Yep, that's the sort of info I was after - non-sticker price costs :)
OK, several to six months FTE or mm. That feels about right.
I'm not sure about the outsourcing bit. What does it mean to preserve
your secrets in a HSM and then hand the HSM over to the care of someone
else... ? I'm not ruling it out, it's just that we seem to have a
strange confluence of contrary objectives :)
iang
On 11/04/12 00:12 AM, Von Welch wrote:
Ian,
I've led or been involved with several projects in academia that have used
HSMs as a basis for a CA. I can't say I've done a cost analysis at the level of
granularity you seem to be looking for, but I will say that at a high-level,
the added personnel costs of integrating and maintaining an HSM have been the
dominant factor in my experience.
I estimate several-to-six (depending on the experience of the staff)
additional FTE*months to understand the HSM (documentation always seems
lacking) and get it working with our security libraries (OpenSSL typically).
Maintenance is painful for a one-off since the HSM is this completely unique
hardware and software system sitting in one's infrastructure, so that is a
significant fraction of a person plus a small fraction of a second for backup
(vacations, continuity, etc.).
We did a second site redundant HSM-based CA once and it was a lengthy process
mainly due to the staff there having to come up to speed on the HSM, again
several FTE*months.
I try to avoid this now and in my most recent project we're outsourcing this
to a commercial vendor and it's my expectation the initial legal/policy issues
with that route will be less painful than the HSM technical issues and then
maintenance will be simpler.
Von
On Apr 10, 2012, at 2:26 AM, ianG wrote:
Does anyone have any estimates for the project cost of employing HSMs at a
single task? (e.g., protecting / deploying a single secret, not a network of
them.)
I'm not looking for sticker prices but project costings, including: spare
devices, programming, work-throughs and transfers, documentation, testing
recovery paths, training, maintenance contracts, upgrades, etc.
In comparison to the null project, not using them (e.g., using straight servers
in locked racks etc).
tia,
iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography