cis13: follow the money
Post on 18-Oct-2014
Follow the Money
Business Filters on Technology
Things don’t get simpler …
• Identity is no longer about 3 parties
• Attributes are as interesting as identifiers
• Fresh information is a business driver
• Identity assurance is giving way to attribute confidence
• Consumer IDPs are in full swing
• Useful systems can be built without being the account owner
• Brand recognition is as important as trust
• Internet ID is not just about anonymity
• Identities and attributes are a multi-variable calculus
The 3-Party Model
(Diagram: User, Identity Provider, Relying Party; annotated UMA)
Identity Ecosystem Entities
(Diagram: User, Identity Provider, Relying Parties, Attribute Exchange, Attribute Providers, Authorization Manager)
Who Adds Value & What is it?
• Aggregation of service capabilities tends to confuse the conversation – Not clear that *any* provider can cover all aspects
• Authentication services don’t provide identity
• IDPs may provide identities, more frequently provide identifiers
• IDPs outside of enterprise context do not originate identity attributes – Not authoritative(?), not a fresh source
• Internet2 work on attribute format – Semantics are less understood
Verified Phone #’s
• Any may be “correct” or sufficient
• It costs more to do “better”
• Most of these may be devalued by soft mobile providers including Twilio
(Diagram, verification levels as listed on the slide:)
Syntactically Correct
Allocated #
Response Consistently Asserted
Account Holder Name Match
Positive Event
Temporal/Spatial Correlation
Authoritative Sources
• Location – No longer the purview of telcos – compliance constraints
• Sources of a “verified” mobile # – OnTrac, UPS, FEDEX enable package tracking – Yelp delivers recommendations to my phone – Not tied to an “address” – Usually tied to an identifier
Fresh Information Delivery
• When is fresh information delivered?
• My identity validated and an identifier issued 5 years ago – As useful as a birth certificate – Not appropriate for transactional value
• What channels are used – IDPs may not wish to be in the information flow – Fresh data criteria may be different to session limits and may be set by different policy domains
• AXN Attribute Criteria – Refresh Rate
Deriving Attribute Confidence

| Data Type       | Metric | Availability/Timing | Metric | Geographic Coverage | Metric | Refresh Rate | Metric |
|-----------------|--------|---------------------|--------|---------------------|--------|--------------|--------|
| Authoritative   | 5      | Real-time           | 1      | Global              | 3      | Real-Time    | 5      |
| Aggregated      | 4      | Not Real-time       | 0      | National            | 2      | Daily        | 4      |
| Direct Captured | 3      |                     |        | State/Province      | 1      | Weekly       | 3      |
| Self Asserted   | 2      |                     |        | N/A                 | 0      | Monthly      | 2      |
| Derived         | 1      |                     |        |                     |        | Annually     | 1      |
| N/A             | 0      |                     |        |                     |        | Never        | 0      |

This is a derived attribute

| Verification Method   | Metric | Level of Confidence | Metric | Coverage Amount | Metric | Currency/Refresh Date |
|-----------------------|--------|---------------------|--------|-----------------|--------|-----------------------|
| Verified by Issuer    | 4      | High                | 3      | Full            | 3      | Actual Date           |
| Verified by 3rd Party | 3      | Med                 | 2      | Partial         | 2      |                       |
| Out of Band           | 2      | Low                 | 1      | Minimal         | 1      |                       |
| Not Verified          | 1      | None                | 0      | N/A             | 0      |                       |
| N/A                   | 0      |                     |        |                 |        |                       |

LOC (level of confidence) = fcn(Data Type, Verification Method, Refresh Rate, Currency)
Pricing = fcn(LOC, Coverage, Attribute Type)
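The deck gives the metric tables and states only that LOC and Pricing are functions of them, and the earlier "Fresh Information Delivery" slide argues that a five-year-old validation has no transactional value. The following is an added example, not code from the deck or its author, that scores constructed attribute assertions against the tables above. The combining function (normalised metrics multiplied together), the staleness windows tied to each refresh rate, the LOC band thresholds and the per-type list prices are all assumptions made for illustration; the sample assertions are constructed data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Metric tables transcribed from the "Deriving Attribute Confidence" slides.
DATA_TYPE = {"authoritative": 5, "aggregated": 4, "direct_captured": 3,
             "self_asserted": 2, "derived": 1, "n/a": 0}
VERIFICATION = {"verified_by_issuer": 4, "verified_by_3rd_party": 3,
                "out_of_band": 2, "not_verified": 1, "n/a": 0}
REFRESH = {"real_time": 5, "daily": 4, "weekly": 3, "monthly": 2,
           "annually": 1, "never": 0}
COVERAGE = {"full": 3, "partial": 2, "minimal": 1, "n/a": 0}

# ASSUMPTION: how old a value may be and still count as current for its
# refresh rate. The deck pairs the refresh-rate metric with an "Actual Date"
# column but does not state the windows; these are this example's choice.
MAX_AGE: Dict[str, Optional[timedelta]] = {
    "real_time": timedelta(0), "daily": timedelta(days=1),
    "weekly": timedelta(days=7), "monthly": timedelta(days=31),
    "annually": timedelta(days=366), "never": None,
}

# ASSUMPTION: hypothetical list prices per attribute type, only to make
# Pricing = fcn(LOC, Coverage, Attribute Type) concrete.
BASE_PRICE = {"verified_phone": 0.40, "postal_address": 0.25}

TODAY = date(2013, 7, 10)   # fixed "now" so the example is reproducible


@dataclass(frozen=True)
class AttributeAssertion:
    attribute_type: str
    data_type: str
    verification: str
    refresh_rate: str
    coverage: str
    last_verified: Optional[date]   # the "Actual Date" column; None if unknown


def currency_factor(a: AttributeAssertion, today: date = TODAY) -> float:
    """1.0 while the value is inside its refresh window, falling linearly to
    0.0 once it is twice as old as the window allows. No date, a future date,
    or a 'never' refresh rate yields 0.0: no currency claim can be made."""
    window = MAX_AGE[a.refresh_rate]
    if a.last_verified is None or window is None:
        return 0.0
    age = today - a.last_verified
    if age < timedelta(0):
        return 0.0
    if window == timedelta(0):                 # real-time: must be from today
        return 1.0 if age == timedelta(0) else 0.0
    return max(0.0, min(1.0, 2.0 - age / window))


def level_of_confidence(a: AttributeAssertion, today: date = TODAY) -> int:
    """LOC = fcn(Data Type, Verification Method, Refresh Rate, Currency), on
    the deck's 0..3 scale (None/Low/Med/High). ASSUMPTION: each metric is
    normalised to 0..1 and the four are multiplied, so a zero anywhere (never
    verified, never refreshed, stale) drives the whole score to zero."""
    score = (DATA_TYPE[a.data_type] / 5
             * VERIFICATION[a.verification] / 4
             * REFRESH[a.refresh_rate] / 5
             * currency_factor(a, today))
    if score >= 0.6:
        return 3            # High
    if score >= 0.3:
        return 2            # Med
    if score > 0.0:
        return 1            # Low
    return 0                # None


def price(a: AttributeAssertion, today: date = TODAY) -> float:
    """Pricing = fcn(LOC, Coverage, Attribute Type). ASSUMPTION: list price
    scaled by LOC/3 and Coverage/3, so an attribute with no confidence or no
    coverage is worth nothing to a relying party."""
    loc = level_of_confidence(a, today)
    return round(BASE_PRICE[a.attribute_type] * (loc / 3) * (COVERAGE[a.coverage] / 3), 4)


# Constructed sample assertions (not data from the deck).
SAMPLES = {
    # Carrier-asserted number, re-checked yesterday: the "verified phone" an RP pays for.
    "carrier_phone": AttributeAssertion("verified_phone", "authoritative",
                                        "verified_by_issuer", "daily", "full",
                                        date(2013, 7, 9)),
    # The deck's "identity validated 5 years ago": authoritative then, worthless now.
    "five_year_old_kyc": AttributeAssertion("postal_address", "authoritative",
                                            "verified_by_3rd_party", "annually", "partial",
                                            date(2008, 7, 10)),
    # Aggregator data with third-party verification, five days old.
    "aggregated_address": AttributeAssertion("postal_address", "aggregated",
                                             "verified_by_3rd_party", "weekly", "full",
                                             date(2013, 7, 5)),
    # Derived, checked out of band, nine days old against a weekly window: decaying.
    "derived_phone": AttributeAssertion("verified_phone", "derived",
                                        "out_of_band", "weekly", "partial",
                                        date(2013, 7, 1)),
    # Typed into a web form and never checked.
    "self_asserted_phone": AttributeAssertion("verified_phone", "self_asserted",
                                              "not_verified", "never", "minimal", None),
}


def evaluate(samples=SAMPLES, today: date = TODAY) -> Dict[str, Tuple[int, float]]:
    """Return {name: (LOC, price)} for each sample assertion."""
    return {name: (level_of_confidence(a, today), price(a, today))
            for name, a in samples.items()}


if __name__ == "__main__":
    for name, (loc, cost) in evaluate().items():
        print(f"{name:22s} LOC={loc}  price=${cost:.4f}")
```

The multiplicative combination is the security-relevant design choice: currency is a gate, not one weight among four, so an authoritative, issuer-verified attribute that has aged out of its refresh window scores exactly like a self-asserted one. Pricing falls out of that, which is the deck's point that fresh information, not the identifier, is what carries transactional value.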
Attribute Exchange Networks
(Diagram: Simple Attribute Exchange. Attribute Providers supply Source Attributes to the Attribute Exchange, which delivers Attributes to Relying Parties.)
Attribute Redistribution in the Enterprise
(Diagram: Enterprise Internal Attribute Distribution. Attribute Providers supply Source Attributes to the Attribute Exchange; the enterprise redistributes Attributes to its own Relying Parties internally.)
IDP Trusted Identity Establishment
(Diagram: Verified Identity/Credential Establishment & Use. Attribute Providers feed the Attribute Exchange, which supplies a Verified Identity to the Identity Provider; the user’s Login Client then uses the resulting credential.)
Trusted IDs with Associated Attributes
(Diagram: Verified Identity/Credential + Attribute Exchange. Attribute Providers feed the Attribute Exchange, which supplies both Verified Identity and Identity Attributes to Identity Providers; User and Relying Party consume them.)
If I had more time, I would have written less…
Direct Attribute Association
(Diagram: Direct to RP Model. Attribute Exchange, Attribute Providers, Relying Parties; Attributes flow from Attribute Providers directly to Relying Parties.)
Policy based Facilitation
(Diagram: Facilitated Direct to RP Model. Attributes flow from Attribute Providers directly to Relying Parties, while the Attribute Exchange provides Control + Accounting towards both the Attribute Providers and the Relying Parties.)
Layered Ecosystem
• Why is it everyone talks about authentication?
• Our ubiquitous biometrics sign-in APIs supporting multiple biometric types will solve all your problems
• I have TPMs in every xyz product on earth – I should be in the Identity Business
• I own 70% of the PC market – I should be an IDP
Abstract
Despite what we may wish to implement in our identity architectures, large-scale identity deployments are driven by financial value. This session examines recent thinking on how identity attribute models are likely to be deployed, the values and roles of the various participants and the challenges of how value is distributed among the participants.