by Laurianne McLaughlin

How Pfizer Did ID Management Right

Jul 09, 2007

IT pros at Pfizer used innovative smart card technology in a challenging ID management revamp.

By 2003, pharmaceutical giant Pfizer found itself with a costly business problem: paper. Any drug research project generates mounds of the stuff, including documentation that must be signed and tracked for legal and patent-protection reasons. “In the past, it’s been an intensely paper-filled process. Literally, you can fill a tractor trailer. A digital signature is a tremendous driver in a pharmaceutical environment,” says Leslie Holbrook, Pfizer’s director of worldwide business technology.

The firm was also grappling with a second problem: Whenever Pfizer acquired a new company, it also acquired its building access-control systems, which are both expensive and difficult to change. “Your CIO isn’t going to be excited about swapping out a control system,” Holbrook says, because of the cost. But the mishmash of access systems made IT management chores complex and it frustrated the many Pfizer employees who constantly move among sites, she says.

Pfizer’s business-facing IT group saw the need to address both issues, for cost reasons. Could they kill two birds with one smart card system?

Yes, they decided, and using the cost arguments, they won support from the business side for a smart card-based ID management system that would enable digital signatures, standardize building access and handle PC network logons.

While theoretical work began in 2002, Pfizer IT began getting the project resources together in 2003. “It was definitely an IT-driven project,” says Scott Potter, Pfizer’s senior director of worldwide business technology. What’s more, it was bleeding-edge technology. So the pressure was on.

First lesson learned: If you’re doing an ID management overhaul, don’t expect to find pretty, prewrapped packages. Pfizer’s IT group could not find an off-the-shelf smart card product that offered enough power and flexibility: “We wanted to be able to support other uses going forward,” Potter says. For example, the Pfizer IT team wanted as much memory on the smart card as was practical. The IT team decided it would need to create its own card. “We basically designed this platform ourselves,” Potter says, noting Pfizer brought together two vendors, Gemalto and HID Global, to provide parts of the smart cards.

The card itself has a 64KB Gemalto Java Module chip that houses the PKI (public key infrastructure) credentials and certificate information for digital signatures, and two HID chips, one of which houses the physical access control information, and one that supports add-on applets, for applications like biometric security. Because the cards are based on a Java OS, Pfizer can change or add Java applets after the cards are issued.

HID did the manufacturing, as a subcontractor to Gemalto. Pfizer’s IT people soon found themselves caught up in quandaries that are usually the realm of physical engineering experts. The plastic for the cards proved tricky, Potter says. It was hard to pack everything into the size card needed. “We had a real question about durability and thickness,” he says, noting no one else had developed a card like this one, with its three chips and two antennae.

What did Pfizer’s IT people learn during this part of the project? “You’ve got to work with them like partners not vendors,” Holbrook says, and avoid the temptation to tell the vendor that the manufacturing problems are their headache. Also, she says, Pfizer learned to not go crazy customizing every piece. “As much as you can, try to stick to out of the box,” she says, noting that too many tweaks will only make it harder to get the badges, badge readers, desktop PC client software and other pieces to integrate.

“Make sure you have a primary subcontractor,” Potter says. Who was going to be the “alpha dog” became a bit of a challenge, he says. “We eventually put that on Gemalto,” he says, with instructions to make sure the Gemalto and HID pieces fit together.

Pfizer rolled out the finished smart card badges across its research and development staff globally: That’s 20,000 to 30,000 employees, plus a roughly equal number of contractors, Holbrook says.

Then Pfizer IT got an unexpected result: “We were somewhat surprised by how much of a benefit cross-site access was,” Holbrook says. Pfizer employees work among many sites quite commonly; under the old system, they had to physically register at a visitor center before getting down to work. The smart cards let them simply use an online system to register to work at an alternate site. “Once people heard about that capability, they asked for the badge outside of R&D,” she says.

There was a tipping point of such requests last fall, and IT decided to roll out the smart cards across the corporation, to roughly 90,000 to 100,000 users, Holbrook says.

The project is never going to be “done,” Holbrook says, because Pfizer is constantly acquiring new groups and bringing them into the ID management system.

Also, the project’s reach continues to expand, because people are finding uses for the cards that Pfizer didn’t foresee, Holbrook says.

For example, Pfizer employees are using mobile smart card readers at the door of training classrooms to keep track of who attends classes. Training records are a big deal in the pharmaceutical industry since some training is mandated, Holbrook says. Employees also use the cards and readers for what Potter calls “access control in a box.” For sensitive offsite meetings, he says, a meeting leader can use the cards and reader to better control and track who attends.

Within Pfizer’s research groups, digital signatures are transforming lab notebooks, every page of which has to be signed and witnessed, to the tune of about 14,000 signatures a month, Holbrook says. “Previously, we were unable to fully automate lab notebooks,” she says. For patent protection, Pfizer employees need to sign, date and stamp these entries, on which Pfizer wants the earliest possible date in case of patent questions. People used to wait to date the entries, she says; now the digital signature technology makes it easier to keep a digital notebook and sign and date the entry immediately.

Pfizer employees can even use the cards for cashless vending at company cafeterias.

As for ROI metrics, Holbrook says that they’re hard to pin down precisely on a project like this. Pfizer IT has worked with its vendors to drive down the cost of the badges, from about $30 at the start, to about $13 now, Holbrook says. At the start of the project, no one knew how to price the card because it didn’t exist, she says. Also, some R&D costs were loaded into pricing at the beginning and the vendors didn’t know what to expect in terms of future volume.

Pfizer pegs the cost of one “wet signature” at $30, including time to track down the signer plus storage and scanning costs, Holbrook says, though some analysts estimate the cost as high as $125. Today, one smart card (and its unlimited number of digital signatures) costs $13 plus $70 for a three-year license for the high-assurance PKI credential. Pfizer uses a Microsoft digital certificate authority for some in-house signatures, but for signatures subject to outside scrutiny, it partners with Citibank to license the SAFE high-assurance PKI credential; SAFE (“signatures and access for everyone”) is a pharmaceutical industry consortium. Anecdotally, Pfizer’s use of FedEx to ship documents for signatures has also dropped, Potter says.

What’s next? The company plans to take the technology to new places, Potter says, including biometric applications recently installed at some Pfizer facilities. The smart card stores the user’s thumbprint, which is matched by a reader at the door. One benefit of this system is that Pfizer doesn’t need to maintain a big database of thumbprints, Holbrook notes; such a database would present privacy concerns, especially in Europe, where governmental privacy regulations are stricter than in the United States.

“There’s plenty of room to innovate on this platform,” Potter says.