Doing Authorisation, Consent, and Delegation Right with UMA - London Identity Summit
TRANSCRIPT
© 2016 ForgeRock. All rights reserved.
Doing Authorisation, Consent, and Delegation Right with UMA
Eve Maler, VP Innovation & Emerging Technology, ForgeRock
@xmlgrrl #IdentitySummit
19th October 2016
In 2Q2016, US mobile operators added connected cars faster than mobile devices – and also faster than anything else. (Chart dated Apr 2016.)
A passel of digital transformation challenges
Diagram labels: End users, Regulations, Industry, Your organization
Challenge scenarios
Scenario 1: Citizen attribute sharing for benefit management
Diagram: Basic profile data service; Eligibility data service; Handicap badge issuer app; Consent and delegation manager
• Monitor and make changes over time
• Holds no PII itself
In the next stage of the project … [t]he team will be investigating and testing this to further address the thorny issues of trust and transparency when gaining citizens’ permission. … “[E]ligibility for some services can be quite dynamic, for example, as the level of an individual’s in-work benefits varies, and it may be necessary to carry out on-going eligibility checks from time to time. UMA gives the individual a place to go online where they can see and manage all the consents they have given to different organisations. Until now, managing ongoing consent was tricky,” [Ian Litton] added. “Typically, you asked individuals to consent at a point in time. They tick the T&Cs, which they never see again. UMA should fix that problem.”
UKA Local Digital, 3rd March 2016
Scenario 2: Tax data sharing with an accountant
Diagram: Employer-run tax data service; Accounting app; Employer-run sharing manager
• Sharing with other parties
• Implemented cross-service
• Buy vs. build
Scenario 3: Sharing health data access in an ecosystem
Diagram: Fitness watch with cloud service; MRI machine with cloud service; 3rd party smart scale with cloud service; Physician portal; EHR service; PHR app; Clinical research; Health cloud with sharing manager
• Selective sharing for multi-way data flows
• Enabling partner ecosystems
Bonus scenario 3a: Family caregiver prescription management
“Inconsistency across the departments [makes it hard]. It would be easier if every department followed the same process, even if you had to do it for each of the different requirements depending on who you are dealing with.”
72-year-old Aroha takes a number of prescriptions; she asks her son to help her manage them through her patient portal.
Aroha gives her son Bailey access to view her prescriptions through her patient portal.
Bailey then asks the portal to send him notifications of his mum’s blood sugar levels.
Introducing User-Managed Access (UMA)
Privacy is not secrecy and privacy is not encryption
Context: the right moment to make the decision to share
Control: the ability to share just the right amount
Choice: the true ability to say no and to change one’s mind
Respect: regard for one’s wishes and preferences
A federated authorization architecture in action
Diagram roles: resource owner, resource server, authorization server, client, requesting party
Diagram arrow labels: manage, control, protect, delegate/revoke, authorize, manage, access, negotiate, deny
In the UMA model the resource owner manages resources at the resource server and controls policy at the authorization server, which protects the resource server; the client negotiates with the authorization server and accesses the resource server on the requesting party’s behalf, and the owner can delegate, authorize, deny or revoke that access.
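To make the roles in the diagram above concrete, and to replay the Aroha/Bailey prescription case from Bonus scenario 3a, here is an added Python simulation of the UMA flow; it is illustration code written for this transcript, not ForgeRock's or the UMA specification's own code. It assumes an in-memory authorization server, and the resource id "rx", the scopes "view"/"edit", the party names "aroha"/"bailey" and the sample data are constructed values; tickets and RPTs are modelled as opaque random strings, and the real protocol's endpoints, grant type and claims gathering are left out.

```python
import secrets

class AuthorizationServer:  # in-memory stand-in for the UMA AS (constructed, not ForgeRock code)
    def __init__(self):
        self.resources, self.policies, self.tickets, self.rpts = {}, {}, {}, {}
    def register(self, owner, rid, scopes):      # RS registers the resource on the owner's behalf
        self.resources[rid] = (owner, set(scopes))
    def share(self, owner, rid, party, scopes):  # owner delegates; only the owner may set policy
        if self.resources[rid][0] != owner:
            raise PermissionError("not the resource owner")
        self.policies[(rid, party)] = set(scopes) & self.resources[rid][1]
    def revoke(self, owner, rid, party):         # owner changes her mind; live RPTs die with the policy
        if self.resources[rid][0] != owner:
            raise PermissionError("not the resource owner")
        self.policies.pop((rid, party), None)
        self.rpts = {t: v for t, v in self.rpts.items() if v[:2] != (rid, party)}
    def ticket(self, rid, scopes):               # RS requests a permission ticket for an unauthorized call
        t = secrets.token_urlsafe(16)
        self.tickets[t] = (rid, set(scopes))
        return t
    def rpt(self, ticket, party):                # client redeems the single-use ticket; AS evaluates policy
        rid, wanted = self.tickets.pop(ticket)
        granted = wanted & self.policies.get((rid, party), set())
        if not granted:
            return None                          # deny
        t = secrets.token_urlsafe(16)
        self.rpts[t] = (rid, party, granted)
        return t
    def introspect(self, rpt):
        return self.rpts.get(rpt)

class ResourceServer:  # holds the data but never the policy; every decision is delegated to the AS
    def __init__(self, az, data):
        self.az, self.data = az, data
    def access(self, rid, scope, rpt=None):
        info = self.az.introspect(rpt) if rpt else None
        if info and info[0] == rid and scope in info[2]:
            return ("ok", self.data[rid])
        return ("ticket", self.az.ticket(rid, [scope]))  # HTTP 401 plus a permission ticket

def run_scenario():  # Aroha (resource owner) lets Bailey (requesting party) view, not edit, her prescriptions
    rs = ResourceServer(az := AuthorizationServer(), {"rx": ["prescription-1"]})  # constructed sample data
    az.register("aroha", "rx", ["view", "edit"])
    az.share("aroha", "rx", "bailey", ["view"])
    rpt = az.rpt(rs.access("rx", "view")[1], "bailey")  # first call has no token: RS hands back a ticket
    view = rs.access("rx", "view", rpt)                  # ("ok", ["prescription-1"])
    edit = az.rpt(rs.access("rx", "edit", rpt)[1], "bailey")  # scope never granted: None
    az.revoke("aroha", "rx", "bailey")
    after = rs.access("rx", "view", rpt)[0]              # "ticket": the old RPT is no longer honoured
    return view, edit, after
```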
An experience of selectively sharing health data with UMA
Screenshots: patient view and doctor view
“The enterprise interprets access control as damage and routes around it.”
Scenario 4: Business app access sharing with partners
Diagram: In-house IdP/AS; two groups of custom apps/services (AA … ZZ)
• Constrained delegated access
• Central management of cloud/partner interactions
Key benefits to users
• Sharing, unsharing, and editing of sharing preferences allowed at any time, without external influence
• Not just opt-in or opt-out when asked
• A selective sharing paradigm for an IoT landscape that demands it
• Possible to offer a service that centralizes sharing preference management across data services for user convenience
  • The central service doesn’t see any of the data
  • Data is fed fresh from each individual service
• The user can selectively share whatever “grain” of access each data service offers
  • Such as read vs. write, or weight vs. fat mass
Key benefits to service operators: security, centralization, APIs/IoT
Key benefits to service operators: business ownership, standard model, regulations
Let me sum up
The CMO and the CPO can and must meet in the middle
Risk management perspective: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…”
Business perspective:
• We value personal data as an asset
• Our customers’ wishes have value
• Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add
The ForgeRock Identity Platform includes two UMA components
• UMA Provider (access management): the authorization server
• UMA Protector (gateway): the resource server
• Client: sample code provided
Demo!