
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity




  1. © 2016 ForgeRock. All rights reserved. A Citizen-Centric Approach to Identity. ForgeRock Executive Breakfast.
  2. FORGEROCK IS THE LEADING, NEXT-GENERATION IDENTITY SECURITY SOFTWARE PLATFORM. Founded 2010; 10 offices worldwide with headquarters in San Francisco; 350+ employees; 450+ customers; 30+ countries; $52M funding to date (through Series C) by Accel Partners, Foundation Capital and Meritech Capital Partners.
  3. Improving the Quality of Government Services with Citizen-Focused Identity Management. Daniel Raskin, SVP Product Management.
  4. What are the trends?
  5. Hype Cycle for Digital Government Technology, 2016.
  6. The Top 10 Strategic Technology Trends for Government in 2016.
  7. Top Investment Areas: CIOs in the Asia/Pacific and EMEA regions indicate digitalization is a much higher priority than their North American peers.
  8. Digital Transformation: Top Three Expected Outcomes.
  9. 2016 CIO Agenda: A Government Perspective. Key findings: digital service transformation is at the embryonic stage of maturity in government; analytics, infrastructure and cloud computing continue to be the top three technology priorities for government CIOs in all tiers and regions, while security and privacy concerns are at an all-time high; CIOs report a 34% adoption rate of bimodal IT in government, slightly lagging behind private industry (38%).
  10. What is the role of identity?
  11. Identity Access Management: customers (millions), on-premises, people, applications and data, PCs (endpoints), workforce (thousands). Identity Relationship Management: partners and suppliers, customers (millions), on-premises, public cloud, private cloud, people, things (tens of millions), applications and data, PCs, phones, tablets, smart watches (endpoints). Digital Transformation & Customer Engagement Require Identity Relationship Management (IRM).
  12. Unified, Omnichannel Citizen Experience: Single View, Contextual, Adaptive, Privacy & Consent, Intelligence, Security, Persistent Identity. Persistent Identity Across Government Channels: Mobile Ready, Open Data, Citizen Services, Business Services, Smart City.
  13. Identity Management Evolves to Relationship Management: Identity Lifecycle Management for Users, Devices, Things & Services.
  14. Contextual Security, Taking Safety to the Next Level: Passwordless Authentication; Register Device for First Time; Authorize Access to Citizen Services; Authorize family members to use account; Authorize Data to Device / Thing.
  15. Contextual Identity, Enriching the Experience: "Did you just submit your taxes?" "Did you just register a new car?" "Kayoko is requesting access to your 2015 taxes. Ok?" "Did you just conduct a transaction on our citizen portal?" "We noticed you are using a new iPhone. Would you like to register this device?" "Did you request access to your birth certificate online?"
  16. Contextual Identity: Authentication, Authorization and Consent. Mobile Passport, Citizen, Government Official.
  17. SOA is Dead, but Services on the Rise! 1990s and early: Pre-SOA, monolith to change. 2000s: Traditional SOA, autonomous but coordinated. Present: Microservices, decoupled and independent. (PWC, Agile coding in enterprise IT: Code small and local.)
  19. Service to Service Interaction: Authentication, Authorization and Consent. https://api.australia.gov/v1/userinfo; Authenticate API; Authorize API Calls; Authenticate API.
  20. Scaling to Support Distributed Cloud Architectures. Stateless Architecture: flexible deployment option to address cloud elasticity and massive horizontal scalability; configuration can be on a per-realm basis; stateless = state information is encoded in the JWT token; stateful = tokens persisted in the Core Token Service. Diagram: OpenAM servers on AWS1, AWS2, AWS3; microservices; client app; distributed cloud environment.
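Slide 20's stateless versus stateful distinction, as an added illustration that is not OpenAM code: a self-contained HS256 JWT that any server holding the key can validate without shared storage, beside an opaque token that must be looked up in (and can be revoked from) a central store standing in for the Core Token Service. The signing key, realm name and token layout are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

# Constructed example key; a real deployment keeps this in the server's keystore.
SIGNING_KEY = b"example-signing-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- Stateless: the session itself travels inside a signed JWT (HS256) ---
def issue_stateless(subject, realm, ttl, now):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": subject, "realm": realm,
                                 "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def validate_stateless(token, now):
    """Any server holding the key can validate: no lookup in shared storage."""
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None                      # forged or tampered
        header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(c))
    except ValueError:                       # malformed base64 or JSON
        return None
    if header.get("alg") != "HS256":         # refuse alg switching ("none", RS256 ...)
        return None
    if claims.get("exp", 0) <= now:          # expiry is the only revocation you get
        return None
    return claims

# --- Stateful: an opaque token that points at state held in a central store ---
class TokenStore:
    """Stands in for the Core Token Service: every server must be able to reach it."""
    def __init__(self):
        self._sessions = {}

    def issue(self, subject, realm, ttl, now):
        tok = secrets.token_urlsafe(32)
        self._sessions[tok] = {"sub": subject, "realm": realm, "exp": now + ttl}
        return tok

    def validate(self, tok, now):
        s = self._sessions.get(tok)
        return s if s and s["exp"] > now else None

    def revoke(self, tok):
        # Immediate revocation is what stateful buys; a stateless JWT stays
        # valid until exp unless you also keep a deny-list (which is state).
        self._sessions.pop(tok, None)
```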
  22. The Cloud Conundrum: No Portability! Identity Baked in and Constrained to Each Cloud!
  23. The Abstraction of Identity ... Again: OAuth2/OIDC, OAuth2/OIDC, OAuth2/OIDC, OAuth2.
  24. Cloud Automation
  25. Cloud Native: Cattle versus Pets
  26. Cloud Native: Kangaroos versus Koala Bears
  27. Cloud Native: Cattle versus Pets. Cattle (elastic): cattle are numbers; they are almost identical; when ill, get another (kill it!); thousands of cattle on a farm. Pets (inelastic): pets have names like "pussnboots"; they are lovingly hand raised; when ill, nursed back to health; 1 or 2 pets in a house.
  28. Container Management & Deployment: Product Configuration, Product Manifests, ForgeRock Images (Java Image, Tomcat Image, ... Other Images), Docker Repository.
  29. Platform Ubiquity
  30. We Must Be Better: Authentication, Authorization, Multi-Factor, Adaptive Risk, Self Service, Directory, API Security, GRC, ...
  31. Unified Platform, built from open source projects: Access Management, Identity Management, Identity Gateway, Directory Services. Capabilities shown: UMA Provider, Mobile OTP App, Synchronization, Auditing, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Monitoring, Groups, Password Policy, Active Directory Pass-thru, Reporting, Authentication, Authorization, Provisioning, User Self-Service, OIDC / OAuth2, Federation / SSO, Workflow Engine, Reconciliation, Password Replay, SAML2, Adaptive Risk, Stateless/Stateful, Registration, Role Provisioning, Message Transformation, API Security, Scripting, UMA Resource.
  32. U.S. Federal Customers: Homeland Security, Navy, DISA, Labor, Treasury, Energy, Commerce, Defense.
  33. Global Government Success ...: Norway (all gov't agencies), Belgium (citizen ID), Canada (citizen services), New Zealand (citizen services), France (unemployment, retiree services), Australia (Tax Office), UK (NHS, BBC), Switzerland (national court system).
  34. Identity Relationship Management: Talkin' Bout a Revolution. Relationship Management, Cloud Automation, Cloud Readiness, Platform Ubiquity, Microservices Architecture, Contextual Identity.
  35. Thank You
  36. Doing Authorisation, Consent, and Delegation Right With UMA. Eve Maler, VP Innovation & Emerging Technology, @xmlgrrl.
  37. Image: flickr.com/photos/vincrosbie/16301598031/ (CC BY-ND 2.0)
  39. Image: flickr.com/photos/delmo-baggins/3143080675 (CC BY-ND 2.0)
  40. Attribute sharing scenarios. In the next stage of the project … [t]he team will be investigating and testing this to further address the thorny issues of trust and transparency when gaining citizens' permission. … "[E]ligibility for some services can be quite dynamic, for example, as the level of an individual's in-work benefits varies, and it may be necessary to carry out on-going eligibility checks from time to time. UMA gives the individual a place to go online where they can see and manage all the consents they have given to different organisations. Until now, managing ongoing consent was tricky," [Ian Litton] added. "Typically, you asked individuals to consent at a point in time. They tick the T&Cs, which they never see again. UMA should fix that problem." -- UKA Local Digital, 3 March 2016
  41. Consumer/clinical health IoT scenarios
  42. UMA roles: resource owner, requesting party, authorization server, resource server, client. Interactions: manage, delegate, control, negotiate, protect, authorize access, consent, revoke, deny. Scenario: Bruce Wayne shares device data with Dr. McCoy.
  54. Why enable personal data sharing? Clinical research, better care, data accuracy.
  55. Why ensure personal control of sharing? New IoT needs, new regulatory pressures.
  56. The same architecture applies to Google Apps-style delegation. "The enterprise interprets access control as damage and routes around it."
  57. Why enable constrained delegation? Security/authn, governance, APIs/IoT.
  58. Why formalize federated authorization? Business ownership, standard access model.
  59. The CMO and the CPO can and must meet in the middle. Risk management perspective: "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…" Business perspective: we value personal data as an asset; our customers' wishes have value; our customers have their own reasons to share, not share, and mash up data, which we can address as value-add.
  60. The ForgeRock Identity Platform includes two UMA components: UMA Provider (access management) as the authorization server and UMA Protector (gateway) as the resource server; client sample code is provided.
  61. ForgeRock, ForgeRockIdentity, Forgerock.com, Forgerock.com/blog. Thank you!
  62. Questions? Wrap Up: feedback forms; your local ForgeRock team: Adam Butler, Federal Government Director; Adam Biviano, Senior Solutions Architect.

Editor's Notes

  • Give a little background about ForgeRock
    Securing over 500 Million Identities
    Built for telco-scale
    Huge enterprise implementations
    Capital efficient
    Truly global in nature
    Multi-national engineering centers
    400+ large enterprise & government customers
  • Daniel
  • We have been helping governments worldwide and, in addition to Norway, have a number of impressive deployments.
  • Consumer trust of businesses has never been great.
    But it’s demonstrably at an ebb in the post-Snowden era when it comes to personal data.
    There’s qualitative and quantitative evidence telling the story.
    Image source: https://www.flickr.com/photos/vincrosbie/16301598031/
  • Latest evidence:
    Spotify last August: simple privacy policy change alarmed customers
    Complaints, threats to leave (e.g. new Apple Music)
    Lesson: commoditized? low switching costs, lack of sensitivity can hurt you even if the change wasn’t materially negative
    Mobile Ecosystem Forum IoT consumer survey: trust issues biggest concern
    NEW: On The Dark Web, Medical Records Are A Hot Commodity: Medical records go for US$60 each
    NEW: “In January of this year, Melbourne’s largest hospital network was significantly impacted when a computer virus affected the hospital’s Windows XP systems, disrupting meal delivery and pathology results.”
    (See: http://www.dw.com/en/spotify-feels-the-burn-after-privacy-policy-flub/a-18665269)
    (See: http://www.fastcompany.com/3061543/on-the-dark-web-medical-records-are-a-hot-commodity)
    (See: http://securityaffairs.co/wordpress/49472/data-breach/data-breaches-healthcare-sector.html)
    (See: http://www.bizreport.com/2016/04/21-globally-have-concerns-that-iot-machines-will-take-over-t.html)
    Image source: https://www.flickr.com/photos/vincrosbie/16301598031/
  • It’s imperative to build and maintain trusted digital relationships
  • The project involved a collaboration between Government Digital Service, Department for Work and Pensions, Warwickshire County Council, Mydex and Verizon to design an attribute exchange hub. The hub was built by Verizon with Warwickshire County Council building the relying party gateway to the hub. The attribute provider components were built by Verizon.
    The project team designed the attribute exchange hub based on [Separate identity assurance and attribute exchange hubs with attributes passing through the attribute exchange hub]. This was selected for a number of reasons:
    ● identity assurance has already been designed and developed as a common capability within the government platform (i.e. GOV.UK Verify)
    ● identity assurance and attribute exchange can be treated as separate “services”, each simpler in its own right and each able to develop at its own speed
    ● sending all of the messaging via the hub, rather than point to point between relying parties and attribute providers, simplifies on-boarding, and provides a consistent point for logging, auditing and billing. It better meets a number of the design principles established in the Discovery project
    (See: http://www.ukauthority.com/UKA-Local-Digital/entry/5958/local-and-central-government-work-together-to-explore-online-eligibility-checking-within-digitised-services)
  • Okay, so why enable personal data sharing?
    Data quality and accuracy -- one US study: only 5% agreement between medications listed in EHRs and what patients actually take
    This gap affects cost, efficiency, and satisfaction as well
    Improved clinical research sets – one UK study: over half the respondents supported use of their data by commercial organizations for research
    A floor of 17% were not willing to share data at all
    Better care – Philips did a study with Banner Health
    Patients with chronic disease using a smart device and an app would tend to leverage continuously monitored vital signs
    Shorter, less expensive, less ER-intensive stay: savings averaged 10 days/year and $27K/year
    (See: http://well.blogs.nytimes.com/2016/03/31/let-patients-read-their-medical-records/?_r=0)
    (See: http://www.wellcome.ac.uk/News/Media-office/Press-releases/2016/WTP060240.htm)
    Image sources:
    http://www.serkworks.com/rocket-surgery-institute/
    https://upload.wikimedia.org/wikipedia/en/d/dc/Lab_Rats_Film_Poster.jpg
    http://www.mastgeneralstore.com/products/id-1426/magnet_-_i_love_lucy_vitameatavegamin
  • So that’s a business-based reward-centric viewpoint
    Beyond the business-based risk-centric viewpoint of regulatory compliance, why should businesses do what individuals want regarding personal control?
    The IoT brings new volumes and sources of data, and new use cases for people wanting to share that data
    CareKit added person-to-person sharing in the Apple ecosystem
    Dumb socks vs. smart socks – need a solution in wider ecosystems
  • With apologies to John Gilmore’s famous saying about the ‘net and censorship
    You have to make the right thing to do be the easiest thing to do
    IT manages hundreds of API-fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/functions to fellow employees and partners within the ecosystem, giving IT – and herself – centralized visibility into the access granted.
    Image source:
    "John Gilmore Portrait" by Neurosynthetic - Own work. Licensed under CC BY-SA 4.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:John_Gilmore_Portrait.jpg#/media/File:John_Gilmore_Portrait.jpg
  • Bringing the business owner closer to permission management and providing a standardized API access model
  • New regulations are not just codifying current data protection practice
    Many are giving user consent a much greater role in the privacy picture
    At the same time, more organizations are recognizing that personal data has got to be a shared asset
    You need to provide custodianship but also a relationship
    (See: https://iapp.org/media/pdf/resource_center/GDPR-final.pdf)
  • The UMA architecture has these three pieces. ForgeRock will deliver the two key pieces on the top in order to help you protect your API/application (policy enforcement points) and let your users set up sharing preferences (policy decision point).
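The five UMA roles of slide 42 and the authorization-server / resource-server split described in this note, as an added simulation that is not ForgeRock's UMA Provider or Protector code. It walks UMA's three phases (protect a resource, obtain authorization via a permission ticket and requesting party token, access with introspection) in simplified form; the method names, the "heart-monitor" resource and the Bruce Wayne / Dr. McCoy values are constructed stand-ins.

```python
import secrets

class AuthorizationServer:
    """UMA authorization server (policy decision point): holds the owner's sharing policies."""
    def __init__(self):
        self.resources = {}   # resource_id -> {"owner", "name", "scopes"}
        self.policies = {}    # (resource_id, requesting_party) -> allowed scopes
        self.tickets = {}     # permission ticket -> (resource_id, requested scopes)
        self.rpts = {}        # requesting party token (RPT) -> granted permission
    # Protection API: called by the resource server
    def register_resource(self, owner, name, scopes):
        rid = secrets.token_hex(8)
        self.resources[rid] = {"owner": owner, "name": name, "scopes": set(scopes)}
        return rid
    def request_permission_ticket(self, rid, scopes):
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (rid, set(scopes))
        return ticket
    def introspect(self, rpt):
        return self.rpts.get(rpt)
    # Policy management: the resource owner consents, delegates and revokes here
    def set_policy(self, owner, rid, requesting_party, scopes):
        if self.resources[rid]["owner"] != owner:
            raise PermissionError("only the resource owner may set sharing policy")
        self.policies[(rid, requesting_party)] = set(scopes)
    def revoke(self, owner, rid, requesting_party):
        self.set_policy(owner, rid, requesting_party, [])
        # Tokens already issued for that pair stop introspecting as active.
        self.rpts = {r: p for r, p in self.rpts.items()
                     if (p["rid"], p["party"]) != (rid, requesting_party)}
    # Authorization API: called by the client on behalf of the requesting party
    def issue_rpt(self, ticket, requesting_party):
        entry = self.tickets.pop(ticket, None)   # tickets are single-use
        if entry is None:
            return None
        rid, wanted = entry
        if not wanted <= self.policies.get((rid, requesting_party), set()):
            return None                          # policy denies (or more claims are needed)
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"rid": rid, "scopes": wanted, "party": requesting_party}
        return rpt

class ResourceServer:
    """Policy enforcement point in front of the API that serves the device data."""
    def __init__(self, authz):
        self.authz, self.data = authz, {}
    def protect(self, owner, name, scopes, payload):
        rid = self.authz.register_resource(owner, name, scopes)
        self.data[rid] = payload
        return rid
    def access(self, rid, scope, rpt=None):
        perm = self.authz.introspect(rpt) if rpt else None
        if perm and perm["rid"] == rid and scope in perm["scopes"]:
            return ("ok", self.data[rid])
        # No usable RPT: return a permission ticket the client takes to the AS.
        return ("need_ticket", self.authz.request_permission_ticket(rid, [scope]))
```

The owner never talks to the client directly: consent lives at the authorization server, which is what lets it be reviewed and withdrawn later, as the UKA quote on slide 40 describes.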
