Identity Crisis: Pfizer's Fix
- 02 October, 2007 11:09
- How digital signatures can save time and money
- Lessons learned from a smart card project
- The future benefits of digitized ID management
By 2003, pharmaceutical giant Pfizer found itself with a costly business problem: Paper. Reams of paper. Mountains of paper. Pfizer was up to its neck in the stuff.
Any drug research project generates masses of paper, including documentation that must be signed and tracked for legal and patent-protection reasons. And all that paper needs to be categorized, filed and stored — a costly, time-consuming and labour-intensive process. "[Research] has always been an intensely paper-filled process," sums up Leslie Holbrook, Pfizer's director of worldwide business technology.
"Literally, you can fill a tractor trailer."
All enterprises churn out paper, but the pharmaceutical industry generates more than most, as its business involves an especially high level of documentation to navigate a dense web of government regulations and protect itself against the spectre of looming lawsuits. "A digital signature is a tremendous driver in a pharmaceutical environment," says Holbrook. To wit, every document Pfizer could sign digitally would be one less piece of paper it had to manage and store. And then there's the issue of speed. Pfizer's research groups must sign, date and have witnessed every single entry in their lab notebooks. That's about 14,000 signatures a month. Just in case one of those entries might turn into a patentable product, Pfizer wanted the earliest possible date on each entry. But with researchers having to wait to find the right person to witness the entry, that wasn't happening.
Pharmaceutical, finance and health-care enterprises, among others, are now being pushed to digitize signatures for reasons of security and compliance, says IDC's Sally Hudson, research director, security products and services. In a nutshell, digital signatures lower costs and decrease complexity while increasing security, she says.
"Compliance regulations are going to become more specific and intricate over time, and the penalties for non-compliance will be strictly enforced," Hudson says. "The use of digital IDs and electronic contracts will become more commonplace over the next several years."
But necessity is not the digital signature's only mother. IDC believes that the move to digital signatures, when complete, will make compliance with government regulations easier and less costly, protecting companies as well as consumers. Hudson sees digital evidence increasingly being accepted as proof in courts of law, and online contracts becoming legally acceptable.
In other words, companies that perfect their processes for digital signatures and ID management will gain an immediate competitive advantage over those that don't.
Who's That Knocking on My Door
Pfizer was also wrestling with a second, security-related problem: Whenever Pfizer acquired a new company, it also acquired that company's building access control systems, which are expensive and difficult to change. "Your CIO isn't going to be excited about swapping out a control system," Holbrook says, because of the cost. But the mishmash of access systems made IT management chores complex, and it frustrated the many Pfizer employees who constantly move among sites.
Pfizer's IT group saw an opportunity to address both issues: digital signatures and ID management. Could they kill two birds with one smart card system?
Yes, they decided, and using a cost-reduction argument, they won support from the business side for a smart card-based ID management system that would enable digital signatures, standardize building access and handle PC network logons.
Lessons Learned While Making a Smarter Card
Theoretical work on the smart card project began in 2002, and Pfizer IT began getting the project resources together in 2003. "It was definitely an IT-driven project," says Scott Potter, Pfizer's senior director of worldwide business technology and Holbrook's boss. What's more, it was bleeding-edge technology. So the pressure was on.
The first lesson learned was that if you're doing an ID management overhaul, don't expect to find pretty, prewrapped packages. Pfizer's IT group could not find an off-the-shelf smart card product that offered enough power and flexibility.
"We wanted to be able to support other uses going forward," Potter says. For example, the Pfizer IT team wanted as much memory on the smart card as was practical. So the IT team decided it would need to create its own card. "We basically designed this platform ourselves," Potter says, noting Pfizer brought together two vendors, Gemalto and HID Global, to provide parts of the smart cards.
The card itself has a 64KB Gemalto Java Module chip that houses the PKI credentials and certificate information for digital signatures, and two HID chips, one of which houses the physical access control information, and one that supports add-on applets, for applications like biometric security. Because the cards are based on a Java OS, Pfizer can change or add Java applets after the cards are issued.
HID did the manufacturing, as a subcontractor to Gemalto. Pfizer's IT people soon found themselves caught up in quandaries that are usually the realm of physical engineering experts. The plastic for the cards proved tricky, Potter says. It was hard to pack everything into the size card needed. "We had a real question about durability and thickness," he says, noting no one else had developed a card like this one, with its three chips and two antennas.
What did Pfizer's IT people learn during this part of the project? To work with its vendors as if they were partners, Holbrook says, and avoid the temptation to tell the vendor that the manufacturing problems were their headache. Also, she says, Pfizer learned to not go crazy customizing every piece. "As much as you can, try to stick to out of the box," she says, noting that too many tweaks only make it harder to get the badges, badge readers, desktop PC client software and other pieces to integrate.
Another lesson was to "make sure you have a primary subcontractor", says Potter. Deciding who was going to be the alpha dog was, he says, a bit of a challenge. "We eventually put that on Gemalto", which had the bulk of the digital signature experience, he says, instructing it to make sure the Gemalto and HID pieces fit together.
In 2004, Pfizer rolled out the finished smart card badges across its global research and development staff. That's 20,000 to 30,000 employees, plus a roughly equal number of contractors.
Smarter Cards, Smarter Results
Within Pfizer's research groups, digital signatures, enabled by the smart cards, are transforming those previously unwieldy lab notebooks. Despite Pfizer's need to date the lab entries ASAP in order to create evidence for potential patents, researchers used to wait to date the entries because it wasn't always easy to track down an appropriate person to witness a signature. This, in turn, encouraged researchers to have their work signed off in batches instead of in timelier snippets of data, says Holbrook. Conversely, the digital signature technology allows researchers to sign and date the day's entry immediately.
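The sign, date and witness workflow described above, as an added illustration that is not Pfizer's system or code: a researcher's key stands in for the PKI credential on the card, and a separate witness countersigns the researcher's signature, so the date is fixed the moment the researcher signs rather than when a witness becomes available. Key generation, the Entry structure and the sample entry text are constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)
// Entry is a constructed lab-notebook record: the researcher signs text+date, a witness countersigns.
type Entry struct {
	Text                    string
	SignedAt                time.Time
	Researcher, Witness     *ecdsa.PublicKey
	ResearchSig, WitnessSig []byte
}
func sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// entryDigest binds the text to its claimed date so neither can be altered afterwards.
func entryDigest(text string, at time.Time) []byte {
	return sum([]byte(at.UTC().Format(time.RFC3339) + "\n" + text))
}
// NewKey stands in for the per-person PKI credential held on the smart card (hypothetical helper).
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}
// SignEntry: the researcher signs the dated entry with their own credential.
func SignEntry(key *ecdsa.PrivateKey, text string, at time.Time) (*Entry, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, entryDigest(text, at))
	if err != nil { return nil, err }
	return &Entry{Text: text, SignedAt: at, Researcher: &key.PublicKey, ResearchSig: sig}, nil
}
// WitnessEntry signs the researcher's signature; it rejects self-witnessing and unverifiable entries.
func WitnessEntry(key *ecdsa.PrivateKey, e *Entry) error {
	if key.PublicKey.Equal(e.Researcher) || !ecdsa.VerifyASN1(e.Researcher, entryDigest(e.Text, e.SignedAt), e.ResearchSig) {
		return errors.New("not witnessable: self-witness or invalid researcher signature")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, sum(e.ResearchSig))
	if err != nil { return err }
	e.Witness, e.WitnessSig = &key.PublicKey, sig
	return nil
}
// Verify checks both signatures; any later edit to text or date breaks the chain.
func Verify(e *Entry) bool {
	return e.Witness != nil && !e.Witness.Equal(e.Researcher) &&
		ecdsa.VerifyASN1(e.Researcher, entryDigest(e.Text, e.SignedAt), e.ResearchSig) && ecdsa.VerifyASN1(e.Witness, sum(e.ResearchSig), e.WitnessSig)
}
func main() { e, _ := SignEntry(NewKey(), "constructed entry", time.Now()); _ = WitnessEntry(NewKey(), e); println("verified:", Verify(e)) }
```

A production deployment would carry the researcher's and witness's certificates and a trusted timestamp rather than a bare key and local clock; the structure of the two-signature chain is what the example shows.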
But that wasn't the end of the benefits Pfizer began to reap from its smart cards.
"We were somewhat surprised by how much of a benefit cross-site access was," says Holbrook. Pfizer employees quite commonly work at many sites, going back and forth. Under the old system, they had to physically register at a visitor centre before getting down to work. The smart cards let them use an online system to register to work at an alternate site, then swipe the card there. "Once people heard about that capability, they asked for the badge outside of R&D," she says.
There was a tipping point of such requests late last year, and IT decided to roll out the smart cards across the corporation to roughly 90,000 to 100,000 users.
The smart card project's reach continues to expand, says Holbrook, as people find uses for the cards that Pfizer didn't foresee. For example, the company is now using readers at the door of training classrooms to keep track of who attends. Training records are a big deal in the pharmaceutical industry, as some training is mandated, Holbrook says. Employees also use the cards and readers for what Potter calls "access control in a box". For sensitive offsite meetings, he says, a meeting leader can use the cards and reader to control and track who attends, guarding against corporate espionage.
Pfizer employees can even use the cards for cashless vending at company cafeterias.
And Now for the ROI
Holbrook says that the smart card project's ROI is hard to pin down precisely. Pfizer IT has worked with its vendors to drive down the cost of the badges, from about $US30 at the start to about $US13. (At the beginning of the project, Holbrook points out, no one knew how to price the card because it didn't exist. Also, some R&D costs were loaded into pricing and the vendors didn't know what to expect in terms of volume.)
Pfizer estimates the cost of one "wet signature" at $US30 (including time to track down the signer, plus storage and scanning cost; some analysts put the cost as high as $US125.) Today, one smart card, with its unlimited number of digital signatures, costs $US13, plus $US70 for a three-year licence for the high-assurance PKI credential. Pfizer uses a Microsoft digital certificate authority for some in-house signatures, but for signatures subject to outside scrutiny, it partners with Citibank to license the SAFE high-assurance PKI credential. (SAFE — "signatures and access for everyone" — is a pharmaceutical industry consortium.) Anecdotally, Pfizer's use of FedEx to ship documents for signatures has also dropped, Potter says.
Pfizer plans to take the technology to new places, Potter says, including biometric applications recently installed at some Pfizer facilities. The smart card stores the user's thumbprint, which is matched by a reader at the door. One benefit of this system, Holbrook says, is that Pfizer doesn't need to maintain a big database of the thumbprints — a serious privacy concern, especially in Europe, where governmental privacy regulations are quite strict.
"There's plenty of room to innovate on this platform," Potter says.
SIDEBAR: 5 QUICK TIPS for Integrated ID Management
Pfizer's move to digital signatures and smart cards came with more than a few hard-won lessons
1. Understand your business case, cold. "This is the only bleeding-edge technology project [that I've worked on] that I felt had an iron-clad business case," says Leslie Holbrook, Pfizer's director for worldwide business technology. "We had a hard business reason to push this."
2. Build as flexible a platform as you can afford. Don't skimp on memory or chips for your smart card. Pfizer is seeing the ability to add Java applets to its cards pay off — for example, with a new biometrics application. "Blow it out," Holbrook says, meaning leave room on the smart cards for unanticipated uses. You don't want to have to go out and redeploy cards after a short time.
3. Leave plenty of time to craft your policies around certificates and passwords. Pfizer had to deal with a multitude of questions around passwords, reset times and the like. The technology was ready before the policy. "Our digital signature policy had about 100 authors," Holbrook says. "I'm not sure how long it is but it's a sure cure for insomnia." You'll also have to decide who'll own the policy when it's done, and it may not have a natural home, she adds. At Pfizer, human resources, risk management and internal audit groups own the policy.
4. Strike a tight partnership with legal from the start. "It's really crucial," Holbrook says. Also, bring in outside help to give your IT and legal staff advice on the bleeding-edge issues. "We were able to tap into some consulting resources," Holbrook says, to gain people with experience with the financial and legal issues relating to digital credentials. In one example, Pfizer had to confirm precisely what kinds of digital signature policies need to be attached to its lab research notebooks.
5. Make sure the IT people on the project are flexible. "Being on the bleeding edge always hurts a little," Holbrook says. "You need a team that can roll with the punches. There's no solution for this. There's no standard API. It's just not standard development work."
— L MCLAUGHLIN