Johnson - PowerPoint PPT Presentation

Slides: 12
Provided by: BobS49
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Johnson & Johnson's Public Key Infrastructure
  • Bob Stahl, rstahl_at_corus.jnj.com

2
Johnson & Johnson
  • The world's largest and most comprehensive
    manufacturer of health care products
  • Founded in 1886
  • Headquartered in New Brunswick, New Jersey
  • Sales of $42 billion in 2003
  • 200 operating companies in 50 countries
  • 109,000 employees worldwide
  • Customers in over 175 countries

3
Baseline PKI Architecture
[Diagram labels]
  • JJEDS
  • JJEDS Offline Root CA (ORCA)
  • Authoritative Feeds - Employees, Partners, Servers, Email addresses, Windows IDs
  • JJEDS Enterprise Directory
  • CRL Distribution Website
  • JJEDS Principal Online CA (POLCA)
  • PKI and Directory Enabled Applications

4
JJEDS PKI Principles
  • Based on open standards
  • Directory-driven
  • Directory is the global identity master
  • Web-based, self service model
  • Strong identity proofing
  • Build and operate it ourselves
  • Separate signing and encryption keys
  • Hardware tokens preferred
  • Support operation in FDA-validated environments

5
Standards Based
  • LDAP Directory
  • X.509v3 Certificates and CRLs
  • RFC 2459, Internet X.509 Public Key
    Infrastructure Certificate and CRL Profile
  • RFC 2527 Certificate Policy and Certificate
    Practice Statement
  • Rewrite underway based on RFC 3647

6
Self-Service Registration
1. New employee, Alice, is entered into HR Database
2. Overnight, Alice has an entry in the Enterprise Directory
[Diagram label: Enterprise Directory]
4. One-time codes are generated and emailed to Alice and her supervisor
4. Alice's supervisor delivers her IVC to her person-to-person
5. Alice returns to JJEDS and authenticates with her IVC and CAC
6. Alice's certificates are generated on her client, and provide only her ID, not her access privileges
7. Alice's certificates are published to the Enterprise Directory and from there to the Email directory
8. Alice's signature key is never duplicated -- her decryption key is escrowed for contingencies. If Alice ever needs to recover an old encryption key, she can do it herself
9. When Alice's cert is about to expire or if her Name or Email changed, then she can revoke her old certificate and get a new one by herself.

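The two-code authentication in the registration steps above, sketched as an added example (not JJEDS code and not from the presentation). It assumes the CAC is the code emailed to Alice and the IVC is the code sent to her supervisor; `EnrollmentDesk`, the validity window and the attempt limit are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 7 * 24 * 3600  # assumed validity window; the slides give none
MAX_ATTEMPTS = 5             # assumed lockout threshold; the slides give none


def _digest(code: str, salt: bytes) -> bytes:
    # Codes are high-entropy random values, so a salted hash is enough at rest.
    return hashlib.sha256(salt + code.encode()).digest()


class EnrollmentDesk:
    """Hypothetical registration authority holding pending enrollments."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user id -> salted digests, expiry, attempt count

    def issue_codes(self, user_id: str) -> dict:
        """Create both codes; plaintext is returned once, keyed by channel."""
        ivc, cac = secrets.token_hex(8), secrets.token_hex(8)
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt, "ivc": _digest(ivc, salt), "cac": _digest(cac, salt),
            "expires": self._clock() + TTL_SECONDS, "attempts": 0,
        }
        return {"to_supervisor": ivc, "to_user": cac}

    def authenticate(self, user_id: str, ivc: str, cac: str) -> bool:
        """True only if both codes match, are unexpired and are unused."""
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]  # expired or locked: codes must be reissued
            return False
        # Run both constant-time comparisons before combining the results.
        ok_ivc = hmac.compare_digest(_digest(ivc, rec["salt"]), rec["ivc"])
        ok_cac = hmac.compare_digest(_digest(cac, rec["salt"]), rec["cac"])
        if ok_ivc and ok_cac:
            del self._pending[user_id]  # one-time: a replay finds no record
            return True
        rec["attempts"] += 1
        return False
```

Because each code travels by a different channel, a compromise of Alice's mailbox alone does not let anyone enroll as her.
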
7
Security Vision
[Diagram labels]
  • Unique identities for people (and machines)
  • Directory-Centric Corporation (Global Identity Master)
  • Legal & Regulatory Compliance
  • Secure Electronic Transactions
  • Eliminate Passwords
  • JJEDS Digital Identities
  • Authoritative Sources

8
Applications
  • Directory took off on its own
    150,000 active entries
  • WWID-based login
  • Workflow routing
  • Phonebook replacement
  • Online organization charts
  • Compliance tracking / training
  • Email lookups for applications

9
PKI Applications
  • Remote Access: 60,000 users
  • Secure Email
  • Research collaboration
  • Legal department
  • Marketing
  • Personnel discussions
  • Adverse event reporting
  • Skincare marketing intelligence web site
  • SOX compliance reporting
  • Ethics certification
  • Coming Soon: Enterprise Apps
  • e.g., SAP, Oracle, Windows Login

10
Next Leap - SAFE
  • SAFE: Secure Access for Everyone
  • What is it?
  • Biopharma industry consortium aimed at
    facilitating e-transactions through SAFE-wide
    digital credentials
  • Participants include J&J, Pfizer, Merck, GSK,
    Aventis, Lilly, P&G, Novartis, others
  • Technology selected for use: PKI
  • PKI perspective
  • Additional emphasis on Digital Signatures

11
SAFE Value Potential