CIS13: Follow the Money

Andrew Nash
Despite what we may wish to implement in our identity architectures, large-scale identity deployments are driven by financial value. This session examines recent thinking on how identity attribute models are likely to be deployed, the values and roles of the various participants and the challenges of how value is distributed among the participants.


  1. Follow the Money: Business Filters on Technology

  2. Things don't get simpler …
     • Identity is no longer about 3 parties
     • Attributes are as interesting as identifiers
     • Fresh information is a business driver
     • Identity assurance is giving way to attribute confidence
     • Consumer IDPs are in full swing
     • Useful systems can be built without being the account owner
     • Brand recognition is as important as trust
     • Internet ID is not just about anonymity
     • Identities and attributes are a multi-variable calculus
     Diagram: "The 3-Party Model" (User, Identity Provider, Relying Party), with UMA noted alongside.

  3. Identity Ecosystem Entities
     Diagram: User, Identity Provider, Relying Parties, Attribute Providers, Attribute Exchange, Authorization Manager.

  4. Who Adds Value & What is it?
     • Aggregation of service capabilities tends to confuse the conversation
       – Not clear that *any* provider can cover all aspects
     • Authentication services don't provide identity
     • IDPs may provide identities, more frequently provide identifiers
     • IDPs outside of enterprise context do not originate identity attributes
       – Not authoritative(?) & not a fresh source
     • Internet2 work on attribute format
       – Semantics are less understood

  5. Verified Phone #'s
     • Any may be "correct" or sufficient
     • It costs more to do "better"
     • Most of these may be devalued by some mobile providers, including Twilio
     Diagram: ladder of verification levels, from cheapest to most expensive: Syntactically Correct → Allocated # → Response Consistently Asserted → Account Holder Name Match → Positive Event → Temporal/Spatial Correlation.

  6. Authoritative Sources
     • Location
       – No longer the purview of telcos
       – Compliance constraints
     • Sources of a "verified" mobile #
       – OnTrac, UPS, FEDEX enable package tracking
       – Yelp delivers recommendations to my phone
       – Not tied to an "address"
       – Usually tied to an identifier

  7. Fresh Information Delivery
     • When is fresh information delivered?
     • My identity validated and an identifier issued 5 years ago
       – As useful as a birth certificate
       – Not appropriate for transactional value
     • What channels are used
       – IDPs may not wish to be in the information flow
       – Fresh data criteria may be different to session limits and may be set by different policy domains
     • AXN Attribute Criteria
       – Refresh Rate

  8. Deriving Attribute Confidence

     Data Type        Metric | Availability/Timing  Metric | Geographic Coverage  Metric | Refresh Rate  Metric
     Authoritative    5      | Real-time            1      | Global               3      | Real-Time     5
     Aggregated       4      | Not Real-time        0      | National             2      | Daily         4
     Direct Captured  3      |                             | State/Province       1      | Weekly        3
     Self Asserted    2      |                             | N/A                  0      | Monthly       2
     Derived          1      |                             |                             | Annually      1
     N/A              0      |                             |                             | Never         0

     (Annotation on the "Derived" row: this is a derived attribute.)

     Verification Method    Metric | Level of Confidence  Metric | Coverage Amount  Metric | Currency/Refresh Date
     Verified by Issuer     4      | High                 3      | Full             3      | Actual Date
     Verified by 3rd Party  3      | Med                  2      | Partial          2      |
     Out of Band            2      | Low                  1      | Minimal          1      |
     Not Verified           1      | None                 0      | N/A              0      |
     N/A                    0      |                             |                         |

     LOC (level of confidence) = fcn(Data Type, Verification Method, Refresh Rate, Currency)
     Pricing = fcn(LOC, Coverage, Attribute Type)
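The slide gives the metric scales but leaves both functions as "fcn". The following is an added worked example, not code from the deck or from Andrew Nash: it encodes the slide's scales as written and then fills in one assumed way of combining them (a normalised weighted sum banded onto the slide's High/Med/Low/None scale, a currency score derived from the refresh date against the refresh rate, and a per-attribute-type base price). The weights, the refresh periods, the base prices and the sample assertions are all constructed for illustration. It also carries the point from the "Fresh Information Delivery" slide: an issuer-verified identifier that was last refreshed five years ago scores only Med, and a self-asserted, never-refreshed value prices at zero.

```python
"""Attribute-confidence scoring built from the 'Deriving Attribute Confidence'
slide. The scales are the slide's; the combination rules, refresh periods,
prices and sample data below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Metric scales copied from the slide (name -> metric).
DATA_TYPE = {"authoritative": 5, "aggregated": 4, "direct captured": 3,
             "self asserted": 2, "derived": 1, "n/a": 0}
VERIFICATION = {"verified by issuer": 4, "verified by 3rd party": 3,
                "out of band": 2, "not verified": 1, "n/a": 0}
REFRESH_RATE = {"real-time": 5, "daily": 4, "weekly": 3, "monthly": 2,
                "annually": 1, "never": 0}
COVERAGE_AMOUNT = {"full": 3, "partial": 2, "minimal": 1, "n/a": 0}

# Assumed: how long a value stays "current" for each refresh rate.
REFRESH_PERIOD = {"real-time": timedelta(hours=1), "daily": timedelta(days=1),
                  "weekly": timedelta(days=7), "monthly": timedelta(days=31),
                  "annually": timedelta(days=366), "never": None}

# Assumed base price per attribute type (the slide's "Attribute Type" input).
BASE_PRICE_CENTS = {"mobile_number": 10, "postal_address": 5}


@dataclass(frozen=True)
class AttributeAssertion:
    name: str            # attribute type, e.g. "mobile_number"
    data_type: str
    verification: str
    refresh_rate: str
    coverage: str
    refresh_date: date   # the slide's "Currency/Refresh Date: Actual Date"


def currency_metric(a: AttributeAssertion, today: date) -> int:
    """Assumed currency score 0..2: 2 if refreshed within one refresh period,
    1 within two periods, 0 if older or if the attribute is never refreshed."""
    period = REFRESH_PERIOD[a.refresh_rate]
    if period is None:
        return 0
    age = today - a.refresh_date
    if age < timedelta(0):
        raise ValueError("refresh date lies in the future")
    if age <= period:
        return 2
    if age <= 2 * period:
        return 1
    return 0


def level_of_confidence(a: AttributeAssertion, today: date):
    """LOC = fcn(Data Type, Verification Method, Refresh Rate, Currency).
    Assumed rule: each input normalised to 0..1 by its scale maximum, weighted
    sum, then banded onto the slide's Level of Confidence scale."""
    terms = [(DATA_TYPE[a.data_type] / 5, 0.35),
             (VERIFICATION[a.verification] / 4, 0.35),
             (REFRESH_RATE[a.refresh_rate] / 5, 0.15),
             (currency_metric(a, today) / 2, 0.15)]
    score = sum(value * weight for value, weight in terms)
    if score >= 0.75:
        band, metric = "High", 3
    elif score >= 0.5:
        band, metric = "Med", 2
    elif score >= 0.25:
        band, metric = "Low", 1
    else:
        band, metric = "None", 0
    return round(score, 3), band, metric


def price_cents(a: AttributeAssertion, today: date) -> int:
    """Pricing = fcn(LOC, Coverage, Attribute Type). Assumed rule: base price
    for the attribute type scaled by the LOC metric and the coverage metric,
    so a zero-confidence or uncovered attribute is worth nothing."""
    _, _, loc_metric = level_of_confidence(a, today)
    return BASE_PRICE_CENTS[a.name] * loc_metric * COVERAGE_AMOUNT[a.coverage]


def evaluate(a: AttributeAssertion, today: date) -> dict:
    score, band, metric = level_of_confidence(a, today)
    return {"loc_score": score, "loc_band": band, "loc_metric": metric,
            "price_cents": price_cents(a, today)}


def score_samples() -> dict:
    """Three constructed assertions scored against a fixed reference date."""
    today = date(2013, 7, 10)  # constructed reference date
    samples = {
        "fresh_issuer_verified": AttributeAssertion(
            "mobile_number", "authoritative", "verified by issuer", "daily",
            "full", date(2013, 7, 9)),
        # The slide's "identifier issued 5 years ago" case.
        "stale_issuer_verified": AttributeAssertion(
            "mobile_number", "authoritative", "verified by issuer", "annually",
            "partial", date(2008, 7, 10)),
        "self_asserted": AttributeAssertion(
            "mobile_number", "self asserted", "not verified", "never",
            "minimal", date(2013, 7, 10)),
    }
    return {label: evaluate(a, today) for label, a in samples.items()}


if __name__ == "__main__":
    for label, result in score_samples().items():
        print(f"{label:24s} {result}")
```

Run as a script it prints the three results; the stale but issuer-verified number drops from High to Med purely on refresh rate and currency, which is the slide's argument that a five-year-old identifier is not a transactional-grade attribute.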
  9. Attribute Exchange Networks
     Diagram: "Simple Attribute Exchange". Attribute Providers supply Source Attributes to the Attribute Exchange, which delivers Attributes to Relying Parties.

  10. Attribute Redistribution in the Enterprise
     Diagram: "Enterprise Internal Attribute Distribution". Attribute Providers supply Source Attributes to the Attribute Exchange; the Enterprise receives Attributes and redistributes them to its internal Relying Parties.

  11. IDP Trusted Identity Establishment
     Diagram: "Verified Identity/Credential Establishment & Use". Attribute Providers and the Attribute Exchange feed a Verified Identity to the Identity Provider, which is used by the Login Client.

  12. Trusted IDs with Associated Attributes
     Diagram: "Verified Identity/Credential + Attribute Exchange". Attribute Providers and the Attribute Exchange supply both the Verified Identity and Identity Attributes to Identity Providers.

  13. USER / RELYING PARTY
     "If I had more time, I would have written less…"

  14. Direct Attribute Association
     Diagram: "Direct to RP Model". Attribute Providers supply the Attribute Exchange, which delivers Attributes directly to Relying Parties.

  15. Policy based Facilitation
     Diagram: "Facilitated Direct to RP Model". As in the direct model, with Control + Accounting applied on the exchange's links to Attribute Providers and to Relying Parties.

  16. Layered Ecosystem
     • Why is it everyone talks about authentication?
     • "Our ubiquitous biometrics sign-in APIs supporting multiple biometrics types will solve all your problems"
     • "I have TPMs in every xyz product on earth – I should be in the Identity Business"
     • "I own 70% of the PC market – I should be an IDP"

  17. Abstract
     Despite what we may wish to implement in our identity architectures, large-scale identity deployments are driven by financial value. This session examines recent thinking on how identity attribute models are likely to be deployed, the values and roles of the various participants and the challenges of how value is distributed among the participants.