By 2003, pharmaceutical giant Pfizer found itself with a costly\nbusiness problem: paper. Any drug research project generates mounds\nof the stuff, including documentation that must be signed and\ntracked for legal and patent-protection reasons. "In the past, it's\nbeen an intensely paper-filled process. Literally, you can fill a\ntractor trailer. A digital signature is a tremendous driver in a\npharmaceutical environment," says Leslie Holbrook, Pfizer's\ndirector of worldwide business technology.\nTop ID TipsRead Five Quick Tips for Integrated ID ManagementThe firm was also grappling with a second problem: Whenever\nPfizer acquired a new company, it also acquired its building\naccess-control systems, which are both expensive and difficult to\nchange. "Your CIO isn't going to be excited about swapping out a\ncontrol system," Holbrook says, because of the cost. But the\nmishmash of access systems made IT management chores complex and it\nfrustrated the many Pfizer employees who constantly move among\nsites, she says.Pfizer's business-facing IT group saw the need to address both\nissues, for cost reasons. Could they kill two birds with one smart\ncard system?Yes, they decided, and using the cost arguments, they won\nsupport from the business side for a smart card-based ID management system that would enable digital signatures, standardize\nbuilding access and handle PC network logons. While theoretical work began in 2002, Pfizer IT began getting\nthe project resources together in 2003. "It was definitely an\nIT-driven project," says Scott Potter, Pfizer's senior director of\nworldwide business technology. What's more, it was bleeding-edge\ntechnology. So the pressure was on.First lesson learned: If you're doing an ID management overhaul,\ndon\u2019t expect to find pretty, prewrapped packages. Pfizer's IT\ngroup could not find an off-the-shelf smart card product that\noffered enough power and flexibility: "We wanted to be able to\nsupport other uses going forward," Potter says. For example, the\nPfizer IT team wanted as much memory on the smart card as was\npractical. The IT team decided it would need to create its own\ncard. "We basically designed this platform ourselves," Potter says,\nnoting Pfizer brought together two vendors, Gemalto and HID Global,\nto provide parts of the smart cards.The card itself has a 64KB Gemalto Java Module chip that houses\nthe PKI (public key infrastructure) credentials and certificate\ninformation for digital signatures, and two HID chips, one of which\nhouses the physical access control information, and one that\nsupports add-on applets, for applications like biometric security.\nBecause the cards are based on a Java OS, Pfizer can change or add\nJava applets after the cards are issued. HID did the manufacturing, as a subcontractor to Gemalto.\nPfizer's IT people soon found themselves caught up in quandaries\nthat are usually the realm of physical engineering experts. The\nplastic for the cards proved tricky, Potter says. It was hard to\npack everything into the size card needed. "We had a real question\nabout durability and thickness," he says, noting no one else had\ndeveloped a card like this one, with its three chips and two\nantennae.What did Pfizer's IT people learn during this part of the\nproject? "You've got to work with them like partners not vendors,"\nHolbrook says, and avoid the temptation to tell the vendor that the\nmanufacturing problems are their headache. Also, she says, Pfizer\nlearned to not go crazy customizing every piece. "As much as you\ncan, try to stick to out of the box," she says, noting that too\nmany tweaks will only make it harder to get the badges, badge\nreaders, desktop PC client software and other pieces to\nintegrate."Make sure you have a primary subcontractor," Potter says. Who\nwas going to be the "alpha dog" became a bit of a challenge, he\nsays. "We eventually put that on Gemalto," he says, with\ninstructions to make sure the Gemalto and HID pieces fit\ntogether.Pfizer rolled out the finished smart card badges across its\nresearch and development staff globally: That's 20,000 to 30,000\nemployees, plus a roughly equal number of contractors, Holbrook\nsays.Then Pfizer IT got an unexpected result: "We were somewhat\nsurprised by how much of a benefit cross-site access was," Holbrook\nsays. Pfizer employees work among many sites quite commonly; under\nthe old system, they had to physically register at a visitor center\nbefore getting down to work. The smart cards let them simply use an\nonline system to register to work at an alternate site. "Once\npeople heard about that capability, they asked for the badge\noutside of R&D," she says.There was a tipping point of such requests last fall, and IT\ndecided to roll out the smart cards across the corporation, to\nroughly 90,000 to 100,000 users, Holbrook says.The project is never going to be "done," Holbrook says, because\nPfizer is constantly acquiring new groups and bringing them into\nthe ID management system.Also, the project's reach continues to expand, because people\nare finding uses for the cards that Pfizer didn\u2019t foresee,\nHolbrook says.For example, Pfizer employees are using mobile smart card\nreaders at the door of training classrooms to keep track of who\nattends classes. Training records are a big deal in the\npharmaceutical industry since some training is mandated, Holbrook\nsays. Employees also use the cards and readers for what Potter calls\n"access control in a box." For sensitive offsite meetings, he says,\na meeting leader can use the cards and reader to better control and\ntrack who attends.Within Pfizer's research groups, digital signatures are\ntransforming lab notebooks, every page of which have to be signed\nand witnessed, to the tune of about 14,000 signatures a month,\nHolbrook says. "Previously, we were unable to fully automate lab\nnotebooks," she says. For patent protection, Pfizer employees need\nto sign, date and stamp these entries, on which Pfizer wants the\nearliest possible date in case of patent questions. People used to\nwait to date the entries, she says; now the digital signature\ntechnology makes it easier to keep a digital notebook and sign and\ndate the entry immediately.Pfizer employees can even use the cards for cashless vending at\ncompany cafeterias.As for ROI metrics, Holbrook says that they're hard to pin down\nprecisely on a project like this. Pfizer IT has worked with its\nvendors to drive down the cost of the badges, from about $30 at the\nstart, to about $13 now, Holbrook says. At the start of the\nproject, no one knew how to price the card because it didn\u2019t\nexist, she says. Also, some R&D costs were loaded into pricing\nat the beginning and the vendors didn\u2019t know what to expect\nin terms of future volume.Pfizer pegs the cost of one "wet signature" at $30 (including\ntime to track down the signer, plus storage and scanning costs,\nHolbrook says, though some analysts estimate the cost as high as\n$125.) Today, one smart card (and its unlimited number of digital\nsignatures) costs $13 plus $70 for a three-year license for the\nhigh-assurance PKI credential (Pfizer uses a Microsoft digital\ncertificate authority for some in-house signatures, but for\nsignatures subject to outside scrutiny, it partners with Citibank\nto license the SAFE high-assurance PKI credential;\nSAFE\u2014"signatures and access for everyone"\u2014is a\npharmaceutical industry consortium.) Anecdotally, Pfizer's use of\nFedEx to ship documents for signatures has also dropped, Potter\nsays.What's next? The company plans to take the technology to new\nplaces, Potter says, including biometric applications recently\ninstalled at some Pfizer facilities. The smart card stores the\nuser's thumbprint, which is matched by a reader at the door. One\nbenefit of this system is that Pfizer doesn\u2019t need to\nmaintain a big database of the thumbprints, Holbrook notes, which\npresents privacy concerns, especially in Europe, where governmental\nprivacy regulations are more strict than in the United States."There's plenty of room to innovate on this platform," Potter\nsays.