Ian,

I've led or been involved with several projects in academia that have used HSMs as a basis for a CA. I can't say I've done a cost analysis at the level of granularity you seem to be looking for, but I will say that at a high level, the added personnel costs of integrating and maintaining an HSM have been the dominant factor in my experience.

I estimate several-to-six (depending on the experience of the staff) additional FTE*months to understand the HSM (documentation always seems lacking) and get it working with our security libraries (OpenSSL typically). Maintenance is painful for a one-off since the HSM is this completely unique hardware and software system sitting in one's infrastructure, so that is a significant fraction of a person plus a small fraction of a second for backup (vacations, continuity, etc.). We did a second site redundant HSM-based CA once and it was a lengthy process mainly due to the staff there having to come up to speed on the HSM, again several FTE*months.

I try to avoid this now, and in my most recent project we're outsourcing this to a commercial vendor, and it's my expectation the initial legal/policy issues with that route will be less painful than the HSM technical issues and then maintenance will be simpler.

Von

On Apr 10, 2012, at 2:26 AM, ianG wrote:

> Does anyone have any estimates for the project cost of employing HSMs at a
> single task? (e.g., protecting / deploying a single secret, not a network of
> them.)
>
> I'm not looking for sticker prices but project costings, including: spare
> devices, programming, work-throughs and transfers, documentation, testing
> recovery paths, training, maintenance contracts, upgrades, etc.
>
> In comparison to the null project, not using them (e.g., using straight
> servers in locked racks etc).
>
> tia,
>
> iang
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography