Upload
yannis-karadimas
View
219
Download
0
Embed Size (px)
Citation preview
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 1/10
whit ppr
Reducing complexityand total cost ofowneRship withVeRisign managed pKi
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 2/10
whit ppr
contents
1 IntroductIon
1 thecomplexItyofon-premIsepKI
2 uncoverIngthetruecostofon-premIsepKI
Wha if h SfWar iS fr?
2 comparIngamanagedpKIservIcetoanon-premIsesolutIon
aSSmiS
SfWar
ifraSrr
rSl
h Bm li
6 theBenefItsoftheverIsIgn®managedpKIservIce
7 conclusIon
7 glossary
8 learnmore
8 aBoutverIsIgn
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 3/10
whit ppr
1
itroductio
Whether it’s complying with mandates to protect sensitive
data, enabling trust in a business ecosystem, or securing
corporate digital assets against unauthorized access, enterprises
turn to public key infrastructure (PKI)-based solutions for
the highest levels of protection. Enterprises, government
organizations, and digitally connected communities recognize
PKI as the gold standard for highly secure and trusted
authentication, digital signatures, and encryption.
While cryptography is the core mechanism within PKI,
certicate issuance, management, and revocation need to be
properly established for relying parties to effectively enjoy
the benets of PKI. As such, not all PKI deployments are
the same. Some provide limited functions to support simple
applications like sending and receiving encrypted email
within an organization, while others deliver complex methods
of integrating physical and logical access to secure sites and
networks that protect matters of national security.
Regardless of the application, deploying and managing aPKI solution can be a complex undertaking. Unlike other
technology solutions, PKI has many moving parts that
go far beyond the software involved — from training to
policy development, from data center security to certicate
management. All the components that make up a robust,
secure PKI environment can add to the cost of implementing
PKI. These sometimes hidden or forgotten costs can be far
more substantial than the acquisition cost of the software.
This is particularly the case with on-premise PKI software,
implemented and maintained by the organization in its data
center. This white paper explores the hidden costs of PKI when implemented in house. It also shows how VeriSign®
Managed PKI is an extremely cost-effective alternative that
reduces the complexity of implementation while ensuring
trust and simplifying the goal of achieving authentication,
verication, integrity, and encryption for the most critical
enterprise applications.
th complxity of o-prmis pKi
Unlike other technology solutions, PKI requires far more than
the authentication software and the infrastructure to support
it. For organizations wanting to implement an on-premise
PKI, they will need dedicated, trained personnel to create,
manage, and support the infrastructure. They need highly
secure facilities, as well as robust policies and procedures, to
ensure that the keys used for certicates are protected. Anothe
consideration is the need for failover technology and a scalable
infrastructure to ensure continuous operation. Availability can
be a major concern because employees and partners who are
unable to validate their identities due to PKI unavailability
may be prevented from conducting business in a timely
manner.
Security of the root certicate and the certicate issuance
process is a critical issue enterprises must be prepared to
handle when implementing an on-premise PKI. Appropriately
high levels of security, background checks, procedures,
and more must be in place or the root certicate could be
compromised — at great risk to the enterprise. And shouldthe root certicate ever become compromised, all certicates
issued from the governing Certicate Authority (CA) are
compromised and their validity may be called into question —
jeopardizing the entire PKI trust hierarchy.
Most importantly, trust is the key building block of PKI. If
the enterprise wants to use its PKI to securely communicate
and transact business with third parties outside of the
organization, it needs a trusted, third-party CA as the root
certicate. Certicates issued by companies acting as their
own CA will most likely not be trusted by parties outside of
the organization, thereby requiring a separate, additional PKIinfrastructure using a trusted CA for business-to-business
communications.
Alternatively, two (or more) independent organizations could
create a cross-certication trust infrastructure. In which case,
one organization’s root CA hierarchy issues a subordinate CA
Reducing complexity and total costof owneRship with VeRisign managed pKi
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 4/10
whit ppr
2
certicate to a CA in the other organization’s CA hierarchy.Each of the participating members in the cross-certication
trust network could then work in an interoperable fashion.
However, the cost and effort to create the cross-certication
can be prohibitively expensive and time consuming.
ucovri th tru cost of
o-prmis pKi
When considering a PKI implementation, organizations
often focus on only the traditional solution costs such as
software licensing, hardware, and installation services. But
with PKI, there are a number of additional factors that
organizations need to consider when deciding whether to
implement PKI in house. In fact, software and hardware for
the PKI solution are often only a small component of the
overall cost of ownership for an on-premise PKI solution.
To create a scalable, reliable, and secure on-premise PKI,
companies need to carefully consider not only the acquisition
costs, but the ongoing costs, including:
Software acquisition and maintenance
Hardware and networking infrastructure
Secure facilities
Creation and auditing of policies and procedures
Management of the certicate lifecycle
Highly available validation (Certicate Revocation List(CRL)/Online Certicate Status Protocol (OCSP))infrastructure
End user support
IT training
Backup and disaster recovery
Scalability to support user and application growth
Wiswif?
While implementing the “free” PKI capabilities includedin some server operating systems (OSs) can appear to be a
low-cost PKI solution, the reality is that the hidden labor
and infrastructure costs still make this type of on-premise
solution an expensive undertaking.
With this do-it-yourself form of PKI, the onus is on the
enterprise to create the PKI infrastructure, customize it to
suit the needs of the organization, and maintain it. While
organizations assume that this can be achieved with existingIT personnel at no additional cost, often in-house personnel
lack the PKI expertise needed to effectively implement an
on-premise solution. In addition, enterprises must be prepared
to commit signicant IT resources to ongoing PKI support
requirements. Maintaining audit logs, creating a Certicate
Revocation List and other tasks are not trivial matters —
requiring trained, dedicated PKI personnel or costly external
consultants. Without serious consideration to these matters,
you could potentially undermine the strength of your “trust
anchor” and likewise the value of PKI.
compri md pKi srvic to o-prmis solutio
Alternatively, organizations can use a managed PKI service,
which delivers PKI capabilities on demand. A managed
service dramatically reduces the burden on the enterprise
while ensuring scalability and availability. Policies,
operational processes, and certicate management can be
handled by the service provider.
A managed service is also able to scale more easily to the
growing needs of the business. To scale an on-premise
solution, organizations often have to install separate instance
of the software, requiring more hardware, backup, disasterrecovery, and other infrastructure.
A managed PKI service drastically reduces the cost of
deploying PKI compared to an on-premise solution. To
illustrate this, let’s compare the VeriSign® Managed PKI
Service to an alternative on-premise PKI solution. We’ll look
at three major areas of cost that organizations incur when
deploying and using a PKI solution: software, infrastructure,
and personnel.
ai
The following cost analysis is based on a three-yeartimeframe, with one-time costs occurring in the rst year.
All amounts are in U.S. dollars and are based on publicly
available U.S. General Services Administration (GSA)
Advantage pricing. Professional services costs are based on
industry averages for comparable services. The number of
seats/certicates used in the analysis is 1,000 — representing
an average enterprise deployment.1
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 5/10
whit ppr
3
swTo deploy PKI into a production environment, for the
VeriSign Managed PKI Service, there is a one-time set-up
fee and then recurring fees for the service. Basic support
is included in the service fee.2 There are no license or
maintenance fees. With the on-premise solution, the
organization incurs the software license, maintenance, and
support fees.
Also included in the calculation are costs incurred to pilota solution before rolling it out to the broader organization
as well as disaster recovery costs. For VeriSign Managed
PKI, disaster recovery is included as part of the standard
Certication Practice Statement (CPS).
The table below shows that the on-premise software is
signicantly more expensive to acquire and deploy than the
managed service.
manage pKi seeta n
on-ee pKita n
one-te reng one-te reng
pn pn
account Set p fee $5,000.00 /a ra autoty $30,128.00 /a
annu mnged Sevce fee /a $20,000.00 Dgt iD $94,920.00 /a
annu e Set fee /a $31,000.00 ug-n appcton $16,190.00 /a
Suppot /a /a Suppot /a $24,858.00
sb-ta $5,000.00 $51,000.00 sb-ta $141,238.00 $24,858.00
p p
account Set p fee /a /a ra autoty $15,064.00 /a
annu mnged Sevce fee /a /a Dgt iD $1,187.00 /a
annu e Set fee /a /a ug-n appcton $202.00 /a
Suppot /a /a Suppot /a $2,896.00
sb-ta $0 $0 sb-ta $16,453.00 $2,896.00
dae ree dae ree
account Set p fee /a /a ra autoty /a /a
annu mnged Sevce fee /a /a Dgt iD /a /a
annu e Set fee /a /a ug-n appcton /a /a
Suppot /a /a Suppot /a /a
sb-ta / / sb-ta / /
sae ta $5,000.00 $51,000.00 sae ta $157,691.00 $27,754.00
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 6/10
whit ppr
4
IFor the infrastructure, all the costs are on the on-premise
side. The VeriSign Managed PKI Service does not require
any additional on-premise infrastructure, saving not only the
costs of acquiring and maintaining the infrastructure, but
the IT effort required to install and manage it.
The following costs represent fairly conservative guresfor the infrastructure and assume a highly secure facility is
already in place. Organizations without a secure building,
data center, or equipment access, will need to invest
additional funds to bring the facility to a higher security
level to protect the PKI system.
manage pKi seeta n
on-ee pKita n
one-te reng one-te reng
haae haae
Seves /a /a Seves (De) $8,800.00 $1,760.00
lod Bnce /a /a lod Bnce (foundy) $19,500.00 $3,900.00
yptogpc hdwe /a /ayptogpc hdwe
(Seet)$42,393.00 $6,359.00
sb-ta $0 $0 sb-ta $70,693.00 $12,019.00
sae sae
petng Syste lcenses /a /apetng Syste lcenses
(mcosot)$4,116.00 $823.00
autentcton, autoton,
& Bck p lcenses/a /a
autentcton, autoton,
& Bck p lcenses (Vous)$4,600.00 $920.00
Dectoy Seve lcense /a /aDectoy Seve lcense
(lDa)$2,000.00 $400.00
sb-ta $0 $0 sb-ta $10,716.00 $2,143.00
inae an ta $0 $0 inae an ta $81,409.00 $14,162.00
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 7/10
whit ppr
5
pPKI is a complex technology that requires knowledgeable
staff for on-premise solutions. IT personnel or consultants
will need to implement the required software and hardware
components, create and enforce policies and procedures,
manage the certicate lifecycle, create a disaster recovery
plan, and more.
The following cost comparison calculates the personnel costs
for deploying and managing a PKI solution. For the VeriSign
Managed PKI Service, organizations need only one, part-time administrator to manage use of the service, with no
training costs. Costs were calculated based on one-fourth of
a full-time employee's time, where the fully loaded cost for
an employee was $80k per year. No deployment, integration
or consulting costs are needed for the managed service.
As shown in the chart below, there is a signicant difference
in personnel costs for the on-premise solution, with very high
recurring costs as the ongoing IT burden remains high.
manage pKi see ta n on-ee pKi ta none-te reng one-te reng
pena see pena see
Depoyent (int
instton)/a /a
Depoyent (int
instton)$17,600.00 /a
Syste integton (Ki-
nbng appctons)/a /a
Syste integton (Ki-
nbng appctons)$16,000.00 /a
intenet Secuty onsutng
(Ki ocy)/a /a
intenet Secuty onsutng
(Ki ocy)$88,000.00 /a
se nan (pKi
na)
/ $20,000.00se nan (pKi
na)
/ $160,000.0
sb-ta $0 $20,000.00 sb-ta $121,600.00 $160,000.0
tanng tanng
adnstto ouse /a /a adnstto ouse $5,000.00 /a
Ki opeensve ouse /a /aSecuty mnge
opeensve ouse$7,500.00 /a
ookt ouse /a /aSecuty ookt o Jv
Deveopes ouse$7,500.00 /a
sb-ta $0 $0 sb-ta $20,000.00 $0
penne an ta $0 $20,000.00 penne an ta $141,600.00 $160,000.0
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 8/10
whit ppr
6
tBliIn terms of total acquisition and deployment costs across all
three major areas above, the on-premise solution comes in
at more than $580,000 compared to $76,000 for VeriSign
Managed PKI. Recurring costs were nearly three times
higher than those for the VeriSign Managed PKI Service.
Over three years, total costs for the on-premise solution were more than $980,000, averaging out to about $328,000
per year. For the VeriSign Managed PKI Service, the total
cost for three years was $218,000, which averages out to
slightly more than $72,000 per year.
manage pKi seeta n
on-ee pKita n
one-te reng one-te reng
Sotwe ot $5,000.00 $51,000.00 Sotwe ot $157,691.00 $27,754.00
esonne ot $0 $20,000.00 esonne ot $141,600.00 $160,000.0
instuctue ot $0 $0 instuctue ot $81,409.00 $14,162.00
totl costs $5,000.00 $71,000.00 totl costs $380,700.00 $201,916.00
th Bfits of th vrisi® md
pKi srvic
VeriSign® Managed PKI Service is a hosted solution
enabling complete management of digital certicates(issue, revoke, renew, escrow keys, view status, run reports)
for authentication, encryption and digital signing. With
VeriSign managed services, organizations can establish a
robust PKI and certicate authority (CA) system without
the cost and time-to-market burden of on-premise PKI
deployment.
Leading organizations, government agencies, and digitally
connected communities choose VeriSign Managed PKI
Service because it delivers:
Lower total cost of ownership. Organizationsdrastically reduce upfront capital investments andongoing IT personnel costs for PKI.
Fast deployment. VeriSign enables organizations todeploy PKI rapidly to employees, customers, businesspartners, Web services applications and network devices.
Seamless integration. VeriSign Managed PKIService can integrate into many organizations' existing
architecture without expensive custom programming.
Ease of use. VeriSign Managed PKI Service simpliesdeployment and enables enterprises to quickly and easily
manage large numbers of certicates, while offeringtransparency to end users.
Scalability and reliability. VeriSign’s trusted andreliable infrastructure scales to millions of users andexes to meet evolving business needs.
Market-leading. VeriSign’s time-tested policies andpractices have been proven effective across many industries and sizes of organizations. VeriSign ManagedPKI Service has helped thousands of organizations,including partners and companies such as Avaya Inc.,CertiPath LLC, and the U.S. Department of Educationto protect their online data, systems, and processes
against intrusion and business disruption. A trusted solution. VeriSign operates the longestrunning commercial PKI platform in the world and hasissued more than 103 million device certicates.
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 9/10
whit ppr
7
coclusioBy eliminating or reducing the high costs of the
infrastructure and IT personnel resources, a managed PKI
service enables enterprises to cost-effectively comply with
regulatory mandates, protect sensitive corporate data, and
communicate in a trusted way with external parties.
For more than a decade, VeriSign has been the trusted
provider of PKI services for all types of enterprises,
government organizations, and trusted communities. VeriSign
Managed PKI Service delivers the high level of protection
organizations need without the complexity, burden and cost
of an on-premise solution. With VeriSign, organizations nolonger have to decide between the high price of security
versus the high cost of a breach — they can implement PKI
for all their critical business transactions.
lossryCerticate Authority (CA) — A trusted party, authorized
to issue, revoke, or suspend digital certicates as part of a
Public Key Infrastructure (PKI).
Certicate Revocation List (CRL) — A periodically
issued list, digitally signed by a CA, of identied certicates
that have been revoked prior to their expiration dates. The
list generally indicates the CRL issuer’s name, the date of
issue, the date of the next scheduled CRL issue, the revoked
certicates’ serial numbers, and the specic times and reason
for revocation.
Certication Practices Statement (CPS) — A document
containing a statement that species the practices a CA or RA
employs in issuing certicates. This document is revised as
necessary by the CA.
Credential — A form factor that represents the digital
identity of an individual or entity. Trusted parties,
such as CAs, issue a form factor based on the level of
authentication required/performed on that individual or
entity. Digital certicates are a type of form factor and may
be combined with other form factors such as Tokens or
Hardware Security Modules.
Digital Certicate — A X.509 le, based on a public/
private key pair. This le binds the public key to identity
of the individual or entity. A digital certicate is used for
authentication, encryption, and digital signature purposes.
Digital Signature — A trusted and secure form of an
electronic signature, which provides veried user identity,
document integrity, time stamp, and non-repudiation of
signed electronic documents.
Key Generation — The trustworthy process for generating,
documenting, and storing public keys and private keys.
8/8/2019 Whitepaper Cost Effective Pki
http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 10/10
whit ppr
8
©2010 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, and other trademarks, service marks, and designs are registered or unregistered
trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.
00028649 05-10-10
Private Key — The mathematical key (kept secret by theholder) used to create digital signatures and decrypt messages
or les encrypted with the corresponding public key.
Public Key — The publicly available mathematical key that
is used to verify signatures created with its corresponding
private key. Depending on the algorithm, public keys are
also used to encrypt messages or les which can then be
decrypted with the corresponding private key.
Public Key Infrastructure (PKI) — An umbrella term used
to describe all the hardware, software, people, policies, and
procedures needed to create, manage, store, distribute, and
revoke a digital certicate.
Registration Authority (RA) — An entity approved
by a CA to assist entities in applying and/or revoking or
suspending certicates. The RA also approves applications for
certicates. An RA is not the agent of a certicate applicant,
and may not delegate the authority to approve certicate
applications to anyone other than authorized RAAs.
Registration Authority Administrator (RAA) — An
employee of an RA who is responsible for carrying out the
functions of an RA.
lr morFor more information about VeriSign® Managed PKI Services
please call 650-426-5310 or email:
Bout vrisi
VeriSign is the trusted provider of Internet infrastructure
services for the digital world. Billions of times each day,
companies and consumers rely on our Internet infrastructure
to communicate and conduct commerce with condence.
Vst us t www.VeSgn.co o oe noton.
1. Tis sample comparison is made available to you to independently evaluate the benets of implementing managed PKI and the
associated direct costs of managed PKI deployment, including customer care and solution-related costs. Tis sample comparison
is not intended to provide nancial or investment advice, and should not be relied upon as such. Te information presented is
only to highlight issues for your consideration. All scenarios are hypothetical and are for illustrative purposes only. Deployment/
investment decisions should not be based upon this sample comparison alone. Tere are no representations or warranties of any
kind, either express or implied. VeriSign cannot and does not guarantee results.
2. Premium support is available for additional charges.