Johnson

1
Johnson JohnsonUse of Public Key Technology

• Brian G. Walsh
• Senior Analyst, WWIS

2
Johnson Johnson

• The worlds largest and most comprehensive
  manufacturer of health care products
• Founded in 1886
• Headquartered in New Brunswick, NJ
• Sales of 41.9 billion in 2003
• 198 operating companies in 54 countries
• Over 110,000 employees worldwide
• Customers in over 175 countries

3
Four Business Groups

• Pharmaceuticals
• Prescription drugs including EPREX, REMICADE
• Medical Devices and Diagnostics
• Blood analyzers, stents, wound closure,
  prosthetics, minimally invasive surgical
  equipment
• Consumer Products
• E.g., Neutrogena SPLENDA
• Consumer Pharmaceuticals and Nutritionals
• E.g., TYLENOL

4
Statistics

• 400 UNIX servers 1900 WinNT/2000 servers
• 96,000 desktops/laptops (Win2K)
• 60,000 remote users
• Employ two-factor authentication (almost all
  using PKI a few still using SecurID but being
  migrated)
• 50M e-mails/month 50 TB of storage
• 530 internet and intranet servers, 3.3M website
  hits/day

5
Enterprise Directory

• Uses Active Directory forest
• Separate from Win2K OS AD but some contents
  replicated
• Populated by authoritative sources only
• Uses World Wide Identifiers (WWIDs) as index
• Supports entire security framework
• Source of all information put into certificates
• 300K entries (employees, partners, retirees,
  former)
• LDAP accessible

6
JJ PKI

• Directory centric certificate subscriber must
  be in Enterprise Directory
• Certificate contents dictated by ED info (none
  based on user-supplied input)
• Certificates issued with supervisor ID proofing
• Simple hierarchy root CA and subordinate online
  CA

7
JJ PKI (cont)

• Standard form factor hardware tokens (USB)
• Production deployment began early 2003
• Total of over 150,000 certificates (signature and
  encryption) issued to date
• Most important initial applications
• Remote authentication
• Secure e-mail
• Some enterprise applications

8
Experience (1)

• Training help desks (you cant do too much of
  this)
• Ensuring sufficient help desk resources to
  respond to peaks (gt100 of average level
  fortunately reasonably short half-life)
• Shifting user paradigms (always hard to change
  human behavior)
• Patience
• Clear, unequivocal instructions/steps

9
Experience (2)

• Hardware tokens
• CSP issues of Pass Phrase caching
• User recovery from lost, stolen or destroyed
  token
• Short term recovery (network userID/PW)
• Long term recovery (new cert(s))
• Certificate revocation
• Reason codes in CRL (25 increase in size of CRL)
• Dont give users options to select (too confusing
  to them) ask questions instead (then automate
  reason code selection)

10
Experience (3)

• We put in three identifiers in each cert (e-mail
  address, WWID, UPN)
• Right thing to do for apps
• Means employee transfer out/transfer in processes
  require getting new certs (since e-mail address
  changes)
• HR controls those processes, not IM
• Moral smart IM technical/policy decisions may
  require implementation outside IM

11
Experience (4)

• Once user gets new certs
• Register them with apps (e.g., Outlook S/MIME
  profile changes)
• Link them to other user accounts (e.g., Nortel
  VPN client)
• Thus there are some additional steps to
  migrate to new certs
• Not yet seamless

12
Experience (5)

• Decryption private key recovery
• User can do for his/her own (after
  authenticating)
• Local Key Recovery Authority Officer can request
  for others
• Global KRAO must approve
• But important to distinguish key recovery from
  revocation or getting new certs
• Unclear terminology (to users) resulted in lots
  of unnecessary requests, none of which required
  approval

13
Experience (6)

• CRL growth is always faster than you predict
• Ours is now 1.3 MB (expected it to be less than
  half that size)
• Caching CRLs in Windows is easy but not obvious
• IE manages CRL cache as part of temporary
  internet files folder
• Standard setting for us was flush that folder
  when IE is closed
• Results in lots of CRL downloads

14
Experience (7)

• With employees in over 50 countries, JJ has one
  main business language (English) and over 12
  important languages
• PKI certificate subscribers have to sign
  agreement to get tokens
• Must be in native languages
• Translation services became an issue especially
  with last minute changes to agreement
• Lesson learned English is not legally binding
  universally

15
Experience (8)

• Rolling out tokens and certificates to over 1000
  individuals at a time over a 4-6 month period
• Users are not technically savvy, regular
  registration is confusing and complicated
• Need more then one way to get certificates to the
  user population, not everyone will understand a
  series of technical steps
• All problems attributed to PKI (Identity Token)!!!

16
Questions??

• Brian G. Walsh
• Senior Analyst, WW Information Security

17
Group Registration Process

• Rolling out to the masses
• Strict Standard Operating Procedure
• Number of Roles requiring training
• Designed to maintain the integrity of the JJEDS,
  while enabling a speedy, easy roll-out
• Training of Help Desk and Deployments teams were
  crucial to the successful deployments
• It is still new technology, no matter how you
  package it