CON8823: Access Management for the Internet of Things (final)



Kanishk Mahajan's OOW2013 presentation

Published in: Technology
  • The concept of the Internet of Things includes network-enabling virtually any type of product or machinery so that data about the object can be captured and communicated. In effect, these networked Things become “smart objects” that can become part of the Internet and active participants in business processes. The Internet of Things describes a world where humans are surrounded by machines that communicate with each other and with them. People need an understanding of this multi-device environment, and the network needs a representation of “who” the user is. The Internet of Things defines a virtual identity as the endpoint of communication, independent of the device, allowing users to interact with several devices seamlessly under one name. A user may have several virtual identities to represent the different personas and aspects of their service usage.
  • Identities may represent entities of all kinds, including persons, devices and software. The Internet of Things defines two types of identities: an Identinet, where identities are at the endpoint of all communications (these identities may represent entities of all kinds, including persons, devices and software); and a digital shadow, also called a virtual identity or a composite identity, which represents the digital shadow of entities in the digital world. The digital shadow designates the concept of entities using services, nodes, equipment and infrastructure in a specific context, which allows users to attach their identity to a Thing (a service, node or infrastructure) based on their interaction with that Thing. By attaching a user identity to a Thing based on the user’s usage of the Thing, users gain multiple entry points into the physical Internet without losing a consistent view of that data. Users have many-to-many relationships with Things. For example, many cars in a family: all family members drive all cars, but each has specific privileges on their own individual car. Other common scenarios include rental cars, or service equipment shared by several field employees.
  • In a social network, individuals (1) connect with those they know and (2) connect with those who are interested in following their activity, without the expectation of reciprocation. Point (1) is relevant to the Internet of Things because people not only share relations with friends, they also have relations to Things: to favorite books, movies, gadgets, items, products, food, devices, automobiles, and so on. Point (2) is very relevant to the Internet of Things because it allows building a technical publish/subscribe type of network where various sensors and actuators post their state. For example, Twitter is a commonly used online social network that allows plugins (publishers/subscribers) to post events from selected sensors to Twitter and to listen for tweets from devices they are interested in: the washing machine tweeting when it has done its job, the stereo telling the world about the music you are listening to, or the mobile phone announcing the calls you have made recently.
  • Most Things on the Internet are autonomous independent Things, i.e. they (1) don’t require another device (such as a smartphone or web service) to function and (2) are able to sense context and to autonomously interact with other things, sensors, and services. The graphic depicts a WiFi-enabled toaster that makes light fun of this. However, consider the “smart” refrigerator. Stage 1, non-autonomous: provides value to users through interaction with other devices such as smartphones; the refrigerator owner scans cartons of milk with his smartphone, which triggers a reminder when the milk expires. Stage 2, partially autonomous: the refrigerator detects the milk on its own and issues reminders across a broader range of connected apps. Stage 3, autonomous independent: the refrigerator orders replacement milk just before it is empty or expires, entirely on its own.
  • OAM provides an easy framework for applications to connect and integrate with social networks. OAM Social also provides out-of-the-box integration with trust levels for social logins (use the social login for initial authentication, and step up for anything else). Built-in integration with Federation provides linking of local accounts to social accounts, and new capabilities such as OAuth server support provide the ability to build private social networks while still leveraging public OAuth servers such as Facebook or Twitter and OpenID authentication via Google.
  • Oracle Access Management: Mobile & Social, component overview:
    - Oracle Adaptive Access Manager: device fingerprinting and registration database; risk-based authentication that factors in mobile context
    - Oracle Application Gateway: enables mobile application REST APIs and protects APIs, web services and SOA infrastructure from external threats and invalid/suspicious requests; extends access management with authentication, authorization and audit to REST APIs and web services
    - Oracle Entitlement Server: makes authorization decisions and redacts data based on user, mobile or any other context; externalizes authorization policies from application code
    - Mobile Identity and Access Gateway: authentication, registration and user profile services for mobile
    - Oracle Web Services Manager: last-mile security for an organization's backend web services and SOA infrastructure; embedded agents
    - Native Mobile Security SDK: native login screens and secure credential storage; easy integration with SSO and web services security
    - Native Mobile Security Apps: login app for native and web apps providing device context; native White Pages app integrated with user profile services
  • Consider using OAM, OAM M&S and OAG to validate and secure JWT tokens during the various REST invocations for service-to-service interactions between the apps of the vehicle, the dealer, the vendor and the user. Several of these services are invoked from native mobile apps belonging to the vehicle, the dealer or the user. The tokens are validated against policies configured in Oracle M&S that include device registration and device fingerprinting.
  • Uses the OAuth 2.0 client credentials grant flow: the client is also the resource owner. The client credentials grant uses the client's own credentials as the authorization grant, which makes sense when the client is also the resource owner. The following sequence diagram shows the successful process.
  • Authentication options: username and password; social logon; step-up authentication and OTP. Step-up can be applied:
    - the first time a user logs in with a device (device registration)
    - for a sensitive application
    - on a high risk score
    - for a user with a high level of access to the application
  • Mobile Application Access Security:
    - integrates native mobile apps and mobile web with corporate systems and information
    - access management, authorization, API security and fraud detection
    - device-context-based fine-grained authorization
    - support for iOS mobile device security elements
    - device security: jailbreak detection at login
    - device lifecycle: whitelist/blacklist/lost device management
    - device fingerprinting
  • With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.

    1. Access Management for the Internet of Things. Kanishk Mahajan, Principal Product Manager, Oracle Identity & Access Management
    2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
    3. Program Agenda
      • Introducing Identity for the Internet of Things
      • Security Challenges for the Internet of Things
      • Oracle Access Management 11gR2: Securing Access for the Internet of Things
      • Customer Case Study
      • Demo
      • Q&A
    4. Introducing Identity for the Internet of Things
    5. Internet of Things
      • Refers to the general idea of things, including everyday objects, that are readable/recognizable, locatable/addressable, controllable and communicable
    6. Identity for the Internet of Things: Composite Identities
      • Identity as a communication endpoint: user, service, device, software module, sensor
      • User identities are tied to Things based on interaction and context
    7. Identity for the Internet of Things: Social Networks
      • Connect, communicate, share
      • Use public or private social networks
      • Link physical and virtual Things, services, devices, APIs
      • Allow reacting to events
    8. Identity for the Internet of Things: Securing the “Smart Toaster”
      • Securing autonomous independent Things
      • Context-aware authentication
      • Securing communication: person-to-Thing and Thing-to-Thing
    9. Security Challenges for the Internet of Things
    10. Security is a Barrier for Adoption of IoT
      • “The horizontal evolution of M2M will require full end-to-end security. Significant efforts need to be invested into M2M application security in order for the M2M market to fully evolve. Whether this is through open source initiatives or standards development, the demand for increased M2M application security will have to be answered, and sooner rather than later.” ABI Research, M2M Dream Challenged by Alarming Security Concerns, Feb 2013
      • 40% of embedded systems and application developers have not proactively addressed security in existing development projects
      • 30% median CAGR (2011-2014) in shipments of security solutions for industrial automation, medical devices, consumer electronics, automotive and retail
      • Source: VDC Research, Strategic Insights 2012: Embedded Software & Tools Market, Security Development & Runtime Solutions
    11. Challenges in IoT Security: typical control and access challenges for IoT service providers
      • What protection measures are possible as thousands of intelligent things cooperate with other real and virtual entities in random and unpredictable ways?
      • How do you ensure security given IoT’s highly distributed nature and use of fragile technologies, such as limited-function embedded devices?
      • How do you leverage investments in existing internet security technologies for the highly fragmented IoT networks?
      • How can you define and enable trust in a dynamic IoT network with weak trust links between network nodes?
    12. Key IoT Security Requirements: onboarding & enrollment; authentication & authorization; device metadata & control; policy & key management; application management & provisioning
      • Mutual authentication between devices and server
      • Confidentiality of data transfer over multi-protocol networks
      • Device data management
      • Governance of trust relationships in IoT networks
      • Device application provisioning & management
    13. Oracle IoT Security Solution Overview (architecture diagram; labels: intranet; DMZ; short-range networks (BT, ZigBee, serial), non-IP protocol; HTTP/SMTP/CoAP; REST/OAuth; app; Oracle Unified Gateway; Oracle Access Manager with M&S and Adaptive Access; OAM-protected app resources; device enrollment and device operations; Oracle Identity Governance)
    14. Oracle Access Management: Securing Access for the Internet of Things
    15. Internet of Things Use Case: Vehicle Telematics and a Social Network for Cars
      • Private social network that connects customers with their cars, their dealership, and with the manufacturer; customers can choose to extend their network to family, friends, and others using public social networks such as Twitter and Facebook
      • Vehicle telematics allows the cars to communicate with customers, the manufacturer and the dealership
    16. Access Management 11gR2: Securing Social Access (step-up authentication; simplified OAuth registration; tick-box configuration; simple and secure federation)
      • Turns social integration into an administrator action
      • Provides out-of-the-box support for leading social providers
      • Provides increased levels of assurance as the user progresses to more secure services
      • Simplifies registration and single sign-on from multiple providers
    17. Securing the Internet of Things using OAM 11gR2 Social: Securing a Social Network for Cars (diagram; labels: OAuth; simple and secure federation)
    18. Oracle Mobile & Social Access Management Deployment Architecture (diagram; labels: HTTP/REST/SOAP/OAuth clients; corporate DMZ; corporate network; Oracle Enterprise Gateway; Mobile and Social; Oracle Adaptive Access Manager; OES PDP; Oracle Access Manager; OAM Agent; Directory Services; Web Services Manager; Service Bus; SOAP/REST and legacy web services; context-aware authorization and data redaction)
    19. Securing the Internet of Things using OAM 11gR2 Mobile and Gateway: Securing Vehicle Telematics (diagram; labels: HTTP/REST/SOAP/OAuth clients; Oracle Application Gateway; REST/SOAP; Oracle Mobile & Social; manufacturer)
    20. Internet of Things Use Case: Smart Home Appliances
      • A refrigerator actively manages its energy consumption by securely communicating with the electric utility company: it automatically moves its defrost cycle to a non-peak time based on the response from the utility company
    21. Oracle Access Management: OAuth 2.0 Server
      • Provides OAuth Authorization Server, Resource Server and Client
      • Supports 3-legged and 2-legged OAuth
      • Shares the same client framework as Mobile & Social
      • Provides an OAuth user profile service and custom scope definition
    22. 2-legged OAuth, Service to Service
      ① The requesting service (OAuth client) pre-registers with the OAuth Authorization Server and receives client credentials
      ② The requesting service uses its client credentials to connect to a resource server
      ③ The resource server validates the client's credentials and provides the requested content
    23. Securing the Internet of Things using OAM 11gR2 OAuth 2.0 Service: Securing Smart Home Appliances. Parties: Refrigerator (OAuth client), Authorization Server (OAM 11gR2), Electric Utility Company (resource server)
      0. The refrigerator pre-registers with the OAuth authorization server (OAM) and receives client credentials
      1. The refrigerator authenticates to OAM with its client credentials
      2. OAM returns an access token
      3. The refrigerator presents the access token to the utility company
      • The client must request the token from the OAM token endpoint after successful authentication
      • OAM must sign the access token
      • The resource server validates the token against OAM
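The 2-legged flow on slides 22 and 23 (and the client-credentials note in the speaker notes) in runnable form, as an added example that is not Oracle's code and not part of the original deck. It models the three parties with only the Python standard library: the refrigerator is the OAuth client, an AuthorizationServer class plays the part OAM plays (pre-registration, token endpoint, signing, and the validation the resource server performs against it), and a ResourceServer class plays the utility. The token format (a compact HS256-signed JWT), the issuer, audience and scope strings, the client id and the 300-second lifetime are assumptions made for the example; the deck only says that OAM signs the token and that the resource server validates it against OAM.

```python
"""Added example (not Oracle's code): OAuth 2.0 client-credentials flow between a
refrigerator (client), an authorization server (the OAM role) and a utility API
(resource server). Names, key type and lifetimes are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Registers clients, issues HS256-signed tokens, and validates them on request."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.signing_key = secrets.token_bytes(32)  # assumption: symmetric key held only here
        self.clients = {}  # client_id -> (sha256(client_secret), allowed scopes)

    def register_client(self, client_id: str, scopes) -> str:
        """Step 0: pre-registration. Secret is returned once; only its hash is stored."""
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (hashlib.sha256(client_secret.encode()).digest(), set(scopes))
        return client_secret

    def token(self, client_id: str, client_secret: str, scope: str, now: int, ttl: int = 300) -> str:
        """Steps 1-2: token endpoint for grant_type=client_credentials."""
        entry = self.clients.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).digest()
        stored = entry[0] if entry else bytes(32)  # compare even for unknown ids (timing)
        if not hmac.compare_digest(stored, presented) or entry is None:
            raise PermissionError("invalid_client")
        if not set(scope.split()) <= entry[1]:
            raise PermissionError("invalid_scope")
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": client_id, "aud": "utility-api",
                  "scope": scope, "iat": now, "exp": now + ttl}
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                         + b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(self.signing_key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def introspect(self, token: str, now: int) -> dict:
        """Step 3: the resource server hands the token back; signature is checked
        before any claim is trusted, and the alg is pinned rather than read from the token."""
        parts = token.split(".")
        if len(parts) != 3:
            return {"active": False}
        try:
            header = json.loads(b64url_decode(parts[0]))
            presented = b64url_decode(parts[2])
        except ValueError:
            return {"active": False}
        if header.get("alg") != "HS256":
            return {"active": False}
        expected = hmac.new(self.signing_key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return {"active": False}
        claims = json.loads(b64url_decode(parts[1]))  # safe: signature proves we produced it
        if claims.get("iss") != self.issuer or claims.get("exp", 0) <= now:
            return {"active": False}
        return dict(claims, active=True)


class ResourceServer:
    """The utility's API: serves only after the authorization server confirms the token."""

    def __init__(self, authorization_server: AuthorizationServer, audience: str = "utility-api"):
        self.az = authorization_server
        self.audience = audience

    def schedule_defrost(self, token: str, now: int) -> dict:
        claims = self.az.introspect(token, now)
        if not claims["active"] or claims.get("aud") != self.audience:
            raise PermissionError("invalid_token")
        if "demand-response" not in claims["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"client": claims["sub"], "defrost_window": "02:00-04:00"}  # constructed reply


def demo(now: int = 1_700_000_000) -> dict:
    """Happy path plus the rejections a practitioner should expect to see."""
    oam = AuthorizationServer("https://oam.example.test")
    secret = oam.register_client("fridge-SN1234", {"demand-response"})  # step 0
    utility = ResourceServer(oam)
    token = oam.token("fridge-SN1234", secret, "demand-response", now)  # steps 1-2
    results = {"granted": utility.schedule_defrost(token, now + 10)}  # step 3

    def rejected(fn):
        try:
            fn()
        except PermissionError as exc:
            return str(exc)
        return None

    results["wrong_secret"] = rejected(lambda: oam.token("fridge-SN1234", "guess", "demand-response", now))
    results["wrong_scope"] = rejected(lambda: oam.token("fridge-SN1234", secret, "billing-admin", now))
    results["expired"] = rejected(lambda: utility.schedule_defrost(token, now + 301))
    h, p, s = token.split(".")  # forge: edit the payload, keep the old signature
    claims = json.loads(b64url_decode(p))
    claims["scope"] = "demand-response billing-admin"
    forged = ".".join([h, b64url(json.dumps(claims, separators=(",", ":")).encode()), s])
    results["tampered"] = rejected(lambda: utility.schedule_defrost(forged, now + 10))
    return results


if __name__ == "__main__":
    print(demo(int(time.time())))
```

demo() runs the happy path and then the rejections worth checking in any deployment of this flow: a wrong client secret, a scope the client was not registered for, an expired token, and a token whose payload was edited to add a scope without re-signing. With a shared HMAC key, as here, only the issuer should validate, which is why validation stays inside AuthorizationServer; with an asymmetric signature (RS256/ES256) the resource server could verify locally with the issuer's public key instead of calling back.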
    24. Internet of Things Use Case: Mobile Access to Things
      • Use a mobile device as a remote-control hub to monitor and manage interconnected devices and Things
    25. Example Login Flow: Native App with OAM. Participants: Client App (mobile), Security App (mobile), Mobile and Social Server
      • The Client App requests an access token from the Security App
      • Security App: if a valid token is in the local credential store, return it to the App; otherwise present the login page, accept username/password, and have the Oracle SDK make the authentication call with user/password, device attributes and device tokens
      • Mobile and Social Server: validates device tokens; extracts device attributes and ID contexts; registers the device/app if unregistered; authenticates with the OAM server; publishes ID context to the OAM server and OES for authorization decisions; invokes OAAM for risk analysis; responds with user/access tokens
      • The Security App stores the user/access token and returns the token to the Client App
      • The Client App uses the token to make calls to the server application protected by OAM
    26. Oracle Access Management Client SDKs
      • Native libraries for iOS, Android and Java
      • Store/access keys, tokens, handles and other secure data
      • Access mobile device information (OS, carrier, geolocation, IP/MAC)
      • Quickly build security into your mobile applications
      • Support KBA, OTP via email and SMS
      • Manage single sign-on
    27. Mobile Authentication: Flexible Options for Devices, Applications and Users
    28. Securing the Internet of Things using OAM 11gR2 Mobile Service: Securing Mobile Access to Things
      • Device fingerprinting & tracking
      • Device registration
      • Lost & stolen devices
      • GPS/Wi-Fi location awareness
      • Risk-based KBA & OTP
      • Transactional risk analysis
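Device registration and the step-up rules from the speaker notes (first login from a device, sensitive application, high risk score, privileged user), together with the jailbreak check and the lost-device handling from slides 25 and 28, as an added example that is not Oracle's code. The fingerprint is a hash over the device attributes the SDK is said to collect; the attribute names, the sensitive-app list, the risk threshold, the policy of denying jailbroken devices outright, and the sample user are assumptions constructed for the example. The OTP is captured in an outbox list instead of being sent by SMS or email so the demo runs offline.

```python
"""Added example (not Oracle's code): device fingerprint registration, step-up
decision, OTP completion and lost-device revocation. All names and thresholds
are assumptions; the user and device below are constructed sample data."""
import hashlib
import hmac
import secrets

SENSITIVE_APPS = {"vehicle-remote"}  # assumption: apps that always need step-up
RISK_THRESHOLD = 70                  # assumption: score at or above which step-up applies


def fingerprint(device: dict) -> str:
    """Stable hash of the collected device attributes (sorted keys, so order is irrelevant)."""
    canonical = "|".join(f"{key}={device[key]}" for key in sorted(device))
    return hashlib.sha256(canonical.encode()).hexdigest()


class MobileAccessServer:
    """Toy stand-in for the Mobile & Social server plus OAAM decision on the slides."""

    def __init__(self, users: dict, privileged_users: set):
        self.users = users                  # user -> sha256(password)
        self.privileged = privileged_users  # users with a high level of access
        self.registered = {}                # user -> {fingerprint, ...}
        self.blocked = set()                # fingerprints of lost/stolen devices (blacklist)
        self.pending_otp = {}               # (user, fingerprint) -> otp awaiting verification
        self.tokens = {}                    # access token -> (user, fingerprint)
        self.outbox = []                    # (user, otp) that would go out by SMS/email

    def _password_ok(self, user: str, password: str) -> bool:
        stored = self.users.get(user, bytes(32))  # compare even for unknown users
        return hmac.compare_digest(stored, hashlib.sha256(password.encode()).digest())

    def login(self, user: str, password: str, device: dict, app: str, risk_score: int) -> dict:
        """First factor plus device checks; returns a token or a step-up challenge."""
        if not self._password_ok(user, password):
            return {"status": "denied", "reason": "bad_credentials"}
        fp = fingerprint(device)
        if fp in self.blocked:
            return {"status": "denied", "reason": "device_blocked"}
        if device.get("jailbroken"):  # jailbreak detection at login
            return {"status": "denied", "reason": "jailbroken_device"}
        reasons = []
        if fp not in self.registered.get(user, set()):
            reasons.append("unregistered_device")  # first time with this device
        if app in SENSITIVE_APPS:
            reasons.append("sensitive_app")
        if risk_score >= RISK_THRESHOLD:
            reasons.append("high_risk_score")
        if user in self.privileged:
            reasons.append("privileged_user")
        if reasons:
            otp = f"{secrets.randbelow(10 ** 6):06d}"
            self.pending_otp[(user, fp)] = otp
            self.outbox.append((user, otp))
            return {"status": "step_up", "reasons": reasons}
        return self._issue(user, fp)

    def verify_otp(self, user: str, device: dict, otp: str) -> dict:
        """Second factor; a successful OTP also registers the device for this user."""
        fp = fingerprint(device)
        expected = self.pending_otp.pop((user, fp), None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return {"status": "denied", "reason": "bad_otp"}
        self.registered.setdefault(user, set()).add(fp)
        return self._issue(user, fp)

    def _issue(self, user: str, fp: str) -> dict:
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, fp)  # token is bound to the device it was issued to
        return {"status": "ok", "token": token}

    def report_lost(self, user: str, device: dict) -> None:
        """Lost/stolen device: blacklist the fingerprint and revoke every token bound to it."""
        fp = fingerprint(device)
        self.blocked.add(fp)
        self.registered.get(user, set()).discard(fp)
        for token, (_, token_fp) in list(self.tokens.items()):
            if token_fp == fp:
                del self.tokens[token]

    def token_valid(self, token: str) -> bool:
        return token in self.tokens


def demo() -> dict:
    users = {"alice": hashlib.sha256(b"correct horse").digest()}  # constructed sample user
    server = MobileAccessServer(users, privileged_users={"fleet-admin"})
    phone = {"os": "iOS 7", "model": "iPhone", "carrier": "example-net", "install_id": "A1B2"}
    out = {}
    out["first"] = server.login("alice", "correct horse", phone, "vehicle-remote", risk_score=20)
    _, otp = server.outbox[-1]  # in practice read from the SMS/email
    out["after_otp"] = server.verify_otp("alice", phone, otp)
    out["second"] = server.login("alice", "correct horse", phone, "white-pages", risk_score=20)
    out["risky"] = server.login("alice", "correct horse", phone, "white-pages", risk_score=85)
    server.report_lost("alice", phone)
    out["revoked"] = server.token_valid(out["after_otp"]["token"])
    out["lost"] = server.login("alice", "correct horse", phone, "white-pages", risk_score=20)
    return out


if __name__ == "__main__":
    print(demo())
```

The first login from the phone triggers step-up for two reasons at once (unregistered device and a sensitive app); after the OTP the device is registered, so the next login to an ordinary app passes with a single factor, while a high risk score still forces step-up on the registered device. Reporting the phone lost blacklists its fingerprint and revokes the tokens bound to it, which is the part of "lost device management" that is easy to forget: blocking future logins without revoking issued tokens leaves the stolen device logged in.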
    29. Customer Case Study
    30. Demo
    31. Questions
    32. Other Identity Management Sessions
      • Thursday 09/26, 11:00AM, CON8836, Moscone West, Room 2018: Leveraging the Cloud to Simplify Your Identity Management Implementation (Guru Shashikumar, Oracle)
      • Thursday 09/26, 12:30PM, CON4342, Moscone West, Room 2018: Identity Services in the New GM IT (GM)
      • Thursday 09/26, 2:00PM, CON9024, Moscone West, Room 2018: Next Generation Optimized Directory: Oracle Unified Directory (Etienne Remillon, Oracle)
      • Thursday 09/26, 2:00PM, CON8902, Marriott Marquis, Golden Gate C3: Developing Secure Mobile Applications (Mark Wilcox, Oracle)
      • Thursday 09/26, 3:30PM, CON8826, Moscone West, Room 2018: Zero Capital Investment by Leveraging Identity Management as a Service (Mike Neuenschwander, Oracle)
    33. Oracle Fusion Middleware: Business Innovation Platform for the Enterprise and Cloud
      • Complete and integrated
      • Best-in-class
      • Open standards
      • On-premise and cloud
      • Foundation for Oracle Fusion Applications and Oracle Cloud
      • Components: Web, Social, Mobile, User Engagement, Business Process Management, Content Management, Service Integration, Business Intelligence, Data Integration, Identity Management, Development Tools, Cloud Application Foundation, Enterprise Management