From: Tomas G. <to...@pr...> - 2012-07-17 11:02:47
Hi Hans,

Of course PrimeKey has extensive experience from many customer deployments. We have a "standard" setup that will install a redundant standard PKI with HSMs with approx 2 people in 2 weeks. After that there is one week of training for the operations staff, long term support and maintenance, etc etc.

The preparations before deployment can vary a lot depending on the specific requirements, policies etc. From almost 0 to months of preparations.

If the pure "standard" deployment suits you, you can get away rather cheap, say <100KEUR, including stuff like training.

On the other side of the spectrum we have installed many national id/ePassport PKIs, with high availability and high audit requirements, as well as integration with card/passport manufacturing processes. Such a project might go for something like 0.5-1MEUR, including training and first year's maintenance.

For a normal organization I would not recommend going with an "official" CA (i.e. recognized by browsers etc). The audit cost is very high (100s of KEUR), and there is usually no benefit for organizational usage. A self-signed environment is most common, and it does not have to be small.

From what you describe you might cope with something rather standard to start with, but it needs to be a rather serious base PKI that you can build on and extend as you go (requests from other departments). You could go for a "standard" redundant and audit-enabled PKI and then budget every year for integration and expansion costs as the PKI usage grows and more departments hook in. If you start with one CA and a few thousand certs, you may end up with 20 CAs and 20 million certs after 5 years of operations (all in one EJBCA installation of course). We have installations that have grown like that, and naturally the total cost is not a one-time cost, but a continuous operational cost that is spread out over an ever growing number of customers (internal to the organization).

I don't know what your expectations are on the organizational overhead, but many people get surprised by the PKI hardware costs when it comes to HSMs. If you have a professional installation with redundancy and (more than one) test environments, HSM costs alone easily get up to 50-100KEUR.

Cheers,
Tomas

On 07/16/2012 09:59 PM, Hans Witvliet wrote:
> On Mon, 2012-07-16 at 13:21 +0200, Tham Wickenberg wrote:
>> Hello,
>>
>> I agree with Martin but thought I would throw my two cents in there as well.
> Tnx, anything to avoid tunnelvision from my side is welcome..
>
>> First I would like to divide the problem into client side and CA side. The cost for the client side integration will largely be a function of what client software and systems you want to integrate with. I know very little about this side.
> Client side is dealt with for 100%
>
>> On the CA side I have more experience. In my experience the cost and time required for setting up and maintaining the CA is a function of the required:
>>
>> * Security/Trust
>> High security requires HSM, more personnel because of role separation, hardening, access control, physical security etc. Trust may require more documentation and audit depending on the relationship with relying parties. If a FIPS or Common Criteria certified CA is required that will limit your choices and possibly increase your cost in comparison to other alternatives.
>>
>> * Availability/Reliability
>> High availability/reliability costs more because you will need redundancy in staff and in components. You will need multiple CA-servers/Database Servers, perhaps multiple site setup etc. You will also want to have support from an integration specialist and/or software vendor if you require high availability.
>>
>> * Performance
>> Cost may rise if you need a high performance solution. You may see increased cost in terms of hardware and staffing needs if you have high volumes and performance requirements. Most small CA implementations are NOT performance intensive though. One issued certificate per second is 3600 issued certificates per hour ofc.
> Obviously, when asked to advise any software for ca/ra/crl/ocsp/etc ejbca will be my first choice, knowing the developers and some of their clients.
>
> I don't think that the costs of "the iron" will be significant, compared with other costs.
>
>> * Certificate Enrollment Process.
>> What your staffing needs are going to be are heavily dependent on how automated and distributed your enrollment process is. If you are enrolling a lot of users/machines you should automate it or expect a lot of manual labour. This cost will be more related to the card solution you choose and again is not my area.
>>
>> Due to differences in the above the time needed for setting up a CA will vary greatly from a one person - two weeks project to a four people - three months project. The effort for maintaining will vary from one person part time to many people full time.
>>
>> I have not discussed revocation and revocation information here, but I think it will be largely the same function as above.
>>
>> I realize this 'it depends' answer can be frustrating. I really can't be more precise than this without knowing more about the requirements, but I can tell you that if you score high on some of the requirements above it will probably not be very cheap.
>>
>> I hope this was a useful post, everyone is welcome to correct me or agree!
> Well, it becomes clear that in this phase I do not know enough customer requirements to present a real case.
> I'm confident that with ejbca it gives me all the functionality for a single machine for a tiny organisation towards clusters of HA-capable subfunctions for a medium sized company.
>
> I had a vague hope that someone might say:
> For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y months, for getting all procedures legally water-tight. Specially interfacing towards P&O-software XYZ was a real PITA.
>
> Or at the other end of the spectrum: "we tried it and you should just forget about it"
>
> Hans
>
> Ejbca-develop mailing list
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop