Re: Time and labor commitment to stand up a PKI

[Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>]

I would reach out to Brian Komar (bkomar () komarconsulting com) as far as consultants in this area go - he knows this 
stuff inside out. He is the author of the Microsoft Press PKI book 
(http://www.microsoft.com/learning/en/us/book.aspx?id=9549&locale=en-us) and implementing this (both the technical side 
and crafting CPS and such) is what he does for a living. 

Thanks,
Brian Desmond
brian.desmond () morantechnology com

w - 312.625.1438 | c   - 312.731.3132

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary 
Flynn
Sent: Wednesday, June 13, 2012 1:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Time and labor commitment to stand up a PKI

Hi,

We've gone without a PKI a long time because every use
case that came up couldn't justify the outlay to stand
up a PKI and alternatives were always found. Sometimes
the concern over the operational costs and risks
associated with failures overrode the perceived benefits.

We're using Incommon for server certificates and plan
to use them for user and code signing certificates.
EFS certificates for the few places we implemented it
were created on an ad-hoc basis and manually backed up.

Once again, a use case has come up causing us to
revisit the decision for a campus PKI. This time to
support management of off-campus Windows computers
through Microsoft's Direct Access feature. We
currently manage almost all on-campus JMU owned
Windows computers using SCCM/SUP and Secunia and
would like to extend that to JMU owned computers
off-campus.

Given the Incommon services, I don't see a huge need
for something on campus other than to handle machine
certificates (for Direct Access and IPSEC) and
possibly to help distribute Incommon user certificates.
EFS and Bitlocker key management may enter the picture
too but they're not strategic encryption options at
this point. But maybe I'm missing something.

I'd like to get a feel from those of you who have
gone through this process of the time and labor
commitments necessary to:

1) Get up to speed on the intricacies of implementing
    and operating a PKI. Frankly, I find it daunting.
    Sure, we could copy others' CPS, bring one up, and
    have it operating fairly quickly. But the complexities
    of merging technologies with business policies in
    things like certificate contents and practices
    statements and the somewhat questionable
    compatibility and finish of various "standards" and
    products concerns me. I'm very worried about what
    we don't know and I want to make sure we do it right
    the first time.

2) Actual implementation time and personnel commitments.

3) Ongoing operating, maintenance, and support time and
    costs.

I'd also like to ask if you know of a consultant who
has actually gone through this process in a higher
education environment who helped you set up something
that lasted through subsequent changes in use cases,
policies, integrations, and product changes and that
you'd recommend to others.

We'd probably be implementing using the Microsoft
Certificate Services product due to pricing and
compatibility with the perceived primary use cases.

Thanks in advance for any advice.


-- 
Gary Flynn
Security Engineer
James Madison University