I'm a big Lord of the Rings fan, and if you live on this planet you've likely either read the books or seen the movies. The central component of the story is a set of rings that identified the leaders of various races and gave them powers (permissions) and one ring that dominated them.
In the security space, FiXs is emerging as the standard that may become the security and credit card equivalent to the "One Ring." What they are doing with this for the 2012 Olympics looks absolutely amazing.
Let's talk about what FiXs is and why it is so potentially powerful, and close with the work being done for the London Olympics that ties it all together.
FiXs: The Federated Trust Primer
FiXs, the Federation for Identity and Cross-Credentialing Systems, was formed to take advantage of a similar technology being deployed by the U.S. government to deal with the nightmare of identity management between massive government entities. The problems the U.S. government has in managing identities, keeping out unauthorized parties and assuring the identities of those in sensitive jobs (like the military) make the kind of security problems most of us deal with seem trivial.
However, after 9/11 the U.S. government issued HSPD-12, which mandated cleanup of the massive mess associated with providing critical access to government systems by those who both needed it and were authorized to have it. Authorities believed it likely was easier to hack into many systems than it was to get authorized access to them, which significantly hindered the U.S.'s ability to defend itself. This created the DCCIS (you really learn to HATE acronyms in this business), or the Defense Cross-Credentialing Identification System.
This system is currently under deployment and is believed to be the most comprehensive of its type. It matters to you because companies doing business with the U.S. government -- and businesses doing business with those businesses -- will likely have to comply with this system in some shape or form. If you want the U.S. government to sign off on your security, you are likely going to need something that is DCCIS compliant, and the only thing out there is FiXs, which is basically the civilian form of DCCIS and the only system that meets the HSPD-12 requirements.
This won't happen overnight, but companies that are compliant will likely enjoy a growing competitive advantage, not only in government deals but also in deals with other large U.S.-based national and multi-national defense and government contractors. They will likely also enjoy a rather pronounced security advantage, given the nature of this system.
But it's not just the U.S. According to Northrop-Grumman Corp., this technology is moving into Europe with a vengeance because of their need to better track citizens, entitlements and access. This is why it is slated to be used as the core policy behind the 2012 London Olympics.
FiXs: Olympic Star in the Making
The Olympics, particularly during times of war, has to be one of the biggest security nightmares on the planet. Not only do you have to manage tens of thousands of employees, volunteers, athletes, coaches, related families, contractors and security personnel, you have to manage over a million attendees without making the experience so annoying they promise never to come back.
This is not a case where you can trade off speed, ease of access and security -- you have to be able to provide all of the above. Granted, part of this solution is likely the most comprehensive deployment of security cameras in the world, which includes beat cops and all of London (and is already being deployed).
But for access and cash transactions (the event is going paperless), the FiXs solution -- coupled with biometrics and a smart card -- is being readied to do the heavy lifting. There will be a lot of vendors, both U.S. and European, handling the technology side of the solution (FiXs is a consortium of vendors), but the success of this deployment could well establish this solution as the gold standard for access.
In a nutshell, for anyone going to the Olympics that year, you'll buy your tickets online as always, go to a kiosk at the venue and identify yourself using at least two factors. You'll then be scanned (likely a fingerprint reader, but could be a face scan) and be given your universal card. The card will know what venues you are allowed to go into and what seats you have. You can also use the kiosk to buy transportation tokens (which the card will hold) and fund the card so you can buy things.
If you lose the card, you simply go to another kiosk and use the same biometric marker to invalidate the lost card and grant you a new card with all of your stuff on it again. No one else can use your card and, without cash or physical tokens, transactions should happen more quickly and lines move more rapidly.
The Olympics officials will know with certainty who is actually attending events and, should there be a crime, have a high likelihood of quickly identifying the likely suspects and a high probability of keeping them out of the games in the first place.
This will likely be a managed service, which means no up-front cost but a charge per transaction that will pay for the system. This will help fix a little budget problem that has recently popped up. Maybe they thought the IT stuff was free?
I worked on a project for Disney a few years back that tried to do something similar, and the technology just wasn't to this level yet. I think the Disney folks would have thought they had died and gone to heaven if they could have this level of capability at one of their parks, let alone what this could do to secure buildings and better protect employees and company assets.
I'm sure there are privacy concerns surrounding tight tracking like this, but given that the information that identifies you as you and the systems that provide the permissions are separate, you would think the result would be less, not more, redundant information and, in the end, much greater protection of your identity.
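The kiosk flow described above (a lost card replaced against a biometric, with identity data held apart from permissions) can be modelled in a few classes. This is an added example, not FiXs code and not part of the original column; the class names, the opaque holder id and the exact-match biometric lookup are assumptions made for illustration.

```python
import secrets

class IdentityProvider:
    """Knows who you are; hands out only an opaque holder id."""
    def __init__(self):
        self._holders = {}                    # biometric reference -> holder id

    def enroll(self, biometric_ref):
        holder = secrets.token_hex(8)
        self._holders[biometric_ref] = holder
        return holder

    def match(self, biometric_ref):
        # Stand-in for a real matcher, which compares templates fuzzily.
        return self._holders.get(biometric_ref)

class EntitlementService:
    """Knows what a holder id may do; stores no personal data."""
    def __init__(self):
        self._venues = {}                     # holder id -> set of venues
        self._active = {}                     # holder id -> current card serial
        self._owner = {}                      # card serial -> holder id

    def grant(self, holder, venue):
        self._venues.setdefault(holder, set()).add(venue)

    def issue_card(self, holder):
        serial = secrets.token_hex(8)
        self._owner[serial] = holder
        self._active[holder] = serial         # any earlier card is now invalid
        return serial

    def admit(self, serial, venue):
        holder = self._owner.get(serial)
        if holder is None or self._active[holder] != serial:
            return False                      # unknown or replaced card
        return venue in self._venues.get(holder, set())

def replace_lost_card(idp, ents, biometric_ref):
    """Kiosk flow: re-identify by biometric, then reissue; None if no match."""
    holder = idp.match(biometric_ref)
    return ents.issue_card(holder) if holder else None

def demo():
    idp, ents = IdentityProvider(), EntitlementService()
    holder = idp.enroll("constructed-fingerprint-ref-A")   # constructed sample
    ents.grant(holder, "stadium")
    first = ents.issue_card(holder)
    second = replace_lost_card(idp, ents, "constructed-fingerprint-ref-A")
    stranger = replace_lost_card(idp, ents, "constructed-fingerprint-ref-B")
    return ents.admit(first, "stadium"), ents.admit(second, "stadium"), stranger
```

Because entitlements hang off the holder id rather than the card serial, the replacement card inherits everything and the lost one stops working the moment the new one is issued.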
Regardless, with two major governments using FiXs as a central federated identity policy vehicle, the likelihood that most of us will fall under this in the next five to seven years is high. It's probably time to come up to speed if you are in the security business and aren't aware of this.