CA Options: Buy or Build, and Signed by Whom?

Paul Caskey

PKI Deployment Forum 2008

Things to consider: Costs

• Fixed: Acquisition, Facilities, Initial Implementation, Hardware

• Variable/Recurring: Licensing/Signing Service/Software/Renewal, Support, Personnel, Audit

Things to consider: Personnel

• Quantity/Roles

• Skills

• Availability

• Retention

Things to consider: Uses

• What will you use your certs for?

• Are there regulations governing this use?

• Are there special requirements?

Benefits of a “buy” approach

• Certs are trusted by almost all software

• New technologies/services easily adopted

• Minimal staffing challenges

• Minimal infrastructure demands

• No audits

• No policy development/maintenance

• Formal SLAs

Risks of a “buy” approach

• Vendor problems: service degradation, barriers to switching, price increases

• Reduced flexibility: cross-certification, custom OIDs, different attributes (e.g. “Subject Unique Identifier”)
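The cross-certification and custom policy OIDs listed above are exactly the knobs a “build” CA gives you, and the Root Signing line in the year-one table is what paying an external root to sign yours buys. What follows is an added example, not part of the original slides and not any vendor’s product: an openssl script that builds a private two-tier CA, tags every issued certificate with a hypothetical policy OID (1.3.6.1.4.1.99999.1.1, an illustrative value in a private arc, not a real assignment), has a second “external” root cross-sign the internal root by signing the same CSR the internal root self-signed, and then checks that the same client certificate validates under either trust anchor, fails without the cross-certificate, and fails when a relying party demands a policy that was never asserted. All organisation and subject names are made up; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the original deck or any vendor): a "build" CA in
# miniature with a custom policy OID and an externally cross-signed root.
# Assumes openssl 1.1.1+ on PATH. All names and the OID are hypothetical.
set -eu

POLICY_OID="1.3.6.1.4.1.99999.1.1"   # illustrative private-arc OID, not a real assignment

# Extension profiles and a minimal req config, written into work dir $1.
write_profiles() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
  cat > "$1/root.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Used for both the issuing CA and the cross-certificate, so no pathlen:
  # a pathlen:0 cross-cert would forbid the issuing CA beneath it.
  cat > "$1/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
certificatePolicies = $POLICY_OID
EOF
  cat > "$1/leaf.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
certificatePolicies = $POLICY_OID
EOF
}

# P-256 key plus CSR named $2 with subject $3, in work dir $1.
mkreq() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -new -config "$1/req.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}

build_pki() {
  d=$1
  write_profiles "$d"
  mkreq "$d" internal-root "/O=Example University/CN=Example Internal Root"
  mkreq "$d" external-root "/O=Example Commercial CA/CN=Example External Root"
  mkreq "$d" issuing-ca    "/O=Example University/CN=Example Issuing CA"
  mkreq "$d" alice         "/O=Example University/CN=alice@example.edu"
  # Two self-signed roots: ours, and a stand-in for the commercial one.
  openssl x509 -req -in "$d/internal-root.csr" -signkey "$d/internal-root.key" \
    -days 3650 -set_serial 1 -extfile "$d/root.ext" -out "$d/internal-root.crt"
  openssl x509 -req -in "$d/external-root.csr" -signkey "$d/external-root.key" \
    -days 3650 -set_serial 1 -extfile "$d/root.ext" -out "$d/external-root.crt"
  # Issuing CA under our root, and a client certificate under it.
  openssl x509 -req -in "$d/issuing-ca.csr" -CA "$d/internal-root.crt" \
    -CAkey "$d/internal-root.key" -days 1825 -set_serial 2 \
    -extfile "$d/ca.ext" -out "$d/issuing-ca.crt"
  openssl x509 -req -in "$d/alice.csr" -CA "$d/issuing-ca.crt" \
    -CAkey "$d/issuing-ca.key" -days 365 -set_serial 1000 \
    -extfile "$d/leaf.ext" -out "$d/alice.crt"
  # Cross-certification: the external root signs the SAME CSR our root
  # self-signed (same subject, same key), yielding a second cert for our root.
  openssl x509 -req -in "$d/internal-root.csr" -CA "$d/external-root.crt" \
    -CAkey "$d/external-root.key" -days 1825 -set_serial 77 \
    -extfile "$d/ca.ext" -out "$d/internal-root.cross.crt"
}

# verify_chain DIR ANCHOR POLICY LEAF UNTRUSTED... : 0 iff LEAF chains to ANCHOR
# through the untrusted certs AND asserts POLICY (explicit policy required).
verify_chain() {
  vd=$1; anchor=$2; policy=$3; vleaf=$4; shift 4
  : > "$vd/untrusted.pem"
  for c in "$@"; do cat "$c" >> "$vd/untrusted.pem"; done
  openssl verify -CAfile "$anchor" -untrusted "$vd/untrusted.pem" \
    -policy "$policy" -explicit_policy "$vleaf" >/dev/null 2>&1
}

# Returns 0 only if all four outcomes are what a relying party should expect.
cross_sign_demo() {
  d=$(mktemp -d)
  build_pki "$d"
  ica="$d/issuing-ca.crt"; xc="$d/internal-root.cross.crt"; leaf="$d/alice.crt"
  # 1. Our own root as anchor: the plain "build" trust path.
  verify_chain "$d" "$d/internal-root.crt" "$POLICY_OID" "$leaf" "$ica" || return 1
  # 2. External root as anchor plus the cross-cert: same leaf, "bought" trust.
  verify_chain "$d" "$d/external-root.crt" "$POLICY_OID" "$leaf" "$ica" "$xc" || return 1
  # 3. External root without the cross-cert: no path, must fail.
  if verify_chain "$d" "$d/external-root.crt" "$POLICY_OID" "$leaf" "$ica"; then return 1; fi
  # 4. Relying party demands a policy we never asserted: must fail.
  if verify_chain "$d" "$d/internal-root.crt" "1.3.6.1.4.1.99999.1.2" "$leaf" "$ica"; then return 1; fi
  rm -rf "$d"
  echo "cross-signing demo: all four outcomes as expected"
}

cross_sign_demo
```

The point of reusing the internal root’s CSR for the cross-certificate is that relying parties who already trust the external root need nothing new installed: the cross-certificate travels with the chain, and the issuing CA’s authorityKeyIdentifier matches either certificate for the internal root because both carry the same key. A managed-PKI vendor decides whether and under which OIDs this is possible; with your own CA the policy OID and the cross-signing partner are your choice, which is the flexibility the slide above refers to.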

An analysis: Assumptions (source: Chosen Security – www.chosensecurity.com)

• A 5,000 user implementation that remains constant over three years.

• A focus on client certificates only.

• There is an existing data center facility in place and one will not have to be built from scratch.

• The system needs to be both secure and available.

• A yearly external audit is required to maintain certification.

• Role separation as defined in NIST’s Certificate Issuing and Management Components (CIMC) Protection Profile

An analysis: Assumptions (cont)

• CIMC Security Level 3 role separation (see Windows Server 2003 PKI and Certificate Security, Microsoft Press): one internal auditor, two PKI administrators and four operators must be trained on the system, for a total of two FTEs.

• Redundant systems exist – two for the CA and two for the enrollment functions.

• Because of the security requirement, the enrollment and validation function is separated from the CA function, and the systems are separated by a firewall.

• There is a dedicated backup and monitoring function for the PKI environment.

• A pre-production system, with less redundancy which will be used for testing, also exists.

An Analysis: Year One

Description          Build       Buy (Managed PKI)
Setup Fee            N/A         $10,000
Software Cost        $132,500    N/A
User Cost            $32,400     $145,000
Annual Hosting Fee   N/A         $45,000
Hardware-servers     $60,000     N/A
Hardware-HSM         $24,000     N/A
Data Center Setup    $20,000     N/A
Data Center Rental   $24,000     N/A
Personnel Cost       $240,000    N/A
CA Audit             $60,000     N/A
Root Signing         $30,000     N/A
TOTAL                $622,900    $200,000

An Analysis: Year Two

Description            Build       Buy (Managed PKI)
Annual Hosting Fee     N/A         $45,000
User Cost              $5,400      $145,000
Software Maintenance   $22,400     N/A
Hardware Maintenance   $10,000     N/A
HSM Maintenance        $2,000      N/A
Data Center Rental     $24,000     N/A
CA Audit               $60,000     N/A
Personnel Cost         $240,000    N/A
TOTAL                  $363,800    $190,000

An Analysis: Year Three

Description            Build       Buy (Managed PKI)
Annual Hosting Fee     N/A         $45,000
User Cost              $5,400      $145,000
Software Maintenance   $22,400     N/A
Hardware Maintenance   $10,000     N/A
HSM Maintenance        $2,000      N/A
Data Center Rental     $24,000     N/A
CA Audit               $60,000     N/A
Personnel Cost         $240,000    N/A
TOTAL                  $363,800    $190,000

An Analysis: 3 year total

Description                      Build        Buy (Managed PKI)
Total Three Year Cost            $1,350,500   $580,000
Average Cost per User per Year   $90.03       $38.67

To be fair, Chosen Security, the vendor that published this analysis, did so to point out that their solution, called On-Demand PKI, meets the above scenario with a total 3-year cost of $259,600 ($17.31/user/year). The specifics were omitted since we use a Managed PKI solution.

Questions/Comments/Discussion?