Whitepaper Cost Effective Pki

8/8/2019 Whitepaper Cost Effective Pki

http://slidepdf.com/reader/full/whitepaper-cost-effective-pki 1/10

whit ppr

Reducing complexityand total cost ofowneRship withVeRisign managed pKi



whit ppr

contents

1 IntroductIon

1 thecomplexItyofon-premIsepKI

2 uncoverIngthetruecostofon-premIsepKI

Wha if h SfWar iS fr?

2 comparIngamanagedpKIservIcetoanon-premIsesolutIon

aSSmiS

SfWar

ifraSrr

rSl

h Bm li

6 theBenefItsoftheverIsIgn®managedpKIservIce

7 conclusIon

7 glossary

8 learnmore

8 aBoutverIsIgn



whit ppr

1

itroductio

Whether it’s complying with mandates to protect sensitive

data, enabling trust in a business ecosystem, or securing

corporate digital assets against unauthorized access, enterprises

turn to public key infrastructure (PKI)-based solutions for

the highest levels of protection. Enterprises, government

organizations, and digitally connected communities recognize

PKI as the gold standard for highly secure and trusted

authentication, digital signatures, and encryption.

While cryptography is the core mechanism within PKI,

certicate issuance, management, and revocation need to be

properly established for relying parties to effectively enjoy

the benets of PKI. As such, not all PKI deployments are

the same. Some provide limited functions to support simple

applications like sending and receiving encrypted email

within an organization, while others deliver complex methods

of integrating physical and logical access to secure sites and

networks that protect matters of national security.

Regardless of the application, deploying and managing aPKI solution can be a complex undertaking. Unlike other

technology solutions, PKI has many moving parts that

go far beyond the software involved — from training to

policy development, from data center security to certicate

management. All the components that make up a robust,

secure PKI environment can add to the cost of implementing

PKI. These sometimes hidden or forgotten costs can be far

more substantial than the acquisition cost of the software.

This is particularly the case with on-premise PKI software,

implemented and maintained by the organization in its data

center. This white paper explores the hidden costs of PKI when implemented in house. It also shows how VeriSign®

Managed PKI is an extremely cost-effective alternative that

reduces the complexity of implementation while ensuring

trust and simplifying the goal of achieving authentication,

verication, integrity, and encryption for the most critical

enterprise applications.

th complxity of o-prmis pKi

Unlike other technology solutions, PKI requires far more than

the authentication software and the infrastructure to support

it. For organizations wanting to implement an on-premise

PKI, they will need dedicated, trained personnel to create,

manage, and support the infrastructure. They need highly

secure facilities, as well as robust policies and procedures, to

ensure that the keys used for certicates are protected. Anothe

consideration is the need for failover technology and a scalable

infrastructure to ensure continuous operation. Availability can

be a major concern because employees and partners who are

unable to validate their identities due to PKI unavailability

may be prevented from conducting business in a timely

manner.

Security of the root certicate and the certicate issuance

process is a critical issue enterprises must be prepared to

handle when implementing an on-premise PKI. Appropriately

high levels of security, background checks, procedures,

and more must be in place or the root certicate could be

compromised — at great risk to the enterprise. And shouldthe root certicate ever become compromised, all certicates

issued from the governing Certicate Authority (CA) are

compromised and their validity may be called into question —

jeopardizing the entire PKI trust hierarchy.

Most importantly, trust is the key building block of PKI. If

the enterprise wants to use its PKI to securely communicate

and transact business with third parties outside of the

organization, it needs a trusted, third-party CA as the root

certicate. Certicates issued by companies acting as their

own CA will most likely not be trusted by parties outside of

the organization, thereby requiring a separate, additional PKIinfrastructure using a trusted CA for business-to-business

communications.

Alternatively, two (or more) independent organizations could

create a cross-certication trust infrastructure. In which case,

one organization’s root CA hierarchy issues a subordinate CA

Reducing complexity and total costof owneRship with VeRisign managed pKi



whit ppr

2

certicate to a CA in the other organization’s CA hierarchy.Each of the participating members in the cross-certication

trust network could then work in an interoperable fashion.

However, the cost and effort to create the cross-certication

can be prohibitively expensive and time consuming.

ucovri th tru cost of

o-prmis pKi

When considering a PKI implementation, organizations

often focus on only the traditional solution costs such as

software licensing, hardware, and installation services. But

with PKI, there are a number of additional factors that

organizations need to consider when deciding whether to

implement PKI in house. In fact, software and hardware for

the PKI solution are often only a small component of the

overall cost of ownership for an on-premise PKI solution.

To create a scalable, reliable, and secure on-premise PKI,

companies need to carefully consider not only the acquisition

costs, but the ongoing costs, including:

Software acquisition and maintenance

Hardware and networking infrastructure

Secure facilities

Creation and auditing of policies and procedures

Management of the certicate lifecycle

Highly available validation (Certicate Revocation List(CRL)/Online Certicate Status Protocol (OCSP))infrastructure

End user support

IT training

Backup and disaster recovery

Scalability to support user and application growth

Wiswif?

While implementing the “free” PKI capabilities includedin some server operating systems (OSs) can appear to be a

low-cost PKI solution, the reality is that the hidden labor

and infrastructure costs still make this type of on-premise

solution an expensive undertaking.

With this do-it-yourself form of PKI, the onus is on the

enterprise to create the PKI infrastructure, customize it to

suit the needs of the organization, and maintain it. While

organizations assume that this can be achieved with existingIT personnel at no additional cost, often in-house personnel

lack the PKI expertise needed to effectively implement an

on-premise solution. In addition, enterprises must be prepared

to commit signicant IT resources to ongoing PKI support

requirements. Maintaining audit logs, creating a Certicate

Revocation List and other tasks are not trivial matters —

requiring trained, dedicated PKI personnel or costly external

consultants. Without serious consideration to these matters,

you could potentially undermine the strength of your “trust

anchor” and likewise the value of PKI.

compri md pKi srvic to o-prmis solutio

Alternatively, organizations can use a managed PKI service,

which delivers PKI capabilities on demand. A managed

service dramatically reduces the burden on the enterprise

while ensuring scalability and availability. Policies,

operational processes, and certicate management can be

handled by the service provider.

A managed service is also able to scale more easily to the

growing needs of the business. To scale an on-premise

solution, organizations often have to install separate instance

of the software, requiring more hardware, backup, disasterrecovery, and other infrastructure.

A managed PKI service drastically reduces the cost of

deploying PKI compared to an on-premise solution. To

illustrate this, let’s compare the VeriSign® Managed PKI

Service to an alternative on-premise PKI solution. We’ll look

at three major areas of cost that organizations incur when

deploying and using a PKI solution: software, infrastructure,

and personnel.

ai

The following cost analysis is based on a three-yeartimeframe, with one-time costs occurring in the rst year.

All amounts are in U.S. dollars and are based on publicly

available U.S. General Services Administration (GSA)

Advantage pricing. Professional services costs are based on

industry averages for comparable services. The number of

seats/certicates used in the analysis is 1,000 — representing

an average enterprise deployment.1



whit ppr

3

swTo deploy PKI into a production environment, for the

VeriSign Managed PKI Service, there is a one-time set-up

fee and then recurring fees for the service. Basic support

is included in the service fee.2 There are no license or

maintenance fees. With the on-premise solution, the

organization incurs the software license, maintenance, and

support fees.

Also included in the calculation are costs incurred to pilota solution before rolling it out to the broader organization

as well as disaster recovery costs. For VeriSign Managed

PKI, disaster recovery is included as part of the standard

Certication Practice Statement (CPS).

The table below shows that the on-premise software is

signicantly more expensive to acquire and deploy than the

managed service.

manage pKi seeta n

on-ee pKita n

one-te reng one-te reng

pn pn

account Set p fee $5,000.00 /a ra autoty $30,128.00 /a

annu mnged Sevce fee /a $20,000.00 Dgt iD $94,920.00 /a

annu e Set fee /a $31,000.00 ug-n appcton $16,190.00 /a

Suppot /a /a Suppot /a $24,858.00

sb-ta $5,000.00 $51,000.00 sb-ta $141,238.00 $24,858.00

p p

account Set p fee /a /a ra autoty $15,064.00 /a

annu mnged Sevce fee /a /a Dgt iD $1,187.00 /a

annu e Set fee /a /a ug-n appcton $202.00 /a

Suppot /a /a Suppot /a $2,896.00

sb-ta $0 $0 sb-ta $16,453.00 $2,896.00

dae ree dae ree

account Set p fee /a /a ra autoty /a /a

annu mnged Sevce fee /a /a Dgt iD /a /a

annu e Set fee /a /a ug-n appcton /a /a

Suppot /a /a Suppot /a /a

sb-ta / / sb-ta / /

sae ta $5,000.00 $51,000.00 sae ta $157,691.00 $27,754.00



whit ppr

4

IFor the infrastructure, all the costs are on the on-premise

side. The VeriSign Managed PKI Service does not require

any additional on-premise infrastructure, saving not only the

costs of acquiring and maintaining the infrastructure, but

the IT effort required to install and manage it.

The following costs represent fairly conservative guresfor the infrastructure and assume a highly secure facility is

already in place. Organizations without a secure building,

data center, or equipment access, will need to invest

additional funds to bring the facility to a higher security

level to protect the PKI system.

manage pKi seeta n

on-ee pKita n


haae haae

Seves /a /a Seves (De) $8,800.00 $1,760.00

lod Bnce /a /a lod Bnce (foundy) $19,500.00 $3,900.00

yptogpc hdwe /a /ayptogpc hdwe

(Seet)$42,393.00 $6,359.00

sb-ta $0 $0 sb-ta $70,693.00 $12,019.00

sae sae

petng Syste lcenses /a /apetng Syste lcenses

(mcosot)$4,116.00 $823.00

autentcton, autoton,

& Bck p lcenses/a /a

autentcton, autoton,

& Bck p lcenses (Vous)$4,600.00 $920.00

Dectoy Seve lcense /a /aDectoy Seve lcense

(lDa)$2,000.00 $400.00

sb-ta $0 $0 sb-ta $10,716.00 $2,143.00

inae an ta $0 $0 inae an ta $81,409.00 $14,162.00



whit ppr

5

pPKI is a complex technology that requires knowledgeable

staff for on-premise solutions. IT personnel or consultants

will need to implement the required software and hardware

components, create and enforce policies and procedures,

manage the certicate lifecycle, create a disaster recovery

plan, and more.

The following cost comparison calculates the personnel costs

for deploying and managing a PKI solution. For the VeriSign

Managed PKI Service, organizations need only one, part-time administrator to manage use of the service, with no

training costs. Costs were calculated based on one-fourth of

a full-time employee's time, where the fully loaded cost for

an employee was $80k per year. No deployment, integration

or consulting costs are needed for the managed service.

As shown in the chart below, there is a signicant difference

in personnel costs for the on-premise solution, with very high

recurring costs as the ongoing IT burden remains high.

manage pKi see ta n on-ee pKi ta none-te reng one-te reng

pena see pena see

Depoyent (int

instton)/a /a

Depoyent (int

instton)$17,600.00 /a

Syste integton (Ki-

nbng appctons)/a /a

Syste integton (Ki-

nbng appctons)$16,000.00 /a

intenet Secuty onsutng

(Ki ocy)/a /a

intenet Secuty onsutng

(Ki ocy)$88,000.00 /a

se nan (pKi

na)

/ $20,000.00se nan (pKi

na)

/ $160,000.0

sb-ta $0 $20,000.00 sb-ta $121,600.00 $160,000.0

tanng tanng

adnstto ouse /a /a adnstto ouse $5,000.00 /a

Ki opeensve ouse /a /aSecuty mnge

opeensve ouse$7,500.00 /a

ookt ouse /a /aSecuty ookt o Jv

Deveopes ouse$7,500.00 /a

sb-ta $0 $0 sb-ta $20,000.00 $0

penne an ta $0 $20,000.00 penne an ta $141,600.00 $160,000.0



whit ppr

6

tBliIn terms of total acquisition and deployment costs across all

three major areas above, the on-premise solution comes in

at more than $580,000 compared to $76,000 for VeriSign

Managed PKI. Recurring costs were nearly three times

higher than those for the VeriSign Managed PKI Service.

Over three years, total costs for the on-premise solution were more than $980,000, averaging out to about $328,000

per year. For the VeriSign Managed PKI Service, the total

cost for three years was $218,000, which averages out to

slightly more than $72,000 per year.

manage pKi seeta n

on-ee pKita n


Sotwe ot $5,000.00 $51,000.00 Sotwe ot $157,691.00 $27,754.00

esonne ot $0 $20,000.00 esonne ot $141,600.00 $160,000.0

instuctue ot $0 $0 instuctue ot $81,409.00 $14,162.00

totl costs $5,000.00 $71,000.00 totl costs $380,700.00 $201,916.00

th Bfits of th vrisi® md

pKi srvic

VeriSign® Managed PKI Service is a hosted solution

enabling complete management of digital certicates(issue, revoke, renew, escrow keys, view status, run reports)

for authentication, encryption and digital signing. With

VeriSign managed services, organizations can establish a

robust PKI and certicate authority (CA) system without

the cost and time-to-market burden of on-premise PKI

deployment.

Leading organizations, government agencies, and digitally

connected communities choose VeriSign Managed PKI

Service because it delivers:

Lower total cost of ownership. Organizationsdrastically reduce upfront capital investments andongoing IT personnel costs for PKI.

Fast deployment. VeriSign enables organizations todeploy PKI rapidly to employees, customers, businesspartners, Web services applications and network devices.

Seamless integration. VeriSign Managed PKIService can integrate into many organizations' existing

architecture without expensive custom programming.

Ease of use. VeriSign Managed PKI Service simpliesdeployment and enables enterprises to quickly and easily

manage large numbers of certicates, while offeringtransparency to end users.

Scalability and reliability. VeriSign’s trusted andreliable infrastructure scales to millions of users andexes to meet evolving business needs.

Market-leading. VeriSign’s time-tested policies andpractices have been proven effective across many industries and sizes of organizations. VeriSign ManagedPKI Service has helped thousands of organizations,including partners and companies such as Avaya Inc.,CertiPath LLC, and the U.S. Department of Educationto protect their online data, systems, and processes

against intrusion and business disruption. A trusted solution. VeriSign operates the longestrunning commercial PKI platform in the world and hasissued more than 103 million device certicates.



whit ppr

7

coclusioBy eliminating or reducing the high costs of the

infrastructure and IT personnel resources, a managed PKI

service enables enterprises to cost-effectively comply with

regulatory mandates, protect sensitive corporate data, and

communicate in a trusted way with external parties.

For more than a decade, VeriSign has been the trusted

provider of PKI services for all types of enterprises,

government organizations, and trusted communities. VeriSign

Managed PKI Service delivers the high level of protection

organizations need without the complexity, burden and cost

of an on-premise solution. With VeriSign, organizations nolonger have to decide between the high price of security

versus the high cost of a breach — they can implement PKI

for all their critical business transactions.

lossryCerticate Authority (CA) — A trusted party, authorized

to issue, revoke, or suspend digital certicates as part of a

Public Key Infrastructure (PKI).

Certicate Revocation List (CRL) — A periodically

issued list, digitally signed by a CA, of identied certicates

that have been revoked prior to their expiration dates. The

list generally indicates the CRL issuer’s name, the date of

issue, the date of the next scheduled CRL issue, the revoked

certicates’ serial numbers, and the specic times and reason

for revocation.

Certication Practices Statement (CPS) — A document

containing a statement that species the practices a CA or RA

employs in issuing certicates. This document is revised as

necessary by the CA.

Credential — A form factor that represents the digital

identity of an individual or entity. Trusted parties,

such as CAs, issue a form factor based on the level of

authentication required/performed on that individual or

entity. Digital certicates are a type of form factor and may

be combined with other form factors such as Tokens or

Hardware Security Modules.

Digital Certicate — A X.509 le, based on a public/

private key pair. This le binds the public key to identity

of the individual or entity. A digital certicate is used for

authentication, encryption, and digital signature purposes.

Digital Signature — A trusted and secure form of an

electronic signature, which provides veried user identity,

document integrity, time stamp, and non-repudiation of

signed electronic documents.

Key Generation — The trustworthy process for generating,

documenting, and storing public keys and private keys.



whit ppr

8

©2010 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, and other trademarks, service marks, and designs are registered or unregistered

trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.

00028649 05-10-10

Private Key — The mathematical key (kept secret by theholder) used to create digital signatures and decrypt messages

or les encrypted with the corresponding public key.

Public Key — The publicly available mathematical key that

is used to verify signatures created with its corresponding

private key. Depending on the algorithm, public keys are

also used to encrypt messages or les which can then be

decrypted with the corresponding private key.

Public Key Infrastructure (PKI) — An umbrella term used

to describe all the hardware, software, people, policies, and

procedures needed to create, manage, store, distribute, and

revoke a digital certicate.

Registration Authority (RA) — An entity approved

by a CA to assist entities in applying and/or revoking or

suspending certicates. The RA also approves applications for

certicates. An RA is not the agent of a certicate applicant,

and may not delegate the authority to approve certicate

applications to anyone other than authorized RAAs.

Registration Authority Administrator (RAA) — An

employee of an RA who is responsible for carrying out the

functions of an RA.

lr morFor more information about VeriSign® Managed PKI Services

please call 650-426-5310 or email:

[email protected]

Bout vrisi

VeriSign is the trusted provider of Internet infrastructure

services for the digital world. Billions of times each day,

companies and consumers rely on our Internet infrastructure

to communicate and conduct commerce with condence.

Vst us t www.VeSgn.co o oe noton.

1. Tis sample comparison is made available to you to independently evaluate the benets of implementing managed PKI and the

associated direct costs of managed PKI deployment, including customer care and solution-related costs. Tis sample comparison

is not intended to provide nancial or investment advice, and should not be relied upon as such. Te information presented is

only to highlight issues for your consideration. All scenarios are hypothetical and are for illustrative purposes only. Deployment/

investment decisions should not be based upon this sample comparison alone. Tere are no representations or warranties of any

kind, either express or implied. VeriSign cannot and does not guarantee results.

2. Premium support is available for additional charges.

Documents

Whitepaper Cost Effective Pki