Johnson & Johnson solidifies security

Information security managers at healthcare giant Johnson & Johnson have begun the large-scale rollout of digital certificates that eventually will replace passwords at the corporation.

Information security managers at healthcare giant Johnson & Johnson, with more than $36 billion in revenue each year and 108,000 employees working in more than 200 separate businesses, have begun the large-scale rollout of digital certificates that eventually will replace passwords at the corporation.

J&J is installing a directory-enabled public-key infrastructure with digital certificates as the basis for security in authentication of identity and encryption of documents. The change that required J&J to retrofit many of its business applications to make use of PKI.

Digital certificates are electronic credentials that link a user’s identity with a public-private encryption key pair that facilitates “signing” of documents by the sender, prevents document tampering and ensures confidentiality through encryption.

But it’s been a slow process, requiring significant changes that include installing an enterprise directory and customizing existing applications from Oracle, SAP and Siebel Systems to support digital certificates.

“We’re now in production deployment of 5,000 certificates, and we expect to have issued 10,000 by year-end,” Rich Guida, J&J information security manager, said during a presentation at the recent RSA Conference in San Francisco. Guida and Gary Secrest, also a J&J information security manager, described the challenges the corporation has faced to do this.

The basic equipment for any PKI rollout includes a certificate authority server that lets supervisors issue digital certificates to those they supervise and a revocation authority server to revoke the certificates. J&J has deployed this equipment from e-Certify for this purpose.

In the long run, digital certificates at J&J are intended to replace passwords because it can cost as much as $37 per year, per employee, to support password changes and reset requests. But it’s not clear that certificates will be more economical for J&J, which spends $1.4 billion on information management each year. The driving force is that PKI is hands-down far better security than passwords, Secrest said.

The ability to sign and encrypt mail and documents will make it easier to satisfy security requirements from federal regulators such as the Food and Drug Administration and Health & Human Services, he added.

But rolling out PKI on an enterprisewide scale is fraught with obstacles, the chief one being that many of the commercial applications used at J&J, including those from Documentum, J.D. Edwards, Oracle, SAP and Siebel, can’t make use of digital certificates out of the box and have to be retrofitted to use them.

“We spend a lot of time working to enable the applications for PKI,” Guida said. “And we spend a lot of time working with vendors to do this.”

To retrofit these business applications, J&J has used RSA Security’s BSAFE tool kit, which has been tested and evaluated under the National Institute of Standards and Technology FIPS certification program. J&J’s security managers said they prefer to use independently evaluated products.

In contrast to many of the enterprise CRM and accounting applications, Microsoft’s out-of-the-box applications are often PKI-ready, Guida said.

“Outlook 2000, Microsoft Office XP and Internet Explorer are Windows applications that are very PKI-aware today,” Guida said.

Secrest said the PKI deployment has led J&J’s IT department to instigate other changes as well, such as centralizing information about users in an online enterprise directory. “We have 200 human resources systems, and we had no enterprise directory,” Secrest said.

The enterprise directory now in place holds the information about users and the public-key certificates that can be accessed to send a signed message to the intended recipient. J&J selected Microsoft’s Active Directory running on Windows 2000, which now holds 250,000 entries. With J&J on a buying spree of hundreds of much-smaller companies for more than a year, the IT departments have gained practice in quickly setting up feeds to the main Enterprise Directory.

“The employee has to be in the Enterprise Directory, and authorized by human resources, to request a certificate,” Guida said.

J&J intends to issue digital certificates for about 150,000 individuals, including business partners that use the J&J corporate network regularly. One challenge in operating a PKI is learning how to quickly aggregate lists of revoked certificates – which are known as the certificate revocation lists – to enforce security policy.

J&J maintains its own encryption root key – a core part of the PKI technology for issuing certificates – and to make it a little harder to discover this secret key, keeps the root key in three sections stored at three locations.