Johnson - PowerPoint PPT Presentation

About This Presentation

Title: Johnson

Description: Blood analyzers, stents, wound closure, prosthetics, minimally invasive ... E.g., Neutrogena; SPLENDA. Consumer Pharmaceuticals and Nutritionals. E.g., TYLENOL ... – PowerPoint PPT presentation

Number of Views: 42
Avg rating: 3.0/5.0
Slides: 18
Provided by: cio56
Learn more at: http://www.dartmouth.edu

Transcript and Presenter's Notes

1
Johnson & Johnson: Use of Public Key Technology
  • Brian G. Walsh
  • Senior Analyst, WWIS

2
Johnson & Johnson
  • The world's largest and most comprehensive
    manufacturer of health care products
  • Founded in 1886
  • Headquartered in New Brunswick, NJ
  • Sales of $41.9 billion in 2003
  • 198 operating companies in 54 countries
  • Over 110,000 employees worldwide
  • Customers in over 175 countries

3
Four Business Groups
  • Pharmaceuticals
    • Prescription drugs including EPREX, REMICADE
  • Medical Devices and Diagnostics
    • Blood analyzers, stents, wound closure,
      prosthetics, minimally invasive surgical
      equipment
  • Consumer Products
    • E.g., Neutrogena; SPLENDA
  • Consumer Pharmaceuticals and Nutritionals
    • E.g., TYLENOL

4
Statistics
  • 400 UNIX servers; 1900 WinNT/2000 servers
  • 96,000 desktops/laptops (Win2K)
  • 60,000 remote users
  • Employ two-factor authentication (almost all
    using PKI; a few still using SecurID, but being
    migrated)
  • 50M e-mails/month; 50 TB of storage
  • 530 internet and intranet servers; 3.3M website
    hits/day

5
Enterprise Directory
  • Uses an Active Directory forest
  • Separate from the Win2K OS AD, but some contents
    are replicated
  • Populated by authoritative sources only
  • Uses World Wide Identifiers (WWIDs) as the index
  • Supports the entire security framework
  • Source of all information put into certificates
  • 300K entries (employees, partners, retirees,
    former employees)
  • LDAP accessible

6
J&J PKI
  • Directory centric: a certificate subscriber must
    be in the Enterprise Directory
  • Certificate contents dictated by ED info (none
    based on user-supplied input)
  • Certificates issued with supervisor ID proofing
  • Simple hierarchy: root CA and subordinate online
    CA

7
J&J PKI (cont.)
  • Standard form factor hardware tokens (USB)
  • Production deployment began early 2003
  • Total of over 150,000 certificates (signature and
    encryption) issued to date
  • Most important initial applications
    • Remote authentication
    • Secure e-mail
    • Some enterprise applications

8
Experience (1)
  • Training help desks (you can't do too much of
    this)
  • Ensuring sufficient help desk resources to
    respond to peaks (>100% of the average level;
    fortunately with a reasonably short half-life)
  • Shifting user paradigms (always hard to change
    human behavior)
  • Patience
  • Clear, unequivocal instructions/steps

9
Experience (2)
  • Hardware tokens
    • CSP issues with pass phrase caching
  • User recovery from a lost, stolen or destroyed
    token
    • Short term recovery (network userID/PW)
    • Long term recovery (new cert(s))
  • Certificate revocation
    • Reason codes in the CRL (25% increase in the size
      of the CRL)
    • Don't give users options to select (too confusing
      to them); ask questions instead (then automate
      reason code selection)
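Two of the revocation lessons on this slide can be made concrete: asking the user a plain question and deriving the CRL reason code from the answer, and the byte cost that a reasonCode entry extension adds to every revoked-certificate entry (the deck's 25% is for the whole CRL, which also carries fixed overhead such as the issuer name and signature; per entry the growth is larger). The following is an added example, not code from the J&J deck: the minimal DER encoder, the help-desk answer table (an assumed policy, not J&J's) and the sample serial number and date are constructed here.

```python
"""CRL entry encoding and the byte cost of reason codes (added example)."""
from datetime import datetime, timezone
from typing import Optional, Tuple

# CRLReason values from RFC 5280, section 5.3.1 (value 7 is unused).
CRL_REASONS = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
    "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
    "certificateHold": 6, "removeFromCRL": 8, "privilegeWithdrawn": 9,
    "aACompromise": 10,
}

# Assumed help-desk policy (constructed, not the deck's): the user answers a
# plain question about what happened; the reason code is chosen for them.
HELPDESK_ANSWERS = {
    "token lost": "keyCompromise",            # possession lost: assume the worst
    "token stolen": "keyCompromise",
    "token destroyed": "superseded",          # key never exposed; a new cert replaces it
    "user left company": "cessationOfOperation",
    "user moved to another affiliate": "affiliationChanged",
    "user on extended leave": "certificateHold",
}

def reason_from_answer(answer: str) -> int:
    """Map a help-desk answer to a CRLReason value; users never pick codes."""
    return CRL_REASONS[HELPDESK_ANSWERS[answer.strip().lower()]]

# --- minimal DER encoding (definite length only) ---------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def _der_integer(value: int) -> bytes:
    # Non-negative INTEGER: minimal big-endian bytes, with a 0x00 pad byte
    # whenever the top bit would otherwise be set (avoids a negative reading).
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _der_utctime(when: datetime) -> bytes:
    return _der(0x17, when.strftime("%y%m%d%H%M%SZ").encode("ascii"))

# id-ce-cRLReasons = 2.5.29.21 in DER: 40*2+5 = 0x55, then 0x1d, 0x15
OID_CRL_REASON = _der(0x06, b"\x55\x1d\x15")

def revoked_entry(serial: int, when: datetime, reason: Optional[int] = None) -> bytes:
    """One element of a CRL's revokedCertificates SEQUENCE (RFC 5280 5.1.2.6)."""
    content = _der_integer(serial) + _der_utctime(when)
    if reason is not None:
        enumerated = _der(0x0A, bytes([reason]))              # ENUMERATED reason
        extension = _der(0x30, OID_CRL_REASON + _der(0x04, enumerated))
        content += _der(0x30, extension)                      # crlEntryExtensions
    return _der(0x30, content)

def reason_code_overhead(serial: int, when: datetime) -> Tuple[int, int, float]:
    """Return (entry bytes without reasonCode, with it, percent growth per entry)."""
    plain = len(revoked_entry(serial, when))
    coded = len(revoked_entry(serial, when, CRL_REASONS["keyCompromise"]))
    return plain, coded, round(100.0 * (coded - plain) / plain, 1)

# Constructed sample values for the demonstration.
SAMPLE_SERIAL = 0x0123456789ABCDEF
SAMPLE_WHEN = datetime(2004, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("reason for 'token stolen':", reason_from_answer("token stolen"))
    print("entry bytes (plain, with reason, % growth):",
          reason_code_overhead(SAMPLE_SERIAL, SAMPLE_WHEN))
```

With an 8-byte serial and a UTCTime date, the plain entry is 27 bytes and the entry with a reasonCode extension is 41 bytes, so a CRL that is mostly entries grows by roughly half per entry; the fixed parts of the CRL dilute that to the smaller whole-file figure the deck reports.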

10
Experience (3)
  • We put three identifiers in each cert (e-mail
    address, WWID, UPN)
    • The right thing to do for apps
    • Means the employee transfer-out/transfer-in processes
      require getting new certs (since the e-mail address
      changes)
    • HR controls those processes, not IM
  • Moral: smart IM technical/policy decisions may
    require implementation outside IM
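Slides 6 and 10 together describe one binding rule: every naming field in a certificate is copied from the Enterprise Directory record, never from what the enrolling user types, and because a signed certificate cannot be edited, a change to any of those fields (a new e-mail address after a transfer) forces revocation and reissue. The following is an added example, not code from the J&J deck: the record layout, the identifier builder and the drift check are constructed here, and which SubjectAltName type would carry the WWID is an assumption the deck does not make.

```python
"""Directory-bound certificate identifiers (added example)."""
from dataclasses import dataclass
from typing import Dict, Set

@dataclass(frozen=True)
class DirectoryRecord:
    """Authoritative subscriber fields as read from the Enterprise Directory."""
    wwid: str   # World Wide Identifier, the directory's index key
    mail: str   # becomes the rfc822Name in the certificate
    upn: str    # becomes the Microsoft UPN otherName in the certificate

def certificate_identifiers(rec: DirectoryRecord, request_form: Dict[str, str]) -> Dict[str, str]:
    """Build the identifiers that go into the certificate.

    request_form is whatever the enrolment page submitted. It is accepted only
    so the function can ignore it: nothing the user typed reaches the naming
    fields, which is the policy the deck describes.
    """
    del request_form  # deliberately unused
    return {"rfc822Name": rec.mail, "upn": rec.upn, "wwid": rec.wwid}

def drifted_identifiers(cert_ids: Dict[str, str], rec: DirectoryRecord) -> Set[str]:
    """Names of identifiers whose certificate value no longer matches the directory."""
    current = certificate_identifiers(rec, {})
    return {name for name, value in current.items() if cert_ids.get(name) != value}

def reissue_required(cert_ids: Dict[str, str], rec: DirectoryRecord) -> bool:
    """A signed certificate is immutable: any drift means revoke and reissue."""
    return bool(drifted_identifiers(cert_ids, rec))

# Constructed sample: the same employee before and after a transfer between
# operating companies, which changes the mail domain but not the WWID or UPN.
BEFORE = DirectoryRecord(wwid="0000123456", mail="jdoe@opco-a.example", upn="jdoe@corp.example")
AFTER = DirectoryRecord(wwid="0000123456", mail="jdoe@opco-b.example", upn="jdoe@corp.example")

if __name__ == "__main__":
    # The user-typed address in the form is ignored; the directory wins.
    issued = certificate_identifiers(BEFORE, {"mail": "whatever@the-user-typed.example"})
    print("issued:", issued)
    print("drift after transfer:", drifted_identifiers(issued, AFTER))
    print("reissue required:", reissue_required(issued, AFTER))
```

The check is what an HR-driven transfer process would call before and after updating the directory: before the update the certificate matches and nothing happens; after it, only the rfc822Name drifts, which is exactly the reissue trigger the slide complains about.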

11
Experience (4)
  • Once a user gets new certs
    • Register them with apps (e.g., Outlook S/MIME
      profile changes)
    • Link them to other user accounts (e.g., Nortel
      VPN client)
  • Thus there are some additional steps to
    migrate to new certs
  • Not yet seamless

12
Experience (5)
  • Decryption private key recovery
    • User can do this for his/her own key (after
      authenticating)
    • Local Key Recovery Authority Officer can request
      it for others
    • Global KRAO must approve
  • But important to distinguish key recovery from
    revocation or getting new certs
    • Unclear terminology (to users) resulted in lots
      of unnecessary requests, none of which required
      approval

13
Experience (6)
  • CRL growth is always faster than you predict
    • Ours is now 1.3 MB (expected it to be less than
      half that size)
  • Caching CRLs in Windows is easy but not obvious
    • IE manages the CRL cache as part of the temporary
      internet files folder
    • Standard setting for us was to flush that folder
      when IE is closed
    • Results in lots of CRL downloads

14
Experience (7)
  • With employees in over 50 countries, J&J has one
    main business language (English) and over 12
    important languages
  • PKI certificate subscribers have to sign an
    agreement to get tokens
    • Must be in native languages
    • Translation services became an issue, especially
      with last minute changes to the agreement
  • Lesson learned: English is not legally binding
    universally

15
Experience (8)
  • Rolling out tokens and certificates to over 1000
    individuals at a time over a 4-6 month period
  • Users are not technically savvy; regular
    registration is confusing and complicated
  • Need more than one way to get certificates to the
    user population; not everyone will understand a
    series of technical steps
  • All problems get attributed to PKI (Identity Token)!!!

16
Questions??
  • Brian G. Walsh
  • Senior Analyst, WW Information Security

17
Group Registration Process
  • Rolling out to the masses
  • Strict Standard Operating Procedure
  • Number of Roles requiring training
  • Designed to maintain the integrity of the J&JEDS,
    while enabling a speedy, easy roll-out
  • Training of Help Desk and Deployments teams were
    crucial to the successful deployments
  • It is still new technology, no matter how you
    package it