Things to consider: Costs
• Fixed: acquisition, facilities, initial implementation, hardware
• Variable/recurring: licensing (signing service, software, renewal), support personnel, audit
Things to consider: Uses
• What will you use your certs for?
• Are there regulations governing this use?
• Are there special requirements?
Benefits of a “buy” approach
• Certs are trusted by almost all software
• New technologies/services easily adopted
• Minimal staffing challenges
• Minimal infrastructure demands
• No CA audits to run yourself
• No CA policy (CP/CPS) development or maintenance
• Formal SLAs
Risks of a “buy” approach
• Vendor problems
  – Service degradation
  – Barriers to switching
  – Price increases
• Reduced flexibility
  – Cross-certification
  – Custom OIDs
  – Different attributes (e.g. “Subject Unique Identifier”)
An analysis: Assumptions (source: Chosen Security – www.chosensecurity.com)
• A 5,000 user implementation that remains constant over three years.
• A focus on client certificates only.
• There is an existing data center facility in place and one will not have to be built from scratch.
• The system needs to be both secure and available.
• A yearly external audit is required to maintain certification.
• Role separation as defined in the NIST Certificate Issuing and Management Components (CIMC) Protection Profile
An analysis: Assumptions (cont)
• Security Level 3 Protection Profile roles (see Windows Server 2003 PKI and Certificate Security – Microsoft Press): one internal auditor, two PKI administrators and four operators must be trained on the system, amounting to two FTEs in total.
• Redundant systems exist – two for the CA and two for the enrollment functions.
• Because of the security requirement, the enrollment and validation functions are separated from the CA function, and the two sets of systems are separated by a firewall.
• There is a dedicated backup and monitoring function for the PKI environment.
• A pre-production system with less redundancy, used for testing, also exists.
An Analysis: Year One
Description           Build       Buy (Managed PKI)
Setup Fee             N/A         $10,000
Software Cost         $132,500    N/A
User Cost             $32,400     $145,000
Annual Hosting Fee    N/A         $45,000
Hardware – servers    $60,000     N/A
Hardware – HSM        $24,000     N/A
Data Center Setup     $20,000     N/A
Data Center Rental    $24,000     N/A
Personnel Cost        $240,000    N/A
CA Audit              $60,000     N/A
Root Signing          $30,000     N/A
TOTAL                 $622,900    $200,000
An Analysis: Year Two
Description           Build       Buy (Managed PKI)
Annual Hosting Fee    N/A         $45,000
User Cost             $5,400      $145,000
Software Maintenance  $22,400     N/A
Hardware Maintenance  $10,000     N/A
HSM Maintenance       $2,000      N/A
Data Center Rental    $24,000     N/A
CA Audit              $60,000     N/A
Personnel Cost        $240,000    N/A
TOTAL                 $363,800    $190,000
An Analysis: Year Three
Description           Build       Buy (Managed PKI)
Annual Hosting Fee    N/A         $45,000
User Cost             $5,400      $145,000
Software Maintenance  $22,400     N/A
Hardware Maintenance  $10,000     N/A
HSM Maintenance       $2,000      N/A
Data Center Rental    $24,000     N/A
CA Audit              $60,000     N/A
Personnel Cost        $240,000    N/A
TOTAL                 $363,800    $190,000
An Analysis: 3 year total
Description                      Build         Buy (Managed PKI)
Total Three Year Cost            $1,350,500    $580,000
Average Cost per User per Year   $90.03        $38.67
(5,000 users over three years, i.e. 15,000 user-years)
To be fair, Chosen Security, the vendor that published this analysis, did so to point out that their own solution, called On-Demand PKI, meets the above scenario with a total three-year cost of $259,600 ($17.31/user/year). Those specifics are omitted here since we use a Managed PKI solution.