Collaboration is necessary across all levels of a life sciences organization, from bench scientists to supply-chain vendors to joint-venture partners to industry consortiums. But, of course, if firms can't guarantee the secure passage of information as it is shared among collaborators, opening up systems to allow data sharing can do more harm than good.

The need among life sciences firms, specifically pharmas, for secure collaboration is particularly acute because of their revenue model, according to Clayton Donley, founder and CTO of OctetString. A provider of virtual directory and LDAP proxy software, OctetString helps Fortune 1000 companies such as Pfizer and Bayer manage fractured identities across the enterprise.

Liberty Alliance Drives Identity Standards Founded in the fall of 2001, the Liberty Alliance Project is a consortium of more than 150 companies, nonprofit organizations, and government agencies. The alliance is the only worldwide organization dedicated to developing an open standard for federated network identity that supports current and emerging network devices. Much of the group's success stems from its holistic approach to defining standards, according to Liberty Alliance President George O. Goodman. "We pay attention not just to the technology, but to the relevant business and deployment guidelines," he says. "We create guidelines that provide a starting point for the important business and legal relationships." Liberty Alliance specifications define the technical and business protocols and policies that: Enable consumers to protect the privacy and security of their identity information Allow businesses to maintain and manage customer relationships without third-party participation Provide an open, cross-domain single sign-on framework Allow for advanced policy framework for developing role-based policies to facilitate regulatory and privacy compliance "Liberty is at its best when the organizations participating have a vested interest in solving the problems at hand," Goodman says. "It's when these constituents are fully participating in the process that we learn the most and move toward our goals for strong authentication, convergence, and growing and adapting our infrastructure and Web services for specific verticals."

"Pharma is a very high-margin business on the manufacturing side, and developing drugs is by far the biggest expense," Donley says. "The bulk of any pharma's budget is spent on research and development. Better collaboration results in faster, more productive R&D, which translates to faster regulatory submissions and shortens time to market. It's all about improving processes to save time and boost productivity."

Rewards and Risks

To manage the competing demands of collaboration and security, firms look to identity management. By precisely managing who has access to data at any given time from any given location, firms can not only facilitate collaboration and increase productivity, but also keep their data and intellectual property secure—all while reducing IT costs.

From automating password resets to handling complex federated identity across vast global enterprises, the deployment of identity management varies by organization. In the past, the degree to which organizations adopted identity management depended upon their perception of its value.

Today the demands of regulatory compliance and the need to reduce risk have thrust identity management into the spotlight.

"Identity management began to take hold in the early to mid-'90s as the technology advanced, but many companies took a wait-and-see approach before investing heavily," says Donley. "Because of current market conditions and the need to comply with regulations such as Sarbanes-Oxley, CTOs and CIOs are focused on identity management in a way they weren't even two years ago. They view identity management as a means to mitigate risk by establishing a chain of custody for information."

Sun Microsystems and PricewaterhouseCoopers announced in February that they will offer a joint solution to help companies leverage identity management as part of their Sarbanes-Oxley compliance efforts. PricewaterhouseCoopers has developed a methodology for identity management implementations based on its experience with more than 125 identity and access management deployments. With the joint solution from Sun and PricewaterhouseCoopers, companies can get help setting up workflow processes that facilitate segregation of duties.

Moving Toward Compliance

Though it has been the catalyst for an estimated 30 to 40 percent annual growth in the total market for identity management solutions, regulatory compliance isn't the sole driver behind implementing the technology, according to John Barco, director of marketing for identity management software at Sun.

"The value of identity management is to define how identity is used throughout an organization and how it affects business processes," says Barco. "From a business perspective, organizations are constantly striving to improve security. At the same time, they're providing services to larger and larger numbers of constituents both internally and externally. Those two goals are in conflict."

As firms pursue these objectives, they look closely at how identity management can add value. Barco points to the following benefits of the Sun Java System Identity Management Suite:

• Across-the-board cost reductions and increased quality of service as a result of increased efficiency, reduction in complexity, and streamlined processes
• Tighter security resulting from closing access loopholes
• Reduced risk and increased compliance stemming from the creation of a chain of custody for data
• Competitive advantage derived from a single security framework that allows for the rapid deployment of internal and external applications across the enterprise
• Creation of new business models through affiliate organization "circles of trust" made possible by federated identity management

As a founding member of the Liberty Alliance Project (see sidebar), Sun is committed to promoting the development and deployment of standards for federated identity management, which allows users to log on once to gain access to multiple systems across multiple enterprises. Single sign-on is important to individual scientists, who must access multiple databases and applications in a day's work.

In addition, Sun's identity management solutions are role-based, which allows access privileges to be set automatically based on a user's role in the organization. Role-based administration is extremely useful in a very large company—for example, a pharmaceutical firm with tens or even hundreds of thousands of employees—because rather than manually assign access privileges to each individual, IT staff can automatically assign access levels to everyone with a certain title or job description.

Rapid Deployment Boosts Value

Martin Fredrickson, Sun's vice president of global identity management, notes that organizations must consider how a solution allows them to manage employees, information, and assets, all while staying on top of product life cycles and keeping total cost of ownership as low as possible. The success of the Sun Java System Identity Management Suite in meeting these needs has led to strong customer relationships with many Fortune 500 companies, including three of the top five global pharmas.

"Because Sun identity management solutions employ an agentless architecture that facilitates rapid deployment, we offer our customers a faster time to value and lower cost of deployment," says Fredrickson. "Right now, organizations are spending heavily to comply with Sarbanes-Oxley. With the reduction in total cost of ownership that Sun identity management solutions offer, in effect, those savings can help fund compliance efforts."

For example, Fredrickson says a typical corporate employee password resets four to six times a year, at a cost of $15 to $20 per reset. "Automating with identity management can reduce those costs significantly through secure self-service portals—potentially eliminating most of this cost from the help desk and allowing help desk staff to focus on more critical service-level agreements," he says. "That's just one scenario of demonstrable return on an investment in identity management."