Solving the Challenge of FIPS 201 Card Issuance

April 25, 2006
Lenel offers a sneak preview of its IdentityDefender solution for FIPS 201 credential management and issuance

The GovSec show, which is coupled with a conference for law enforcement and one for emergency preparedness professionals, is a place where you can see a variety of heavy technologies, from tactical security systems designed for military installations to hazmat equipment and even essential access control devices.

But in 2006, we're sure that for government facility security managers, at least a good bit of the time will be spent listening to presentations on the HSPD-12/FIPS 201 issues that are leading government facilities into converged access control with a "one card" solution.

And even though the show hasn't started, we can already imagine the frank discussions among those in charge of government facilities as they come to grips with the HSPD-12 directive of converged access.

"What technology are you looking at?" "Are we going to have to change all of our card systems?" "Have you even started to coordinate this with your network people?" "Where on Earth are we expected to get the budget money to make these changes?" These are all questions that will likely pop up between security managers on the show floor and in the lecture halls.

At its most simple, the FIPS 201/HSPD-12 directive and the movement behind it are designed to ensure the security not only of our government facilities, but also of the data that resides on our government's logical networks. It's a directive that not only requires a common credential for facilities and networks, but is designed to ensure that only the people who belong inside those facilities can get in, and that only the persons given privileges to be on a network can be there.

Lenel, long known for its software that manages access control and video surveillance needs, is planning to make a splash tomorrow at GovSec with a new solution that ties together the essentials for providing a secure government ID card.

The company gave SecurityInfoWatch.com a sneak-peek at its new IdentityDefender brand, which is an end-to-end identity credentialing solution designed to meet FIPS 201 requirements for government facilities.

According to Erik Larsen, product manager of identity solutions at Lenel, the new system is a step away from the company's traditional access control and video management solutions. Instead, it addresses how government facilities will meet the federal requirements: that the correct information is on the card, that the correct person receives a federal workplace ID, and that the card meets the government standards.

"IdentityDefender is more than a physical access control system," explains Larsen. "It's a platform that allows an organization to issue credentials, a.k.a. badges, in a secure manner."

Larsen explained how the IdentityDefender system works. Here's what it is and what it does:

The core of IdentityDefender is the IdentityDirector module. It's a server application that manages how applicant data is collected, who is collecting it, how it is processed, signed and verified, and how a credential/card is finally issued and validated. Running on a Windows platform, the IdentityDirector module is the "glue" of the card issuance process, and communicates the standards and data back and forth in a secure and automated manner.

To start a FIPS 201-compliant card issuance, IdentityDirector communicates with another module, IdentityCollector, a web-based module that oversees the acquisition of the information FIPS 201 specifies. In common Lenel fashion, it's designed with an open architecture in mind, so that it can link up with common biometric and data collection hardware for inputting the information. The web-based format makes it especially friendly for remote offices.

"It tells the sponsor employer and the applicant what is required, the required biometrics, the required documents," says Larsen, "and this software automates a secure collection of that data. The key with IdentityCollector is that the operator or sponsor of the employee doesn't have to make the decisions."

The IdentityCollector portion of the system then feeds that data (in many cases the photo, fingerprint and essential identity information) back into the IdentityDirector server, where it's saved and processed. Data can be automatically fed to the OPM (federal Office of Personnel Management) and the FBI for employee background checks. Again, says Larsen, the advantage is that the system automates the workflow and takes human error out of the equation.

The IdentityDirector system can then notify the registrant that the identity information has been checked and the background review completed, after which it forwards the registrant's data for an automatic review by the registrar. From there, the Lenel system offers the IdentityProducer system, which can auto-integrate card management and card printing for pre-personalization of a card and for badge printing. Essentially, this part of the process securely "preps" the card for final issuance.

Added to that is the IdentityActivator module which, before the badge is activated, re-verifies the original biometric data against the intended card recipient; once that verification succeeds, it writes the private keys and biometric data to the card and alerts access control systems that the badge has been activated, says Larsen. There's also an ancillary product called IdentityEnforcer, which oversees network access control in a single-sign-on fashion.
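The issuance flow described above (collect, background check, registrar review, pre-personalize, then activate only after the applicant's biometric is re-verified) is essentially a state machine with separation of duties between the sponsor, the adjudicator, the registrar, the issuer and the activator. The following is an added example, not Lenel's IdentityDefender code; the stage names, the role names, the "sponsor may not act on their own applicant" rule, and the use of a hash of the captured sample as a stand-in biometric template are all assumptions made for illustration.

```python
"""Constructed model of a FIPS 201-style issuance workflow.

Enforces: (1) stages happen in order, (2) each stage is performed by the
role assigned to it, (3) the sponsor never adjudicates, approves or issues
for their own applicant, and (4) key material is written only after a live
biometric sample matches the template captured at enrollment.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple
import hashlib
import hmac


class Stage(Enum):
    COLLECTED = "collected"              # IdentityCollector gathered data
    CHECKED = "background_checked"       # OPM/FBI results returned
    APPROVED = "registrar_approved"      # registrar reviewed the record
    PREPERSONALIZED = "prepersonalized"  # card prepped, not yet live
    ACTIVE = "active"                    # keys written, PACS notified


ORDER = list(Stage)

# Assumed role-to-transition mapping modeled on the article's description.
ALLOWED_ROLE = {
    Stage.CHECKED: "adjudicator",
    Stage.APPROVED: "registrar",
    Stage.PREPERSONALIZED: "issuer",
    Stage.ACTIVE: "activator",
}


class WorkflowError(Exception):
    """Raised when a transition violates ordering or separation of duties."""


def fingerprint_template(sample: bytes) -> bytes:
    # Stand-in for a real biometric template (assumption): a digest of the
    # captured sample. Real matchers compare features, not hashes.
    return hashlib.sha256(sample).digest()


@dataclass
class Applicant:
    name: str
    sponsor: str
    template: bytes
    stage: Stage = Stage.COLLECTED
    audit: List[Tuple[str, str]] = field(default_factory=list)
    card_keys: Optional[bytes] = None

    def advance(self, to: Stage, actor: str, role: str) -> Stage:
        """Move to the next stage if ordering and role rules allow it."""
        idx = ORDER.index(self.stage)
        if idx + 1 >= len(ORDER) or ORDER[idx + 1] is not to:
            raise WorkflowError(f"cannot go from {self.stage.value} to {to.value}")
        if to is Stage.ACTIVE:
            raise WorkflowError("activation requires activate() with a live sample")
        if ALLOWED_ROLE[to] != role:
            raise WorkflowError(f"role '{role}' may not perform {to.value}")
        if actor == self.sponsor:
            raise WorkflowError("sponsor may not act on their own applicant")
        self.stage = to
        self.audit.append((to.value, actor))
        return self.stage

    def activate(self, actor: str, live_sample: bytes, key_material: bytes) -> bool:
        """Write keys only when a fresh biometric matches the enrolled template."""
        if self.stage is not Stage.PREPERSONALIZED:
            raise WorkflowError(f"cannot activate from stage {self.stage.value}")
        if actor == self.sponsor:
            raise WorkflowError("sponsor may not activate their own applicant")
        if not hmac.compare_digest(fingerprint_template(live_sample), self.template):
            self.audit.append(("activation_failed", actor))
            return False
        self.card_keys = key_material  # private keys written to the card
        self.stage = Stage.ACTIVE      # access control systems would be alerted here
        self.audit.append((Stage.ACTIVE.value, actor))
        return True


def run_happy_path() -> Applicant:
    """Drive one constructed applicant through every stage."""
    a = Applicant("Jane Doe", sponsor="sponsor-01",
                  template=fingerprint_template(b"constructed-fp-sample"))
    a.advance(Stage.CHECKED, "adjudicator-07", "adjudicator")
    a.advance(Stage.APPROVED, "registrar-03", "registrar")
    a.advance(Stage.PREPERSONALIZED, "issuer-12", "issuer")
    a.activate("activator-05", b"constructed-fp-sample", b"constructed-key-material")
    return a


if __name__ == "__main__":
    done = run_happy_path()
    print(done.stage.value, done.audit)
```

The two properties worth checking in a system like this are that a stage cannot be skipped or performed by the wrong role, and that a biometric mismatch at activation leaves the card without key material and the record still in the pre-personalized stage for a retry.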

The design of the system, says Larsen, answers not only the requirements of FIPS 201 (he notes that it's the only system available to manage the complete identity verification and card issuance requirements of FIPS 201), but its add-on, module-style design also solves the perennial problem of government budgets.

"The big concern is that you have a security mandate, but the funding for it is very limited, and they have to get very creative on how they can find that funding," says Larsen. "Maybe they've already invested in other systems, like access control management systems and the Department of Defense Common Access Card or with an ActiveIdentity system."

By going modular in design, explains Larsen, the government agency can pick and choose which parts of the IdentityDefender system it needs (data collection, data verification, secure card pre-personalization, validation, etc.). It is designed with APIs that allow it to integrate directly with existing physical and logical access control databases, rather than requiring government agencies to gut their existing systems.

"What we wanted to do was to create government clients a system for managing the process of issuing a credential," says Larsen. "They want a solution that puts a workflow in place, so the credential is secure and in the right hands."

The Lenel system, while a robust solution on its own, also strikes us as a harbinger of changes to come as this October's HSPD-12 deadline looms, requiring federal agencies to begin issuing FIPS 201-compliant cards by the 27th of that month. It's a sign that FIPS 201 compliance is ready to move, as the deadlines approach and as vendors begin to understand not only the processes and challenges federal security managers face in meeting the FIPS 201/HSPD-12 requirements, but also the budgetary limitations.

More Information:
See Lenel's full announcement on the IdentityDefender system