Free Trial
Contact Us
Podcast

Root Causes 339: The ROI of CLM

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
October 31, 2023

In this episode we describe at a high level how to calculate the Total Cost of Ownership of CLM as opposed to manual installation and management of certificates.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanToday, we want to talk about the ROI, or perhaps it’s TCO - we can discuss that - of certificate automation.
Jason SorokoJason SorokoCertificate automation in terms of your investment, sometimes it can be fairly low. We need to talk about Certificate Lifecycle Management more as a whole because really what you’re getting in return is you’re getting the pillars of CLM. And, Tim, you and I have talked about the pillars of CLM fairly often and some of the most important ones are automated renewals, the value of technology that help you to deploy, visibility overall, discovery, revocation and renewal. Revocation and replacement is what I should say. And then, of course, there’s the creature comforts of getting your CLM into the IT workflow and making sure that things like other forms of notifications are available to you having that come through Slack or TMS Teams or something like that. So, those are the pillars.

As a whole, what we are talking about here today, Tim, is the ROI mostly on the renewal automation. And we had a podcast about talking about the value of productivity overall. We really kind of had a heart to heart, this fireside chat recently with systems administrators people who administrate Linux and Windows servers and quite often are responsible for webservers, load balancers and all that kind of good technology. I would say that if you want to have the real basic calculation in your head, like I think we can spell it out. We are not a website. We are a podcast. An audio podcast. So, we are gonna spell out what the calculation really looks like. The basic formula.

I think that what you gotta multiply is, obviously, the number of hours it takes to do an individual certificate installation or renewal. So, a new installation by somebody who has done it before let’s give it maybe a couple of hours. Let’s give it two hours for that. For somebody who is experienced on a renewal, a manual renewal, let’s give it an hour. I think for somebody who has not done it before, I think two hours is fair. And that includes everything from manually getting the cert from the CA and all the way to modifying the configuration files of the webserver or wherever the certificate is going. And so that’s the basis of your multiplication. Then all of the sudden you’ve gotta plug in your own variables which is, well, what’s the hourly cost of the person doing it and then you have to multiply it across, well, how many webservers are we talking about.
Tim CallanTim CallanRight. How many certs are we talking about a year in any given period of time? Right. So, therefore, you get a basic number, yeah?
Jason SorokoJason SorokoThat’s correct. And so, you can start seeing why some people use things like wildcard certificates, right, because it cuts down on the number of certificates that are needed for various subdomains and all these kinds of things because you are only dealing with pullover. You’ve got to decide in terms of the way you multiply what is the setup of your webservers? Are you dealing with individual discreet webservers, are you dealing with a singular webserver that hosts a number of subdomains and therefore has a complex configuration file? Right? That’s something that your technical person would be able to count for you and simply, you would need to count the number of instances that need to be updated every time or renewed every time that there is a renewal sequence that needs to happen.

Then, of course, what are talking about? You also have to multiply the next multiplier which is, well, what is the lifespan of the certificate? Right now, typically, once a year, which it’s not 365. It’s not 398. You are not gonna wait. You are typically gonna do it before the 398 which is the actual number of days of the certificate for a one-year cert.
Tim CallanTim CallanYou’ll probably pretty much do it on a yearly cadence I would think.
Jason SorokoJason SorokoExactly. I think that would be very, very normal. And, of course, those of you who are working with 90-day certs you might want to be doing it at the 60-day, 70-day, 80-day mark. Right?
Tim CallanTim CallanRight. Sure.
Jason SorokoJason SorokoIt’s not uncommon to do that. And so, there’s your next multiplier. Is how often are you doing it? For one-year certs, well, once a year. For 90-day certs, four to five times a year. Those are the dimensions that you are multiplying together. What I would also like to point out in terms of cost is if you are doing it manually, I would hazard to guess that a lot of people who do manual certificate renewals have either had a close call or have experienced outages. And what did that cost you? So, I think, Tim, what I’m trying to point out here very simply is, you gotta put in some kind of quotient for - -
Tim CallanTim CallanYeah. There’s a risk - -
Jason SorokoJason SorokoIf you’re not automating, right, you gotta calculate the risk is what I’m saying.
Tim CallanTim CallanThere’s kind of a hard cost cost, which is how much human labor is involved and what is the cost of that human labor and I put that in that bucket. But then, to your point, you’ve got some kind of adjusted risk variable which is to say there is a chance of an outage. If an outage occurs the cost will be in this range. Of course, that depends on what the outage is. And then from there you put that in and then how likely is that to occur and then you add that on your cost side as well. Your expected cost.

Now, the risk one is interesting because there is a number of factors you can consider there. You can consider lost business, lost productivity; you can consider a lost employee time because they can’t do the things they need to do. You can consider good old-fashioned real lost business like the person who would have bought doesn’t buy or the order doesn’t get fulfilled and that person needs a refund. You also consider things like SLAs, SLA penalties, fines, regulatory penalties. These are all possible consequences as well and you and I have talked in the past about people being fined for SLAs and things along those lines when they have outages. So that’s a real possibility as well.
Jason SorokoJason SorokoRight on, Tim. And remember, sometimes this can be an outage in your load balancer. It can be an outage in one of your intranet subdomains. It doesn’t have to be sometimes even your main site which would cause a brand, a very, very uncomfortable brand issue. It could be all kinds of harder to find outages and heck knows, we’ve seen this Tim. Every time we have one of these reports about another outage, another high profile outage, it’s usually because of a certificate that’s hiding behind something. You know, API authentication. It could be all kinds of things. And so, the risks are definitely there and I think if you are doing things manually, you’ve got to calculate that in. So, in other words, when you then do the comparison ROI of automation, there’s the initial setup of the automation technology and then the rest of the risk mostly gets taken away and the rest of the manual time spent, everything from the getting of the cert to the modification of the webserver configuration file and testing it and all that good business, that kind of goes away. Those are no longer multipliers.
Tim CallanTim CallanRight. And then so on the other side of the equation, you’ve got the cost of automation. So you’ve got whatever software you are using, whatever services you need to use that, some amount of time to administer that stuff and what are your administer costs on that. And you put those in the other column and you weigh the two against each other.
Jason SorokoJason SorokoI would say, Tim, that the Certificate Lifecycle Management pillars such as visibility and discovery because a lot of what we’ve been talking about right now is one of the pillars, which is basically deployment as one and then automation of the renewal as the other. That’s what we’ve been talking about but I would say if you want to talk about real return on investment, I would say compare the cost of the risk of outage of some kind with the cost of discovery and visibility. True visibility that comes through discovery. Right?
Tim CallanTim CallanSure. That’s fair.
Jason SorokoJason SorokoI would say, my goodness, that’s cheap compared to the risk of taking down pieces of your business.
Tim CallanTim CallanI agree. It’s cheap. I think if you do this calculus in a spreadsheet, you are gonna find that it’s very tilted. I agree with you and everybody probably needs to do this individually but that’s where you’re gonna wind up. Right?
Jason SorokoJason SorokoExactly. It’s so clear in my mind and I’ve done this many, many times ROI calculators with customers over many years and it’s been done in many ways over many years and I just have never seen it not come out so lopsided that automation specifically and Certificate Lifecycle Management particularly with all of it’s five pillars including visibility over the top of everything, it’s just, it’s such an easy, easy calculation. It’s such an easy, easy payoff in terms of when you calculate it all in. It’s always held true.

I just gotta throw in this last point, Tim, which is 90-day certificates are coming. They will eventually be mandated by the big players who, you know - -
Tim CallanTim CallanYep.
Jason SorokoJason SorokoListen to any Tim’s talks about the CA/Browser Forum and all the players who talk there. We are probably going to be living in that world of maximum 90-day publicly-trusted certificates. All of the sudden multiply everything we’ve said. If you are using one-year certificates right now, multiple everything we said by at least somewhere between four and five at least and then all of the sudden the return on investment of visibility and discovery and absolutely automation of renewals – it’s such a no-brainer at the 90-day mark. It’s almost funny we have to have a podcast about it, but here it is.
Tim CallanTim CallanI agree. I think that’s the one - - like already even now it’s very tilted. When you start to put it in that kind of timeframe, it just becomes extremely tilted.
Jason SorokoJason SorokoThe tools to do it right are out there. Please check them out. Tim and I are exhausted with podcasting about the latest cert outage. We just don’t want to do it anymore. Don’t be that guy.
Don’t be that guy. So, alright. That’s great. I think that gives people a good framework to try to do this kind of work on their own and we may deep dive on more of this but that’s a good overview.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud