CA Options: Buy or Build, and Signed by Whom? Paul Caskey PKI Deployment Forum 2008.


Things to consider: Costs

- Fixed
  - Acquisition
  - Facilities
  - Initial Implementation
  - Hardware
- Variable/Recurring
  - Licensing/Signing
  - Service/Software/Renewal
  - Support
  - Personnel
  - Audit

Things to consider: Personnel

- Quantity/Roles
- Skills
- Availability
- Retention

Things to consider: Uses

- What will you use your certs for?
- Are there regulations governing this use?
- Are there special requirements?

Benefits of a “buy” approach

- Certs are trusted by almost all software
- New technologies/services easily adopted
- Minimal staffing challenges
- Minimal infrastructure demands
- No audits
- No policy development/maintenance
- Formal SLAs

Risks of a “buy” approach

- Vendor problems
  - Service degradation
  - Barriers to switching
  - Price increases
- Reduced Flexibility
  - Cross-certification
  - Custom OIDs
  - Different attributes (“Subject Unique Identifier”)

An analysis: Assumptions (source: Chosen Security)

- A 5,000 user implementation that remains constant over three years.
- A focus on client certificates only.
- There is an existing data center facility in place and one will not have to be built from scratch.
- The system needs to be both secure and available.
- A yearly external audit is required to maintain certification.
- Role separation as defined by Certificate Issuing and Management Components (CIMC), from NIST

An analysis: Assumptions (cont)

- Security Level 3 Protection Profile (see Windows Server 2003 PKI and Certificate Security, Microsoft Press): one internal auditor, two PKI administrators and four operators need to be trained on the system, for a total of two FTEs.
- Redundant systems exist: two for the CA and two for the enrollment functions.
- Because of the security requirement, the enrollment and validation function is separated from the CA function, and the systems are separated by a firewall.
- There is a dedicated backup and monitoring function for the PKI environment.
- A pre-production system with less redundancy, which will be used for testing, also exists.

An Analysis: Year One

| Description | Build | Buy (Managed PKI) |
|---|---|---|
| Setup Fee | N/A | $10,000 |
| Software Cost | $132,500 | N/A |
| User Cost | $32,400 | $145,000 |
| Annual Hosting Fee | N/A | $45,000 |
| Hardware-servers | $60,000 | N/A |
| Hardware-HSM | $24,000 | N/A |
| Data Center Setup | $20,000 | N/A |
| Data Center Rental | $24,000 | N/A |
| Personnel Cost | $240,000 | N/A |
| CA Audit | $60,000 | N/A |
| Root Signing | $30,000 | N/A |
| TOTAL | $622,900 | $200,000 |

An Analysis: Year Two

| Description | Build | Buy (Managed PKI) |
|---|---|---|
| Annual Hosting Fee | N/A | $45,000 |
| User Cost | $5,400 | $145,000 |
| Software Maintenance | $22,400 | N/A |
| Hardware Maintenance | $10,000 | N/A |
| HSM Maintenance | $2,000 | N/A |
| Data Center Rental | $24,000 | N/A |
| CA Audit | $60,000 | N/A |
| Personnel Cost | $240,000 | N/A |
| TOTAL | $363,800 | $190,000 |

An Analysis: Year Three

| Description | Build | Buy (Managed PKI) |
|---|---|---|
| Annual Hosting Fee | N/A | $45,000 |
| User Cost | $5,400 | $145,000 |
| Software Maintenance | $22,400 | N/A |
| Hardware Maintenance | $10,000 | N/A |
| HSM Maintenance | $2,000 | N/A |
| Data Center Rental | $24,000 | N/A |
| CA Audit | $60,000 | N/A |
| Personnel Cost | $240,000 | N/A |
| TOTAL | $363,800 | $190,000 |

An Analysis: 3 year total

| Description | Build | Buy (Managed PKI) |
|---|---|---|
| Total Three Year Cost | $1,350,500 | $580,000 |
| Average Cost per User per Year | $90.03 | $38.67 |

To be fair, Chosen Security, the vendor that published this analysis, did so to point out that their solution, called On-Demand PKI, meets the above scenario with a total 3-year cost of $259,600 ($17.31/user/year). The specifics were omitted since we use a Managed PKI solution.

Questions/Comments/Discussion?