Johnson & Johnson Use of Public Key Technology

Slide 1

Johnson & Johnson Use of Public Key Technology Brian G. Walsh Senior Analyst, WWIS

Slide 2

Johnson & Johnson
The world's largest and most comprehensive manufacturer of health care products
Founded in 1886
Headquartered in New Brunswick, NJ
Sales of $41.9 billion in 2003
198 operating companies in 54 countries
Over 110,000 employees worldwide
Customers in more than 175 countries

Slide 3

Four Business Groups
Pharmaceuticals: prescription drugs including EPREX, REMICADE
Medical Devices and Diagnostics: blood analyzers, stents, wound closure, prosthetics, minimally invasive surgical equipment
Consumer Products: e.g., Neutrogena; SPLENDA
Consumer Pharmaceuticals and Nutritionals: e.g., TYLENOL

Slide 4

Statistics
400+ UNIX servers; 1900+ WinNT/2000 servers
96,000+ desktops/laptops (Win2K)
60,000+ remote users
Employ two-factor authentication (all using PKI; a few still using SecurID but being migrated)
50M+ messages/month; 50+ TB of storage
530+ web and intranet servers, 3.3M+ site hits/day

Slide 5

Enterprise Directory
Uses an Active Directory forest
Separate from the Win2K OS AD, but some content is replicated
Populated by authoritative sources only
Uses World Wide Identifiers (WWIDs) as the index
Supports the entire security framework
Source of all data placed in certificates
300K+ entries (employees, partners, retirees, former employees)
LDAP accessible

Slide 6

J&J PKI
Directory driven – the certificate subscriber must be in the Enterprise Directory
Certificate content is governed by ED data (none based on "user provided input")
Certificates issued with manager ID proofing
Simple hierarchy – root CA and subordinate online CA

Slide 7

J&J PKI (con't)
Standard form factor: hardware tokens (USB)
Production deployment began mid 2003
Total of more than 150,000 certificates (signing and encryption) issued to date
Most important initial applications: remote authentication; secure email; some enterprise applications

Slide 8

Experience (1)
Training help desks (you can't do too much of this…)
Ensuring sufficient help desk resources to respond to peaks (>100% of normal level; fortunately with a reasonably short half-life)
Shifting user paradigms (it is always hard to change human behavior…): patience; clear, explicit instructions/steps

Slide 9

Experience (2)
Hardware tokens: CSP issues with "pass phrase caching"
User recovery from a lost, stolen or destroyed token: short term recovery (arrange userID/PW); long term recovery (new cert(s))
Certificate revocation: reason codes in the CRL (25% increase in the size of the CRL)
Don't give users options to choose (too confusing for them) – ask questions instead (then automate the reason code determination)

Slide 10

Experience (3)
We put three identifiers in every cert (email address, WWID, UPN)
Right thing to do for applications
Means employee transfer-out/transfer-in processes require getting new certs (since the email address changes)
HR controls those processes, not IM
Moral: smart IM technical/policy decisions may require implementation outside IM

Slide 11

Experience (4)
Once a user gets new certs: register them with applications (e.g., Outlook S/MIME profile changes); link them to other user accounts (e.g., Nortel VPN client)
Thus – there are some extra steps to "migrate" to new certs
Not yet seamless

Slide 12

Experience (5)
Decryption private key recovery
User can do it for his/her own key (after authenticating)
Local Key Recovery Authority Officer can request it for others
Global KRAO must approve
But – important to distinguish key recovery from revocation or getting new certs
Unclear wording (to users) resulted in lots of unnecessary requests, none of which required approval
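The advice on slides 9 and 12 (ask the user questions, automate the CRL reason code, and keep decryption-key recovery separate from revocation) can be expressed as a small decision routine. The following is an added illustration, not code from the J&J deck; the questionnaire fields are constructed for this example, and the reason code values are the RFC 5280 CRLReason values.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class CRLReason(IntEnum):
    """CRLReason codes from RFC 5280, section 5.3.1 (the ones this flow uses)."""
    KEY_COMPROMISE = 1
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6

@dataclass(frozen=True)
class Answers:
    """Constructed yes/no help-desk questionnaire; every field is hypothetical."""
    token_stolen: bool = False
    token_misplaced: bool = False
    expects_found_soon: bool = False  # short-term recovery case (temporary userID/PW)
    token_destroyed: bool = False
    key_exposed: bool = False         # e.g. pass phrase shared or cached insecurely
    leaving_company: bool = False
    email_changed: bool = False       # transfer out/in: cert identifiers now stale
    needs_old_mail: bool = False      # must read mail encrypted to the old key

@dataclass(frozen=True)
class Decision:
    revoke_reason: Optional[CRLReason]  # None means the CRL is not touched
    recover_key: bool                   # escrowed decryption key recovery

def decide(a: Answers) -> Decision:
    """Derive the CRL action from the answers; the user never picks a reason code."""
    # Decryption-key recovery is independent of revocation (slide 12's distinction).
    recover = a.needs_old_mail
    if a.key_exposed or a.token_stolen:
        return Decision(CRLReason.KEY_COMPROMISE, recover)
    if a.token_misplaced and a.expects_found_soon:
        # Hold rather than revoke: a hold can be lifted if the token turns up.
        return Decision(CRLReason.CERTIFICATE_HOLD, recover)
    if a.token_misplaced:  # not coming back: assume it could be in someone else's hands
        return Decision(CRLReason.KEY_COMPROMISE, recover)
    if a.leaving_company:
        return Decision(CRLReason.CESSATION_OF_OPERATION, recover)
    if a.email_changed:  # cert identifiers (email, WWID, UPN) no longer match the directory
        return Decision(CRLReason.AFFILIATION_CHANGED, recover)
    if a.token_destroyed:  # key unusable but not exposed; the new cert supersedes it
        return Decision(CRLReason.SUPERSEDED, recover)
    return Decision(None, recover)
```

A request that only needs old mail read yields no revocation at all, which is the class of request the slide says was being filed unnecessarily.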

Slide 13

Experience (6)
CRL growth is always faster than you predict
Ours is now 1.3 MB (we expected it to be less than half that size)
Caching CRLs in Windows is "easy" but not obvious
IE manages the CRL cache as part of the "temporary internet files" folder
The default setting for us was: flush that folder when IE is closed
Results in lots of CRL downloads

Slide 14

Experience (7)
With employees in more than 50 countries, J&J has one primary business language (English) and more than 12 significant languages
PKI certificate subscribers need to consent to an agreement to get tokens
Must be in local languages
Translation services became an issue – especially with last minute changes to the agreement
Lesson learned: English is not legally binding everywhere

Slide 15

Experience (8)
Rolling out tokens and certificates to more than 1000 people at a time over a 4-6 month period
Users are not technically savvy; general enrollment is confusing and complicated
Need more than one way to get certificates to the user population; not everyone will understand a series of technical steps
All issues get attributed to PKI (Identity Token)!!!

Slide 16

Questions?? Brian G. Walsh Senior Analyst, WW Information Security

Slide 17

Group Registration Process
Rolling out to the masses
Strict Standard Operating Procedure
Number of roles requiring training
Designed to maintain the integrity of the JJEDS while enabling a quick, easy roll out
Training of the Help Desk and Deployment teams was crucial to the successful deployments
It is still new technology, no matter how you package it
