Skip Links

Network World

  • Social Web 
  • Email 
  • Close

Johnson & Johnson solidifies security

By Ellen Messmer , Network World , 05/19/2003
Newsletter Signup
  • Share/Email
  • Tweet This
  • Comment
  • Print

Information security managers at healthcare giant Johnson & Johnson, with more than $36 billion in revenue each year and 108,000 employees working in more than 200 separate businesses, have begun the large-scale rollout of digital certificates that eventually will replace passwords at the corporation.

J&J is installing a directory-enabled public-key infrastructure with digital certificates as the basis for security in authentication of identity and encryption of documents. The change that required J&J to retrofit many of its business applications to make use of PKI.

Digital certificates are electronic credentials that link a user's identity with a public-private encryption key pair that facilitates "signing" of documents by the sender, prevents document tampering and ensures confidentiality through encryption.

But it's been a slow process, requiring significant changes that include installing an enterprise directory and customizing existing applications from Oracle, SAP and Siebel Systems to support digital certificates.

"We're now in production deployment of 5,000 certificates, and we expect to have issued 10,000 by year-end," Rich Guida, J&J information security manager, said during a presentation at the recent RSA Conference in San Francisco. Guida and Gary Secrest, also a J&J information security manager, described the challenges the corporation has faced to do this.

The basic equipment for any PKI rollout includes a certificate authority server that lets supervisors issue digital certificates to those they supervise and a revocation authority server to revoke the certificates. J&J has deployed this equipment from e-Certify for this purpose.

In the long run, digital certificates at J&J are intended to replace passwords because it can cost as much as $37 per year, per employee, to support password changes and reset requests. But it's not clear that certificates will be more economical for J&J, which spends $1.4 billion on information management each year. The driving force is that PKI is hands-down far better security than passwords, Secrest said.

The ability to sign and encrypt mail and documents will make it easier to satisfy security requirements from federal regulators such as the Food and Drug Administration and Health & Human Services, he added.

  • Share/Email
  • Tweet This
  • Comment
  • Print
Comment
Login
Forgot your account info?
Add comment
Anonymous comments subject to approval. Register here for member benefits.
Have a NetworkWorld account? Log in here. Register now for a free account.

Videos

rssRss Feed