Even when business is booming, smart companies always have an eye on the bottom line. Security is not usually one of the first places companies look to trim expenses, but some IT professionals believe that they can easily lower costs by eliminating third-party Secure Sockets Layer (SSL) Certificate Authorities (CAs) from the budget equation.
Although spending money on SSL security for external facing sites – such as the company home page or e-commerce pages – still seems necessary, some IT professionals think that self-signed SSL certificates are an acceptable alternative for internal sites. They believe that, since only internal employees have access to servers that host internal-facing sites such as intranet portals and wikis, self-signed certificates provide adequate protection at practically no cost.
However, this kind of reasoning can backfire-badly. The total cost of ownership (TCO) of an SSL certificate is far more than just the price of the certificate. From security hardware, to management software, to data center space and more, the costs of establishing a secure self-signing architecture can quickly add up. Not only that, but a do-it-yourself approach to SSL security may put an organization at risk-from both technical and business perspectives-in a variety of ways.
This paper explores the true TCO for self-signed SSL certificates, including a side-by- side comparison of a self-signed architecture versus working with a third-party SSL vendor. Before a company decides to use self-signed certificates, these issues deserve careful consideration.
