html5-img
1 / 17

Johnson & Johnson Use of Public Key Technology

Johnson & Johnson Use of Public Key Technology. Brian G. Walsh Senior Analyst, WWIS. Johnson & Johnson. The world’s largest and most comprehensive manufacturer of health care products Founded in 1886 Headquartered in New Brunswick, NJ Sales of $41.9 billion in 2003

galya
Download Presentation

Johnson & Johnson Use of Public Key Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Johnson & JohnsonUse of Public Key Technology Brian G. Walsh Senior Analyst, WWIS

  2. Johnson & Johnson • The world’s largest and most comprehensive manufacturer of health care products • Founded in 1886 • Headquartered in New Brunswick, NJ • Sales of $41.9 billion in 2003 • 198 operating companies in 54 countries • Over 110,000 employees worldwide • Customers in over 175 countries

  3. Four Business Groups • Pharmaceuticals • Prescription drugs including EPREX, REMICADE • Medical Devices and Diagnostics • Blood analyzers, stents, wound closure, prosthetics, minimally invasive surgical equipment • Consumer Products • E.g., Neutrogena; SPLENDA • Consumer Pharmaceuticals and Nutritionals • E.g., TYLENOL

  4. Statistics • 400+ UNIX servers; 1900+ WinNT/2000 servers • 96,000+ desktops/laptops (Win2K) • 60,000+ remote users • Employ two-factor authentication (almost all using PKI; a few still using SecurID but being migrated) • 50M+ e-mails/month; 50+ TB of storage • 530+ internet and intranet servers, 3.3M+ website hits/day

  5. Enterprise Directory • Uses Active Directory forest • Separate from Win2K OS AD but some contents replicated • Populated by authoritative sources only • Uses World Wide Identifiers (WWIDs) as index • Supports entire security framework • Source of all information put into certificates • 300K+ entries (employees, partners, retirees, former) • LDAP accessible

  6. J&J PKI • Directory centric – certificate subscriber must be in Enterprise Directory • Certificate contents dictated by ED info (none based on “user-supplied input”) • Certificates issued with supervisor ID proofing • Simple hierarchy – root CA and subordinate online CA

  7. J&J PKI (con’t) • Standard form factor: hardware tokens (USB) • Production deployment began early 2003 • Total of over 150,000 certificates (signature and encryption) issued to date • Most important initial applications: • Remote authentication • Secure e-mail • Some enterprise applications

  8. Experience (1) • Training help desks (you can’t do too much of this…) • Ensuring sufficient help desk resources to respond to peaks (>100% of average level; fortunately reasonably short half-life) • Shifting user paradigms (always hard to change human behavior…) • Patience • Clear, unequivocal instructions/steps

  9. Experience (2) • Hardware tokens • CSP issues of “Pass Phrase caching” • User recovery from lost, stolen or destroyed token • Short term recovery (network userID/PW) • Long term recovery (new cert(s)) • Certificate revocation • Reason codes in CRL (25% increase in size of CRL) • Don’t give users options to select (too confusing to them) – ask questions instead (then automate reason code selection)

  10. Experience (3) • We put in three identifiers in each cert (e-mail address, WWID, UPN) • Right thing to do for apps • Means employee transfer out/transfer in processes require getting new certs (since e-mail address changes) • HR controls those processes, not IM • Moral: smart IM technical/policy decisions may require implementation outside IM

  11. Experience (4) • Once user gets new certs: • Register them with apps (e.g., Outlook S/MIME profile changes) • Link them to other user accounts (e.g., Nortel VPN client) • Thus – there are some additional steps to “migrate” to new certs • Not yet seamless

  12. Experience (5) • Decryption private key recovery • User can do for his/her own (after authenticating) • Local Key Recovery Authority Officer can request for others • Global KRAO must approve • But – important to distinguish key recovery from revocation or getting new certs • Unclear terminology (to users) resulted in lots of unnecessary requests, none of which required approval

  13. Experience (6) • CRL growth is always faster than you predict • Ours is now 1.3 MB (expected it to be less than half that size) • Caching CRLs in Windows is “easy” but not obvious • IE manages CRL cache as part of “temporary internet files” folder • Standard setting for us was: flush that folder when IE is closed • Results in lots of CRL downloads

  14. Experience (7) • With employees in over 50 countries, J&J has one main business language (English) and over 12 important languages • PKI certificate subscribers have to sign agreement to get tokens • Must be in native languages • Translation services became an issue – especially with last minute changes to agreement • Lesson learned: English is not legally binding universally

  15. Experience (8) • Rolling out tokens and certificates to over 1000 individuals at a time over a 4-6 month period • Users are not technically savvy, regular registration is confusing and complicated • Need more then one way to get certificates to the user population, not everyone will understand a series of technical steps • All problems attributed to PKI (Identity Token)!!!

  16. Questions?? Brian G. Walsh Senior Analyst, WW Information Security

  17. Group Registration Process • Rolling out to the masses • Strict Standard Operating Procedure • Number of Roles requiring training • Designed to maintain the integrity of the JJEDS, while enabling a speedy, easy roll-out • Training of Help Desk and Deployments teams were crucial to the successful deployments • It is still new technology, no matter how you package it

More Related