1. CA Options: Buy or Build, and Signed by Whom? Paul Caskey PKI Deployment Forum 2008

2. Things to consider: Costs Fixed  Acquisition  Facilities  Initial Implementation  Hardware Variable/Recurring  Licensing/Signing  Service/Software/Renewal  Support  Personnel  Audit

3. Things to consider: Personnel Quantity/Roles Skills Availability Retention

4. Things to consider: Uses What will you use your certs for? Are there regulations governing this use? Are there special requirements?

5. Benefits of a “buy” approach Certs are trusted by almost all software New technologies/services easily adopted Minimal staffing challenges Minimal infrastructure demands No audits No policy development/maintenance Formal SLAs

6. Risks of a “buy” approach Vendor problems  Service degradation  Barriers to switching  Price increases Reduced Flexibility  Cross-certification  Custom OIDs  Different attributes (“Subject Unique Identifier”)

7. An analysis: Assumptions (source: Chosen Security – www.chosensecurity.com) A 5,000 user implementation that remains constant over three years. A focus on client certificates only. There is an existing data center facility in place and one will not have to be built from scratch. The system needs to be both secure and available. A yearly external audit is required to maintain certification. Role separation as defined by Certificate Issuing and Management Components (CIMC) – from NIST

8. An analysis: Assumptions (cont) Security Level 3 Protection Profile (see Windows Server 2003 PKI and Certificate Security – Microsoft Press), consisting of one internal auditor, two PKI administrators and four operators need to be trained on the system, for a total of two FTEs. Redundant systems exist – two for the CA and two for the enrollment functions. Because of the security requirement, the enrollment and validation function is separated from the CA function, and the systems are separated by a firewall. There is a dedicated backup and monitoring function for the PKI environment. A pre-production system, with less redundancy which will be used for testing, also exists.

9. An Analysis: Year One DescriptionBuildBuy (Managed PKI) Setup FeeN/A$10,000 Software Cost$132,500N/A User Cost$32,400$145,000 Annual Hosting FeeN/A$45,000 Hardware-servers$60,000N/A Hardware-HSM$24,000N/A Data Center Setup$20,000N/A Data Center Rental$24,000N/A Personnel Cost$240,000N/A CA Audit$60,000N/A Root Signing$30,000N/A TOTAL: TOTAL:$622,900$200,000

10. An Analysis: Year Two DescriptionBuildBuy (Managed PKI) Annual Hosting FeeN/A$45,000 User Cost$5,400$145,000 Software Maintenance$22,400N/A Hardware Maintenance$10,000N/A HSM Maintenance$2,000N/A Data Center Rental$24,000N/A CA Audit$60,000N/A Personnel Cost$240,000N/A TOTAL: TOTAL:$363,800$190,000

11. An Analysis: Year Three DescriptionBuildBuy (Managed PKI) Annual Hosting FeeN/A$45,000 User Cost$5,400$145,000 Software Maintenance$22,400N/A Hardware Maintenance$10,000N/A HSM Maintenance$2,000N/A Data Center Rental$24,000N/A CA Audit$60,000N/A Personnel Cost$240,000N/A TOTAL: TOTAL:$363,800$190,000

12. An Analysis: 3 year total DescriptionBuildBuy (Managed PKI) Total Three Year Cost$1,350,500$580,000 Average Cost per User per Year$90.03$38.67 To be fair, Chosen Security, the vendor that published this analysis, did so to point out that their solution, called On- Demand PKI, meets the above scenario with a total 3-year cost of $259,600 ($17.31/user/year). The specifics were omitted since we use a Managed PKI solution.

13. Questions/Comments/Discussion?