GlobalSign Blog

The hidden costs of running your customer's on-premise CA

Digital certificates provide an answer to a number of business security challenges – website security, email encryption, strong authentication…

As enterprises increasingly outsource security projects to experts, the task of building and maintaining Public Key Infrastructure (PKI) operations often falls on their IT provider. The general misconception that on-premise CAs are 'free' can lead System Integrators to take on the task unaware of the full cost implications.

Effort estimate

PKI projects are made up of a number of complex moving elements, and are often subject to regulations and best practices. There is more to an on-premise CA than meets the eye. In total, we estimate that a 5-year project takes 3 to 4 months to set up and costs around $500,000 to deploy and maintain. These figures can increase a great deal for extensive PKI projects, for example if public trust is also required.

So before quoting for a project, make sure to consider all these elements:

  • Software & Hardware Costs: The certificate issuance itself might be free, but operating systems, virtualization environments, CA servers, CRL/OCSP servers, Hardware Security Modules and load balancers all come at a cost.

  • Documentation: For any production-grade implementation, a number of documents need to be drafted, approved and maintained throughout the lifecycle of the project. A single change request means a full review.

  • Compliance: Knowledge of industry-specific regulations is critical, and Certificate Practice Statements and processes need to be implemented accordingly. This includes anything from physical building security to employee training.

  • Internal Resources: Multiple teams will need to be involved in CA operations (not just to set things up but also for maintenance and updates), so make sure to budget for all the man-hours: infrastructure team, cybersecurity experts, and technical support team to maintain the required SLAs...

Leveraging SaaS CAs to increase customer satisfaction

If you are an IT provider, you will be all too familiar with this: meeting project deadlines and budgets is your toughest challenge, but also the fastest way to secure returning customers.

Leaving PKI operations to an external Certificate Authority provides a faster go-to-market and removes the administrative and resource burden associated with maintaining an on-premise CA.

All four items listed above will be handled by the public CA, reducing the risk of data breaches and service disruption. Nowadays, a few CAs also offer Active Directory integration options, so you can deliver a PKI solution that ticks all the boxes.

Are you looking to reduce PKI deployment time and costs? Get in touch with us to learn more about the Auto Enrollment Gateway (AEG). AEG acts as a connector between GlobalSign’s SaaS certificate services and a corporate Active Directory environment to automate certificate registration and installation. Alternatively, watch our webinar for a detailed overview!

