The Decision to Buy vs. Build
Nicholas Davis (UW-Madison)
Tom McDonnell (Geotrust)
Transcript of the slide deck "The Decision to Buy vs. Build"
/ca/eecert
Overview
• History of PKI at UW-Madison
• UW-Madison IT environment
• Our PKI requirements
• Comparison of benefits we found in buy vs. build
• Our experience so far
• Integration with existing systems
• Critical success factors
• Summary of benefits
• Future considerations
• What we have learned
• Questions and comments
History of PKI at UW-Madison
• October 2000 Internet2 Public Key Infrastructure Lab established at UW-Madison.
• 2001 Secure email pilot study
History of PKI at UW-Madison
• 2002 Provided certificates to Shibboleth testing community and participated in Federal Bridge Pilot project
History of PKI at UW-Madison
• 2004 Campus requirements gathering initiative
• Spring 2005 RFI review
• August 2005 Geotrust selected
How UW-Madison Differs From Peers
• Faculty, Staff, Students
• Highly decentralized
• Public institution
• Research driven environment
Why the UW-Madison is interested in PKI
• Threat of identity theft (strong 2-factor authentication)
• More university business conducted via web / extranets through the open community, across organizations
• Privacy of information (encryption)
• Authenticated communication (signing)
UW-Madison Critical Solution Requirements
• Ease of management
• Ready integration into existing systems
• Ease of adoption by end users
• Scalability, flexibility, cost of ownership, accreditations…
Core Requirements
• Automated certificate delivery
• Used for encryption, digital signing and potentially authentication
• Off site key escrow
• Transparency to end user
• Global trust
• Implementation within 6 months
• Minimum “lock in” commitment
Up Front Development Costs
• Gartner Group estimates that the average commercial PKI system costs $1 million to implement
• 80% of PKI systems never get beyond “pilot” status
• Our estimated first year costs are substantially less than this
Project Features
• Time
• Cost
• Features
• Quality
PKI Systems Under Consideration
• RFI solicited input from:
PKI Models Under Consideration
• In House (Commercial and Open Source)
• Co-managed
Time to Implement In House (Open Source)
• To develop our desired feature set would require 2 full time programmers for 12 months
• Cost of establishing sandbox, QA and production environments
• Hardware acquisition: secure cage, network equipment, Certificate Authority, Registration Authority
• CP and CPS statements would need to be written and reviewed by DoIT management and UW Legal
• Estimated time to implement: 12 months
Time to Implement In House (Commercial)
• 1 FTE would be needed to act as Administrator
• Need to establish sandbox and QA environments
• Design logical and physical security infrastructure for secure CA and offsite key escrow
• Purchase hardware, install software
• Develop policy, CP and CPS
• Estimated time to implement: 9 months
Time to Implement Co-Managed
• 1 FTE would be needed to act as Administrator
• Upon completion of purchase contract, system would be immediately ready
• No need to establish sandbox and QA environments
• Estimated time to implement: 4 weeks
Projected costs for an aggressive PKI rollout schedule
Build (Open Source)
Year 1 system costs
• 5000 users ~$50,000
• 2 FTE (salary and benefits) ~$200,000
• Total Year 1 costs: ~$250,000
Year 2 and beyond (annual costs)
• 5000 users ~$0
• 2 FTE (salary and benefits) ~$200,000
• Total annual costs ~$200,000
10 year cost ~$2,050,000
Projected costs for an aggressive PKI rollout schedule
Build (Commercial)
Year 1 system costs
• 5000 users ~$200,000
• 1 FTE (salary and benefits) ~$100,000
• Total Year 1 costs: ~$300,000
Year 2 and beyond ($40,000 maint.)
• 5000 users ~$0
• 1 FTE (salary and benefits) ~$100,000
• Upgrades and maintenance ~$5000
• Total annual costs ~$145,000
10 year cost ~$1,605,000
Projected costs for an aggressive PKI rollout schedule
Buy (Co-Managed)
Year 1 system costs
• 5000 users ~$43,000
• 1 FTE (salary and benefits) ~$100,000
• Total yearly costs = ~$143,000
Year 2 and beyond (annual contract)
• 5000 users ~$43,000
• 1 FTE (salary and benefits) ~$100,000
• Total annual cost ~$143,000
10 year cost ~$1,430,000
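The three cost slides are a lifecycle model: a year-1 figure plus nine more years of recurring cost. The script below is an added example (not part of the deck) that reproduces the slides' 10-year totals from their line items and then runs the head-count sensitivity that the "Future Considerations" slide raises. The per-user line items are assumed to scale linearly with head count and the FTE and maintenance figures are treated as fixed; that scaling model is an assumption of this example, not something the deck states, so the break-even it reports is illustrative only.

```python
"""Ten-year lifecycle cost model for the three PKI options in the deck.

Added example. The dollar figures are the slides' own (5000 users);
the linear per-user scaling used for the growth sensitivity is an
assumption of this example, not a statement from the deck.
"""
from dataclasses import dataclass
from typing import Optional

HORIZON_YEARS = 10
BASELINE_USERS = 5000          # head count the slides price


@dataclass(frozen=True)
class Option:
    name: str
    year1_user_cost: float     # slide figure for 5000 users in year 1
    annual_user_cost: float    # slide figure for 5000 users in years 2+
    annual_fte_cost: float     # FTE salary and benefits, every year
    annual_fixed: float = 0.0  # maintenance/upgrade line items, years 2+

    def year_cost(self, year: int, users: int = BASELINE_USERS) -> float:
        # Assumption: per-user items scale linearly with head count;
        # FTE and maintenance items do not scale.
        scale = users / BASELINE_USERS
        if year == 1:
            return self.year1_user_cost * scale + self.annual_fte_cost
        return (self.annual_user_cost * scale
                + self.annual_fte_cost + self.annual_fixed)

    def lifecycle_cost(self, years: int = HORIZON_YEARS,
                       users: int = BASELINE_USERS) -> float:
        return sum(self.year_cost(y, users) for y in range(1, years + 1))


# Line items exactly as the three cost slides give them.
OPTIONS = [
    Option("Build (Open Source)", 50_000, 0, 200_000),
    Option("Build (Commercial)", 200_000, 0, 100_000, 40_000 + 5_000),
    Option("Buy (Co-Managed)", 43_000, 43_000, 100_000),
]


def cheapest(users: int = BASELINE_USERS) -> str:
    """Name of the option with the lowest 10-year cost at this head count."""
    return min(OPTIONS, key=lambda o: o.lifecycle_cost(users=users)).name


def growth_breakeven(step: int = 100, limit: int = 50_000) -> Optional[int]:
    """Smallest head count (scanned in `step` increments) at which buying
    stops being the cheapest 10-year option under the scaling assumption."""
    for users in range(BASELINE_USERS, limit + 1, step):
        if cheapest(users) != "Buy (Co-Managed)":
            return users
    return None


if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.name:22s} year 1 ${opt.year_cost(1):>10,.0f}"
              f"  annual ${opt.year_cost(2):>10,.0f}"
              f"  10-year ${opt.lifecycle_cost():>12,.0f}")
    print("cheapest at 5000 users:", cheapest())
    print("buying stops being cheapest at about", growth_breakeven(), "users")
```

At the slides' 5000 users the model returns the deck's totals (~$2,050,000, ~$1,605,000, ~$1,430,000) and buying is cheapest; under the linear-scaling assumption the commercial in-house build overtakes it somewhere below 9,000 users, which is the kind of figure the "cost argument may change if our user population grows" remark asks the reader to watch.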
Annual Cost Summary
[Chart: annual cost ($0 to $400,000) over years 1 to 10 for Build In House Open Source, Build In House Commercial, and Buy Co-Managed]
10 year cost
[Chart: 10 year cost ($0 to $2,500,000) for Build In House Open Source, Build In House Commercial, and Buy Co-Managed]
Feature Set – No Trusted Root With Open Source
Unsigned Root means distrust both within and outside our core universe
Feature Set – Trusted Root -- Geotrust
Seamless trust lets us play globally via the Equifax Secure eBusiness CA1
Feature Set – Key Escrow -- Build
Logistical, financial and political issues with building true off site key escrow
Feature Set – Key Escrow – Co-Managed
Keys are securely kept in Atlanta, GA
Feature Set – Distance Users -- Build
Logistical issues with getting certificates to users who are geographically distant.
Feature Set – Distance Users – Co-Managed
All the user needs is a web browser in order to get their certificate
Service -- Build
• Supporting a PKI in house would require dedicated staff to work on monitoring system health constantly
Service – Co-Managed
• True Credentials is constantly monitored, patched, upgraded and backed up by Geotrust at their operations center in Atlanta, GA
Our Experience So Far
Customers appreciate:
• Automated certificate delivery
• Trusted Root
• Key Escrow
Uses:
• Using certificates for digital signing
• Using certificates for encrypted email
• Digital signing of mass email to campus
Integration With Existing Systems
• Easily scalable – Load users in CSV format in batch
• Public keys are exportable to LDAP and University White Pages
• CRL is automated via True Credentials system
• Third party software available for high assurance server authentication
Critical Success factors for the UW-Madison
• A focus on the customer requirements is of paramount importance
• Financial lifecycle modeling for both short and long term
• Being careful not to reinvent the wheel simply for the sake of pride
• Top down support from the CIO’s office
Summary Benefits of Buying
• Lower upfront fixed costs
• Lower 10 year costs
• Faster road to implementation
• Trusted Root
• Off Site Key Escrow
• Automated certificate delivery
• UW-Madison common look and feel
• No long term lock in
Future Considerations
• The beneficial cost argument may change if our user population grows dramatically
• Widespread adoption of the Federal Bridge may alter our reliance on a commercial pre-installed root
What We Have Learned
• A certificate is a certificate
• What matters most is what your organization does with the certificate once it is issued
• The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance
What We Have Learned
• The key to success in a decentralized environment lies in motivating your users, not obligating your users
• Whether you choose to build or buy, remember to keep it simple for the customers
• Don’t spend time on duplication of effort
Questions and Comments
Nicholas Davis, PKI Project, [email protected]
Thomas McDonnell, CISSP, Director of Sales, [email protected]
www.doit.wisc.edu/middleware/pki