A certificate authority is a requirement for many organizations, whether for customer-facing products or internal security protocols. One of the first decisions to make regarding a Public Key Infrastructure (PKI), of which the CA is just one piece, is where to host it: on premise or in the cloud?
Organizations that land on running their own in-house certificate authority often come to that decision via one of two routes:
- I can just build it with Active Directory Certificate Services (AD CS) myself since I already have a Microsoft environment.
- Our data is very confidential and we need to keep it in-house for privacy or compliance reasons.
Both are valid reasons for an on-premise certificate authority, but if you had the whole picture of the costs an inhouse CA will occur, you might be inclined to make a different choice. Using a managed private certificate authority can cost half as much as operating your own CA.
Don’t believe me? Here’s the breakdown.
Don’t believe me still? Globalsign says much the same thing here.
If you still need more convincing, here is Digicert’s cost comparison.
The results are in – managed cloud services are cheaper than on-premise services. That’s not the only factor to consider when deciding where to host your network infrastructure, of course. Security is paramount. However, considering the recent breach of SolarWinds’ ubiquitous on-premise software, more and more admins are coming to the realization that the cloud is safer than on-prem.
Why are On-Premise CAs More Expensive?
The reality is that there are few instances in which an organization only needs a certificate authority. More than once, our customers have told us that they started looking for a certificate authority solution but ended up needing an entire PKI.
With that in mind, the total cost of deploying an on-prem CA can increase by several orders of magnitude. Let’s look at some frequently overlooked costs of a CA (and PKI):
1. Employee Salary and Human Resources Required
The on-prem vs managed (or cloud) debate is often characterized as a balance between upfront and recurring costs – would you rather invest a lot in infrastructure now or pay a managed service provider a subscription cost over the course of years?
The reality is that the expertise and effort required to run a PKI, and indeed some high-volume CAs, is a full-time job. You should be comparing the subscription cost to the “true cost” of an employee – about 30% higher than their stated salary.
The vast majority of organizations will save money with a managed service over an in-house CA. Internal human resources requirements alone make the on-premise PKI vastly more expensive, but what about external HR?
Most organizations don’t have the experience required to set up, and manage a Public Key Infrastructure – it typically requires outside consultation and training. Even worse, organizations may feel the project is too costly for external resources, leaving a critical piece of security infrastructure unmanaged and at risk.
2. Certificate Management Solutions
AD CS has few features for managing the X.509 digital certificates that it produces, and any admin that has to provision more than a handful of certs at a time will find that managing them is almost more trouble than it’s worth.
The lack of quality-of-life features in the ubiquitous AD CS is partially responsible for the industry’s slow adoption of certificates. The frustration of dealing with the inadequate certificate management led many admins to compromise and use credential-based authentication methods, despite it being common knowledge that they are inferior.
Don’t make the same mistake. If you decide to go with an in-house certificate authority, either build or buy a proper certificate management solution. You need to be able to view and interact with certificates at any stage of the certificate lifecycle. Any blind spot in your network authentication is an unacceptable risk.
SecureW2 provides one of the industry’s most advanced certificate management solutions (CMS) with real-time reporting on your whole network from a robust, single pane management interface. Our #1 rated onboarding application makes certificate enrollment and distribution a breeze for both BYOD and MDM.
3. Overburdened IT
We have alluded to it already, but the cost of an in-house certificate authority is not just financial. It requires significant man-hours. Even after setup and deployment are complete, maintenance and support will continue to drain your resources.
It’s true that deploying certificate-based authentication can reduce your support ticket load by up to 50%, but that’s still a non-zero number. Few IT teams can claim to be eager for support tickets – so why not let someone else handle it?
SecureW2’s managed PKI service comes with white-glove support from start to finish. Even after we’ve successfully deployed the network, our expert technicians are on call 24/7 to help customers resolve issues and to provide troubleshooting help.
Shifting the burden of maintaining the PKI, or even just a CA, to an external team leaves you the free time (and money) to spend on projects that move the needle for your organization.
Consider a Managed Certificate Authority
There are certainly some valid scenarios in which a private, in-house CA is the best option. Massive enterprises or organizations with lots of user turnover that have to issue extraordinary numbers of certificates might find it cost-effective. Organizations that are protecting highly sensitive data might need an on-premise CA for compliance reasons.
However, the above organizations make up a tiny fraction of those who use certificate authorities. For almost everyone else, a managed cloud solution is both cheaper and more secure – it’s a no-brainer, really.
SecureW2’s managed certificate authority (and PKI) are totally vendor-neutral. We can integrate into your existing network infrastructure with no forklift upgrades, enabling certificate-based authentication with hardly any disruption at all. We have affordable options for organizations of all sizes, click here to see our pricing.
