How Pfizer Did ID Management Right
IT pros at Pfizer used innovative smart card technology in a challenging ID management revamp.
Mon, July 09, 2007
CIO — By 2003, pharmaceutical giant Pfizer found itself with a costly business problem: paper. Any drug research project generates mounds of the stuff, including documentation that must be signed and tracked for legal and patent-protection reasons. "In the past, it's been an intensely paper-filled process. Literally, you can fill a tractor trailer. A digital signature is a tremendous driver in a pharmaceutical environment," says Leslie Holbrook, Pfizer's director of worldwide business technology.
The firm was also grappling with a second problem: Whenever Pfizer acquired a new company, it also acquired its building access-control systems, which are both expensive and difficult to change. "Your CIO isn't going to be excited about swapping out a control system," Holbrook says, because of the cost. But the mishmash of access systems made IT management chores complex and frustrated the many Pfizer employees who constantly move among sites, she says.
Pfizer's business-facing IT group saw the need to address both issues, for cost reasons. Could they kill two birds with one smart card system?
Yes, they decided, and using the cost arguments, they won support from the business side for a smart card-based ID management system that would enable digital signatures, standardize building access and handle PC network logons.
While theoretical work began in 2002, Pfizer IT began getting the project resources together in 2003. "It was definitely an IT-driven project," says Scott Potter, Pfizer's senior director of worldwide business technology. What's more, it was bleeding-edge technology. So the pressure was on.
First lesson learned: If you're doing an ID management overhaul, don’t expect to find pretty, prewrapped packages. Pfizer's IT group could not find an off-the-shelf smart card product that offered enough power and flexibility: "We wanted to be able to support other uses going forward," Potter says. For example, the Pfizer IT team wanted as much memory on the smart card as was practical. The IT team decided it would need to create its own card. "We basically designed this platform ourselves," Potter says, noting Pfizer brought together two vendors, Gemalto and HID Global, to provide parts of the smart cards.
The card itself has a 64KB Gemalto Java Module chip that houses the PKI (public key infrastructure) credentials and certificate information for digital signatures, and two HID chips: one houses the physical access control information, and the other supports add-on applets for applications like biometric security. Because the cards are based on a Java OS, Pfizer can change or add Java applets after the cards are issued.