Johnson & Johnson Use of Public Key Technology
Brian G. Walsh, Senior Analyst, WWIS
Johnson & Johnson
- The world's largest and most comprehensive manufacturer of health care products
- Founded in 1886
- Headquartered in New Brunswick, NJ
- Sales of $41.9 billion in 2003
- 198 operating companies in 54 countries
- Over 110,000 employees worldwide
- Customers in over 175 countries

Four Business Groups
- Pharmaceuticals: prescription drugs including EPREX, REMICADE
- Medical Devices and Diagnostics: blood analyzers, stents, wound closure, prosthetics, minimally invasive surgical equipment
- Consumer Products: e.g., Neutrogena, SPLENDA
- Consumer Pharmaceuticals and Nutritionals: e.g., TYLENOL

Statistics
- 400+ UNIX servers; 1900+ Windows NT/2000 servers
- 96,000+ desktops/laptops (Windows 2000)
- 60,000+ remote users
  - Employ two-factor authentication (almost all using PKI; a few still using SecurID but being migrated)
- 50M+ e-mails/month; 50+ TB of storage
- 530+ internet and intranet servers, 3.3M+ website hits/day

Enterprise Directory
- Uses an Active Directory forest
  - Separate from the Windows 2000 OS AD, but some contents replicated
- Populated by authoritative sources only
- Uses World Wide Identifiers (WWIDs) as index
- Supports the entire security framework
  - Source of all information put into certificates
- 300K+ entries (employees, partners, retirees, former)
- LDAP accessible

J&J PKI
- Directory centric: certificate subscriber must be in the Enterprise Directory
- Certificate contents dictated by ED info (none based on "user-supplied input")
- Certificates issued with supervisor ID proofing
- Simple hierarchy: root CA and subordinate online CA

J&J PKI (cont'd)
- Standard form factor: hardware tokens (USB)
- Production deployment began early 2003
  - Total of over 150,000 certificates (signature and encryption) issued to date
- Most important initial applications:
  - Remote authentication
  - Secure e-mail
  - Some enterprise applications
Experience (1)
- Training help desks (you can't do too much of this...)
- Ensuring sufficient help desk resources to respond to peaks (>100% of average level; fortunately a reasonably short half-life)
- Shifting user paradigms (always hard to change human behavior...)
  - Patience
  - Clear, unequivocal instructions/steps

Experience (2)
- Hardware tokens
  - CSP issues of "pass phrase caching"
  - User recovery from lost, stolen or destroyed token
    - Short-term recovery (network user ID/password)
    - Long-term recovery (new cert(s))
- Certificate revocation
  - Reason codes in CRL (25% increase in size of CRL)
  - Don't give users options to select (too confusing to them); ask questions instead, then automate reason code selection

Experience (3)
- We put three identifiers in each cert (e-mail address, WWID, UPN)
  - Right thing to do for apps
  - Means employee transfer-out/transfer-in processes require getting new certs (since the e-mail address changes)
  - HR controls those processes, not IM
  - Moral: smart IM technical/policy decisions may require implementation outside IM

Experience (4)
- Once a user gets new certs:
  - Register them with apps (e.g., Outlook S/MIME profile changes)
  - Link them to other user accounts (e.g., Nortel VPN client)
- Thus there are some additional steps to "migrate" to new certs
  - Not yet seamless

Experience (5)
- Decryption private key recovery
  - User can do it for his/her own (after authenticating)
  - Local Key Recovery Authority Officer can request for others
    - Global KRAO must approve
  - But it is important to distinguish key recovery from revocation or getting new certs
  - Unclear terminology (to users) resulted in lots of unnecessary requests, none of which required approval

Experience (6)
- CRL growth is always faster than you predict
  - Ours is now 1.3 MB (expected it to be less than half that size)
- Caching CRLs in Windows is "easy" but not obvious
  - IE manages the CRL cache as part of the "Temporary Internet Files" folder
  - Standard setting for us was: flush that folder when IE is closed
  - Results in lots of CRL downloads
Experience (7)
- With employees in over 50 countries, J&J has one main business language (English) and over 12 important languages
- PKI certificate subscribers have to sign an agreement to get tokens
- Must be in native languages
- Translation services became an issue, especially with last-minute changes to the agreement
- Lesson learned: English is not legally binding universally

Experience (8)
- Rolling out tokens and certificates to over 1000 individuals at a time over a 4-6 month period
- Users are not technically savvy; regular registration is confusing and complicated
- Need more than one way to get certificates to the user population; not everyone will understand a series of technical steps
- All problems attributed to PKI (Identity Token)!!!
Questions?
Brian G. Walsh, Senior Analyst, WW Information Security

Group Registration Process
- Rolling out to the masses
- Strict Standard Operating Procedure
  - Number of roles requiring training
  - Designed to maintain the integrity of the JJEDS while enabling a speedy, easy roll-out
- Training of Help Desk and Deployment teams was crucial to the successful deployments
- It is still new technology, no matter how you package it