The lessons learned listed next are drawn from SBCA lessons learned as well as individual SAFE member experiences. Many of the individual member lessons learned are taken from white papers produced by the SAFE members [ASAFE, PSAFE]. Some of the most important lessons learned during SAFE are:
Build business case for all players. The SBCA was realized because the competing businesses came together and built industry-wide business cases to support lower costs for information technology, especially by
Turner c09.tex V2 - 03/26/2008 5:45pm Page 177
Chapter 9 ■ Signatures and Authentication for Everyone 177
eliminating costs associated with paperwork and document storage. Going paperless can save everyone money and increase productivity. Involve regulators early in the process. SAFE involved the FDA early
in the process. By gaining FDA support early in the process, it saved time in the long run, as the FDA saw the benefit to both the industry and themselves. The FDA continues in an advisory role as new efforts are being developed to ensure that course corrections, when necessary, are received as early as possible in the design process.
Desktop setup can be a challenge. Drivers for tokens and smart cards are a major challenge. These Drivers are not under the control of SAFE, but the members need to make sure that these are loaded on user’s machines. Additional issues relating to the desktop included the following:
Often there were conflicts with existing drivers and software.
Users did not have administrative control of the desktop and could not install drivers themselves.
Due to HIPPA considerations, some users did not have access to USB ports.
Desktop challenges are the primary reason that SAFE ultimately accepted the use of software-based credentials and credentials hosted on network-attached devices in the SAFE policy framework.
Streamline initial identification and authentication process. The iden- tification and authentication can require several steps and may involve a paper notary service. Often users wouldn’t complete all of the steps. A streamlined process will increase the likelihood that users will complete the process in a timely manner.
Start small. The Pfizer team learned that small pilots are adequate to test business and information technology concepts. The scale makes it easier to isolate and fix any problems that arise; however, one should never ignore the issue of scale, particularly when it comes to provision- ing and ease of use. For example, Pfizer choose to centralize signing with an application environment based on a product called MySignatureBook from TriCipher. This solution removed much of the complexity from of the desktop, putting it into a centralized, more manageable environment that was easily accessible by all Pfizer’s users.
Stay focused. Instead of trying to solve the entire company’s identity management problem, stay within the scope of the pilot. AstraZeneca found that the FDA ESG application could easily have been late and over budget if they had tried to expand beyond SAFE signatures. By expand- ing the scope of an application, more systems and business areas are affected, resulting in the need for credentials for many more users.
178 Part V ■ Case Studies
By staying focused on their FDA ESG application, they avoided these pit- falls and delivered on time and on budget.
Test firewall access. The SAFE architecture requires the exchange of in- formation between the user and SAFE CA both for certification request/ response and for certificate status checks. Both Pfizer and AstraZeneca found this required access through their firewalls, but the solution to the problem was different for each company. Adequate time for test- ing and problem resolution must be built into the project timeline. Application configurations might need to be updated. Interfacing with
the tokens requires token drivers, middleware, and the application itself. AstraZeneca found that its standard desktop configuration had an ear- lier version of Adobe Acrobat than the one required by SAFE, which is Acrobat 6 or above. Installing new applications on user machines does cause some disruption, but the benefits outweighed the risks, and they decided to install Acrobat 7 Professional for their FDA ESG users.
Rely on existing infrastructure. Wherever possible rely on existing infras- tructure. Users are generally comfortable with existing infrastructure, which eliminates human anxiety and the need for training in some- thing new.
Build strong partnership with the internal legal organization. Affixing a wet signature to a document has legal ramifications and this is also true for digital signatures. Information technology people need to work hand in hand with legal professionals to resolve issues in this area. Infor- mation technologists usually delve into too much technical detail, and let’s face it, they’re not lawyers. The best approach is to engage with the attorneys from the beginning. Make sure that the attorneys understand the issue, and then work with the attorneys to answer the business ques- tions regarding non-repudiation and other legal issues. Attorneys are a great help when it comes to formalizing internal policies, explaining records management, and determining risk management approaches. Involve all potential business colleagues from the beginning. Mov-
ing from wet signatures to digital signatures requires business process change. For a smooth and successful transition to the new digital busi- ness process, everyone involved in the wet signatures process should be involved in design of the new business process, preferably from the start. Primarily, this allows everyone to understand the new process, but it also allows everyone to provide input so that process actually works. What Pfizer found was that changing the business process actually had more impact than the technology, and introducing digital signatures required many hours of education and process review with the people concerned with business and quality assurance.
Turner c09.tex V2 - 03/26/2008 5:45pm Page 179
Chapter 9 ■ Signatures and Authentication for Everyone 179
Determine dispute resolution policy. Cross-organization systems involve more than one IT group. It is helpful if there’s one IT sponsor to resolve priorities and solve resourcing issues. If you’re going across mul- tiple companies, it’s helpful to have a dispute resolution process that is acceptable to all of the stakeholders.
Make use and installation painless. User uptake is based almost entirely on ease of use. Application installation is the first step that is visible to the users. If the application is complicated to install, users won’t accept it and use it. Not everyone has enough computer savvy (it’s actually often patience) to wade through a complicated installation. Further, providing the training to make everyone computer savvy would be too expensive. The key to successful application deployment and
Turner c10.tex V3 - 03/26/2008 5:48pm Page 181