Identity management for all by 2008

Johnson & Johnson's public-key infrastructure project and PayPal's Security Key program are two leading examples of this almost-prime-time technology

By Julie Bort, Network World
March 19, 2007 12:09 AM ET

If the members of the CISO inner circle have one thing in common, it is that they are leaders in the area of identity management. Johnson & Johnson's PKI system and PayPal's Security Key program are among the standout projects in this area.

Johnson & Johnson's PKI system uses physical tokens that meet the digital signature standards issued by the SAFE-BioPharma Association. The PKI system not only gives unique identities to Johnson & Johnson users, it gives them the capability to provide legally binding signatures.

Since it rolled out live in 2003, the centralized, enterprisewide PKI directory has been the identity master for the enterprise, now synchronizing 149 human resource systems worldwide every day, says Joseph Moorcones, vice president for worldwide information security at the New Brunswick, N.J., company. The PKI token is required for all employees who work remotely; the majority of the company's employees and partners are carrying these physical tokens.

Moorcones envisions even more for the future. "I would like to extend that platform to every computer - and every application - on the network, so that they, similarly, would get a unique identity," he says. "If we could authenticate with public-key technology, this would dramatically improve interoperability with other companies. If a company had a PKI infrastructure, and we trusted each other, we could allow its employees to use their credentials to access applications at Johnson & Johnson, and vice versa."

As the constant target of phishing schemes, PayPal has centered its identity management on combating e-mail fraud. The much-ballyhooed Security Key, released to the public in February, is also a PKI token. Every 30 seconds it generates a new password, which is used with a regular user name and password. The idea is twofold: Even if phishers do get hold of a user's account information, that knowledge is useless without the token. It also lets e-mail resume being a useful way for PayPal and parent company eBay to communicate with customers. Security Key uses VeriSign's One-Time Password Token product and is available to users for a one-time $5 fee, with no monthly service charges.

Such consumer-oriented identity projects will have a big impact on speeding overall identity-management adoption, says Michael Barrett, CISO of PayPal in San Jose, Calif. "VeriSign, our partner on PayPal's Security Key, has been pushing its VIP program for some time. The question is, when does it become interesting, and the answer is, when we get a large number of companies that are members of that network and a large number of consumers with tokens in their hand that they can use across multiple providers. . . . We may see it happen in 2007."
