170 likes | 183 Views
Johnson & Johnson: Use of Public Key Technology. Rich Guida Director, Information Security. Rajesh Shah Sr. Consultant, Information Security. Johnson & Johnson. The world’s largest and most comprehensive manufacturer of health care products Founded in 1886
E N D
Johnson & Johnson: Use of Public Key Technology Rich Guida Director, Information Security Rajesh Shah Sr. Consultant, Information Security
Johnson & Johnson • The world’s largest and most comprehensive manufacturer of health care products • Founded in 1886 • Headquartered in New Brunswick, NJ • Sales of $36.3 billion in 2002 • Over 198 operating companies in 54 countries • Over 110,000 employees worldwide • Customers in over 175 countries
Statistics • 400+ UNIX servers; 1900+ WinNT/2000 servers • 96,000+ desktops/laptops (Win2K) • 60,000+ remote users • Employ two-factor authentication (currently SecurID, migrating to PKI) • 50M+ e-mails/month; 50+ TB of storage • 530+ internet and intranet servers, 3.3M+ website hits/day
Information Security Objectives • Improve enterprise security posture • Reduce costs and complexity of business processes • Interoperate with partners, customers • Comply efficiently with regulatory requirements Common thread to meet goals: Johnson & Johnson Enterprise Directory and PKI
Business Benefits • Digital identity • Single identity • Strong access control • E-business enabler • Remote access via internet • Robust Directory • Automated entries and admin. • Enables process automation • Single identity master for enterprise • Digital Signatures • Creates digital original • E-forms – greatly reduce paper • Legal signature • Guaranteed integrity • Encryption • Privacy • Documents and files • Protection on the Internet
Enterprise Directory • Uses Active Directory forest • Separate from Win2K OS AD but some contents replicated • Populated by authoritative sources only • Uses World Wide Identifiers (WWIDs) as index • Supports entire security framework • Source of all information put into certificates • 250K+ entries (employees, partners, retirees, former) • LDAP accessible
J&J PKI • Directory centric – certificate subscriber must be in Enterprise Directory • Certificates issued with supervisor ID proofing or through “group” registration process • Simple hierarchy – root CA and subordinate online CA; FDA validated • Standard form factor: hardware tokens (USB) • Production deployment began mid-2003 • Total of over 12,000 certificates issued to date • Expect to issue > 100K certificates in 2003 • Most important initial applications: • Remote authentication • Secure e-mail • Some enterprise applications
PKI-Enablement - Three Levels • Authentication only (usually with transmission encryption) • Example is SSLv3 • Persistent digital signature • Usually through digitally signed hash of document or file, or portion thereof • Persistent encryption • Usually in conjunction with symmetric encryption • Public key used to encrypt symmetric key
PKI-Enablement • Windows applications PKI-ready • Outlook 2000 “out of the box” under any version of Windows; MS Office XP; Internet Explorer • Internal (home-grown) applications • Do it ourselves but with expert contractor help • Use FIPS validated libraries – MSCAPI and RSA BSafe preferred • External software and service suppliers - e.g., Oracle, SAP, JDEdwards, Siebel, Documentum • Initial focus is authentication using SSLv3 (also get transmission encryption) • Successfully done with SAP already (digital signature work continuing) and with Oracle • Siebel/JDEdwards/Documentum also underway
Observations • Get identity infrastructure in place first – and ensure it is well-defined • Prefer to have supervisors act as “local registration authorities” for subordinates • Hard to do ROI calculation – just like e-mail • Many enterprise applications are PKI-aware – and more are coming • Good CP/CPS critical to success and discipline
Challenges • Getting people familiar with the token form factor (“plug it in”) • Recovery from lost/locked token • USB port congestion/power • PDAs (CSP/PKCS11 support) • Any problem becomes “PKI did it” • Engineers being asked for legal advice (“when to dig sig e-mail”) • Interoperability
Oracle Advanced Security Option Certificate based authentication
Business Drivers • Secure communication with database from the middle tier • Eliminate embedded passwords • Reduce & simplify maintenance
Test Environment • Backend • HP-UX 11.0 • Oracle 8.1.7 • Middle tier • MS W2K • MS IIS • Client • MS IE 5.5
Next Steps/Enhancements • Certificate Revocation List (CRL) checking • Support within the Oracle tools allowing for Smartcard based logon (ex: SQLPlus connection using Smartcard) • Ability to import externally generated certificates • Ability to use of multiple wallets co-currently • PKI based authentication within the E-Business suite • Performance benchmarks • Integration w/OS Certificate store instead of Oracle wallet manager
Thank you Questions…