Information security managers at healthcare giant Johnson & Johnson, with more than $36 billion in revenue each year and 108,000 employees working in more than 200 separate businesses, have begun the large-scale rollout of digital certificates that eventually will replace passwords at the corporation.

J&J is installing a directory-enabled public-key infrastructure with digital certificates as the basis for security in authentication of identity and encryption of documents. The change that required J&J to retrofit many of its business applications to make use of PKI.

Digital certificates are electronic credentials that link a user's identity with a public-private encryption key pair that facilitates "signing" of documents by the sender, prevents document tampering and ensures confidentiality through encryption.

But it's been a slow process, requiring significant changes that include installing an enterprise directory and customizing existing applications from Oracle, SAP and Siebel Systems to support digital certificates.

"We're now in production deployment of 5,000 certificates, and we expect to have issued 10,000 by year-end," Rich Guida, J&J information security manager, said during a presentation at the recent RSA Conference in San Francisco. Guida and Gary Secrest, also a J&J information security manager, described the challenges the corporation has faced to do this.

The basic equipment for any PKI rollout includes a certificate authority server that lets supervisors issue digital certificates to those they supervise and a revocation authority server to revoke the certificates. J&J has deployed this equipment from e-Certify for this purpose.

In the long run, digital certificates at J&J are intended to replace passwords because it can cost as much as $37 per year, per employee, to support password changes and reset requests. But it's not clear that certificates will be more economical for J&J, which spends $1.4 billion on information management each year. The driving force is that PKI is hands-down far better security than passwords, Secrest said.

The ability to sign and encrypt mail and documents will make it easier to satisfy security requirements from federal regulators such as the Food and Drug Administration and Health & Human Services, he added.