NYC Identity Summit Business Day: Doing Authorization, Consent, and Delegation Right with UMA
•Download as PPTX, PDF•
1 like•427 views
NYC Identity Summit Business Day presentation by Eve Maler, VP Innovation & Emerging Technology, ForgeRock.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to NYC Identity Summit Business Day: Doing Authorization, Consent, and Delegation Right with UMA
Similar to NYC Identity Summit Business Day: Doing Authorization, Consent, and Delegation Right with UMA (20)
More from ForgeRock
More from ForgeRock (20)
Recently uploaded
Recently uploaded (20)
NYC Identity Summit Business Day: Doing Authorization, Consent, and Delegation Right with UMA
- 1. © 2016 ForgeRock. All rights reserved. Doing Authorization, Consent, and Delegation Right With UMA Eve Maler VP Innovation & Emerging Technology @xmlgrrl
- 2. © 2016 ForgeRock. All rights reserved. 2 flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0
- 4. © 2016 ForgeRock. All rights reserved. What happens when businesses can’t form trusted digital relationships with consumers? • Revenue loss • Brand damage • Loss of trust • Missing out on opportunities • Compliance costs and penalties? flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0
- 5. © 2016 ForgeRock. All rights reserved. Why enable personal data sharing? Let’s use Health Relationship Trust as an example
- 6. © 2016 ForgeRock. All rights reserved. data quality and accuracy improved clinical data better care
- 7. © 2016 ForgeRock. All rights reserved. Why ensure personal control of sharing?
- 8. © 2016 ForgeRock. All rights reserved. How dire is the consent technology situation? 9 percent [of companies] believe current methods (i.e., check boxes, cookie acknowledgment) used to ensure data privacy and consent will be able to adapt to the needs of the emerging digital economy. – ForgeRock global survey conducted by TechValidate, 16 Mar 2016
- 9. © 2016 ForgeRock. All rights reserved. A government attribute sharing scenario + A place to go online where citizens can see and manage all the consents they have given to different organizations
- 10. © 2016 ForgeRock. All rights reserved. authorization server resource owner requesting party client manage control protect delegate revoke authorize manage access negotiate deny An enterprise scenario IT manages hundreds of API- fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/functions to fellow employees and partners within the ecosystem, giving IT – and herself – centralized visibility into the access granted. resource server
- 11. © 2016 ForgeRock. All rights reserved. A deep dive on a consumer health IoT scenario
- 19. © 2016 ForgeRock. All rights reserved.
- 20. © 2016 ForgeRock. All rights reserved.
- 21. © 2016 ForgeRock. All rights reserved.
- 22. © 2016 ForgeRock. All rights reserved.
- 23. © 2016 ForgeRock. All rights reserved.
- 24. © 2016 ForgeRock. All rights reserved. The CMO and the CPO can and must meet in the middle “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…” We value personal data as an asset Our customers’ wishes have value Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add Risk management perspective Business perspective
- 25. © 2016 ForgeRock. All rights reserved. The ForgeRock Identity Platform includes two UMA components authorization server resource server client (sample code provided) UMA Provider (access management) UMA Protector (gateway)
- 26. © 2016 ForgeRock. All rights reserved. ForgeRock ForgeRock ForgeRockIdentity ForgeRock Forgerock.com Forgerock.com/blog Thank you!
Editor's Notes
- Consumer trust of businesses has never been great. But it’s demonstrably at an ebb in the post-Snowden era when it comes to personal data. There’s qualitative and quantitative evidence telling the story. Image source: https://www.flickr.com/photos/vincrosbie/16301598031/
- Latest evidence: Spotify last August: simple privacy policy change alarmed customers Complaints, threats to leave (e.g. new Apple Music) Lesson: commoditized? low switching costs, lack of sensitivity can hurt you even if the change wasn’t materially negative Mobile Ecosystem Forum IoT consumer survey: trust issues biggest concern (See: http://www.dw.com/en/spotify-feels-the-burn-after-privacy-policy-flub/a-18665269) (See: http://www.bizreport.com/2016/04/21-globally-have-concerns-that-iot-machines-will-take-over-t.html) Image source: https://www.flickr.com/photos/vincrosbie/16301598031/
- Spotify shows how businesses can lose when you can’t sustain trustworthiness Cash economy means you might have had only a single customer interaction – digital economy nearly always means repeated interactions This makes the game theoretical stakes higher In a moment we’ll talk about the upside potential What about the compliance costs and penalties? They’re more substantial than ever (GDPR: up to 4% of worldwide turnover, DPO, etc.) But they’re clearly not about relationships with customers and end-users Image sources: https://www.flickr.com/photos/delmo-baggins/3143080675 http://www.huffingtonpost.com/marguerite-orane/worklife-not-balanced-enj_b_7189918.html
- Use health, including consumer and clinical health devices, as an example The HEART Work Group at OpenID Foundation is working on a use case I’m a co-chair of the group Alice Selectively Shares Health-Related Data with Physicians and Others For example, one flow enables Alice to choose to share basic data about herself with a doctor before her first visit Another lets Alice monitor and control access There’s a flow involving Alice sharing the list of her medications with her spouse And one where Alice agrees to donate data to clinical research in deidentified fashion (See: Economics of Privacy: p. 15: “strategic consumers may make a firm worse off in the context of dynamic targeted pricing”) (See: https://bitbucket.org/openid/heart/wiki/Alice_Shares_with_Physicians_and_Others_UMA_FHIR)
- Okay, so why enable personal data sharing? Data quality and accuracy -- one US study: only 5% agreement between medications listed in EHRs and what patients actually take This gap affects cost, efficiency, and satisfaction as well Improved clinical research sets – one UK study: over half the respondents supported use of their data by commercial organizations for research A floor of 17% were not willing to share data at all Better care – Philips did a study with Banner Health Patients with chronic disease using a smart device and an app would tend to leverage continuously monitored vital signs Shorter, less expensive, less ER-intensive stay: savings averaged 10 days/year and $27K/year (See: http://well.blogs.nytimes.com/2016/03/31/let-patients-read-their-medical-records/?_r=0) (See: http://www.wellcome.ac.uk/News/Media-office/Press-releases/2016/WTP060240.htm) Image sources: http://www.serkworks.com/rocket-surgery-institute/ https://upload.wikimedia.org/wikipedia/en/d/dc/Lab_Rats_Film_Poster.jpg http://www.mastgeneralstore.com/products/id-1426/magnet_-_i_love_lucy_vitameatavegamin
- So that’s a business-based reward-centric viewpoint Beyond the business-based risk-centric viewpoint of regulatory compliance, why should businesses do what individuals want regarding personal control? The IoT brings new volumes and sources of data, and new use cases for people wanting to share that data CareKit added person-to-person sharing in the Apple ecosystem Dumb socks vs. smart socks – need a solution in wider ecosystems
- How can we meet these needs? Are the tools and technologies we have available actually ready? ForgeRock asked companies if current methods such as opt-in checkboxes and cookie acknowledgment flows can adapt Only 9% think they can However, all is not lost. (See: https://www.forgerock.com/about-us/press-releases/new-global-survey-finds-companies-lack-adequate-data-privacy-consent-tools-todays-evolving-regulations-dynamic-digital-economy/) Image source: https://www.etsy.com/listing/184845181/quotation-marks-temporary-tattoo-set-of
- The project involved a collaboration between Government Digital Service, Department for Work and Pensions, Warwickshire County Council, Mydex and Verizon to design an attribute exchange hub. The hub was built by Verizon with Warwickshire County Council building the relying party gateway to the hub. The attribute provider components were built by Verizon. The project team designed the attribute exchange hub based on [Separate identity assurance and attribute exchange hubs with attributes passing through the attribute exchange hub]. This was selected for a number of reasons: ● identity assurance has already been designed and developed as a common capability within the government platform (ie GOV.UK Verify) ● identity assurance and attribute exchange can be treated as separate “services”, each simpler in its own right and each able to develop at its own speed ● sending all of the messaging via the hub, rather than point to point between relying parties and attribute providers, simplifies on-boarding, and provides a consistent point for logging, auditing and billing. It better meets a number of the design principles established in the Discovery project
- New regulations are not just codifying current data protection practice Many are giving user consent a much greater role in the privacy picture At the same time, more organizations are recognizing that personal data has got to be a shared asset You need to provide custodianship but also a relationship (See: https://iapp.org/media/pdf/resource_center/GDPR-final.pdf)
- The UMA architecture has these three pieces. ForgeRock will deliver the two key pieces on the top in order to help you protect your API/application (policy enforcement points) and let your users set up sharing preferences (policy decision point).