Security vendors are in the business of making money, and they want to be compensated based on the value that they provide. They face challenges in calculating that value. Should they charge based on the volume of data processed? How about the number of security analysts that use the product? There is no simple answer to these questions, and you see this in the back and forth in licensing models over time within a single organization.
One approach that software vendors use is the number of accounts that are in Active Directory. Larger organizations should pay more, and they will typically have more accounts. However, if vendors try this approach, they discourage best practices.
The system administrators in your organization will typically each have between two and four accounts. They have their regular user account. Then they will have an administrative account. Some organizations separate the accounts further so that they have one account to manage Active Directory (their Domain Admin account), one account to administer file servers and applications, and one to manage workstations. This would be following the Tier Model of administrative access that is recommended by Microsoft in Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2.
If a security vendor wants to practice what it preaches, then it cannot penalize companies for improving their security. If a customer moves to the Tier Model for administrator access and adds tens of new accounts, they should not be penalized by being charged more money.
Vendors, please forget accounts and count the humans in the organization when calculating a fair price for your solution.