So, you’ve decided to select a vendor solution for your enterprise key and certificate management. You’ve made a wise decision—manual tracking methods or limited internal scripts cannot effectively manage and secure the number of keys and certificates in an average enterprise. But to get the most out of your investment dollars and to ensure that the vendor solution you choose will meet your needs now and in the future, you need to create a clear and comprehensive request for proposal (RFP).
An RFP is a formal statement of your requirements and is worth every effort you put into it. In many cases, companies view RFPs as a burden. But when projects fail, they often do so due to inadequately defined requirements that lead to the purchase of the wrong solution for what the company needs.
The clearer and more comprehensive your RFP, the greater your chances of getting vendor responses that lead to a successful outcome. The exercise of writing the RFP forces you and your team to work through the tradeoffs between cost, convenience, flexibility, security, scalability, compliance, and ease of use. To create an effective RFP, I recommend these three steps:
- Ask your end users for input. All too often, the people who actually use the system have no say in the system design. Instead, IT develops a system based on how they think things should work. Not only are important issues missed as a result, but it is harder to gain user acceptance down the road. Your users may have some excellent suggestions, such as:
  - Can the issuance and renewal process be automated?
  - Is there a web-based, self-service portal for certificate requests and renewals?
  - Can certificate ownership be assigned to an individual or group to assist with renewals?
- Involve members of your company’s compliance or legal department. With the myriad of overlapping industry and government regulations out there, it pays to have a compliance expert on the RFP team. For example, he or she may ask you to consider the following:
  - What is the process for quickly identifying the misuse of keys and certificates?
  - What is the process for enforcing policies and workflows for security and compliance?
  - How does the solution prevent certificate-based outages?
  - Is there an automated key and certificate replacement process for fast remediation if there is a CA compromise or a vulnerability like Heartbleed?
- Finally, involve the primary project manager. Make sure the person responsible for managing the RFP and serving as the point of contact for the vendor is part of the RFP team. He or she has a vested interest in making sure that ongoing management is efficient and easy for users to adopt and may ask you to include the following:
  - How does the solution help you gain control of your key and certificate environment with visibility and fast remediation?
  - What is the process for compiling a complete inventory and central management of keys and certificates?
  - What is the validation process for proper installation and configuration?
  - Are there flexible criteria for certificate management, such as lifetime, authorized CA, and so on?
  - Is there a robust policy framework for controlling workflow processes as well as for controlling attributes such as key lengths, validity periods, and cryptographic hash types?
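The inventory, validation and policy questions above are easier to evaluate in vendor demos if you already know what a policy check over your own inventory looks like. The following is an added example, not code from this post or from any vendor product: it runs a hypothetical policy (minimum key sizes, allowed signature hashes, maximum validity period, an authorized-issuer list, a renewal window and required ownership) over a small constructed inventory export. The record fields, the policy values and the sample certificates are all assumptions chosen for illustration.

```python
"""Policy audit over a key/certificate inventory export (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class CertRecord:
    """One row of a hypothetical inventory export (field names are assumptions)."""
    subject: str
    issuer: str
    key_alg: str          # "RSA" or "EC"
    key_bits: int
    sig_hash: str         # e.g. "sha256"
    not_before: datetime
    not_after: datetime
    owner: Optional[str]  # assigned owner/group; None means nobody is on the hook for renewal


# Hypothetical policy: every value here is an assumption for illustration.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "allowed_hashes": {"sha256", "sha384", "sha512"},
    "max_validity_days": 398,
    "authorized_issuers": {"CN=Corp Issuing CA 1", "CN=Corp Issuing CA 2"},
    "renewal_window_days": 30,
}


def check_record(rec: CertRecord, policy: dict, now: datetime) -> List[str]:
    """Return a list of policy findings for one certificate (empty list = compliant)."""
    findings = []
    min_bits = policy["min_key_bits"].get(rec.key_alg)
    if min_bits is None:
        findings.append(f"unapproved key algorithm {rec.key_alg}")
    elif rec.key_bits < min_bits:
        findings.append(f"{rec.key_alg} key {rec.key_bits} bits < {min_bits}")
    if rec.sig_hash.lower() not in policy["allowed_hashes"]:
        findings.append(f"signature hash {rec.sig_hash} not allowed")
    validity_days = (rec.not_after - rec.not_before).days
    if validity_days > policy["max_validity_days"]:
        findings.append(f"validity {validity_days} days exceeds {policy['max_validity_days']}")
    if rec.issuer not in policy["authorized_issuers"]:
        findings.append(f"issuer {rec.issuer} not authorized")
    # Expiry handling: an expired cert is an outage; one inside the renewal window is a warning.
    if rec.not_after <= now:
        findings.append("expired")
    elif rec.not_after - now <= timedelta(days=policy["renewal_window_days"]):
        findings.append(f"expires within {policy['renewal_window_days']} days")
    if not rec.owner:
        findings.append("no assigned owner")
    return findings


def audit_inventory(records: List[CertRecord], policy: dict, now: datetime) -> Dict[str, List[str]]:
    """Map each subject to its findings so the result can feed a remediation queue."""
    return {rec.subject: check_record(rec, policy, now) for rec in records}


def needs_remediation(results: Dict[str, List[str]]) -> List[str]:
    """Subjects with at least one finding, sorted for stable reporting."""
    return sorted(subject for subject, findings in results.items() if findings)


# Constructed sample inventory: three certificates with deliberately different postures.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
UTC = timezone.utc
SAMPLE_INVENTORY = [
    CertRecord("CN=web.example.internal", "CN=Corp Issuing CA 1", "RSA", 2048, "sha256",
               datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC), "web-team"),
    CertRecord("CN=legacy.example.internal", "CN=Old Root", "RSA", 1024, "sha1",
               datetime(2022, 1, 1, tzinfo=UTC), datetime(2027, 1, 1, tzinfo=UTC), None),
    CertRecord("CN=api.example.internal", "CN=Corp Issuing CA 2", "EC", 256, "sha384",
               datetime(2023, 7, 1, tzinfo=UTC), datetime(2024, 6, 15, tzinfo=UTC), "api-team"),
]


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY, POLICY, NOW)
    for subject in needs_remediation(results):
        print(subject)
        for finding in results[subject]:
            print("  -", finding)
```

The sample run flags the legacy certificate on five counts (weak key, SHA-1, five-year validity, unauthorized issuer, no owner) and the API certificate only for entering the renewal window; the web certificate is clean. When you ask a vendor how their policy framework enforces key lengths, validity periods and hash types, the useful follow-up is whether each of these findings can be expressed as a rule, raised automatically, and routed to the assigned owner.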
Once your team has created a comprehensive set of RFP requirements, you’re armed and ready to approach leading vendors. Perhaps you’ve already done some basic market research during the RFP creation process, but now it’s time to get serious. For additional input, I recommend the KuppingerCole report, Leadership Compass: Enterprise Key and Certificate Management.
Has your company drafted a successful RFP for a key and certificate management and security project? Were there particular requirements that you included in your RFP that would help others with their project planning? Let me know what worked for you.