
• Existing optimizations around automatically deploying and securing infrastructure.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV of $1.5 million.
E2 Infrastructure and Security FTE hours dedicated per new request Interviews 225 225 225
E4 Average infrastructure and security FTE hourly salary TEI Standard $60 $60 $60
• In a related Forrester study, the director at a manufacturing firm said Microsoft Secure Score reduced the time their organization needed to comply with the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR).8 Secure Score measures an organization’s security posture. The interviewee said: “[Microsoft 365] E5 really enhances our security capabilities. They’ve helped reduce the cost to perform our twice-yearly security audits by hundreds of thousands of dollars in internal labor and consulting costs.”
• Because Zero Trust requirements often exceed many compliance requirements, organizations may find that they already meet a new
• The increased visibility provided by consolidating under Microsoft allows the composite organization to create audit reports much more quickly than before.
• Because Zero Trust strategies often exceed other regulatory requirements, the composite organization needs to perform fewer system-wide changes to adhere to new regulatory requirements.
• FTEs who perform regulatory and compliance audits come from IT, legal, and business teams.
• The average fully burdened salary of an FTE is $120,000.
F2 Average audit and compliance FTE salary TEI Standard $126,000 $126,000 $126,000
Ft Improved regulatory audit and compliance management F1*F2*F3 $787,500 $945,000 $945,000
The interviewees simplified their IAM environments by consolidating under Azure AD. This eliminated the need to manage on-premises IAM infrastructure and reduced time spent on policy management and vendor management. IAM teams recognized further time savings due to a reduction in application downtime on Azure AD. Lastly, interviewees noted that it was easier and faster to provision/de-provision users.
• The principal architect for technical services in the logistics industry said: “Azure AD has definitely allowed us to become more agile. We can make changes on a dime. Whereas, with our legacy system, product changes were far more cumbersome and painful. … With our previous IAM solution, we often had to write custom code and update our IAM solution across multiple data centers [and] then troubleshoot any problems. With Azure AD, everything is handled by Microsoft. This has allowed us to free up some of our resources and dedicate them to migrating our remaining applications to Azure AD.”
• Several interviewees said their organizations had multiple IAM solutions across the cloud and on-premises environments. This substantially increased the complexity of and the effort to manage their environments.
• The identity engineer in the manufacturing industry said: “The MFA that Azure AD has is
The same interviewee said the efficiency gains their organization recognized by consolidating its IAM services onto Azure AD, and the reduction in required end-user support, will ultimately free up 33% to 50% of the time of their organization’s IAM team.
• In a related study on Microsoft 365 E5, the CDO of the restaurant chain explained the value Azure AD had on his organization: “Conditional Access has been great for our security team. Managing our users is much easier with Azure Active Directory Premium and Power Apps. We’ve been able to automate our provisioning and de-provisioning efforts, reducing the burden on our IT team considerably. [Before,] we had around 25 people working only on access management, [with Azure AD], we only have four or five people doing this work. Everyone else is now focused on other security activities.”10
• Additionally, in a separate study about securing apps with Azure AD, an information security services group professional noted: “It is a lot easier now. We don’t have to go provision those services one at a time and create a file share form and things of that nature. When a new hire’s account gets rolled out and synced to Azure AD, they get a license automatically assigned and those services are automatically provisioned for us.”11
Modeling and assumptions. Forrester assumes the following about the composite organization:
• The average annual salary of a full-time IAM analyst is $120,000.
• The time required to manage IAM systems continues to decrease as the composite organization fully migrates onto Azure AD and progresses through its Zero Trust journey. This reduces the overall number of IAM solutions in the composite organization’s environment and IAM teams no longer need to make system upgrades or create and manage custom code.
• The composite’s IAM team spends substantially less time provisioning and de-provisioning users by automating these tasks.
Risks. Forrester recognizes that improved identity and access management savings may vary by organization depending on:
• The size of the organization’s IAM team before beginning its Zero Trust journey.
• The average salary of the organization’s employees.
• The maturity of the organization’s Zero Trust journey.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV of $1.5 million.
Gtr Improved identity and access management (risk-adjusted) $405,000 $648,000 $810,000
• In a Forrester TEI study for Azure network security services, an enterprise infrastructure experienced several benefits from using Microsoft 365 E5.13 They said: “One [benefit] is the ease of identification and increased trust. I have more trust than before because I’m actually capturing more of the incidents. The resolution is much better as well, so the breaches are very limited, and it’s proven to be working very well.”
• In the same study, a director in the manufacturing industry articulated the risk of a security breach for their organization.14 “We found that we could lose $50 million a year if someone stole some of our proprietary information around some of the products we manufacture. We valued the reduced risk of a security breach due to adopting [Microsoft 365] E5 in the tens of millions of dollars a year, which was enough to justify our investment in E5 by itself.”
• Interviewees said their organizations prioritized securing their employees from phishing, ransomware, and other malware attacks because they were becoming increasingly sophisticated and prevalent, which increased the possibility of a serious data breach. Without tools to protect against these threats, the volume of attacks far exceeded what security teams could handle.
• The size of the organization’s security team at the beginning of its Zero Trust journey.
• The average cost of a data breach for the composite organization is $5.04 million.15
• The average likelihood that the composite organization has a data breach of 10,000 records or more is 29.6% over two years, or 14.8% per year.16
• By deploying Microsoft’s security tools, the composite organization reduces its risk exposure by 50%.
Risks. Data breach avoidance savings may vary by organization depending on:
• The average cost of a data breach for the organization.
• The inherent risk of a data breach.
• The extent to which the organization is able to improve its security posture and capabilities with Microsoft 365 E5.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV of $780,000.
I1 Average cost of data breach without Zero Trust Ponemon Institute $5,040,000 $5,040,000 $5,040,000
I2 Average cost of data breach with Zero Trust Ponemon Institute $4,380,000 $3,710,000 $3,495,000
Total Costs
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Jtr | Initial planning and implementation | $1,512,500 | $0 | $0 | $0 | $1,512,500 | $1,512,500 |
| Ltr | Ongoing management costs | $0 | $1,892,000 | $2,177,120 | $2,473,328 | $6,542,448 | $5,377,521 |
| Mtr | Additional network bandwidth investment | $0 | $164,850 | $164,850 | $164,850 | $494,550 | $409,958 |
• The composite organization dedicates 10 internal FTEs to develop its Zero Trust adoption roadmap.
• The composite organization’s roadmap prioritizes modernizing its IAM solutions and securing its devices to support hybrid working models. This involves migrating to Azure AD and MEM.
• The composite organization engages with both Microsoft and its partners to implement Azure AD and other key solutions for implementing Zero Trust (e.g., MEM, Microsoft 365 Defender, Azure network security services).
Risks. Initial implementation and planning costs will vary by organization depending on:
• The organization’s existing security stack and adherence to Zero Trust strategies.
• The size and scope of the initial deployment.
• The professional services consumed.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.5 million.
Evidence and data. Some interviewees said their organizations required additional bandwidth to support additional network traffic resulting from increasing their cloud environments. This increased the number of frontline workers who required access to the organization’s applications and created additional network demands on solutions from Microsoft.
• The organization’s existing bandwidth.
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV of $410,000.
Training Costs
Ref. Metric Source Initial Year 1 Year 2 Year 3
N1 Employees trained on Zero Trust features for the first time Assumption 10,000 1,500 1,500
N3 Average fully burdened FTE salary TEI Standard $30 $30 $30
$0
ROI 92%
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
RETURN ON INVESTMENT (ROI)
A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
DISCOUNT RATE
The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
PAYBACK PERIOD
The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.
1 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s
technology decision-making processes and assists vendors in communicating the value proposition of their
products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the
tangible value of IT initiatives to both senior management and other key business stakeholders.
2 Source: “The Total Economic Impact™ Of Microsoft Azure Sentinel,” a commissioned study conducted by
Forrester Consulting on behalf of Microsoft, November 2020.
3 Source: “The Total Economic Impact™ Of Microsoft 365 Enterprise E5,” a commissioned study conducted by
Forrester Consulting on behalf of Microsoft, December 2020.
4 Source: “Cost of a Data Breach Report 2021,” Ponemon Institute, July 2021.
5 Source: “Enhance EX With Zero Trust,” Forrester Research, Inc., July 13, 2020.
6 Source: “The Total Economic Impact™ Of Microsoft 365 Enterprise E5,” a commissioned study conducted by
Forrester Consulting on behalf of Microsoft, December 2020.
7 Ibid.
8 Ibid.
9 Source: “The Zero Trust eXtended (ZTX) Ecosystem,” Forrester Research, Inc., August 23, 2021.
10 Source: “The Total Economic Impact™ Of Microsoft 365 Enterprise E5,” a commissioned study conducted by
Forrester Consulting on behalf of Microsoft, December 2020.
11 Source: “The Total Economic Impact™ Of Securing Apps with Microsoft Azure Active Directory,” a commissioned
study conducted by Forrester Consulting on behalf of Microsoft, August 2020.
12 Source: “The Total Economic Impact™ Of Microsoft Azure Network Security,” a commissioned study conducted
by Forrester Consulting on behalf of Microsoft, October 2021.
13 Source: “The Total Economic Impact™ Of Microsoft 365 Enterprise E5,” a commissioned study conducted by
Forrester Consulting on behalf of Microsoft, December 2020.
14 Ibid.
15 Source: “Cost of a Data Breach Report 2021,” Ponemon Institute, July 2021.
16 Source: “Cost of a Data Breach Report 2019,” Ponemon Institute, July 2019.
17 Source: Forrester Analytics Global Business Technographics® Workforce Benchmark Survey, 2019.
18 Ibid.
A Zero Trust security model serves as a comprehensive cybersecurity strategy that extends across the entire digital
estate—inclusive of identities, endpoints, network, data, apps, and infrastructure.
The foundation of Zero Trust security is Identities. Both human and non-human identities need strong
authorization, connecting from either personal or corporate Endpoints with a compliant device.
Acting as unified policy enforcement, the Zero Trust Policy intercepts the request, explicitly verifies signals from all
six foundational elements based on policy configuration, and enforces least privileged access. In addition to
telemetry and state information, the risk assessment from threat protection feeds into the policy engine to
automatically respond to threats in real time. Policy is enforced at the time of access and continuously evaluated
throughout the session.
The telemetry and analytics feed into the Threat Protection system. The risk assessment feeds into the policy
engine for real-time automated threat protection, and additional manual investigation if needed.
Traffic filtering and segmentation are applied to the evaluation and enforcement from the Zero Trust policy before
access is granted to any public or private Network. Data classification, labeling, and encryption should be applied
to emails, documents, and structured data. Access to Apps should be adaptive, whether SaaS or on-premises.
Runtime control is applied to Infrastructure, with serverless, containers, IaaS, PaaS, and internal sites, with just-in-
time (JIT) and Version Controls actively engaged.
Finally, telemetry, analytics, and assessment from the Network, Data, Apps, and Infrastructure are fed back into the
Policy Optimization and Threat Protection systems.
To learn more about how Microsoft can help enable your Zero Trust strategy, visit aka.ms/zerotrust