Identity Assurance for HSPD-12
Novell's Identity Assurance solution enables federal agencies to comply with the physical and logical access requirements of Homeland Security Presidential Directive 12 (HSPD-12). Novell's solution provides convenient yet controlled access to disparate logical IT systems and physical facilities using combinations of biometrics, passwords, personal identification numbers, smart cards, X.509 digital certificates and other forms of advanced authentication.
Solution Resources
- Secure Identity Management for HSPD-12
- Smart Card Authentication: Department of Defense case study
- Department of Defense Solution Spotlight
- Federal Computer Week - Identity Assurance for HSPD-12
- HSPD-12 Position Paper
- Identity Assurance Solution for HSPD-12
Additional Resources
- GSA Certifies Novell's Identity Assurance Solution for HSPD-12
- Novell Helps Federal Agencies Go Beyond Basic HSPD-12 Requirements with Enhanced Identity Assurance Solution
- Novell Identity Assurance Solution Brochure
Solution Overview
The solution is based on Novell® Identity Assurance which combines best-in-class directory services, authentication, credentialing, provisioning, auditing and identity synchronization capabilities to securely deliver information to users based on their roles and relationships with the organization. This solution will protect highly sensitive information while improving end user productivity; provide convenient, single sign-on access to logical systems; and support compliance with myriad government regulations.
Identity Assurance addresses the highest priorities of HSPD-12. With the Novell solution, federal employees and contractors can authenticate to multiple logical IT systems using their standard-issue Personal Identity Verification (PIV) card along with a combination of identification technologies (passwords, personal identification numbers, biometrics, digital certificates and other forms of advanced authentication) — eliminating the inherent vulnerabilities and administrative overhead of password-only authentication, while creating an authentication process that is easy to use and administer.
The Novell Identity Assurance Solution for HSPD-12 PIV is comprised of four key sub-systems: 1) Enrollment and Registration, 2) Card Issuance and Maintenance, 3) Physical and Logical Access Control and 4) Event Monitoring and Management:
Enrollment and Registration
The processes for a government employee or contractor to request and obtain a PIV card are automated through a series of customizable workflows and email notifications. The applicant, sponsor, registrar, enrollment officer and card issuance officer are guided through the steps required to validate the applicant's identity and complete the identity proofing and verification process. The Enrollment sub-system not only manages the workflows and sends email notifications to complete the verification and vetting process; it also integrates with third-party systems such as Daon, Viisage, Lenel and EDS, and with existing HR or contractor management systems.
Card Issuance and Maintenance
The card issuance process automates the creation of a PIV card for federal employees and contractors who have successfully completed the enrollment and identity verification process (based on individual agency guidelines). The applicant's identity information is passed to the Card Management System (CMS), and the CMS automatically sends the information and digital certificate to a card production and badging station for card creation. Once the card is created, the applicant is notified and makes arrangements to obtain the PIV card from the issuing officer and securely receive the PIN. The PIV card's unique identifier is automatically captured in a central repository that holds the identity profile for each federal employee or contractor.
The card issuance and maintenance systems are also designed to support typical life-cycle maintenance processes including:
- Card issuance
- Card replacement and temporary card issuance
- Card termination
The Novell Identity Assurance Solution is designed with extensibility in mind. In addition to meeting PIV solution requirements, this solution can easily be extended to integrate with employee and contractor systems of record (a.k.a. authoritative data sources) and provision them to the appropriate physical and logical IT systems based on their role. In addition, this solution can be further extended to support typical employee and contractor life-cycle activities such as the following:
- Employee or contractor termination
- Employee role changes (transfers between departments / locations, etc.)
- Employee information changes (name, address, etc.)
When a federal employee or contractor is terminated or fails the vetting process, their access rights are revoked immediately and the card management system receives instructions to terminate the card. Upon receiving this notification, the CMS disassociates the user from the card and revokes the digital certificate on the PIV card, rendering it invalid.
Logical and Physical Access Control
The Logical & Physical Access Control sub-system is responsible for enforcing access control policies at run time when the federal employee or contractor tries to access the logical IT systems or physical facilities. Access control policies are enforced based on the federal employee or contractor identity and authentication credentials stored on the PIV card issued by the card issuance and maintenance sub-system.
Event Monitoring and Management
The Event Monitoring and Management sub-system is an optional component of the Novell Identity Assurance Solution for HSPD-12 PIV.
The PIV event monitoring system provides a flexible and scalable solution to capture events that are triggered during PIV card life-cycle activities. This system provides a set of reports that allows authorized users to see the state of the PIV processes in real time; it can also be extended to support enterprise-level security event monitoring and management needs as well as audit and compliance reporting requirements. Custom reports and graphs to monitor a variety of conditions can also be created.
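The three sub-systems described above (termination in Card Issuance and Maintenance, the run-time decision in Logical and Physical Access Control, and the audit trail in Event Monitoring) fit together in a single control loop. The following is an added illustration written for this page, not Novell's code or any part of the Identity Assurance product: a small in-memory model in which every card life-cycle action emits an audit event, termination disassociates the holder and marks the certificate revoked, and the access decision refuses a card whose certificate is revoked even if the PIN is correct. The class names (`IdentityRepository`, `PIVCard`), the `revoked_certs` set standing in for a CA's CRL/OCSP status, and the sample identities are all constructed assumptions.

```python
# Added example, not Novell product code: PIV card life cycle, access decision
# and audit events modelled together so the revocation invariant is visible.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class CardState(Enum):
    ISSUED = "issued"
    TEMPORARY = "temporary"      # temporary card issuance from the page's list
    TERMINATED = "terminated"


@dataclass
class PIVCard:
    card_id: str                 # unique identifier captured in the central repository
    holder: str | None           # identity bound to the card; None once disassociated
    cert_serial: str             # serial of the certificate personalised onto the card
    state: CardState = CardState.ISSUED


@dataclass
class IdentityRepository:
    identities: dict = field(default_factory=dict)   # name -> {"vetted": bool, "roles": set}
    cards: dict = field(default_factory=dict)        # card_id -> PIVCard
    revoked_certs: set = field(default_factory=set)  # stands in for CA CRL/OCSP status (assumption)
    events: list = field(default_factory=list)       # audit trail consumed by event monitoring

    def _emit(self, kind: str, **detail) -> None:
        self.events.append({"event": kind, **detail})

    def enroll(self, name: str, roles) -> None:
        # Enrollment sub-system: identity proofing completed, roles recorded.
        self.identities[name] = {"vetted": True, "roles": set(roles)}
        self._emit("enrolled", subject=name)

    def issue_card(self, card_id: str, name: str, cert_serial: str, temporary: bool = False) -> None:
        # Issuance is refused unless verification succeeded.
        if not self.identities.get(name, {}).get("vetted"):
            raise ValueError(f"{name} has not completed identity verification")
        state = CardState.TEMPORARY if temporary else CardState.ISSUED
        self.cards[card_id] = PIVCard(card_id, name, cert_serial, state)
        self._emit("card_issued", subject=name, card=card_id, temporary=temporary)

    def terminate(self, name: str) -> None:
        # Termination or failed vetting: revoke rights first, then instruct the CMS.
        ident = self.identities[name]
        ident["roles"].clear()
        ident["vetted"] = False
        self._emit("access_revoked", subject=name)
        for card in self.cards.values():
            if card.holder == name:
                card.holder = None                        # CMS disassociates user from card
                card.state = CardState.TERMINATED
                self.revoked_certs.add(card.cert_serial)  # certificate revoked, card now invalid
                self._emit("card_terminated", subject=name, card=card.card_id)

    def authorize(self, card_id: str, pin_ok: bool, resource: str, required_role: str) -> bool:
        """Run-time decision for a logical system or facility. Possession plus PIN is
        not enough: the card must still be bound to a vetted holder with the role,
        and its certificate must not be revoked."""
        card = self.cards.get(card_id)
        if card is None or not pin_ok:
            granted, reason = False, "unknown card or bad PIN"
        elif card.state is CardState.TERMINATED or card.holder is None:
            granted, reason = False, "card terminated"
        elif card.cert_serial in self.revoked_certs:
            granted, reason = False, "certificate revoked"
        else:
            granted = required_role in self.identities[card.holder]["roles"]
            reason = "role check"
        self._emit("access_decision", card=card_id, resource=resource,
                   granted=granted, reason=reason)
        return granted


def demo() -> tuple[bool, bool, list[str]]:
    """Constructed scenario: issue, grant, terminate, deny. Returns the two
    decisions and the sequence of audit event kinds for inspection."""
    repo = IdentityRepository()
    repo.enroll("j.doe", roles={"hr-portal"})
    repo.issue_card("PIV-0001", "j.doe", cert_serial="1A2B")
    before = repo.authorize("PIV-0001", pin_ok=True, resource="hr-portal", required_role="hr-portal")
    repo.terminate("j.doe")
    after = repo.authorize("PIV-0001", pin_ok=True, resource="hr-portal", required_role="hr-portal")
    return before, after, [e["event"] for e in repo.events]


if __name__ == "__main__":
    print(demo())
```

The point a reviewer should take from the model is the ordering in `terminate`: rights are withdrawn in the identity store before the CMS is told to disassociate and revoke, so there is no window in which a still-valid card maps to a still-privileged identity, and every step lands in `events` where the monitoring sub-system can report on it.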
Preserving Your Investments
The platform-independent nature of the Novell solution enables federal agencies to build on their existing smart card and public key infrastructure (PKI) investments, instead of ripping out and replacing systems to install proprietary alternatives. In fact, the solution provides freedom of choice in server hardware and operating system selection. The solution provides a standards-based authentication overlay that lets users log in to all network resources. It makes the authentication process transparent for users and easily manageable for IT staff via a Java-based management console. The solution also scales from workgroup-level applications to the largest global enterprise environments, and will interoperate with any internal or external certificate authority. Another benefit of this comprehensive solution is improved business continuity, achieved by supporting disconnected users and temporary authentication for users who have lost or forgotten their Personal Identity Verification card.
Identity-Driven Computing: Planning Beyond HSPD-12
If you expand your concept of identity, you’ll see that its power extends far beyond authentication to encompass every enterprise asset today. A comprehensive identity management solution affects everything from identity proofing and smart card issuance to safeguarding sensitive information from unauthorized access and to regulatory compliance. It means that your government agency is able to adapt—to be flexible and to gracefully address needs as they arise.
Consider investigating solutions that extend the power of identity to all facets of your organization’s computing infrastructure. By embracing identity-driven computing, you build substantial benefits. You can automate the management and security of your organization—beyond the requirements of HSPD-12—improve user productivity, increase service levels and enable secure inter-agency information sharing.
Novell works with many of the integrators that service federal agencies to ensure that the solution meets each agency’s unique requirements. For more information contact your Novell Solutions Provider, your Novell representative or call 1-888-321-4272.