Johnson & Johnson Use of Public Key Technology Brian G. Walsh Senior Analyst, WWIS

2 Johnson & Johnson The world’s largest and most comprehensive manufacturer of health care products Founded in 1886 Headquartered in New Brunswick, NJ Sales of $41.9 billion in operating companies in 54 countries Over 110,000 employees worldwide Customers in over 175 countries

3 Four Business Groups Pharmaceuticals –Prescription drugs including EPREX, REMICADE Medical Devices and Diagnostics –Blood analyzers, stents, wound closure, prosthetics, minimally invasive surgical equipment Consumer Products –E.g., Neutrogena; SPLENDA Consumer Pharmaceuticals and Nutritionals –E.g., TYLENOL

4 Statistics 400+ UNIX servers; WinNT/2000 servers 96,000+ desktops/laptops (Win2K) 60,000+ remote users –Employ two-factor authentication (almost all using PKI; a few still using SecurID but being migrated) 50M+ s/month; 50+ TB of storage 530+ internet and intranet servers, 3.3M+ website hits/day

5 Enterprise Directory Uses Active Directory forest –Separate from Win2K OS AD but some contents replicated Populated by authoritative sources only Uses World Wide Identifiers (WWIDs) as index Supports entire security framework –Source of all information put into certificates 300K+ entries (employees, partners, retirees, former) LDAP accessible

6 J&J PKI Directory centric – certificate subscriber must be in Enterprise Directory Certificate contents dictated by ED info (none based on “user-supplied input”) Certificates issued with supervisor ID proofing Simple hierarchy – root CA and subordinate online CA

7 J&J PKI (con’t) Standard form factor: hardware tokens (USB) Production deployment began early 2003 –Total of over 150,000 certificates (signature and encryption) issued to date Most important initial applications: –Remote authentication –Secure –Some enterprise applications

8 Experience (1) Training help desks (you can’t do too much of this…) Ensuring sufficient help desk resources to respond to peaks (>100% of average level; fortunately reasonably short half-life) Shifting user paradigms (always hard to change human behavior…) –Patience –Clear, unequivocal instructions/steps

9 Experience (2) Hardware tokens –CSP issues of “Pass Phrase caching” –User recovery from lost, stolen or destroyed token Short term recovery (network userID/PW) Long term recovery (new cert(s)) Certificate revocation –Reason codes in CRL (25% increase in size of CRL) –Don’t give users options to select (too confusing to them) – ask questions instead (then automate reason code selection)

10 Experience (3) We put in three identifiers in each cert (e- mail address, WWID, UPN) –Right thing to do for apps –Means employee transfer out/transfer in processes require getting new certs (since address changes) –HR controls those processes, not IM –Moral: smart IM technical/policy decisions may require implementation outside IM

11 Experience (4) Once user gets new certs: –Register them with apps (e.g., Outlook S/MIME profile changes) –Link them to other user accounts (e.g., Nortel VPN client) Thus – there are some additional steps to “migrate” to new certs –Not yet seamless

12 Experience (5) Decryption private key recovery –User can do for his/her own (after authenticating) –Local Key Recovery Authority Officer can request for others Global KRAO must approve –But – important to distinguish key recovery from revocation or getting new certs –Unclear terminology (to users) resulted in lots of unnecessary requests, none of which required approval

13 Experience (6) CRL growth is always faster than you predict –Ours is now 1.3 MB (expected it to be less than half that size) Caching CRLs in Windows is “easy” but not obvious –IE manages CRL cache as part of “temporary internet files” folder –Standard setting for us was: flush that folder when IE is closed –Results in lots of CRL downloads

14 Experience (7) With employees in over 50 countries, J&J has one main business language (English) and over 12 important languages PKI certificate subscribers have to sign agreement to get tokens Must be in native languages Translation services became an issue – especially with last minute changes to agreement Lesson learned: English is not legally binding universally

15 Experience (8) Rolling out tokens and certificates to over 1000 individuals at a time over a 4-6 month period Users are not technically savvy, regular registration is confusing and complicated Need more then one way to get certificates to the user population, not everyone will understand a series of technical steps All problems attributed to PKI (Identity Token)!!!

Questions?? Brian G. Walsh Senior Analyst, WW Information Security

17 Group Registration Process Rolling out to the masses Strict Standard Operating Procedure –Number of Roles requiring training –Designed to maintain the integrity of the JJEDS, while enabling a speedy, easy roll-out Training of Help Desk and Deployments teams were crucial to the successful deployments It is still new technology, no matter how you package it