Educause Security Discussion mailing list archives
Re: Time and labor commitment to stand up a PKI
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Wed, 13 Jun 2012 18:22:11 +0000
I would reach out to Brian Komar (bkomar () komarconsulting com) as far as consultants in this area go - he knows this stuff inside out. He is the author of the Microsoft Press PKI book (http://www.microsoft.com/learning/en/us/book.aspx?id=9549&locale=en-us), and implementing this (both the technical side and crafting a CPS and such) is what he does for a living.

Thanks,
Brian Desmond
brian.desmond () morantechnology com
w - 312.625.1438 | c - 312.731.3132

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Wednesday, June 13, 2012 1:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Time and labor commitment to stand up a PKI

Hi,

We've gone without a PKI for a long time because every use case that came up couldn't justify the outlay to stand up a PKI, and alternatives were always found. Sometimes the concern over the operational costs and risks associated with failures overrode the perceived benefits. We're using InCommon for server certificates and plan to use them for user and code-signing certificates. EFS certificates for the few places we implemented it were created on an ad hoc basis and manually backed up.

Once again, a use case has come up causing us to revisit the decision for a campus PKI. This time it is to support management of off-campus Windows computers through Microsoft's DirectAccess feature. We currently manage almost all on-campus JMU-owned Windows computers using SCCM/SUP and Secunia and would like to extend that to JMU-owned computers off-campus.

Given the InCommon services, I don't see a huge need for something on campus other than to handle machine certificates (for DirectAccess and IPsec) and possibly to help distribute InCommon user certificates. EFS and BitLocker key management may enter the picture too, but they're not strategic encryption options at this point. But maybe I'm missing something.

I'd like to get a feel from those of you who have gone through this process of the time and labor commitments necessary to:

1) Get up to speed on the intricacies of implementing and operating a PKI. Frankly, I find it daunting. Sure, we could copy others' CPS, bring one up, and have it operating fairly quickly. But the complexities of merging technologies with business policies in things like certificate contents and practice statements, and the somewhat questionable compatibility and finish of various "standards" and products, concern me. I'm very worried about what we don't know, and I want to make sure we do it right the first time.

2) Actual implementation time and personnel commitments.

3) Ongoing operating, maintenance, and support time and costs.

I'd also like to ask if you know of a consultant who has actually gone through this process in a higher education environment, who helped you set up something that lasted through subsequent changes in use cases, policies, integrations, and product changes, and whom you'd recommend to others.

We'd probably be implementing using the Microsoft Certificate Services product due to pricing and compatibility with the perceived primary use cases.

Thanks in advance for any advice.

--
Gary Flynn
Security Engineer
James Madison University
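The campus-side piece Gary's message narrows the requirement to (an Active Directory Certificate Services CA issuing machine certificates to domain-joined Windows computers for DirectAccess and IPsec) looks roughly like the following. This is an added illustration by the editor, not code from either poster. It assumes a domain-joined Windows Server with the ADCS and GroupPolicy RSAT modules, a single-tier enterprise root CA, the built-in Workstation Authentication template (internal name "Workstation"), and placeholder names (JMU-ISSUING-CA, the GPO name, the OU distinguished name) that are illustrative only.

```powershell
# Added example: stand up an enterprise root CA and autoenroll machine certificates.
# Not from the original thread. Assumes a domain-joined Windows Server, the
# GroupPolicy RSAT module, and placeholder names (JMU-ISSUING-CA, the GPO name,
# the OU DN) that are illustrative, not real.

# 1. Install the CA role on the server (run as Enterprise Admin).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an enterprise root CA. A production design usually puts
#    an offline standalone root above an online enterprise issuing CA; a
#    single enterprise root is the smallest thing that satisfies the
#    DirectAccess/IPsec machine-certificate use case.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "JMU-ISSUING-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Publish the built-in Workstation Authentication template (internal name
#    "Workstation") so domain computers can request it from this CA.
certutil -SetCATemplates +Workstation

# 4. Turn on machine autoenrollment in a GPO linked to the computers' OU.
#    AEPolicy = 7 enables enrollment, renewal of expired certificates, and
#    template updates.
$gpo = "Machine Certificate Autoenrollment"
New-GPO -Name $gpo | Out-Null
Set-GPRegistryValue -Name $gpo `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName AEPolicy -Type DWord -Value 7 | Out-Null
New-GPLink -Name $gpo -Target "OU=Workstations,DC=example,DC=edu" | Out-Null

# 5. On a client: pull the policy, trigger an autoenrollment pulse, then verify
#    that a certificate issued by the CA with the Client Authentication EKU
#    landed in the machine store (this is what DirectAccess/IPsec will present).
gpupdate /target:computer /force
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=JMU-ISSUING-CA*" -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains "Client Authentication" } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

Step 5 is the check to run before pointing DirectAccess at the CA: if it returns nothing after `certutil -pulse`, the usual cause is the template ACL, since autoenrollment only fires when the computer account (typically via Domain Computers) has the Autoenroll permission on the template, which is normally granted on a duplicated copy of Workstation Authentication rather than on the built-in one. The single-tier root keeps the example short; it also means the root key is on an online, domain-joined box, which is the kind of design decision a CPS has to record and that an offline-root two-tier hierarchy avoids.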
Current thread:
- Time and labor commitment to stand up a PKI Gary Flynn (Jun 13)
- Re: Time and labor commitment to stand up a PKI Brian Desmond (Jun 13)
- Re: Time and labor commitment to stand up a PKI Gioia, Matthew P. (Jun 13)