Solving today’s critical personal identity
challenges by implementing trusted identity
solutions, including hosted, multi-modal
biometrics
OCTOBER 2015
IDENTIX® PLATFORM IS OFFERED BY MORPHOTRUST USA, LLC
Contents
Introduction 4
Next Generation Identification and Authentication 5
The Identix® Platform – The Proven Solution 6
Pluggable Search Engine Architecture 7
DNA and Other Potential Plugins 8
Speaker Recognition Technology 9
Improved Efficiencies in Finger, Iris and Face 9
Biometric Fusion 9
Winnowing – A Method for Decreasing Computational Intensity and Increasing Accuracy 11
Moving to the Cloud 13
Next-Generation Cloud Infrastructure 14
Cloud and Virtualization Capable 16
Search Engine 17
Scalability 17
WorkFlow Manager 19
Workflow Manager Scalability 20
Identity Manager 20
Establishing a Trusted Golden Record 21
Persistent Vetting 21
Introduction
Identity matters more than ever. It matters when trying to identify persons of interest, when identifying those who attempt to remain anonymous or hide their identity, and when establishing the true identity of someone who has assumed one or more false identities.
Whether implemented on premises, in the field or in investigatory workflows, the practical use of identity technologies enhances our nation’s security, heightens our force protection capabilities, augments intelligence operations and improves other vital missions where identity assurance is paramount.
Our solutions are widely recognized as the leading multi-modal software solution for trusted identities, and are optimized for managing and verifying identity, including business process management, identity record keeping, verification, de-duplication and identification functionality. To date, many state and federal agencies successfully use our biometric solutions to process, store, create, search, share, and compare biometric identity records using face, iris, fingerprint, palm print and other biometric modalities, individually or in combination.
“With the commercial introduction of the Identix Trusted
Identity-as-a-Service (TIaaS) platform, we have opened a new
front in the battle to protect consumers, businesses, and
government agencies from the growing threats of identity risk
– bringing the power of multimodal biometrics, authentication
and search engine technology to the cloud.”
Bob Eckel – CEO, MorphoTrust USA
Biometric Search Engine: As an essential part of the Identix Trusted Identity as a Service (TIaaS) solution, the engine has repeatedly proven its efficacy using top-rated algorithms for face, iris, fingerprint, and palm print recognition. The processing capabilities include biometric matching, image pre-processing, and quality analysis based on industry standards as well as our proprietary metrics. We continue to invest in innovation and in enhancing and extending its biometric capabilities, enabling the integration of best-in-class algorithms and customer-driven architectures in a cutting-edge solution that is more flexible than traditional closed-system deployments. This hosted solution offers a reduction in capital and operational expenditures, usage-based distribution of resources, enhanced systems and IT interoperability through APIs, centralized configuration and monitoring, and a much faster and more efficient process for managing system upgrades and software patches.
Key Takeaways
• You know the trade name Identix, and now these technologies are available in a hosted environment, including with APIs and SDKs for application development.
• Whether implemented on premises, in the field or in investigatory workflows, the practical use of identity technologies enhances our nation’s security, heightens our force protection capabilities, augments intelligence operations and improves other vital missions where identity assurance is paramount.
• The Identix platform is uniquely qualified to meet demanding and large-scale identity assurance
And because we understand some of our customers and partners may not have the option of a pure cloud-based solution, qualified organizations have the option of managing the Identix solution in a variety of more traditional architectures dictated by their requirements.
Large-Scale: We offer you expertise based on our specialization in the area of
large-scale multi-modal biometric search and years of experience and technology leadership. We are now very excited to offer the Identix platform (described in detail below) which is fully cloud-capable and can support DNA and other biometric modalities, including finger, iris and face technologies from third-party vendors. In this paper, we will discuss multi-modal fusion, an area we pioneered and have considerable real-world experience in, as well as a new technique for finding additional efficacy in biometric search, which we call Winnowing. Finally, we will discuss approaches to decreasing operational and maintenance costs, highlighting our virtualization capability and touching on customer-driven licensing models.
Sophisticated: Our focus on driving innovation in core biometric algorithms,
multi-modal analysis, scalability, and robust search and identity management solutions have resulted in a trusted partnership with the federal government that has endured for decades. We intend to continue to earn your trust as a world-class technology provider and advisor through the next generation of biometric and biographic-based identification capabilities. Our solution is the next generation biometric matching and fusion solution, delivering a highly scalable, standards driven, COTS-based solution, without the traditional limitations presented by hardware and software licenses.
Next Generation Identification and Authentication
The Identix platform is the next generation industry-leading multi-modal biometric solution, building upon the leadership and maturity of over four decades of identification and biometric innovation. And while Federal agencies have relied on our biometric search solutions for over 12 years, the platform is more than a multi-modal search engine. It is a comprehensive and growing identification and authentication software platform for building multi-biometric identity management solutions. Solutions include
business process management, identity record keeping, verification, de-duplication, and identification functionality. The solution provides configurable solutions to process, store, create, search, and compare biometric identity records using face, fingerprint, and iris biometric modes, individually and in combination. The processing capabilities include biometric matching as well as image processing and image quality analysis based on industry standards and proprietary metrics, and with this next generation, we now enable optional virtualization, cloud-based deployments, and service-based payment model options.
The platform has been optimized to support IT best practices for security, distributed systems integration, efficient operation and communications. The highly modular and open architecture provides world-class biometrics services with built-in high-availability support required for mission-critical operations. The solution also includes built-in monitoring services that connect to customer IT systems. This combination of best practice alignment and built-in capabilities minimizes potential project risks typically associated with large integration efforts, and delivers an operating environment that supports ongoing scalability and changes in performance needs.
Data storage is secure, and distributed disk storage ensures reliable database transactions. Only templates are stored in the search engine, while original images and associated demographic information are stored in the customer’s repository, or optionally, in the hosted environment. Storage is also speed-optimized for biometric operations and provides exemplary data safety and replication.
The system offers incremental and full back-up capabilities, restoration to point of failure, and easily integrated system-to-system data replication. The backup and restoration features are specifically designed for the most advanced backup methods in the industry, capable of performing these functions and ensuring full restoration in minutes.
The Identix® Platform – The Proven Solution
With the Identix platform as the foundation for development, the solution benefits from the maturity and history of innovation, and is a robust solution for biometric search and identity management with over 100 years of cumulative person-hours in development and refinement of the software.
• Our original biometric technologies were launched in 2001 as a face-based search engine, resulting from an evolutionary, customer-driven development process. Early large-scale deployments include facial recognition solutions used by motor vehicle and benefits agencies to deter identity fraud.
• In 2006, we launched the first truly large-scale multi-modal solution in the industry.
• A year later, the core algorithms were greatly enhanced with the goal of increasing speed and accuracy.
• Then we released the most significant upgrade of the system architecture since the initial launch, introducing capacity, high-throughput and high-availability design concepts supporting national identity system deployments around the world.
• The Identix SaaS solution further expands the solution's unique functionality by providing a plug-in architecture for new biometric algorithms from third parties or new modalities, such as voice and DNA recognition, via a standard API.
• Other enhancements include simplification of systems management in the administrative domain to further empower users and features that enable deployment of the Search Engine in cloud and virtual machine implementations.
Pluggable Search Engine Architecture
The Identix solution is designed to be open and extensible to additional algorithms – meeting customer requests by ensuring they are not locked into a proprietary technology. Open architecture and standards-compliance became primary design priorities.
Standardized APIs ease integration for third-party products as needed. The design of the standardized API supports any third-party or custom SDKs with an interface that can be exported, either directly or remotely, to a Java interface (including C, C++, or other export via JNI) using basic biometric APIs. The plug-in with its API becomes tightly integrated into the search engine’s Stateful and Spare Pool Biometric Services, and can be managed and scaled seamlessly via standard conventions.
At a minimum the solution provides quality checks, template creation, record search, record enrollment, update, and deletion. Example code is provided to third-party developers to help jumpstart implementation. The Java source contains all methods, is pre-instrumented to function as an example, and can be used directly by renaming, repackaging, and inserting calls to the desired third-party product as indicated in the comments. It is also possible to write a plug-in by simply implementing the proper interface. Inputs and outputs to a third-party library use the same communications objects as the native Foundation SDK. This prevents the architecture from imposing too much structure on a third-party implementation.
We are working with a number of biometric algorithm vendors to ensure seamless integration of their technology into the Identix solution. We are investigating additional face and finger algorithms as well as new modalities such as DNA and voice. Our research team is testing and evaluating the effectiveness of incorporating third-party algorithms with orthogonal techniques to improve system performance. Our approach is to maintain vendor neutrality while maximizing the efficacy of the solution as new algorithms and modalities are added.
DNA and Other Potential Plugins
The Identix platform supports the addition of new modalities to search any biometric data of interest via a single user interface and software solution. Examples of pluggable technologies and capabilities are voice recognition, DNA, and third-party face, finger, and iris algorithms.
RapidHIT® is available for the collection and processing of DNA, with results in approximately 90 minutes. A reference matching architecture for a DNA plug-in is also available, as is a core DNA matching technology for complete profiles. With all of these components and requisite expertise, we are well prepared to provide DNA matching and storage solutions.
Except for identical twins, each person’s DNA is unique, and it can be considered a ‘perfect’ modality for identity verification. DNA identification techniques look at specific areas within the long human DNA sequence which are known to vary widely between people. The accuracy of this technique is very high, and it allows identification and verification that is far harder to spoof, fake or fraudulently present than image-based modalities.
A reference architecture for DNA is available for use as a gallery in the Identix Search Engine, with template storage and the ability to match full DNA profiles. The process is very straightforward and requires the simple matching of some standard pairs of loci. (There are several different standards; one of the most common uses 13 pairs to match and determine identity.) There is no ranking of similarity involved: either the pairs are all identical matches or they are not. In this case the Identix Search Engine algorithms do not apply thresholds, and for complete, correctly typed profiles there is no false accept or false reject rate in the statistical sense. The residual error sources are typing or data-entry errors in a profile and identical twins, who share a profile and cannot be told apart by this modality.
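The exact-match behaviour described above, written out as an added example (this is not MorphoTrust code and the reference architecture is not public). The locus names `locus01`..`locus13` and all genotypes are constructed stand-ins for a 13-locus panel; the function names are hypothetical. The example makes two practitioner points the paragraph leaves implicit: allele pairs at a locus are unordered, and an incomplete profile must yield "no decision" rather than a silent false reject, because the no-threshold guarantee only holds for full profiles.

```python
from typing import Dict, List, Optional, Tuple

Allele = Tuple[int, int]      # the two alleles observed at one locus
Profile = Dict[str, Allele]   # locus name -> allele pair

# Constructed locus names: a stand-in for a 13-locus panel, not a real standard.
REQUIRED_LOCI = tuple(f"locus{i:02d}" for i in range(1, 14))


def canonical(profile: Profile) -> Profile:
    """Allele pairs are unordered: (12, 15) and (15, 12) are the same genotype."""
    return {locus: tuple(sorted(pair)) for locus, pair in profile.items()}


def is_full_profile(profile: Profile) -> bool:
    return all(locus in profile for locus in REQUIRED_LOCI)


def profiles_match(reference: Profile, probe: Profile) -> Optional[bool]:
    """Exact match over every required locus: True, False, or None when either
    profile is incomplete. A missing locus is a gap, not a mismatch, so the
    function declines to decide instead of producing a false reject."""
    if not (is_full_profile(reference) and is_full_profile(probe)):
        return None
    ref, prb = canonical(reference), canonical(probe)
    return all(ref[locus] == prb[locus] for locus in REQUIRED_LOCI)


def search_gallery(gallery: Dict[str, Profile], probe: Profile) -> List[str]:
    """Every gallery id whose full profile equals the probe's. There is no
    ranking or threshold; identical twins both come back and must be
    resolved by other means."""
    return sorted(sid for sid, ref in gallery.items() if profiles_match(ref, probe))


def _make_profile(seed: int) -> Profile:
    # Constructed genotypes for the example only.
    return {locus: (seed + i, seed + 3 + i % 4) for i, locus in enumerate(REQUIRED_LOCI)}


SUBJECT_A = _make_profile(8)
TWIN_OF_A = dict(SUBJECT_A)                  # identical twin: same profile
OTHER = dict(SUBJECT_A, locus07=(14, 21))   # differs at a single locus
GALLERY = {"A": SUBJECT_A, "A-twin": TWIN_OF_A, "B": OTHER}

if __name__ == "__main__":
    # Same subject, alleles typed in the opposite order at every locus.
    swapped = {locus: (b, a) for locus, (a, b) in SUBJECT_A.items()}
    print("gallery hits:", search_gallery(GALLERY, swapped))
    partial = {locus: SUBJECT_A[locus] for locus in REQUIRED_LOCI[:10]}
    print("partial profile decision:", profiles_match(SUBJECT_A, partial))
```

The twin case is worth keeping in any test suite for a DNA plug-in: a gallery search that returns two identifiers is correct behaviour, not a defect, and the workflow layer has to carry both forward rather than pick one.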
Speaker Recognition Technology
Our Research and Development team has evaluated leading technologies for speaker recognition, in coordination with the respective providers. Using our pluggable architecture, we have tested how to best implement the most accurate or fastest of these (depending on the customer’s use case) in our Search Engine. However, we note that this type of biometric does not scale as well as finger, iris and face recognition.
Improved Efficiencies in Finger, Iris and Face
The platform adds efficiencies to the processing of the three primary modalities using proven, best-in-the-industry algorithms:
• Our Daugman-based iris technology supports industry leading accuracy and speed in an extremely efficient template
• BioEngine fingerprint combines minutiae and pattern-based approaches to provide the optimal balance between accuracy and speed tailored for a given implementation
• Our face recognition solutions have been an industry leading technology since the early days of the biometrics industry
Our world-class algorithms and research team continue to push the technology forward. Today, we offer leading biometric technologies and intellectual property in fingerprint, iris and face matching modalities, with a distinguished history of top-tier performance in industry benchmark tests.
Biometric Fusion
Our matching engine is unique in the biometric industry because it is specifically designed to be multi-modal. Our technology portfolio includes iris and face captured through any still or video device, fingerprint captured via any device that outputs a standards-compliant template or image format, and whole or partial palm prints.
The R&D team continues to strive for improved accuracy in each of these areas. A major advantage of the matching engine’s multi-modal design is the ability to provide better identification, through multi-modal fusion, even with less than ideal data.
Fusion can be performed on samples from independent biometric modes or multiple samples from the same biometric mode. Any two or more biometric modalities can be fused together to improve accuracy. Face, finger, palm, and iris modalities are complementary as they are statistically uncorrelated, meaning imposter matches and quality problems are only weakly correlated or are uncorrelated between biometrics. Therefore, fusion across modalities can decrease false match and false reject rates, which is particularly beneficial when individual biometrics lack sufficient quality.
Systems offering multiple configurable decision thresholds can handle the scoring of biometric images in any combination, depending on image availability. Multiple match thresholds can be configured based on the modalities presented for the biometric match allowing, for example, more rigorous thresholds to be placed on single modality matches than multi-modal matches.
Multi-modal fusion typically occurs in either the decision subsystem, using decision-level fusion, or in the matching subsystem, using score-level fusion. In decision-level fusion each modality calculates its decision independently. The separate decisions are fused using methods such as majority voting, weighted voting and Boolean logic rules. In score-level fusion, matching scores returned from each modality’s matching algorithms are combined. When fusing matching scores from different modality algorithms, the scores need to be normalized so that they have equivalent interpretations for comparison.
The Neyman-Pearson model that we use for score-level fusion normalizes scores based on both the imposter and genuine distributions. Neyman-Pearson-based score-level fusion provides for fusion of any values which control a system’s Type-1 and Type-2 errors (false rejection and false acceptance rates). In biometrics, this value is the match similarity score returned from a search. This combined match score is then compared to a configured match threshold. Our research team has investigated the difference in accuracy between decision-level and score-level fusion. When setting thresholds at extremely high or low false acceptance rates, decision-level fusion tends to perform as well as score-level fusion. However, when operating at the moderate false acceptance rate range typical for most applications, score-level fusion outperforms decision-level fusion.
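The two fusion levels side by side, as an added example that is not the vendor's implementation. Neyman-Pearson normalization is realized here as a per-modality log-likelihood ratio, log P(score | genuine) / P(score | impostor); the genuine and impostor score distributions (`SCORE_MODELS`), the per-modality decision thresholds, the fused thresholds keyed by how many modalities were presented (the stricter single-modality bar described earlier in this section), and the probe scores are all constructed. The run shows the case the text is about: a genuine subject with two weak samples is rejected by majority vote but accepted once the strong iris evidence is allowed to carry its real weight.

```python
import math
from typing import Dict

# Constructed per-modality score models (illustrative, not vendor data): the
# genuine and impostor similarity-score distributions are taken to be normal
# with the given (mean, standard deviation).
SCORE_MODELS = {
    "face":   {"genuine": (0.80, 0.10), "impostor": (0.40, 0.10)},
    "finger": {"genuine": (0.85, 0.08), "impostor": (0.30, 0.10)},
    "iris":   {"genuine": (0.90, 0.05), "impostor": (0.20, 0.10)},
}

# Per-modality accept thresholds used by decision-level fusion (constructed).
DECISION_THRESHOLDS = {"face": 0.60, "finger": 0.60, "iris": 0.55}

# Fused log-likelihood-ratio thresholds keyed by the number of modalities
# presented: a decision resting on one modality is held to a stricter bar.
FUSED_THRESHOLDS = {1: 4.0, 2: 2.0, 3: 0.0}


def _log_normal_pdf(x: float, mu: float, sd: float) -> float:
    z = (x - mu) / sd
    return -0.5 * z * z - math.log(sd) - 0.5 * math.log(2 * math.pi)


def normalize_score(modality: str, score: float) -> float:
    """Map a raw similarity score to log P(score|genuine) / P(score|impostor).
    Scores from different algorithms become comparable because both are now
    expressed in the same units (evidence for genuine vs. impostor)."""
    model = SCORE_MODELS[modality]
    return (_log_normal_pdf(score, *model["genuine"])
            - _log_normal_pdf(score, *model["impostor"]))


def score_level_fusion(scores: Dict[str, float]) -> float:
    """Sum of per-modality log-likelihood ratios. Summing is valid when the
    modalities' errors are independent, the uncorrelation assumption above."""
    if not scores:
        raise ValueError("no modality scores to fuse")
    return sum(normalize_score(m, s) for m, s in scores.items())


def score_level_decision(scores: Dict[str, float]) -> bool:
    n = min(len(scores), max(FUSED_THRESHOLDS))   # 4+ modalities use the 3-modality bar
    return score_level_fusion(scores) >= FUSED_THRESHOLDS[n]


def decision_level_decision(scores: Dict[str, float]) -> bool:
    """Each modality decides alone against its own threshold; majority vote."""
    if not scores:
        raise ValueError("no modality scores to fuse")
    votes = sum(1 for m, s in scores.items() if s >= DECISION_THRESHOLDS[m])
    return 2 * votes > len(scores)


if __name__ == "__main__":
    # Constructed probes: a genuine subject with poor face and finger samples,
    # and an impostor who scores low everywhere.
    weak_genuine = {"face": 0.55, "finger": 0.55, "iris": 0.85}
    impostor = {"face": 0.45, "finger": 0.35, "iris": 0.25}
    for label, probe in (("weak genuine", weak_genuine), ("impostor", impostor)):
        print(f"{label}: fused LLR={score_level_fusion(probe):.2f} "
              f"score-level={score_level_decision(probe)} "
              f"decision-level={decision_level_decision(probe)}")
```

Two things to carry over into a real deployment: the genuine and impostor distributions must be estimated per algorithm version and re-estimated when a plug-in is swapped, or the normalization silently goes stale; and the per-combination thresholds should be set from measured false accept rates for each combination of modalities, not reused across combinations.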
This same fusion model can accommodate soft biometrics, which are physical traits that provide information about an individual but cannot be used alone to accurately identify individuals (e.g. eye color, hair color, presence of mustache, height, weight, gait, presence of tattoos). It can also handle demographic values, including a person’s geolocation, place of birth, and country of departure when traveling, after they are calibrated by their Type-1 and Type-2 errors. Fusing soft biometrics and demographics with biometric scores results in
a statistically meaningful score based on multiple types of information. These capabilities offer significant value in making a final identity match decision. Because fusion increases accuracy, and thereby decreases the number of search results requiring final human review, it can also decrease the total cost of operations. Currently, we are not aware of any architectural limitations of fusion with either data processing or the data repository. When fusion technology is implemented in Workflow Manager, data can reside in a number of locations. Workflow Manager sends out search requests, accepts candidate list results, normalizes scores if required, executes the logic mechanism behind the fusion, and provides a final candidate list based on all available information. Since fusion can be implemented in a number of ways, it is important to select a method that is flexible in managing the required data flows and the logic mechanisms behind the fusing of the values. As the data available to an agency changes, the middleware Workflow Manager uses must be adaptable to incorporate new data sources and deprecate sources no longer relevant to the decision-making process.
A particularly powerful fusion technique that we have employed is one we call “conditional piping”. Conditional piping realizes the full power of a multi-modal system, as has been successfully proven in India’s Universal ID Program. A conditional pipe is a workflow that automatically adjusts the computational intensity of a search based on biometric sample quality, priority of the search, and other factors. Computational intensity is decreased by relying primarily on the biometric modality that provides the greatest efficiency (the combination of accuracy and speed) and utilizing another modality or modalities only when the primary one is unavailable or of insufficient quality, or when the priority is such that a full multi-modal comparison is warranted. The conditional pipeline scheme therefore has the added effect of maximizing efficiency based on data quality.
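A conditional pipe as a small piece of workflow code, added here as an illustration and not taken from Workflow Manager. The stage order (iris, then finger, then face), the quality floor, the "decisive margin" early-exit rule and the candidate scores that the mock matcher returns are all constructed; scores are assumed to be already normalized to a common scale so they can be summed. The function returns how many comparisons were actually performed, which is the quantity conditional piping is meant to reduce.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed per-modality candidate lists for one probe (subject id -> score),
# standing in for what the search engine would return. Assumed pre-normalized.
MOCK_CANDIDATES = {
    "iris":   {"S1": 0.96, "S2": 0.31, "S3": 0.28, "S4": 0.22},
    "finger": {"S1": 0.88, "S2": 0.65, "S3": 0.40, "S4": 0.35},
    "face":   {"S1": 0.79, "S2": 0.62, "S3": 0.55, "S4": 0.50},
}
STAGE_ORDER = ("iris", "finger", "face")  # most efficient modality first (constructed)
QUALITY_MIN = 0.60       # sample quality below which a modality is not searched
DECISIVE_MARGIN = 0.30   # top-1 minus top-2 fused score that ends the pipe early


@dataclass
class PipeResult:
    stages_run: List[str]
    comparisons: int
    candidates: List[Tuple[str, float]]
    degraded: bool = False   # True when no captured modality met QUALITY_MIN


def run_matcher(modality: str) -> Dict[str, float]:
    """Stand-in for one search-engine call; a real pipe would send a request."""
    return MOCK_CANDIDATES[modality]


def conditional_pipe(quality: Dict[str, float], priority: str = "normal") -> PipeResult:
    usable = [m for m in STAGE_ORDER if quality.get(m, 0.0) >= QUALITY_MIN]
    degraded = not usable
    if degraded:
        # Nothing met the quality floor: search what was captured rather than
        # refuse, but flag the result so review can apply stricter handling.
        usable = [m for m in STAGE_ORDER if m in quality]
    fused: Dict[str, float] = defaultdict(float)
    comparisons = 0
    stages_run: List[str] = []
    ranked: List[Tuple[str, float]] = []
    for modality in usable:
        for subject_id, score in run_matcher(modality).items():
            fused[subject_id] += score
            comparisons += 1
        stages_run.append(modality)
        ranked = sorted(fused.items(), key=lambda kv: kv[1], reverse=True)
        # High-priority searches always get the full multi-modal comparison;
        # otherwise stop as soon as the leader is clearly separated.
        if (priority != "high" and len(ranked) > 1
                and ranked[0][1] - ranked[1][1] >= DECISIVE_MARGIN):
            break
    return PipeResult(stages_run, comparisons, ranked, degraded)


if __name__ == "__main__":
    good = {"iris": 0.9, "finger": 0.9, "face": 0.9}
    print("good iris, normal priority:", conditional_pipe(good))
    print("poor iris, normal priority:", conditional_pipe({**good, "iris": 0.3}))
    print("good samples, high priority:", conditional_pipe(good, priority="high"))
```

Note that the early exit is keyed on the fused margin, not on the absolute top score: an impostor probe with a uniformly low list still stops early (cheaply rejected), while a close second forces the next modality to be consulted.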
Winnowing – A Method for Decreasing Computational Intensity and Increasing Accuracy
As database size increases, accuracy in identification (1:N searches) decreases. For biometrics with lower accuracy rates, searching a very large database with a single modality can negatively impact results. One way of maintaining accuracy is to decrease the number of gallery images to which the probe image is compared.
Different techniques can be utilized to reduce the search space, including:
• Binning partitions the data into as many subsets as there are categories. Binning creates permanent gallery partitions based on:
  • Exogenous data: external to the biometric trait (e.g. country of birth, gender, age), or
  • Endogenous data: derived from the biometric data (e.g. in the fingerprint modality, whorls or loops).
• Filtering builds an ad hoc subset of data based on categories selected at the time of the search.
• Indexing assigns a numerical value to each database entry. For example, reference samples are matched against an archetypal gallery and a composite index code is created from the matching scores; the probe image is then compared against that same archetypal gallery and references are searched based on the probe’s index scores.
In all cases, the probe is only matched on those images in the gallery that fall into the category selected when the search transaction is initiated. This decreases the false match rate (FMR). The decrease in FMR is based on the biometric trait used as well as the reduction of enrollments in the search space. Winnowing will also decrease search time as fewer enrollments are compared against the probe.
The use of winnowing techniques in searching opens up the potential of a new pre-selection error rate, which occurs when the corresponding enrollment is not in the pre-selected subset of candidates presented for matching against the probe. A mistake in the entry of the associated demographic data used to partition the data can cause a pre-selection error. This type of error is most critical when using binning, as the enrollment would be placed in the incorrect partition and never matched against the probe.
There are trade-offs with the use of winnowing techniques that need to be considered before implementing any of these in a biometric system. However, winnowing can be a very effective means of reducing the computational requirements of large-scale database searches and thereby increasing speed and accuracy. If the demographic data available for use in winnowing based on exogenous data (country of birth, gender, age) is accurate, this is often a convenient use of that readily available information to improve system
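Binning and filtering, and the pre-selection error that binning introduces, as an added example (not the vendor's search engine). The gallery, the 32-bit "templates" compared by Hamming distance, the candidate threshold and the mis-entered attribute are all constructed: subject S3 was enrolled with sex recorded as "M" although the probe (and the truth) say "F". Each search returns the candidate list together with the number of comparisons performed, so the cost saving and the miss are both visible.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Enrollment:
    subject_id: str
    template: int   # constructed 32-bit toy template; real templates are algorithm-specific
    country: str    # exogenous data captured at enrollment
    sex: str


# Constructed gallery. S3's sex was mis-entered as "M" at enrollment (truth: "F").
GALLERY = [
    Enrollment("S1", 0x12345678, "US", "F"),
    Enrollment("S2", 0x0F0F0F0F, "US", "M"),
    Enrollment("S3", 0xA5A5F00F, "CA", "M"),
    Enrollment("S4", 0xFFFF0000, "CA", "F"),
    Enrollment("S5", 0x00000000, "MX", "F"),
]
MAX_DISTANCE = 6   # Hamming distance at or below which an entry is a candidate

Hit = Tuple[str, int]


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def match_subset(subset: List[Enrollment], probe_template: int) -> Tuple[List[Hit], int]:
    """1:N comparison of the probe against a subset. Returns the candidate
    list and the number of comparisons performed (the computational cost)."""
    hits = [(e.subject_id, hamming(e.template, probe_template)) for e in subset]
    hits = sorted((h for h in hits if h[1] <= MAX_DISTANCE), key=lambda h: h[1])
    return hits, len(subset)


def build_bins(gallery: List[Enrollment],
               key: Callable[[Enrollment], tuple]) -> Dict[tuple, List[Enrollment]]:
    """Binning: permanent partitions keyed by exogenous data at enrollment."""
    bins: Dict[tuple, List[Enrollment]] = defaultdict(list)
    for e in gallery:
        bins[key(e)].append(e)
    return bins


def search_full(gallery: List[Enrollment], probe_template: int) -> Tuple[List[Hit], int]:
    return match_subset(gallery, probe_template)


def search_binned(bins: Dict[tuple, List[Enrollment]], probe_key: tuple,
                  probe_template: int) -> Tuple[List[Hit], int]:
    """Only the probe's own bin is searched; a wrong bin key means a
    pre-selection error that no threshold setting can recover."""
    return match_subset(bins.get(probe_key, []), probe_template)


def search_filtered(gallery: List[Enrollment], predicate: Callable[[Enrollment], bool],
                    probe_template: int) -> Tuple[List[Hit], int]:
    """Filtering: an ad hoc subset chosen at search time."""
    return match_subset([e for e in gallery if predicate(e)], probe_template)


if __name__ == "__main__":
    probe_template, probe_country, probe_sex = 0xA5A5F00E, "CA", "F"   # S3, one bit off
    by_country_sex = build_bins(GALLERY, lambda e: (e.country, e.sex))
    print("full    :", search_full(GALLERY, probe_template))
    print("binned  :", search_binned(by_country_sex, (probe_country, probe_sex), probe_template))
    print("filtered:", search_filtered(GALLERY, lambda e: e.country == probe_country, probe_template))
```

The full search finds S3 at the cost of five comparisons; the (country, sex) bin costs one comparison and misses S3 entirely because of the data-entry error; filtering on country alone costs two comparisons and still finds S3. That is the trade-off the text describes: the more fields winnowing relies on, the cheaper the search and the larger the exposure to errors in those fields.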
Moving to the Cloud
The Identix® Platform incorporates the features and benefits NIST identifies (in SP 800-145) as the “five essential characteristics” of a cloud service:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
While cloud computing is a relatively new technology, it is important to understand it did not develop in a vacuum, but has evolved through continuous innovation in hardware and software. As such, current deployments are already cloud-like, with many capabilities we associate with a cloud environment. These include:
• Metered services help control costs: Supporting “identity as a service”, what may have been a capital expense is now available in multiple business models, including “pay-as-you-go” models. This significantly reduces upfront implementation costs as well as ongoing operations and maintenance costs.
• Scalable for performance: Easily scales through the addition of new compute resources, with the processing load automatically distributed for optimal system performance.
• Efficient system management: Centralized dashboard facilitates access, configuration and monitoring of services, access to the API Catalog, and provides reporting and tools to manage the distributed system effectively.
• Flexible deployment models to meet your needs: OpenStack®, Amazon Web Services® and traditional/on-premise data center deployments are available to meet your specific needs for the processing, storage and networking that powers the platform.
• Simplify application development via REST: Representational State Transfer (REST) is an architectural style that supports system interoperability via HTTP verbs (GET, POST, PUT, DELETE, etc.). REST enables ease of integration into existing business logic, resulting in faster time-to-market for your authentication and identification applications.
• Virtualization: VMs are a key component of any cloud implementation. Virtualization often comes for “free.” That is, the complexity of the application(s) running on a VM is relatively low, thereby requiring minimal performance benchmarking and optimization. However, in the case of biometric matching, significant computing resources are consumed to achieve the required gallery sizes and associated matching speed. This requires a quantitative analysis of the available computing resources, impacts of multi-tenancy, system performance requirements and a host of other factors that must be considered to achieve the necessary performance.
Next-Generation Cloud Infrastructure
The platform will extend cloud-based capabilities across a number of dimensions, as the hosting environment is not just about the infrastructure, but the services architecture as well.
Deployment patterns: We are working to ensure the utmost in deployment pattern flexibility, offering private, public, and hybrid cloud capabilities, as well as support for traditional data center deployment when maximum control, security and isolation are required to meet mission objectives. The solution will operate on industry-leading cloud management solutions, further extending customer choice and operational control.
Multi-tenancy: A key concept in cloud computing, and one identified in NIST’s key characteristics, is multi-tenancy, or the use of shared compute resources by multiple applications and consumers. The key benefits are:
• Centralized infrastructure to reduce real estate, electrical and other costs
• Ability to dynamically adjust the compute resources to handle peak-load situations
• Increased system utilization and efficiency
Note that multi-tenancy is not appropriate for every deployment, due to security or other restrictions.
Metered services: A central underlying capability of supporting multi-tenancy is the ability to provide metered services, otherwise known as a “pay-as-you-go” model. Metered services offer two critical benefits to the service recipient:
• What was formerly a capital expenditure is now an operational expenditure, significantly reducing or even eliminating the upfront costs of implementing a new service. Users pay only for the services they use, when they use them.
• With metered services, and the inclusion of other core cloud capabilities, an agency could re-sell their services to another agency. For example, a local law enforcement agency could submit a set of fingerprints for searching to another local law enforcement agency or to the FBI for matching. The agencies providing the service could charge the requestor, not only to recoup their costs, but to realize a service fee as well.
Thin-client (a.k.a. web browser) examination: No longer just a simple application for displaying web pages, the modern browser has evolved into a full provider of application services that is quickly replacing the “thick” clients of old. Users will no longer need to acquire examination workstations for a particular operating system or hardware solution, nor will they be “locked in” to one physical device. Thin-client examination provides ubiquitous access to examination services through a range of devices. It also eliminates issues associated with updating client systems with new software versions and mitigates forward/backward compatibility issues.
NoSQL: In a cloud environment, a relational database management system (RDBMS) can be particularly hard to scale as data needs grow. NoSQL databases power some of the world’s largest repositories of information (e.g., Google and Facebook), and offer simplicity in design, horizontal scaling, finer control over availability, low latency and increased throughput.
The platform incorporates a mature set of infrastructure services to provide a cloud-based identity solution and software applications that can easily assemble complex systems for diverse business needs.
• Automated provisioning features enable on-demand scaling to support immediate identification needs of a major event and the release of resources afterward for consumption by other applications.
• Workflow traffic management scales to offer consistent throughput during peak daily, weekly and event-based demand cycles.
• Standards-based infrastructure is optimized to operate efficiently on minimum viable infrastructure and take full advantage of resources offered by large, multi-server, high-availability architectures.
• Metering and tracking services facilitate cost and budget sharing across agencies based on actual usage.
In addition to enhancements to the core product in support of private cloud environments, we also support public and community cloud configurations.
The solution provides for orchestrating concurrent deployment of multiple versions of applications and underlying solution dependencies. Workflow Manager is a central component to seamlessly support transitional stages to new software and standards versions. Workflow Manager business processes can dynamically adjust processing to handle requests simultaneously from multiple software and standards versions, allowing parallel operations. Our applications, including the Search Engine, feature forward-compatible APIs and internal messaging formats that enable rolling upgrades of software with minimal impact to operational system capacity. Forward/backward compatibility and minimization of system downtime are priorities for our mission-critical customers, and we lead the industry in developing software and processes that address this requirement.
The platform supports dynamic registration/de-registration of biometric gallery data and underlying computing resources, both physical and virtual. This ability allows for a rolling approach to be used during the transition from the current methodology to a virtualized or cloud environment, whereby legacy resources can be released as cloud resources are assigned to the system. With this capability, the transition can be orchestrated without impact to Disaster Recovery compliance requirements.
Cloud and Virtualization Capable
The platform supports deployment and operation in multiple contexts as defined by NIST. The customer is given access to application programming interfaces (API) on demand. In this model, the customer does not have to be concerned with installation, setup, or running of the application, as we or another service provider would provide that function.
The programmable solution provides integration through standards-based web-services interfaces. Customer systems are integrated on a subscription basis, with usage fees and data retention subject to an appropriate licensing model. License terms are tailored for the specific usage pattern and operational needs; several options are available, such as per transaction and/or per identity record capacity cost models, or a site license.
The solution is built to be deployed and managed via common industry methods found in infrastructure-as-a-service (IaaS) systems. Due to the strong alignment with IaaS, we are able to integrate into a private cloud, hosted cloud or hybrid service architecture. We can also provide cloud-based operations workflows for enabling identity-related processes, including standard Types of Transactions (TOTs).
The operational benefits in deployment orchestration are applicable to legacy fixed-workload environments as well. For customers who choose not to deploy in a cloud environment, our software applications offer the best of cloud-readiness. The open-standards-based APIs, deployment automation, and operational efficiency can be leveraged within the customer’s traditional data center environment. The platform offers a state-of-the-art identity matching solution with scalability and proven, best-value technology as its underpinnings – yet brings powerful new capabilities and flexibility for customer-driven architectural requirements to virtualized, cloud-based environments as required.
Search Engine
The engine is configured to ensure no single point of failure, with Active-Active load sharing out of the box. Client systems can communicate with any integration point (Integration Service) in the cluster and have full access to all system services. Every component is clustered and fault tolerant, ensuring there is no single point of failure and no single point of repair.
Support of the Red Hat Enterprise Linux and CentOS operating systems allows for lower operating system costs. Importantly, Red Hat Enterprise Linux implements redundancies in all aspects of its operating system capabilities so that the Search Engine can be configured with no single point of failure and no required downtime for routine maintenance. With this OS, the Search Engine can support very high availability (99.9% uptime) requirements.
Moving forward, we will look to continue to improve transaction processing rates with each new release. Our historical track record has demonstrated our ability to show faster and faster speeds, with no negative impact on accuracy.
Scalability
The platform is designed to scale from small, portable systems to very large, national systems, with single mode or multi-modal biometric services in one integrated software package. The configuration of the required production hardware depends on a number of factors, including database size, throughput, and availability requirements.
The environment supports both Windows and Linux solutions for alignment with existing IT enterprise solutions. The solution can be deployed on your choice of COTS servers running Microsoft 64-bit Windows Server 2012 or Red Hat Enterprise Linux 7. This assures customers of a low overall cost of operation, with the ability to easily scale and integrate with current and future systems as needs change and grow. Designed with a high level of internal configurability, the components run on the next generation of multi-core processors with no software change required, thanks to software abstractions that are all openly described and configurable by the customer.
Recognizing that customer solutions do not always align with the release schedules of COTS hardware providers, we have given the core distribution design the ability to incorporate multiple generations of hardware, with varying capacities and throughputs, into a single unified search that automatically corresponds to the speed of the underlying hardware.
Peak performance is assured as the system evolves: hardware with higher processing capacity enhances the performance of individual components and optimizes the performance of heterogeneous hardware environments, so the Search Engine self-optimizes its performance on multi-generational hardware, self-managed server farms, and “in-the-cloud” virtual server services.
We can integrate into infrastructure as a service and solution as a service implementations using OpenStack in a private solution. Our system architecture makes it straightforward to add hardware without taking the system offline. Systems can be scaled in four dimensions within a single system footprint:
• Vertical Scaling - addition of processing cores, RAM and hard drive capacity on a single hardware server.
• Horizontal Scaling - addition of vertically scaled machines to the Group of Biometric Services supporting each gallery to reduce search latency.
• Parallel Scaling - addition of multiple gallery replicas to increase search throughput.
• Partitioned Scaling - division of galleries into separately resourced partitions.
Biometric Services (BS): The biometric services provide all primary biometric processing. They perform identification, verification, template creation, quality analysis, segmentation, and sequence checking. As galleries are “stateful” – meaning they contain quantities and types of template data – galleried biometric services are able to detect when the set of servers constituting a gallery is nearing maximum capacity. When this occurs, the system re-assigns a Spare Pool server to gallery membership, providing the additional template storage needed. This enables the Search Engine to automatically expand to accommodate increased server utilization and offers a simple method for adding new servers via the Spare Pool. Bringing one or more new BSs on-line to increase system capacity does not affect normal operations. We designed our communication to be low-latency so that when hardware is added, transaction throughput scales linearly.
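A constructed illustration of the Spare Pool behaviour described above, not MorphoTrust's implementation: a gallery whose pending enrollment would cross an assumed 90% utilization threshold pulls a server from the Spare Pool before accepting the templates, records the reassignment, and fails closed when no spare remains. Per-server capacity, the threshold and the hostnames are assumptions.

```python
from dataclasses import dataclass

TEMPLATES_PER_SERVER = 1_000_000   # assumed per-server template capacity
EXPAND_THRESHOLD = 0.90            # assumed utilization that counts as "nearing maximum"

class CapacityExhausted(Exception):
    """Raised when a gallery needs another server but the Spare Pool is empty."""

@dataclass
class Gallery:
    name: str
    servers: list       # member Biometric Services hosting this gallery
    templates: int = 0  # templates currently stored across those servers

    @property
    def capacity(self):
        return len(self.servers) * TEMPLATES_PER_SERVER

class SearchEngine:
    def __init__(self, galleries, spare_pool):
        self.galleries = {g.name: g for g in galleries}
        self.spare_pool = list(spare_pool)
        self.events = []    # (gallery, server) reassignments, kept for the audit trail

    def enroll(self, gallery_name, count):
        """Accept templates into a gallery, first expanding it from the Spare Pool
        if the enrollment would push utilization to or past the threshold."""
        g = self.galleries[gallery_name]
        projected = g.templates + count
        while projected / g.capacity >= EXPAND_THRESHOLD:
            if not self.spare_pool:
                # Fail closed: leave the stored templates unchanged rather than overfill.
                raise CapacityExhausted(f"{g.name} would reach {projected / g.capacity:.0%}")
            server = self.spare_pool.pop(0)
            g.servers.append(server)
            self.events.append((g.name, server))
        g.templates = projected
        return g.templates / g.capacity

# Constructed deployment: one two-server fingerprint gallery and two spare servers.
def demo():
    engine = SearchEngine([Gallery("finger", ["bs-01", "bs-02"])], ["bs-spare-01", "bs-spare-02"])
    engine.enroll("finger", 1_850_000)   # 92.5% projected -> pulls bs-spare-01
    engine.enroll("finger", 900_000)     # 91.7% projected -> pulls bs-spare-02
    return engine
```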
WorkFlow Manager
Workflow Manager (WFM) is a software application that serves as a framework upon which to build different kinds of activators, communications protocols and standards. Workflow Manager contains an embedded Business Process and Rules engine that allows flexibility and configurability in developing complex process decisions, including the decisions needed to implement standards conformance and interoperability with other biometric systems. The service-oriented architecture (SOA) allows for drop-in adapters and activators to interface with new services. The benefit is modern flexibility for the customer with a SOA-based solution that requires less vendor support and is easily integrated with other existing and future components.
Workflow Manager is capable of implementing rules related to data sharing between agencies and data access based on clearance levels. Multiple agencies have implemented data sharing agreements restricting fields that can be shared depending on the submitting and receiving entities. Rules can be built based on policies developed in interagency Memorandums of Understanding and data classifications allowing for automated customized access to data. Checking these rules at the time of transaction receipt and each point of data transfer (e.g. search request of an external system or building of a response request) will prevent unauthorized transactions and data access.
A business process can be defined to act dynamically based upon the content of the request and the requestor. The business process can dynamically:
• Select which biometric standard/application profile to use for reading incoming requests, allowing requests from a variety of sources using different standards to be handled automatically. Continuing backward compatibility allows agencies to upgrade older collection devices at convenient points in their technology lifecycles, reducing acquisition and training costs as well as operational disruptions.
• Determine which biometric systems to access to fulfill the request and convert from one biometric standard to another, if necessary, to complete the transaction.
• Determine if the requestor has authorization to perform the transaction and ensure that returning data conforms to data security policies for that specific requestor.
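The rule checks described above, as an added example that is not MorphoTrust code: sharing rules keyed by submitter, receiver and transaction type carry a minimum clearance and an allowed field set, and they are evaluated once at transaction receipt and again when the response is built, so a requestor never receives fields outside the agreement. Agency names, clearance labels, transaction names and record fields are constructed.

```python
from dataclasses import dataclass

# Clearance levels ordered from least to most restricted (constructed labels).
CLEARANCE_RANK = {"PUBLIC": 0, "SENSITIVE": 1, "SECRET": 2}

class UnauthorizedTransaction(Exception):
    """No sharing agreement covers the request, or the requestor's clearance is too low."""

@dataclass(frozen=True)
class SharingRule:
    submitter: str              # entity submitting the transaction
    receiver: str               # entity whose data is being accessed
    transaction: str            # Type of Transaction, e.g. IDENTIFY or VERIFY
    min_clearance: str          # minimum clearance the requestor must hold
    allowed_fields: frozenset   # fields the receiver may release to this submitter

@dataclass(frozen=True)
class Request:
    submitter: str
    receiver: str
    transaction: str
    clearance: str              # clearance asserted for the requestor

# Constructed rules standing in for the field restrictions of an interagency MOU.
RULES = (
    SharingRule("AGENCY_A", "AGENCY_B", "IDENTIFY", "SENSITIVE",
                frozenset({"identity_id", "name", "match_score"})),
    SharingRule("AGENCY_A", "AGENCY_B", "VERIFY", "PUBLIC",
                frozenset({"identity_id", "match_score"})),
)

# Constructed candidate record as the receiving system would hold it internally.
SAMPLE_RECORD = {"identity_id": "ID-0001", "name": "J. Doe", "address": "1 Example St",
                 "match_score": 0.97, "fingerprint_template": b"\x00\x01"}

def authorize(rules, req):
    """Check at transaction receipt: reject unless a rule exists and clearance suffices."""
    key = (req.submitter, req.receiver, req.transaction)
    rule = next((r for r in rules if (r.submitter, r.receiver, r.transaction) == key), None)
    if rule is None:
        raise UnauthorizedTransaction(f"no sharing agreement for {key}")
    if CLEARANCE_RANK[req.clearance] < CLEARANCE_RANK[rule.min_clearance]:
        raise UnauthorizedTransaction(f"{req.clearance} is below required {rule.min_clearance}")
    return rule

def build_response(rules, req, record):
    """Check again when the response is built, then release only the allowed fields."""
    rule = authorize(rules, req)
    return {k: v for k, v in record.items() if k in rule.allowed_fields}
```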
Workflow Manager Scalability
Workflow Manager features a micro-service architecture, with all components deployed as self-contained services and each focused on one area. This architecture allows for dynamic allocation of system resources to areas of transaction processing that need them the most. This approach lends itself to parallel processing of transactions and independent scaling for specific transactional needs across the lifecycle of the solution. This also allows Workflow Manager to perform parallel processing of transactions based on the data in the transaction or specific rules defined for the solution, while independently scaling specific areas to meet associated SLA requirements for a given transaction’s type or priority.
Identity Manager
Identity Manager features a standards-based integration interface built on WS-I Basic Profile Web services and J2EE. Identity Manager can serve as a durable repository for encounter and identity data as part of a system of record. Identity Manager manages information about identities – specifically biometric properties of identities – and distinguishes between Encounter Data and Identity Data. The most reliable identity data available can be organized in a single “Golden Record” within the Identity Manager framework. We refer to this as the Active Set in the information below; it should be noted that a Golden Record is meant to include only the most accurate biographic and biometric information, data that has been verified in some manner. We differentiate the concept of source data (encounters, i.e. individual interactions with a given person) from the concept of identity (the meaning of those data, based on biometric and biographic information). This allows agencies to maintain high-level identity records with the best available biographic and biometric data in a way that is separate from, but directly related to, data collected during one or more encounters with an individual. The data collected during those encounters may differ over time as a person relocates to a different address, changes nationality or marital status (and last name, for some women), crosses borders, or interacts with law enforcement agencies, for instance.
Identity Manager allows custom rule-based processing of encounter data to define the basis of an identity decision, for example biometric validation versus external system reference versus biographic data across the encounters. This processing can incorporate manual biographic data entry and is dynamic in that it can result in controlled, ongoing updates to identity associations with underlying encounter data. Since all operations can affect identity disposition, they are audited and traceable.
Using Identity Manager to organize biographic and biometric data provides agencies with a means to determine a specific level of confidence. Since the Active Set is a record that includes the latest available biographic information (e.g. current address) and the best quality or most recent biometric data (depending on modality), Identity Manager implicitly improves the level of confidence that the collection of identity-related information truly describes a unique person.
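An added example, not Identity Manager's own code, of deriving an Active Set from encounter data as described above: biographic fields take the latest non-empty value, biometrics take the best-quality sample for fingerprint and face and the most recent capture for other modalities (an assumed policy), and each chosen field records the encounter it came from so the result stays traceable to its source data. Encounters, quality scores and template labels are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Encounter:
    encounter_id: str
    when: date
    biographic: dict                                # field -> value; None means not captured
    biometrics: dict = field(default_factory=dict)  # modality -> (template_ref, quality 0-100)

# Assumed policy: modalities with a meaningful quality score keep the best sample;
# any other modality keeps the most recent capture.
BEST_QUALITY_MODALITIES = {"fingerprint", "face"}

def build_active_set(encounters):
    """Derive the Active Set from encounters; also return which encounter supplied each field."""
    ordered = sorted(encounters, key=lambda e: e.when)  # oldest first, so later values win
    active = {"biographic": {}, "biometrics": {}}
    provenance = {}
    for enc in ordered:
        for name, value in enc.biographic.items():
            if value is not None:                       # a missing value never erases a known one
                active["biographic"][name] = value
                provenance[("biographic", name)] = enc.encounter_id
        for modality, (template, quality) in enc.biometrics.items():
            current = active["biometrics"].get(modality)
            if modality in BEST_QUALITY_MODALITIES:
                take = current is None or quality > current[1]
            else:
                take = True                             # chronological order: latest wins
            if take:
                active["biometrics"][modality] = (template, quality)
                provenance[("biometric", modality)] = enc.encounter_id
    return active, provenance

# Constructed encounters for one person over three years; templates are labels, not data.
ENCOUNTERS = [
    Encounter("ENC-1", date(2013, 3, 1), {"surname": "Doe", "address": "1 Old Rd"},
              {"fingerprint": ("fp-A", 85), "face": ("face-A", 60)}),
    Encounter("ENC-2", date(2014, 6, 15), {"surname": None, "address": "2 New Ave"},
              {"fingerprint": ("fp-B", 70), "iris": ("iris-B", 90)}),
    Encounter("ENC-3", date(2015, 9, 9), {"surname": "Smith"},
              {"face": ("face-C", 75), "iris": ("iris-C", 80)}),
]
```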
Establishing a Trusted Golden Record
Through the successful delivery of identity services and solutions to support the largest enterprise-level, mission-critical identity programs, we have developed systems, lessons learned, and expertise to design standards-driven construction of a “Golden Record”: the single authoritative record holding comprehensive unique data associated with an individual. The solution cleanses data, builds associations, and links identities to ensure there is no duplication of data pieces. This helps to reduce fraud and ensures that secure credentials are issued only to the correct individual and that there is only one record associated with each person in a system of record.
Persistent Vetting
Persistent vetting is another area in which we are investing resources. For certain identity-related tasks, it is not enough to identify a person once via biometric and/or biographic data. Watchlisted individuals and other high-risk profiles should be monitored continuously, requiring real-time identification to watch for anomalies. Biometrics, biographic data, “patterns of life”, opinion/intent and behavior data exist in various databases across agencies. Much of the data collected is not yet leveraged and could be with appropriate algorithms and data interfaces. There is an increasing need to provide not only a Golden Record and point-in-time background checking, but real-time, ongoing threat analysis. This is where persistent vetting can be applied.
We are a global leader in biometric algorithms and have a world-class research team well-versed in machine learning techniques that can branch out into textual and other data sources, in addition to fusing varied data for usable intelligence. Our software engineers can also integrate data and services and have extensive qualifications in full-scope concept of operations evaluation systems (Universal Enrollment Solution, E-CAT) that can aggregate risk determinations from real-time data feeds.
Summary
With the introduction of the Identix TIaaS platform, we continue our role as a thought leader in biometric identification and transaction processing, allowing agencies such as yours to address real-world identification challenges with best-in-class solutions and technology. We welcome the opportunity for continued discussion with you on any of the topics addressed in this paper.
© 2015 MorphoTrust USA, LLC. All rights reserved.
All trademarks and registered trademarks are the property of their respective owners.