Johnson & Johnson solidifies security

Information security managers at healthcare giant Johnson & Johnson, with more than $36 billion in revenue each year and 108,000 employees working in more than 200 separate businesses, have begun the large-scale rollout of digital certificates that eventually will replace passwords at the corporation.

J&J is installing a directory-enabled public-key infrastructure with digital certificates as the basis for security in authentication of identity and encryption of documents. The change that required J&J to retrofit many of its business applications to make use of PKI.

Digital certificates are electronic credentials that link a user's identity with a public-private encryption key pair that facilitates "signing" of documents by the sender, prevents document tampering and ensures confidentiality through encryption.

But it's been a slow process, requiring significant changes that include installing an enterprise directory and customizing existing applications from Oracle, SAP and Siebel Systems to support digital certificates.

"We're now in production deployment of 5,000 certificates, and we expect to have issued 10,000 by year-end," Rich Guida, J&J information security manager, said during a presentation at the recent RSA Conference in San Francisco. Guida and Gary Secrest, also a J&J information security manager, described the challenges the corporation has faced to do this.

The basic equipment for any PKI rollout includes a certificate authority server that lets supervisors issue digital certificates to those they supervise and a revocation authority server to revoke the certificates. J&J has deployed this equipment from e-Certify for this purpose.

In the long run, digital certificates at J&J are intended to replace passwords because it can cost as much as $37 per year, per employee, to support password changes and reset requests. But it's not clear that certificates will be more economical for J&J, which spends $1.4 billion on information management each year. The driving force is that PKI is hands-down far better security than passwords, Secrest said.

The ability to sign and encrypt mail and documents will make it easier to satisfy security requirements from federal regulators such as the Food and Drug Administration and Health & Human Services, he added.

But rolling out PKI on an enterprisewide scale is fraught with obstacles, the chief one being that many of the commercial applications used at J&J, including those from Documentum, J.D. Edwards, Oracle, SAP and Siebel, can't make use of digital certificates out of the box and have to be retrofitted to use them.

"We spend a lot of time working to enable the applications for PKI," Guida said. "And we spend a lot of time working with vendors to do this."

To retrofit these business applications, J&J has used RSA Security's BSAFE tool kit, which has been tested and evaluated under the National Institute of Standards and Technology FIPS certification program. J&J's security managers said they prefer to use independently evaluated products.