

Imagine being responsible for controlling physical and logical access to literally thousands of Federal government facilities and information systems around the world. That means providing 11 million people, in an overwhelming number of different roles, with access to the facilities and systems they need to do their jobs while also delivering secure, reliable identity credentials that work across agencies, reduce identity fraud and guard against criminal and terrorist use. Wide variations in the quality and security of the forms of identification currently used to gain access to these facilities and systems leave our government and other organizations vulnerable to terrorist attacks and other malicious activity.

To address this challenge for the United States Federal government, in 2004 President Bush issued the Presidential Directive known as "The Homeland Security Presidential Directive–12" or HSPD12. The directive instructs Federal officials including the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget and the Director of the Office of Science and Technology Policy to work together in creating a common standard for credentialing employees and contractors working at Federal facilities. (The complete text of the directive can be read online.) The directive defines the standards for a common Federal identification credential. The overarching goal of the program is to achieve appropriate security assurance by verifying the identity of individuals seeking access to federally controlled government facilities and government information systems.

What's in this Article?

  • HSPD12: Creating a Common Standard for Credentialing Employees and Contractors
  • Technology Standards for HSPD12
  • Personal Identity Verification (PIV) System
  • Solution Architecture
  • Capabilities

> Technology Standards for HSPD12
The National Institute of Standards and Technology (NIST) has defined the technology standards that support implementation of HSPD12. The result is Federal Information Processing Standard 201 (FIPS201), which has two main parts:

  • specifications for technical interoperability between Personal Identity Verification (PIV) systems; these specifications detail the card's elements, interfaces and security controls required to securely store, process and retrieve identity credentials
  • personal identity proofing, registration and issuance of credentials (the PIV card).

The foundation of the FIPS201 standard is the PIV card. As defined by FIPS201, the PIV card is a multipurpose smart card used for both identification and access control, and it can control access to both physical and logical resources. A PIV card must be issued on the basis of sound criteria for verifying the individual's identity, must be strongly resistant to identity fraud, tampering and counterfeiting, must support rapid electronic authentication, and may be issued only by providers whose reliability has been established by an official accreditation process.

NIST has published a system reference model called the PIV System Notional Model (see figure 1). Figure 1 shows the three major components, PIV Card Issuance and Management, PIV Front-End and Access Control, and the direction of data flow between them.

  • The PIV Card Issuance and Management component is responsible for identity proofing and registration, card and key issuance and management and the repositories and services that comprise the verification infrastructure.
  • The PIV Front-End component is the actual PIV card, the card and biometric readers, and PIN input device. The person or holder of the PIV card uses these components to gain logical and/or physical access to resources.
  • The Access Control components are the physical and logical access control systems, the assets and resources being protected and the authorization data.


These components work together to automate the identity assurance process. Novell delivers them as the Novell Identity Assurance Solution, an open, standards-based identity and access management system that validates identities, authenticates users and monitors security events across the whole PIV lifecycle.

> Architecture Overview
The Novell Identity Assurance Solution has four main components (see figure 2):

  • Enrollment
  • Card Issuance and Maintenance
  • Access Control
  • PIV Event Monitoring System

Enrollment and Registration
A series of customizable workflows and e-mail notifications automates the process of requesting and issuing PIV cards for government employees and contractors. The system guides the applicant, sponsor, registrar, enrollment officer and card issuance officer through the steps required to validate the applicant's identity and complete the identity proofing and verification process. The Enrollment subsystem not only manages the workflows and sends e-mail notifications to complete the verification and vetting process, but it also integrates with third-party systems such as Daon, Viisage, Lenel, EDS and existing HR or contractor management systems.

Card Issuance and Maintenance
The applicant's identity information moves to the Card Management System (CMS) and the CMS automatically sends the information and digital certificate to a card production and badging station for card creation. Once the cards are created, the applicant is notified and can make arrangements to obtain their PIV card from the issuing officer and securely receive their PINs. The PIV card unique identifier is automatically captured in a central repository that holds the identity profile for all employees or contractors. The card issuance and maintenance systems support typical lifecycle maintenance processes including:

  • Card issuance
  • Card replacement and temporary card issuance
  • Card termination

When an employee or contractor is terminated or fails the vetting process, all access rights are revoked immediately and the card management system is instructed to terminate the card. On receiving that instruction, the CMS disassociates the user from the card and revokes the card's digital certificates with the issuing certificate authority, so that relying systems that check revocation status (for example against the CA's CRL or OCSP responder) reject the card. Revocation invalidates the card only at systems that actually check it, so the termination must also propagate to the physical and logical access control systems rather than rely on the certificate alone.

Logical and Physical Access Control
The Logical and Physical Access Control subsystem enforces access control policies at run time when the employee or contractor tries to access logical IT systems or physical facilities. Access control policies are established and enforced based on the identity and authentication credentials stored on the PIV card.
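The card lifecycle described under Card Issuance and Maintenance and the run-time check described here, as an added Python example (it is not Novell's code and not the CMS API of any vendor named in this article): it models enrollment, issuance, a temporary card that expires on its own, a replacement that revokes the old card in the same step, and a holder termination that clears roles and revokes every remaining card, and then shows the decision an access control point makes when a card is presented. The class and function names, FASC-N values, roles and dates are assumptions constructed for the example; a real relying party validates the certificate chain and checks revocation through the issuing CA's CRL or OCSP responder rather than a local set.

```python
# Added example (not Novell code): a stdlib-only model of the PIV card lifecycle
# (issuance, temporary card, replacement, termination) and of the check an access
# control point makes when a card is presented. All identifiers are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class CardState(Enum):
    ACTIVE = "active"
    TEMPORARY = "temporary"    # short-lived card issued while the primary card is missing
    TERMINATED = "terminated"  # certificate revoked; a terminated card is never reactivated


@dataclass
class Card:
    fasc_n: str         # card identifier captured in the central identity repository
    holder: str
    cert_serial: int    # serial of the PIV authentication certificate on the card
    state: CardState
    expires: datetime


@dataclass
class CardManagementSystem:
    now: datetime
    cards: dict = field(default_factory=dict)   # fasc_n -> Card
    roles: dict = field(default_factory=dict)   # holder -> set of granted roles
    revoked: set = field(default_factory=set)   # CRL-like set of revoked certificate serials
    events: list = field(default_factory=list)  # audit trail for the event monitoring subsystem
    next_serial: int = 1000

    def log(self, event, **detail):
        self.events.append({"ts": self.now.isoformat(), "event": event, **detail})

    def enroll(self, holder, roles):
        self.roles[holder] = set(roles)
        self.log("identity_enrolled", holder=holder)

    def issue(self, holder, fasc_n, state=CardState.ACTIVE, lifetime=timedelta(days=5 * 365)):
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        self.cards[fasc_n] = Card(fasc_n, holder, serial, state, self.now + lifetime)
        self.log("card_issued", fasc_n=fasc_n, holder=holder, state=state.value, serial=serial)
        return self.cards[fasc_n]

    def terminate_card(self, fasc_n, reason):
        card = self.cards[fasc_n]
        card.state = CardState.TERMINATED
        self.revoked.add(card.cert_serial)  # publishing the serial is what invalidates the card
        self.log("card_terminated", fasc_n=fasc_n, serial=card.cert_serial, reason=reason)

    def replace(self, old_fasc_n, new_fasc_n):
        """Revoke the old card and issue the new one in one step, so two live cards never coexist."""
        old = self.cards[old_fasc_n]
        self.terminate_card(old_fasc_n, "replaced")
        return self.issue(old.holder, new_fasc_n)

    def terminate_holder(self, holder, reason):
        """Separation or failed vetting: drop every access right, then revoke every live card."""
        self.roles[holder] = set()
        for card in list(self.cards.values()):
            if card.holder == holder and card.state is not CardState.TERMINATED:
                self.terminate_card(card.fasc_n, reason)
        self.log("access_revoked", holder=holder, reason=reason)


def authorize(cms, fasc_n, cert_serial, required_role, at=None):
    """Decision an access control point makes for a presented card: (granted, reason)."""
    at = at or cms.now
    card = cms.cards.get(fasc_n)
    if card is None:
        reason = "unknown card"
    elif card.cert_serial != cert_serial:
        reason = "certificate does not match the card binding"
    elif card.cert_serial in cms.revoked or card.state is CardState.TERMINATED:
        reason = "certificate revoked"
    elif at >= card.expires:
        reason = "card expired"
    elif required_role not in cms.roles.get(card.holder, set()):
        reason = "role not granted"
    else:
        cms.log("access_granted", fasc_n=fasc_n, role=required_role)
        return True, "ok"
    cms.log("access_denied", fasc_n=fasc_n, reason=reason)
    return False, reason


def demo():
    t0 = datetime(2007, 3, 1, 8, 0, tzinfo=timezone.utc)
    cms = CardManagementSystem(now=t0)
    cms.enroll("jdoe", {"building-a", "hr-system"})
    primary = cms.issue("jdoe", "7000000001")
    ok, _ = authorize(cms, "7000000001", primary.cert_serial, "hr-system")
    temp = cms.issue("jdoe", "7000000002", CardState.TEMPORARY, timedelta(days=7))  # lost card
    temp_ok, _ = authorize(cms, "7000000002", temp.cert_serial, "building-a")
    temp_late, _ = authorize(cms, "7000000002", temp.cert_serial, "building-a", at=t0 + timedelta(days=8))
    new = cms.replace("7000000001", "7000000003")
    old_after, _ = authorize(cms, "7000000001", primary.cert_serial, "hr-system")
    cms.terminate_holder("jdoe", "employment ended")
    after_term, why = authorize(cms, "7000000003", new.cert_serial, "hr-system")
    return {"primary": ok, "temporary": temp_ok, "temporary_expired": temp_late,
            "old_after_replace": old_after, "after_termination": after_term,
            "after_termination_reason": why, "revoked_serials": sorted(cms.revoked),
            "audit_events": len(cms.events)}
```

demo() walks one holder through the lifecycle. Two design points carry over to a real deployment: revocation and role removal are independent controls, so a control point whose revocation data is stale still denies a terminated holder on the role check, and every denial is logged with its reason so the monitoring subsystem can see a revoked card being retried.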


Event Monitoring and Management
The Event Monitoring and Management subsystem is an optional component of the Novell Identity Assurance Solution. The event monitoring system provides a flexible and scalable solution to capture events triggered during PIV card lifecycle activities. This system provides reports that allow users to see the state of the PIV processes in real time; it can also be extended to support enterprise-level security event monitoring and management needs in addition to audit and compliance reporting requirements. You can also create custom reports to monitor a variety of conditions.

> Capabilities
Automating processes from a lifecycle perspective allows users to be much more efficient as they work toward HSPD12 or other regulatory compliance standards.

Figure 3 illustrates a summary of PIV card lifecycle activities. Audit data is captured to track every step in the process so managers can monitor and report system status. Beyond the PIV lifecycle itself, the solution provides:

  • identity and password synchronization across dissimilar systems, simplifying a user's authentication to multiple applications, databases and directories
  • multiple advanced authentication methods that maximize convenience and minimize the administrative overhead of password maintenance
  • graduated levels of access criteria, so the appropriate level of security can be selected for each protected government resource
  • smart-card-based authentication to the workstation for disconnected users in the field, even when the workstation is off the network
  • temporary smart cards for users who have lost or forgotten their cards
  • automated password renewal at regular intervals
  • workstation lockdown, which prevents unauthorized access after an authorized individual removes the smart card

> Extensibility
The Novell Identity Assurance Solution is designed with extensibility in mind. This solution easily integrates with employee and contractor systems of record (in other words, authoritative data sources). It can also automatically provision users with access to the appropriate physical and logical IT systems based on their roles. This solution can be further extended to support typical employee and contractor lifecycle activities such as:

  • employee or contractor termination
  • employee role changes (for example, transfers between departments)
  • changes to employee information, such as name and address

> Solution Overview
The solution integrates software from multiple vendors into one comprehensive system. The Identity Assurance Solution can work with many vendors' products for the user enrollment/biometric capture, smart card management and physical access control components. For the purposes of this discussion, Novell selected specific vendors to demonstrate a complete system: Novell, ActivIdentity, Imageware and Honeywell. The following sections describe each component of the system, including screen captures of what you might see when administering the solution, depending on your organizational role. Common roles include system architect, system administrator, security manager, security guard, sponsor, enrollment manager, card issuer and adjudicator.


Novell Identity Manager
Novell Identity Manager acts as the hub, providing connectors to all the major systems that enable bidirectional communication and enabling workflow approval-based provisioning/deprovisioning. Each step in the process is ordered and controlled by a predefined policy, which can be easily changed to accommodate unique organizational needs and policies even as those needs change and evolve. The solution includes four specific Novell product components:

  • Novell Identity Manager 3.0.1
  • Novell Enhanced Smart Card Method 3.0
  • Identity Assurance Module
  • Novell Identity Manager User Provisioning Module

Figure 4 shows a summary of the system connectors from an administrator's perspective. This perspective allows you to manage connectors.

Figure 5 is a view from an architect's perspective showing the attribute data flow in detail. Workflow items defined according to the FIPS201 standard enable the automation of approval-based provisioning and deprovisioning.


ActivIdentity—Card Management System
ActivIdentity provides a secure, proven and extensible solution for issuing and managing PIV-compliant smart cards, including the ability to securely update the applications and credentials on a card after it has been issued to the end user. Figure 6 shows the beginning of the card issuance process.

Pro-Watch Security Management Software Suite from Honeywell

The Pro-Watch Security Management Software Suite from Honeywell offers a complete security management solution including access control, alarm monitoring and CCTV system interface.

The Enterprise Edition of Pro-Watch allows management of a multilocation, enterprise-wide security system from a single point while maintaining local operational autonomy. (see figure 7 and figure 8.)


Imageware Enrollment and Biometric Capture
Imageware provides the capability for capturing enrollment data such as the photograph, fingerprints, supporting documents and signature (see figure 9).

Novell® Sentinel™
Sentinel provides a centralized, automated control center for capturing, correlating and reporting on events emerging from any component of the Identity Assurance system, instead of relying on individual system administrators to capture the data and correlate it manually. The system automatically creates an audit trail of activities happening on the system and any necessary remediation activities. The reporting engine in Sentinel can be configured to produce reports on system health, authentication and access events, and even specialized compliance reporting for HSPD12 or other regulatory audits.
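The capture and correlation described here for Sentinel, and the lifecycle event capture described under Event Monitoring and Management, as an added Python example (not Sentinel code and not its rule or report format): two rules run over constructed event lines from the CMS, the physical access control system (PACS) and the logical access control system (LACS). The first flags a card that was granted access after the CMS terminated it, which is the check that verifies the revocation described under Card Issuance and Maintenance actually reached every control point; the second flags a burst of PIN failures on one card. The line format, source names, card numbers and thresholds are assumptions made for the example.

```python
# Added example (not Novell Sentinel code): two correlation rules of the kind an
# event monitoring subsystem runs over events from the card management system
# (CMS), the physical access control system (PACS) and the logical access
# control system (LACS). The log lines below are constructed sample data in an
# assumed "timestamp key=value ..." format.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2007-03-01T08:00:05Z source=CMS event=card_issued card=7000000001 holder=jdoe
2007-03-01T08:30:10Z source=PACS event=access_granted card=7000000001 door=A-lobby
2007-03-01T09:00:00Z source=CMS event=card_terminated card=7000000001 reason=employment_ended
2007-03-01T09:04:30Z source=PACS event=access_granted card=7000000001 door=A-lobby
2007-03-01T09:10:00Z source=LACS event=auth_failed card=7000000002 host=hr-db reason=bad_pin
2007-03-01T09:10:20Z source=LACS event=auth_failed card=7000000002 host=hr-db reason=bad_pin
2007-03-01T09:10:41Z source=LACS event=auth_failed card=7000000002 host=hr-db reason=bad_pin
2007-03-01T09:45:00Z source=LACS event=auth_failed card=7000000003 host=hr-db reason=bad_pin
2007-03-01T11:45:00Z source=LACS event=auth_failed card=7000000003 host=hr-db reason=bad_pin
"""


def parse(line):
    """One event line -> dict; the timestamp is parsed, everything else is key=value."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(log, pin_failures=3, window=timedelta(minutes=5)):
    """Return a list of (rule, card, where, detail) alerts, in event order."""
    alerts = []
    terminated = {}                # card -> time the CMS terminated it
    failures = defaultdict(deque)  # card -> timestamps of recent auth failures
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        card = ev.get("card")
        where = ev.get("door") or ev.get("host")
        if ev["event"] == "card_terminated":
            terminated[card] = ev["ts"]
        elif ev["event"] == "access_granted" and card in terminated:
            # Rule 1: a terminated card still opened a door or a login, so the
            # revocation did not reach (or was not checked by) that control point.
            lag = int((ev["ts"] - terminated[card]).total_seconds())
            alerts.append(("access_after_termination", card, where, lag))
        elif ev["event"] == "auth_failed":
            # Rule 2: sliding window of failures per card; PIN guessing, or a
            # found card being tried against a system it was never granted.
            recent = failures[card]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= pin_failures:
                alerts.append(("pin_guessing", card, where, len(recent)))
                recent.clear()  # one alert per burst, not one per extra failure
    return alerts
```

On the sample data, correlate(SAMPLE_LOG) raises one alert for card 7000000001 being admitted at A-lobby 270 seconds after its termination, and one for three bad-PIN attempts on card 7000000002 within 41 seconds; the two failures on card 7000000003 are two hours apart and stay below the threshold.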


> Conclusion
With this solution, you can easily manage identity and access controls for any number of users, from 11 to 11 million. Using a multivendor system designed to work together, the Identity Assurance Solution provides the workflow approval-based provisioning to:

  • automate and standardize logical and physical access provisioning
  • guarantee the identities of those obtaining access
  • ensure that the right people have the right access to the right resources, and
  • deliver the reports needed to prove compliance with HSPD12 and other regulations and standards

Although the Identity Assurance Solution was originally created for use by government agencies and contractors affected by HSPD12, it's clear this solution could be applied to many other types of organizations, particularly those with widely distributed, multilocation workforces and those who may be affected by other IT-compliance regulations and standards such as Sarbanes-Oxley, HIPAA or ISO17799.

For more details about the Identity Assurance Solution, visit the web site or download the evaluation version.

What is an Assured Identity?
  • It is an identity that is bound to a strong authentication device.
  • It follows a rigorous, consistent process that tracks approvers and places data into the audit system for non-repudiation.
  • It does not compromise an individual's personal information.
  • It easily manages the lifecycles of both employee access-control privileges and the card lifecycle.

© 2015 Micro Focus