1 / 17

Johnson & Johnson: Use of Public Key Technology

Johnson & Johnson: Use of Public Key Technology. Rich Guida Director, Information Security. Rajesh Shah Sr. Consultant, Information Security. Johnson & Johnson. The world’s largest and most comprehensive manufacturer of health care products Founded in 1886

pward
Download Presentation

Johnson & Johnson: Use of Public Key Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Johnson & Johnson: Use of Public Key Technology Rich Guida Director, Information Security Rajesh Shah Sr. Consultant, Information Security

  2. Johnson & Johnson • The world’s largest and most comprehensive manufacturer of health care products • Founded in 1886 • Headquartered in New Brunswick, NJ • Sales of $36.3 billion in 2002 • Over 198 operating companies in 54 countries • Over 110,000 employees worldwide • Customers in over 175 countries

  3. Statistics • 400+ UNIX servers; 1900+ WinNT/2000 servers • 96,000+ desktops/laptops (Win2K) • 60,000+ remote users • Employ two-factor authentication (currently SecurID, migrating to PKI) • 50M+ e-mails/month; 50+ TB of storage • 530+ internet and intranet servers, 3.3M+ website hits/day

  4. Information Security Objectives • Improve enterprise security posture • Reduce costs and complexity of business processes • Interoperate with partners, customers • Comply efficiently with regulatory requirements Common thread to meet goals: Johnson & Johnson Enterprise Directory and PKI

  5. Business Benefits • Digital identity • Single identity • Strong access control • E-business enabler • Remote access via internet • Robust Directory • Automated entries and admin. • Enables process automation • Single identity master for enterprise • Digital Signatures • Creates digital original • E-forms – greatly reduce paper • Legal signature • Guaranteed integrity • Encryption • Privacy • Documents and files • Protection on the Internet

  6. Enterprise Directory • Uses Active Directory forest • Separate from Win2K OS AD but some contents replicated • Populated by authoritative sources only • Uses World Wide Identifiers (WWIDs) as index • Supports entire security framework • Source of all information put into certificates • 250K+ entries (employees, partners, retirees, former) • LDAP accessible

  7. J&J PKI • Directory centric – certificate subscriber must be in Enterprise Directory • Certificates issued with supervisor ID proofing or through “group” registration process • Simple hierarchy – root CA and subordinate online CA; FDA validated • Standard form factor: hardware tokens (USB) • Production deployment began mid-2003 • Total of over 12,000 certificates issued to date • Expect to issue > 100K certificates in 2003 • Most important initial applications: • Remote authentication • Secure e-mail • Some enterprise applications

  8. PKI-Enablement - Three Levels • Authentication only (usually with transmission encryption) • Example is SSLv3 • Persistent digital signature • Usually through digitally signed hash of document or file, or portion thereof • Persistent encryption • Usually in conjunction with symmetric encryption • Public key used to encrypt symmetric key

  9. PKI-Enablement • Windows applications PKI-ready • Outlook 2000 “out of the box” under any version of Windows; MS Office XP; Internet Explorer • Internal (home-grown) applications • Do it ourselves but with expert contractor help • Use FIPS validated libraries – MSCAPI and RSA BSafe preferred • External software and service suppliers - e.g., Oracle, SAP, JDEdwards, Siebel, Documentum • Initial focus is authentication using SSLv3 (also get transmission encryption) • Successfully done with SAP already (digital signature work continuing) and with Oracle • Siebel/JDEdwards/Documentum also underway

  10. Observations • Get identity infrastructure in place first – and ensure it is well-defined • Prefer to have supervisors act as “local registration authorities” for subordinates • Hard to do ROI calculation – just like e-mail • Many enterprise applications are PKI-aware – and more are coming • Good CP/CPS critical to success and discipline

  11. Challenges • Getting people familiar with the token form factor (“plug it in”) • Recovery from lost/locked token • USB port congestion/power • PDAs (CSP/PKCS11 support) • Any problem becomes “PKI did it” • Engineers being asked for legal advice (“when to dig sig e-mail”) • Interoperability

  12. Oracle Advanced Security Option Certificate based authentication

  13. Business Drivers • Secure communication with database from the middle tier • Eliminate embedded passwords • Reduce & simplify maintenance

  14. Architecture

  15. Test Environment • Backend • HP-UX 11.0 • Oracle 8.1.7 • Middle tier • MS W2K • MS IIS • Client • MS IE 5.5

  16. Next Steps/Enhancements • Certificate Revocation List (CRL) checking • Support within the Oracle tools allowing for Smartcard based logon (ex: SQLPlus connection using Smartcard) • Ability to import externally generated certificates • Ability to use of multiple wallets co-currently • PKI based authentication within the E-Business suite • Performance benchmarks • Integration w/OS Certificate store instead of Oracle wallet manager

  17. Thank you Questions…

More Related