The IdentityCollector portion of the system then feeds that data (in many cases, this would be the photo, fingerprint and essential identity information) back into the IdentityDirector server, where it's saved and processed. Data can be automatically fed to the OPM (federal Office of Personnel Management) and the FBI for employee background checks. Again, says Larsen, the advantage is that the system automates the workflow, and takes out the human errors from the equation.
The IdentityDirector system can then notify the registrant that the identity information has been checked and the background review completed, and then it feeds the registrant's data for an automatic review by the registrar. From there, the Lenel system offers the IdentityProducer system which can auto-integrate card management and card printing for pre-personalization of a card and for badge printing. Essentially, this part of the process securely "preps" the card for final issuance.
Added to that is the IdentityActivator module, which before the badge is activated, uses a process to re-verify the original biometric data against the intended card recipient, and once that can be verified, writes the private keys to the card, biometric data, and alerts access control systems that the badge has been activated, says Larsen. There's also an ancillary product called IdentityEnforcer which oversees network access control in a single-sign-on fashion.
The design of the system, says Larsen, answers not only the requirements of FIPS 201 -- and he notes that it's the only system available to manage complete identity verification and card issuance requirements of FIPS 201 -- but the add-on, module-style design also solves the perennial problem of government budgets.
"The big concern is that you have a security mandate, but the funding for it is very limited, and they have to get very creative on how they can find that funding," says Larsen. "Maybe they've already invested in other systems, like access control management systems and the Department of Defense Common Access Card or with an ActiveIdentity system."
By going modular in design, explains Larsen, the government agency can pick and choose what parts of the IdentityDefender system it needs (data collection, data verification, secure card pre-personalization, validation, etc.). It is designed with APIs that allow it to integrate directly to existing physical and logical access control databases, rather than requiring government agencies gut their existing systems.
"What we wanted to do was to create government clients a system for managing the process of issuing a credential," says Larsen. "They want a solution that puts a workflow in place, so the credential is secure and in the right hands."
The Lenel system, while a robust solution on its own, also strikes as a harbinger of changes to come as this October's HSPD-12 deadlines looms, requiring federal agencies to begin issuing FIPS 201 compliant cards by the 27th of that month. It's a sign that FIPS 201 compliancy is ready to move, especially as compliance deadlines loom, and as vendors begin to understand not only the processes and challenges that federal security managers are facing in meeting the FIPS 201/HSPD-12 requirements, but also the budgetary limitations.
See Lenel's full announcement on the IdentityDefender system