FiXs: One Security/Credit Card to Rule Them All at the 2012 Olympics

Rob Enderle

I'm a big Lord of the Rings fan, and if you live on this planet you've likely either read the books or seen the movies. The central component of the story is a set of rings that identified the leaders of various races and gave them powers (permissions) and one ring that dominated them.


In the security space, FiXs is emerging as the standard that may become the security and credit card equivalent to the "One Ring." What they are doing with this for the 2012 Olympics looks absolutely amazing.


Let's talk about what FiXs is and why it is so potentially powerful, and close with the work being done for the London Olympics that ties it all together.


FiXs: The Federated Trust Primer


FiXs, the Federation for Identity and Cross-Credentialing Systems, was formed to take advantage of a similar technology being deployed by the U.S. government to deal with the nightmare of identity management between massive government entities. The problems the U.S. government has in managing identities, keeping out unauthorized parties and assuring the identities of those in sensitive jobs (like the military) make the kind of security problems most of us deal with seem trivial.


However, after 9/11 the U.S. government issued HSPD-12, which mandated cleanup of the massive mess associated with providing critical access to government systems by those who both needed it and were authorized to have it. Authorities believed it likely was easier to hack into many systems than it was to get authorized access to them, which significantly hindered the U.S.'s ability to defend itself. This created the DCCIS (you really learn to HATE acronyms in this business), or the Defense Cross-Credentialing Identification System.


This system is currently under deployment and is believed to be the most comprehensive of its type. Why it is important to you is that companies doing business with the U.S. government -- and businesses doing business with those businesses -- will likely have to comply with this system in some shape or form. If you want the U.S. government to sign off on your security you are likely going to need something that is DCCIS compliant, and the only thing out there is FiXs, which is basically the civilian form of DCCIS and the only system that meets the HSPD-12 requirements.


This won't happen overnight, but companies that are compliant will likely have increasing competitive advantages not only in government deals but also in deals with other large U.S.-based national and multi-national defense and government contractors. They will likely also enjoy a rather pronounced security advantage, given the nature of this system.


But it's not just the U.S. According to Northrop-Grumman Corp., this technology is moving into Europe with a vengeance because of their need to better track citizens, entitlements and access. This is why it is slated to be used as the core policy behind the 2012 London Olympics.


FiXs: Olympic Star in the Making


The Olympics, particularly during times of war, has to be one of the biggest security nightmares on the planet. Not only do you have to manage tens of thousands of employees, volunteers, athletes, coaches, related families, contractors and security personnel, you have to manage over a million attendees without making the experience so annoying they promise never to come back.


This is not a case where you can trade off speed, ease of access and security -- you have to be able to provide all of the above. Granted, part of this solution is likely the most comprehensive deployment of security cameras in the world, which includes beat cops and all of London (and is already being deployed).


But for access and cash transactions (the event is going paperless), the FiXs solution -- coupled with biometrics and a smart card -- is being readied to do the heavy lifting. There will be a lot of vendors, both U.S. and European, handling the technology side of the solution (FiXs is a consortium of vendors), but the success of this deployment could well establish this solution as the gold standard for access.


In a nutshell, for anyone going to the Olympics that year, you'll buy your tickets online as always, go to a kiosk at the venue and identify yourself using at least two factors. You'll then be scanned (likely a fingerprint reader, but could be a face scan) and be given your universal card. The card will know what venues you are allowed to go into and what seats you have. You can also use the kiosk to buy transportation tokens (which the card will hold) and fund the card so you can buy things.


If you lose the card, you simply go to another kiosk and use the same biometric marker to invalidate the lost card and grant you a new card with all of your stuff on it again. No one else can use your card and, without cash or physical tokens, transactions should happen more quickly and lines move more rapidly.


The Olympics officials will know with certainty who is actually attending events and, should there be a crime, have a high likelihood of quickly identifying the very likely suspects and a high probability of keeping them out of the games in the first place.


This will likely be a managed service, which means no up-front cost but a charge per transaction that will pay for the system. This will help fix a little budget problem that has recently popped up. Maybe they thought the IT stuff was free?


Wrapping Up


I worked on a project for Disney a few years back that tried to do something similar, and the technology just wasn't to this level yet. I think the Disney folks would have thought they had died and gone to heaven if they could have this level of capability at one of their parks, let alone what this could do to secure buildings and better protect employees and company assets.


I'm sure there are privacy concerns surrounding tight tracking like this, but given the information that identifies you as you and the systems that provide the permissions are separate, you would think the result would be less, not more, redundant information and, in the end, a much greater protection over your identity.


Regardless, with two major governments using FiXs as a central federated identity policy vehicle, the likelihood that most of us will fall under this in the next five to seven years is high. It's probably time to come up to speed if you are in the security business and aren't aware of this.

Aug 6, 2007 9:47 AM Salvatore D'Agostino says:
Rather than depending on a database back end and the subsequent security, scale, performance and cost of ownership issues that arise, a number of large scale credential programs have chosen to take advantage of distributed credential validation. One example is the First Responder Authentication Credential (FRAC). The system allows multiple issuing organizations to manage privileges associated with a credential issued to common standards. This solution is being rolled out to millions of people today, is already in production use, and provides better performance, privacy and security than a databased back-end approach. Take a look at recent DHS demonstrations "Winter Storm" and "Summer Breeze" for some more details on the program.
Aug 6, 2007 12:36 PM Michael J. Mestrovich says:
Mr. D'Agostino fails to mention that the solution he is referring to lacks interoperability with other solutions and has no standard enrollment process prior to issuing a credential. Since DHS funds the program thru "grants" there is little that the receiving organizations can say about how it is run, the technology used, and the issued credentials' ability to be used in day to day operations at the state and local level. If his assertions were totally accepted as the "FRAC case" then why did the House pass legislation last week calling for new and improved standards for credentialing FRAC's?
Aug 13, 2007 1:39 AM Salvatore D'Agostino says:
The interoperability is around leveraging the credential and the infrastructure (e.g. the shared service and associated public key infrastructure). Interoperability in Virginia has been demonstrated between credentials issued by FiXs and the Pentagon Force Protection Agency. The credentials are used every day across Federal, State and local entities. The solution addresses legacy credentials as well as those using PKI. Grants are one source of funding but the states decide how to use these funds. The recent legislation leaves FIPS 201 in place as the model for establishing identity; unless I missed something, the recent legislation will only strengthen this position.
