The Decision to Buy vs. Build Nicholas Davis PKI Project Manager
300 likes | 533 Views
The Decision to Buy vs. Build Nicholas Davis PKI Project Manager. Overview. History of PKI at UW-Madison UW-Madison IT environment Our PKI requirements Comparison of benefits we found in buy vs. build Our experience so far Integration with existing systems Critical success factors
The Decision to Buy vs. Build Nicholas Davis PKI Project Manager
E N D
Presentation Transcript
The Decision to Buy vs. BuildNicholas Davis PKI Project Manager
Overview • History of PKI at UW-Madison • UW-Madison IT environment • Our PKI requirements • Comparison of benefits we found in buy vs. build • Our experience so far • Integration with existing systems • Critical success factors • Summary of benefits • Future considerations • What we have learned • Questions and comments
History of PKI at UW-Madison • October 2000 Internet2 Public Key Infrastructure Lab established at UW-Madison. • 2001 Secure email pilot study
History of PKI at UW-Madison • 2002 Provided certificates to Shibboleth testing community and participated in Federal Bridge Pilot project
History of PKI at UW-Madison • 2004 Campus requirements gathering initiative • Spring 2005 RFI review • August 2005 Geotrust selected
How UW-Madison Differs From Peers • Faculty, Staff, Students • Highly decentralized • Public institution • Research driven environment
Core Requirements • Automated certificate delivery • Used for encryption, digital signing and potentially authentication • Off site key escrow • Transparency to end user • Global trust • Implementation within 6 months • Minimum “lock in” commitment
Up Front Development Costs • Gartner Group estimates that the average commercial PKI system costs $1 million to implement • 80% of PKI systems never get beyond “pilot” status • Our estimated first year costs are substantially less than this
Project Features • Time • Cost • Features • Quality
Time to Implement -- Build • To develop our desired feature set would require 2 full time programmers for 12 months • Cost of establishing sandbox, QA and production environments • Hardware acquisition: secure cage, network equipment, Certificate Authority, Registration Authority • CP and CPS statements would need to be written and reviewed by DoIT management and UW Legal • Estimated time to implement: 12 months
Time to Implement -- Buy • 1 FTE would be needed to act as Administrator • Upon completion of purchase contract, system would be immediately ready • No need to establish sandbox, and QA environments. • Estimated time to implement: 4 weeks
Projected costs for an aggressive PKI rollout schedule -- Build Year 1 system costs 5000 users ~$50,000 2 FTE (salary and benefits) ~$200,000 Total Year 1 costs: ~$250,000 Year 2 and beyond (annual costs) 5000 users ~$0 2 FTE (salary and benefits) ~$200,000 Total annual costs ~$200,000 10 year cost ~$2,050,000
Projected costs for an aggressive PKI rollout schedule -- Buy Year 1 System costs 5000 users ~$43,000 1 FTE (salary and benefits) ~$100,000 Total yearly costs = ~$143,000 Year 2 and beyond (annual costs) 5000 users ~$43,000 1 FTE (salary and benefits) ~$100,000 Total annual cost $143,000 10 year cost ~$1,430,000
Feature Set – Trusted Root -- Build Unsigned Root means distrust both within and outside our core universe
Feature Set – Trusted Root -- Buy Seamless trust let’s us play globally via the Equifax Secure eBusiness CA1
Feature Set – Key Escrow -- Build Logistical, financial and political issues with building true off site key escrow
Feature Set – Key Escrow -- Buy Keys are securely kept in Atlanta, GA
Feature Set – Distance Users -- Build Logistical issues with getting certificates to users who are geographically distant.
Feature Set – Distance Users -- Buy All the user needs is a web browser in order to get their certificate
Service -- Build • Supporting a PKI in house would require dedicated staff to work on monitoring system health constantly
Service -- Buy • True Credentials is constantly monitored, patched, upgraded and backed up by Geotrust at their operations center in Atlanta, GA
Our Experience So Far • Customers appreciate: • Automated certificate delivery • Trusted Root • Key Escrow • Uses: • Using certificates for digital signing • Using certificates for encrypted email
Integration With Existing Systems • Easily scalable – Load users in CSV format in batch • Public keys are exportable to LDAP and University White Pages • CRL is automated via True Credentials system • Third party software available for high assurance server authentication
Critical Success factors for the UW-Madison • A focus on the customer requirements is of pinnacle importance • Financial lifecycle modeling for both short and long term • Being careful not to reinvent the wheel simply for the sake of pride • Top down support from the CIO’s office
Summary Benefits of Buying • Lower upfront fixed costs • Lower 10 year costs • Faster road to implementation • Trusted Root • Off Site Key Escrow • Automated certificate delivery • UW-Madison common look and feel • No long term lock in
Future Considerations • The beneficial cost argument may change if our user population grows dramatically • Widespread adoption of the Federal Bridge may alter our reliance on a commercial pre-installed root
What We Have Learned • A certificate is a certificate • What matters most is what your organization does with the certificate once it is issued • The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance
What We Have Learned • The key to success in a decentralized environment lies in motivating your users, not obligating your users • Whether you choose to build or buy, remember to keep it simple for the customers • Don’t spend time on duplication of effort
Questions and Comments Nicholas Davis PKI Project Manager University of Wisconsin-Madison ndavis1@wisc.edu 608-262-3837 www.doit.wisc.edu/middleware/pki
