Doing Authorisation, Consent, and Delegation Right with UMA - London Identity Summit



Page 1: Doing Authorisation, Consent, and Delegation Right with UMA - London Identity Summit

© 2016 ForgeRock. All rights reserved.

Doing Authorisation, Consent, and Delegation Right with UMA

Eve Maler, VP Innovation & Emerging Technology, ForgeRock

@xmlgrrl #IdentitySummit

19th October 2016

Page 2

flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

In 2Q2016, US mobile operators added connected cars faster than mobile devices – and also faster than anything else

Apr 2016

Page 3

A passel of digital transformation challenges

• End users
• Regulations
• Your organization
• Industry

Page 4

Challenge scenarios

Page 5

Scenario 1: Citizen attribute sharing for benefit management

(Diagram) Basic profile data service; Eligibility data service; Handicap badge issuer app; Consent and delegation manager

• Monitor and make changes over time
• Holds no PII itself

In the next stage of the project … [t]he team will be investigating and testing this to further address the thorny issues of trust and transparency when gaining citizens’ permission. … “[E]ligibility for some services can be quite dynamic, for example, as the level of an individual’s in-work benefits varies, and it may be necessary to carry out on-going eligibility checks from time to time. UMA gives the individual a place to go online where they can see and manage all the consents they have given to different organisations. Until now, managing ongoing consent was tricky,” [Ian Litton] added. “Typically, you asked individuals to consent at a point in time. They tick the T&Cs, which they never see again. UMA should fix that problem.”

UKA Local Digital, 3rd March 2016

Page 6

Scenario 2: Tax data sharing with an accountant

(Diagram) Employer-run tax data service; Accounting app; Employer-run sharing manager

• Sharing with other parties
• Implemented cross-service
• Buy vs. build

Page 7

Scenario 3: Sharing health data access in an ecosystem

(Diagram) Fitness watch with cloud service; MRI machine with cloud service; Physician portal; Health cloud with sharing manager; EHR service; PHR app; 3rd party smart scale with cloud service; Clinical research

• Selective sharing for multi-way data flows
• Enabling partner ecosystems

Page 8

Bonus scenario 3a: Family caregiver prescription management

“Inconsistency across the departments [makes it hard]. It would be easier if every department followed the same process even if you had to do it for each different requirement depending on who you are dealing with.”

72-year-old Aroha takes a number of prescriptions; she asks her son to help her manage them through her patient portal.

Aroha gives her son Bailey access to view her prescriptions through her patient portal.

Bailey then asks the portal to send him notifications of his mum’s blood sugar levels.

Page 9

Introducing User-Managed Access (UMA)

Page 10

Privacy is not secrecy and privacy is not encryption

• Context: the right moment to make the decision to share
• Control: the ability to share just the right amount
• Choice: the true ability to say no and to change one’s mind
• Respect: regard for one’s wishes and preferences

Page 11

A federated authorization architecture in action

(Diagram) Five UMA roles: resource owner, resource server, authorization server, requesting party, client. The resource owner manages resources at the resource server and controls sharing policy at the authorization server; the resource server protects its resources through the authorization server; the client accesses the resource server and negotiates with the authorization server. Interaction labels in the diagram: manage, control, protect, delegate/revoke, authorize, manage, access, negotiate, deny.
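As an added example that is not part of this deck and not ForgeRock's UMA Provider or Protector code, the following Python sketch plays the five roles above against the family-caregiver scenario from slide 8: Aroha (resource owner) shares view access to her prescriptions with Bailey (requesting party); Bailey's client then asks for blood-sugar notifications it was never granted, Aroha extends the policy, and later revokes it. The method names, the permission-ticket and RPT formats, the introspection response shape and the outsider "mallory" are assumptions that loosely follow the UMA 1.0 pattern; they are not an implementation of the spec.

```python
# Added example (not ForgeRock code): toy model of this slide's five UMA roles played
# through scenario 3a; method names, token formats and ticket exchange are assumptions.
import secrets
import time


class AuthorizationServer:
    def __init__(self):
        self.resources = {}  # rs_id -> {"owner", "scopes"}
        self.policies = {}   # (rs_id, party) -> granted scopes
        self.tickets = {}    # ticket -> {"rs_id", "scopes", "exp"}
        self.rpts = {}       # rpt -> {"rs_id", "scopes", "party", "exp"}

    def register(self, owner, scopes):  # "protect": RS registers a resource and its scopes
        rs_id = secrets.token_hex(4)
        self.resources[rs_id] = {"owner": owner, "scopes": set(scopes)}
        return rs_id

    def share(self, owner, rs_id, party, scopes):  # "control"/"delegate"
        if self.resources[rs_id]["owner"] != owner:
            raise PermissionError("only the resource owner sets policy")
        # Only scopes the RS actually offers can be granted
        self.policies[(rs_id, party)] = set(scopes) & self.resources[rs_id]["scopes"]

    def revoke(self, owner, rs_id, party):  # "revoke": policy gone, issued RPTs die with it
        if self.resources[rs_id]["owner"] != owner:
            raise PermissionError("only the resource owner revokes")
        self.policies.pop((rs_id, party), None)
        self.rpts = {k: v for k, v in self.rpts.items()
                     if not (v["rs_id"] == rs_id and v["party"] == party)}

    def permission(self, rs_id, scopes):  # RS asks for a ticket describing refused access
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"rs_id": rs_id, "scopes": set(scopes), "exp": time.time() + 60}
        return ticket

    def rpt(self, ticket, party):  # "negotiate": client redeems a single-use ticket
        t = self.tickets.pop(ticket, None)
        if t is None or t["exp"] < time.time():
            return {"error": "invalid_ticket"}
        granted = self.policies.get((t["rs_id"], party), set())
        if not t["scopes"] <= granted:  # "deny": owner's policy does not cover the ask
            return {"error": "not_authorized", "missing": sorted(t["scopes"] - granted)}
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"rs_id": t["rs_id"], "scopes": t["scopes"], "party": party,
                          "exp": time.time() + 300}
        return {"rpt": rpt}

    def introspect(self, rpt):
        v = self.rpts.get(rpt)
        if v is None or v["exp"] < time.time():
            return {"active": False}
        return {"active": True, "permissions": [{"resource_set_id": v["rs_id"],
                                                 "scopes": sorted(v["scopes"])}]}


class ResourceServer:  # patient portal: stores the data, never the sharing policy
    def __init__(self, as_):
        self.as_, self.data = as_, {}

    def protect(self, owner, scopes, payload):
        rs_id = self.as_.register(owner, scopes)
        self.data[rs_id] = payload
        return rs_id

    def access(self, rs_id, scope, rpt=None):  # "access": RPT is checked at the AS, not trusted
        if rpt is not None:
            info = self.as_.introspect(rpt)
            if info["active"] and any(p["resource_set_id"] == rs_id and scope in p["scopes"]
                                      for p in info["permissions"]):
                return 200, self.data[rs_id]
        return 401, {"WWW-Authenticate": 'UMA realm="portal", as_uri="https://as.example"',
                     "ticket": self.as_.permission(rs_id, [scope])}


def fetch(party, rs, as_, rs_id, scope):  # client: try, get ticket, negotiate, retry with RPT
    status, body = rs.access(rs_id, scope)
    if status != 401:
        return status
    answer = as_.rpt(body["ticket"], party)
    return rs.access(rs_id, scope, rpt=answer["rpt"])[0] if "rpt" in answer else 403


def scenario_3a():
    as_ = AuthorizationServer()
    portal = ResourceServer(as_)
    rx = portal.protect("aroha", ["view", "notify"], {"prescriptions": ["metformin"]})
    sugar = portal.protect("aroha", ["view", "notify"], {"mmol_per_l": [6.1, 5.8]})
    as_.share("aroha", rx, "bailey", ["view"])       # Aroha lets Bailey view her prescriptions
    out = {"rx_view": fetch("bailey", portal, as_, rx, "view")}
    out["sugar_notify"] = fetch("bailey", portal, as_, sugar, "notify")  # not shared yet
    as_.share("aroha", sugar, "bailey", ["notify"])  # she extends sharing when he asks
    out["sugar_notify_later"] = fetch("bailey", portal, as_, sugar, "notify")
    old = as_.rpt(as_.permission(rx, ["view"]), "bailey")["rpt"]
    as_.revoke("aroha", rx, "bailey")                # and later changes her mind
    out["rx_view_after_revoke"] = fetch("bailey", portal, as_, rx, "view")
    out["old_rpt_active"] = as_.introspect(old)["active"]
    out["stranger_rx_view"] = fetch("mallory", portal, as_, rx, "view")
    return out
```

Two points the toy makes that the diagram only implies: the resource server never decides policy (it hands every refused request to the authorization server as a ticket and introspects every token it is shown), and revocation has to reach tokens already issued, otherwise "the true ability to change one's mind" from slide 10 is only true until the next token expiry.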

Page 12

An experience of selectively sharing health data with UMA

(Screenshots) Patient view / Doctor view

Page 13

“The enterprise interprets access control as damage and routes around it.”

Page 14

Scenario 4: Business app access sharing with partners

(Diagram) In-house IdP/AS; Custom app/service AA and Custom app/service ZZ (two instances of each)

• Constrained delegated access
• Central management of cloud/partner interactions

Page 15

Key benefits to users

• Sharing, unsharing, and editing of sharing preferences allowed at any time, without external influence
• Not just opt-in or opt-out when asked
• A selective sharing paradigm for an IoT landscape that demands it
• Possible to offer a service that centralizes sharing preference management across data services for user convenience
  • The central service doesn’t see any of the data
  • Data is fed fresh from each individual service
• The user can selectively share whatever “grain” of access each data service offers
  • Such as read vs. write, or weight vs. fat mass

Page 16

Key benefits to service operators: security, centralization, APIs/IoT

Page 17

Key benefits to service operators: business ownership, standard model, regulations

Page 18

Let me sum up

Page 19

The CMO and the CPO can and must meet in the middle

Risk management perspective: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…” (GDPR, Recitals 42 and 43)

Business perspective: We value personal data as an asset. Our customers’ wishes have value. Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add.

Page 20

The ForgeRock Identity Platform includes two UMA components

• Authorization server: UMA Provider (access management)
• Resource server: UMA Protector (gateway)
• Client: sample code provided

Page 21

Demo!