by Laurianne McLaughlin

Five Quick Tips for Integrated ID Management

Feature
Jul 09, 2007 (2 mins)
Data Center, Security

Lessons from Pfizer's ID management effort.

Pfizer’s move to integrated ID management came with more than a few hard-won lessons. For CIOs contemplating ID management overhauls or smart card projects, Scott Potter, Pfizer’s senior director for worldwide business technology, and Leslie Holbrook, director for worldwide business technology, have five key suggestions.

1. Understand your business case, cold. “This is the only bleeding-edge technology project [that I’ve worked on] that I felt had an iron-clad business case,” Holbrook says. “We had a hard business reason to push this.”

2. Build “as flexible a platform as you can afford,” Holbrook says. Don’t skimp on memory or chips. Pfizer is seeing the ability to add Java applets to its cards pay off—for example, with a new biometrics application, she says. “Blow it out,” she says, meaning leave room on the smart cards for unanticipated uses. You don’t want to have to go out and redeploy cards after a short time.

3. Leave plenty of time to craft your policies around certificates and passwords. Pfizer had to deal with a multitude of questions around passwords, reset times and the like. The technology was ready before the policy. “Our digital signature policy had about 100 authors,” Holbrook says. “I’m not sure how long it is but it’s a sure cure for insomnia.” You’ll also have to decide who’ll own the policy when it’s done, and it may not have a natural home, she adds. At Pfizer, human resources, risk management and internal audit groups own the policy.

4. Strike “a tight partnership with legal from the start,” Holbrook says. “It’s really crucial.” Also, bring in outside help to give your IT and legal staff advice on the bleeding-edge issues. “We were able to tap into some consulting resources,” Holbrook says, to gain people with experience with the financial and legal issues relating to digital credentials. In one example, Pfizer had to confirm precisely what kinds of digital signature policies need to be attached to its lab research notebooks.

5. Make sure the IT people on the project are flexible. “Being on the bleeding edge always hurts a little,” Holbrook says. “You need a team that can roll with the punches. There’s no solution for this. There’s no standard API. It’s just not standard development work.”