Case Study: Secure IM and Workspaces for Project Teams

Nektar Therapeutics security unites teams inside—and outside—the company

When it comes to developing new drugs, pharmaceutical companies are famously security-conscious. Given all the money spent on research and development, that’s no surprise. One good discovery and the subsequent patent can sustain a company for years.

Nektar Therapeutics is a drug delivery company developing a new inhaled-insulin drug with Pfizer. To enable (and promote) collaboration with non-Lotus-shop partners, Nektar opted for instant messaging and virtual workspaces—but it needed those tools to be secure. Nektar ultimately selected software from Lotus able to securely unite project teams both inside and outside the company.

Nektar has been a Lotus shop for over six years. Originally a Notes shop, less than two years ago the company moved to Domino, driven by the acquisition of two non-Lotus-using companies, plus the desire for “a more Web-based solution,” says Nektar application development project manager Heidi Rebottaro. “To make the easiest and most cost-effective transition, we thought a move to the Web was easiest,” she says.

About four months ago, the company rolled out Lotus’s IM product, now officially dubbed IBM Lotus Instant Messaging & Web Conferencing. Since then, Rebottaro says about 10 percent of all employees are using it, “and that’s with no marketing—we like to have that ‘build it and they will come’ method of applications,” at least for most applications, she says. Initial, popular IM uses are for help-desk support and for coordinating between the three offices (in San Carlos, Calif.; Huntsville, Ala., and Bradford, England), especially during cross-site conference calls with single speakers.

Nektar ultimately selected Lotus IM because of its bundled pricing with another Lotus application it uses, but security was a major prerequisite. “With the nature of the business, with biotech, the security [aspect] was very important,” says Rebottaro. Regarding Lotus’s security in particular, “We figured if the Navy could use it during the Gulf War to communicate across ships, it would be good for us too; we’ve always felt secure about Lotus.”

The company also uses IBM’s WebSphere portal product (live now for a year) and single sign-on. “The portal has given us the ability to roll out applications—clients don’t have to have that [capability] anymore,” she says. Developing a client used to take three months. Using a portal cuts that to three weeks.

Dubbed Galileo, the portal “is basically the interface to all of our backend applications, we’re interfacing with Oracle, Domino applications, ISO Training [a training application]. Because of FDA regulations, we are a [good manufacturing practice]. Everyone has to be at least 98 percent compliant with training, and the average employee has to take 20 to 40 courses throughout the year,” she says.

One particularly innovative use of the software is literally to draw a map of the office in San Carlos, where over half of the organization’s approximately 700 employees work. Click on a person’s name, and a map displays onscreen showing his or her cubicle’s location. “We are a cubicle environment, meaning no one has an office here, including the CEO, and every nine months we shuffle,” she says. As a result, physically locating someone isn’t always easy. “So, we’ve built a custom directory off of the Lotus Notes application. It’s extremely dynamic, it’s Web-based.”

Nektar uses single sign-on for Galileo and three backend applications. For example, “we have a dedicated interface to our [training] system, and the portal knows who you are, so when you log in, you have that awareness,” she says. The portal acknowledges the employee’s identity, lists courses taken, and also online courses in which they can enroll. That approach “has increased our training compliance by a good 20 to 30 percent in just three months.”

The master list of employee information resides in its JD Edwards software, but Nektar plans to tie the information into Microsoft’s Active Directory soon to manage groups and users’ accounts.

Securing Research

Pharmaceutical companies live and die by their research. Nektar is no exception, except its research often involves collaborations with four other companies, including Pfizer, so Nektar also rolled out Lotus Team Workplace (also known as QuickPlace) a year ago to securely facilitate such work. “We’re using QuickPlace for project teams, we have an external QuickPlace server, and they’re leveraging that technology to share information,” she says. “In the past, [teams] were using e-mail, and it was becoming very cumbersome to send document information for routing and scheduling.”

By contrast, Team Workplace offered an easy, Web-based way to bridge Nektar’s Lotus shop with its partners—not necessarily Lotus shops, so unable to otherwise interconnect with Nektar’s computers. The approach has meant “faster, more secure” sharing of information, says Rebottaro. “We built a Notes application that Pfizer had access to … and they were able to pull off information and reports directly from the application that our project teams were entering their data into,” she says. The approach replaced a process based on multiple Microsoft Excel spreadsheets that often snagged on application-version incompatibilities.

Nektar will continue to roll out IM and sort out other security-related questions, such as whether to retain copies of every IM sent or received. “We haven’t looked into that yet … [but] it’s treated just like e-mail,” notes Rebottaro. “We are starting to go through a document policy retention program … headed up by the chief operating officer.” In the next few months, she expects to implement the new retention policy company-wide.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.