Whether to take advantage of a third-party vendor or to develop public key infrastructure (PKI) within your own organization is a pretty tough question that doesn’t seem to have a clear-cut answer.  Each method has its own pros and cons that I’ll try to outline for you here, and there are a lot of factors that could go into this decision.

Some of the good points on sourcing a public key infrastructure through a third-party vendor could include:

  • Guarantees and service level agreements on uptime and availability of the infrastructure they are providing your organization.
  • Pricing is often based on volume where larger organizations can take advantage of better rates than organizations with smaller user populations.
  • The majority of companies out there providing this kind of service often have very thorough disaster recovery and business continuity plans that help to ensure that what you’re paying for is always available and remains as secure as possible.
  • These vendors can also supply key management services that are streamlined and efficient to help minimize the overhead costs associated with implementing and sustaining the program.

Bad points of using third-party vendors to implement PKI could include:

  • You’d have to trust an outside agency to handle a business area of your organization that, if compromised, could be very costly to your company.
  • You’ll
  • You’d most likely have to pay per-user fees.

Research seems to indicate that implementing a solution in-house can be far more costly up front than taking advantage of a third-party solution.  That being said, in the long run it may be less expensive, because the only ongoing costs associated with the project would be maintenance and sustainment.  Also keep in mind that if your company experiences heavy growth in personnel in the future, the cost of your PKI would not significantly change if managed in-house.  By implementing a PKI program yourself, you’d also maintain control of how the program is implemented and would not necessarily have to trust anyone outside of your company with something so integral to the overall security posture of your information and resources.

There have been a lot of studies on this particular question, and they do not all agree on a suggested implementation plan.  I suppose the questions that need to be seriously considered prior to making a decision would include:

  • Do we have the capital to invest in an in-house solution at this point in time?
  • Can we support the implementation of PKI, and do we have the expertise in-house to stand something like this up?
  • Are there vendors that can provide this service to us at a reasonable and affordable cost to our organization?
  • Do we expect the size of our employee population to increase or decrease significantly in the foreseeable future?

Of all of the good client/vendor relations I’ve seen, there seems to be one fundamental trait that each good relationship has had in common – the client knowing exactly what it wants in the short and long term. But how often do we run into clients that know EXACTLY what they want?  Most of the time, especially in the information security field, clients understand that they must be compliant, but they don’t necessarily understand how to get there.

So many times I’ve seen the vendor/client relationship fail because both sides were not on the same page at the onset of the partnership.  Almost universally, this has been the result of the client not having a clear and concise picture of what its business requirements are or what the ultimate goals of the partnership entail.

In some regards, one might expect the vendor to be flexible enough to adapt to whatever the client wants; in the world of contracting, however, this is not always the case.  It is sometimes extremely difficult to word a contract so that it gives clients and vendors the flexibility to adapt to changing requirements.  Having a heart-to-heart meeting of the minds during the contracting stages of the partnership can help to ensure that both sides understand the intentions and expectations of the other side.

If a client knows exactly what it wants, negotiating the deal can typically be executed rather seamlessly.  However, if the client is unsure of what is needed or desired, or if it lacks long-term foresight, the vendor should have a clear understanding of this fact up front, and a social contract (Google it) of some sort should be established.

Working through and establishing sound requirements based on the business needs of the client ultimately lends itself to successes for the vendor – and consequently the client as well.  Overall, the fundamental principle that propagates success is that of being open and honest up front so that both parties understand the intentions and ultimate goals of the agreement.

Vendors will continue to offer services and solutions to facilitate the day-to-day operations of businesses and organizations utilizing information technology.  It is important, however, that these vendors and the clients that seek their services understand the fundamental requirements of the agreement they are entering into.  It is crucial to the success of the relationship and to the outcome of the contract that both the client and the vendor are on the same page from the beginning.  If a client is unclear of exactly what it wants and chooses to rely on the vendor to tell it what it needs, that needs to be understood via a social contract.  Social contracts will go a long way in securing client/vendor relations; they help to ensure that both sides of the contract understand exactly what is being agreed to, and they ultimately provide sound footing for moving forward through the successful execution of the partnership.