Digital Signatures and the Hidden Costs of PKI

Companies that have decided to implement digital signatures have several different solutions, each offering different value propositions. The following provides a brief overview of these options, which will be discussed in greater detail later in the paper.

• Managed PKI: Outsourcing the Solution – Outsourcing refers to a PKI solution that is owned and operated by a trusted third-party entity known as the Certificate Authority (CA). The CA assumes responsibility for setting policy, managing the technology and infrastructure, and owns the legal liability on behalf of the client. This approach does not require purchasing hardware or software. However, when factoring set-up fees per user license, annual renewal fees, and in-house IT support, the costs can be considerable.  
• Traditional PKI: Developing an In-House Solution – In-house implementation involves the acquisition of PKI software and hardware in order to deploy digital certificates. Full-time, dedicated staff is required to create, manage, and support the systems and users. Utilizing this approach allows the organization to control and customize their digital signature solution according to their needs and infrastructure. Implementing an in-house option, even if using free software can be the most costly approach to PKI technology. 
• Server Side Signing: An Off-the-Shelf Solution – A new concept in PKI technology, also known as Server Side Signing, leverages the existing infrastructure that is currently in place at a company. This approach involves deploying a centralized appliance installed on the company’s network that immediately works in sync with the company’s user directory. Rather than reinventing the wheel, this solution compliments the company's existing infrastructure. As far as costs are concerned, Server Side Signing involves the minimal purchase of hardware and per user license fees (roughly $63,000 for 1,000 users over a three-year period).

The decision to utilize a PKI solution is often based on a comparison of only the most obvious costs. These costs may include:

• Charges for client software
• Licenses 
• Hardware 
• Server software
• Installation

These are important factors to consider, but they are only a small part of the total cost of ownership (TCO) of digital signature solutions. It is equally important to compare not only the obvious one-time costs, but the recurring annual charges as well.

Table 1 shows the basic cost analysis per solution that must be taken into consideration when computing the TCO for each digital signature - PKI solution.

In the world of high tech, outsourcing is a popular solution. It is often considered an easy way to
allow your company to focus on its core business. There is no need to invest in hardware, software, or personnel. Therefore, the TCO seems to be relatively low.

The Certificate Authority (CA), the outsourcing company, owns the digital signature solution and is responsible for the physical facility, the processing facility, operations and maintenance, as well as the legal framework. The CA is also responsible for all legal and security issues, as well as for changes in technology. In addition, the outsourcing entity assumes the responsibility for setting policy, and managing the information technology. Even though the client company maintains control of certificate issuance, co-branding and management.  The major responsibility for maintenance, scalability, and policy management is left to the outsourcing company.

Outsourcing is faster to deploy than in-house PKI efforts as the infrastructure is already in place. Also, this option is a way to avoid initial money and manpower shortages, since it does not require heavy up-front investments in infrastructure or additional staffing. Since PKI technology is fairly complex, outsourcing is an attractive option for companies with low financial resources that lack technical expertise and ongoing IT support.

While a managed solution certainly has benefits, it can be very costly in the long run. Even though the initial costs are low, as seen in Table 1, the TCO can become prohibitive. In addition, there are fees for customization and upgrades.

Outsourcing companies charge annual renewal fees and service fees for ongoing support. After a few years, these annual fees can add up to more than the initial cost of implementing a traditional in-house system. Companies that employ a managed PKI solution rely on this second party - with its own schedule of priorities - to implement every change necessary, no matter how simple it may be.

Depending on the outsourcing company, a managed solution may provide a company's employees with either hardware or software tokens for signing purposes (e.g., tokens are required for deploying and managing signature keys and certificates). It should be assumed from the onset that some of these devices will be misplaced or destroyed as time passes. Lacking or replacing these devices lead to: 

• Logistics issues  
• Added costs
• Helpdesk support
• Loss of production time 

These are major factor to consider when deciding on a PKI solution.

Organizations also need to be aware of managed solution scenarios. They may find themselves locked into an agreement with a solution provider that has become so expensive (due to the initial investment in set-up fees, user licenses, etc.), that it becomes cost prohibitive to change the managed solution provider.

In conclusion, while delegating all of the digital signature technology to an outsourced company may seem enticing, as there is no significant upfront cost, the truth is that the total cost of ownership has no limit. Table 1 shows that costs can run up to $313,000 for just 100 employees and close to half a million dollars for 1000 employees.  

Most of the companies that choose to develop and implement a traditional in-house digital signature PKI solution, base their decision on the perceived merits of greater control, flexibility and lower costs over the long term. With Traditional PKI, the expectation is that the solution can be implemented using the existing IT personnel without any additional expenses.

An in-house PKI solution gives a company the flexibility to issue and revoke certificates quickly and implement policies that can be tailored to meet business needs. However, with this solution, all of the infrastructure and services, including legal liabilities, project management, and manpower resources become the responsibility of the company. This means that the company must assume total responsibility in several different areas:

• Setting policies  
• Managing the root keys
• Managing digital certificates
• Managing the private keys
• Maintaining the necessary audit logs to comply with government regulations

When determining the expenses associated with developing an in-house solution, the costs of creating a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) request (both are used to revoke a user's privilege for digital signing), must also be acknowledged. 

The company must also determine, implement, and document policies and practices that ensure PKI-standards are being enforced according to government regulations. In addition, it must also assume responsibility and risk for certificate issuance and authentication.

Furthermore, if a company chooses to invest in an in-house model, it must be prepared to continually make new investments in hardware upgrades to accommodate additional users. The company should also be prepared to repeatedly invest in software upgrades, as new versions of software are released.

Choosing an in-house PKI solution involves a major investment with several up-front costs. The first step is to choose the desired software. Many companies are enticed by the offer of "free" software, such as the Microsoft Certificate Server in Windows 2003. Although the software is "free", if you take into account the TCO and the total amount of resources needed, this option is no longer "free" (See the cost comparison chart).

According to Microsoft's own assessments for Managing a Windows Server 2003 Public Key Infrastructure, the initial set up effort demands 13 days (105.5 hours) of work. That's a tremendous amount of resources that need to be committed up-front for the solution, without even acknowledging the additional 90 days per year (720 hours) of ongoing operational tasks this
type of solution necessitates. In addition to the cost equivalents such a commitment of resources requires, a company that chooses a software package will often have to pay licensing fees as well. Moreover, hardware (dedicated servers) must also be purchased, in order to deploy digital certificates.

Once the hardware and software are purchased, it is essential to have experts in PKI technology, who are able to take responsibility for defining the company's certificate practices and policies for the creation and distribution of digital certificates. A dedicated IT staff will also be required. Building a digital signature PKI-based solution is a very complex process and implementing it requires a major investment in technical know-how. If the company does not have the required experts already on staff, then PKI consultants will need to be hired at the rate of approximately $2,500 per day.

Once the solution is up and running, there are additional expenses. The company is responsible for the physical plant, which includes:

• Security for the encryption keys 
• Back-up and disaster plans  
• All of the other incidentals that create a secure software environment

This is a critical issue. If the keys are not protected properly, it opens the door to forgery, and individuals from within or outside of the company may access the keys and use them to sign with the digital signatures of unsuspecting employees.

For companies that aren't experienced with handling the necessary commitments involved with in-house PKI solutions, this process can be extremely daunting, if not impractical. However, there is an upside to all of this investment. An in-house implementation, if done properly, may actually prove to be an excellent solution customized perfectly for a company's business. It can offer support for proprietary applications and services that an outsourced solution may not be willing to provide. This solution reduces the cost per user because it keeps the cost of issuing certificates low, since there is neither an original nor an annual license fee per user. An in-house solution offers a company total control, flexibility, and scalability of their solution.

Creating an in-house system is both expensive and complicated. According to the cost comparison in Table 1, minimum costs for 100 employees can be $1,630 per person. For a larger company with 1000 employees, these costs could run in excess of $491,750.00.