If you're thinking of undertaking a public key infrastructure (PKI) project, you may want to first make sure you know your way around a spreadsheet.

Determining the cost of a PKI project can be almost as difficult as the implementation itself, judging from a session presented at the recent RSA Conference 2001 in San Francisco by Brad Hildreth, research director at Gartner Group. Yes, that's an exaggeration, but Hildreth really did display a spreadsheet at the show that was about six feet wide, listing variables for all known PKI vendors.

The point was there are a lot of variables to consider, many of which are "hidden" costs. On the other hand, Hildreth pointed out that the capital investment accounts for only 7% of the overall decision as to whether to implement a PKI. Categories like "Functionality" (24%) and "Trustworthiness" (21%) account for the lion's share of the Gartner decision tree. And once you decide to implement PKI, cost makes up only about 5% to 10% of your decision regarding a vendor. So, while determining PKI costs may be complicated, keep in mind that it's also a relatively small part of the overall project.

That said, part of what makes the process complicated is that while there aren't all that many actual components to a PKI, there are lots of costs associated with getting it all done right. Further, PKI vendors tend to price their wares differently, some per seat and some per digital certificate issued. It is especially difficult, Hildreth says, to compare PKI service providers to software providers.

"There is nothing else besides a total cost of ownership approach that can really give you a good comparison," Hildreth says.

To get started, Hildreth says to list the various "overt" costs, including:

  • Hardware, including costs for smart cards and readers, tokens or dongles, desktop machines to support Registration Authority (RA) software, a certificate authority (CA) server and a dedicated root CA server, validation server and timestamp server.
  • Software costs, including RA, CA, directory and software for integrating the PKI with applications.
  • License costs, including the cost of certificates for users (or per-seat costs), servers and code-signing, as well as for additional domains and administrators, if needed.
  • Maintenance fees.

Next come the hidden costs. It starts with staff to write the Certificate Practice Statement (CPS), which details how certificates are issued and managed. For example, what should happen if a smart card that holds a user's certificate is lost or stolen? Typically, legal staff has to be involved with IT and business management in writing the CPS. You can also buy or rent a CPS, Hildreth says, but still have to figure in the cost of customizing it.

Similarly, you will need staff to cross-certify your CA with any others with which you need to do business, as well as RA staff to manage certificate registrations, distributions, revocations, changes and more.

Expect your help desk costs to rise dramatically when the PKI is rolled out. Keep in mind that these costs don't scale well; you generally need the same ratio of help desk employees to end users, Hildreth says. And if you consider that maybe 20% of your employees currently forget their passwords each year, expect roughly the same percentage to forget the PIN required for PKI.

There are training and education costs all over, for end users and IT staff alike. Hildreth suggests investigating computer-based training for end users, which should run you about $5,000. Consider also any outside training that you may need for IT staff.

Facilities are another consideration. You need to be especially concerned about providing physical security for your root keys, CA and RA servers. The cost of providing such security will vary depending on what kind of facilities you already have.

If you've got only limited physical security, this could be a key reason to outsource, Hildreth says. In that case, you've got to ask, "Do you trust the environment that a PKI vendor has more than your own?"

To net out all the costs, Hildreth recommends using a spreadsheet. List in each row the various overt and hidden costs that you need to factor in. Across the columns, use the formula: quantity x price x years. Quantity is the number of servers, clients, people, classes, seats, certificates or whatever fits the given category. Price could be purchase or license cost, dollars per hour, per-person cost, seat fee, certificate fee or the like. For years, figure one for initial setup, where costs are generally higher, then x for ongoing, where x is however many years you are going to amortize the purchase, or the length of the contract.

The amortization period is a key differentiator between vendors and service providers. Hildreth notes that PKI service providers will try to get you to amortize over a low number of years; because their upfront costs are lower, they will look more attractive than a product vendor in that scenario. Conversely, if you amortize over a longer period, the product vendors generally come out looking more cost-effective.
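The spreadsheet model described above, worked through as an added example (not from the article or from Gartner): every row follows quantity x price x years with year one treated as setup and the remaining years as ongoing, and comparing the totals across amortization horizons reproduces the vendor-versus-service-provider crossover Hildreth describes. All line items, quantities and prices are constructed placeholders, not real quotes.

```python
"""Constructed PKI total-cost-of-ownership model (added example, not the article's)."""
from dataclasses import dataclass


@dataclass
class LineItem:
    name: str
    quantity: int          # servers, seats, certificates, staff hours, FTEs ...
    setup_price: float     # per-unit cost in the setup year (year one)
    ongoing_price: float   # per-unit cost in each following year

    def cost(self, years: int) -> float:
        # quantity x price x years, with year one as setup and the rest ongoing
        ongoing_years = max(years - 1, 0)
        return self.quantity * (self.setup_price + self.ongoing_price * ongoing_years)


def tco(items, years):
    """Total cost of ownership over an amortization horizon of `years`."""
    return sum(item.cost(years) for item in items)


# Constructed: product vendor, high upfront cost, lower ongoing cost.
PRODUCT_VENDOR = [
    LineItem("CA, root CA and validation servers", 3, 20_000, 2_000),
    LineItem("CA/RA software licenses plus maintenance", 1, 150_000, 30_000),
    LineItem("user certificates (per seat)", 5_000, 10, 10),
    LineItem("CPS drafting (legal and IT hours)", 400, 200, 0),
    LineItem("RA and help desk staff (FTE)", 3, 80_000, 80_000),
]

# Constructed: service provider, low upfront cost, higher per-seat ongoing cost.
SERVICE_PROVIDER = [
    LineItem("hosted CA/RA setup fee", 1, 40_000, 0),
    LineItem("user certificates (per seat)", 5_000, 50, 50),
    LineItem("CPS customization (hours)", 100, 200, 0),
    LineItem("help desk staff (FTE)", 2, 80_000, 80_000),
]


def cheaper_option(years):
    """Which option wins at a given amortization horizon."""
    product, service = tco(PRODUCT_VENDOR, years), tco(SERVICE_PROVIDER, years)
    return "product" if product < service else "service"


def crossover_year(max_years=15):
    """First horizon (in years) at which the product vendor becomes cheaper, if any."""
    return next((y for y in range(1, max_years + 1) if cheaper_option(y) == "product"), None)


if __name__ == "__main__":
    for y in range(1, 6):
        print(y, tco(PRODUCT_VENDOR, y), tco(SERVICE_PROVIDER, y), cheaper_option(y))
```

With these placeholder numbers the service provider wins on a one- or two-year horizon and the product vendor from year three on, which is why the amortization period chosen before the comparison matters so much.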

The number of end users also plays into the equation, however. When you hit about 200,000 users, it's probably cost-effective to bring the PKI in-house, Hildreth says.

It's important to assemble the spreadsheet prior to choosing a vendor, plugging in prices for each as appropriate, he says. It's also best to get per-seat pricing if you can. The alternative is to estimate your expected usage, which is a tougher chore. And remember to factor in all possible discounts, including things like negotiated maintenance fees.