SlideShare uma empresa Scribd logo
1 de 33
Baixar para ler offline
Consumerizing Industrial 
IoT Access Control 
Using UMA to Add Privacy and 
Usability to Strong Security 
FORGEROCK.COM 
Eve Maler 
VP Innovation & Emerging Technology 
eve.maler@forgerock.com 
@xmlgrrl 
October 2014
2 
Agenda 
■ Who am I? 
■ Authorization challenges 
■ Testing out web authorization solutions 
■ Introducing User-Managed Access (UMA) 
■ Conclusions and future work
Constrained environments 
present major authorization 
challenges 
h/t @gffletch, @domcat
4 
We need it for Internet-connected 
dishwashers… 
flickr.com | n1ct4yl0r | CC BY-NC-ND 2.0 | link
5 
…smart medical thingies…
6 
…and Solar Freakin’ Roadways
7 
What are the requirements? 
Scale Discovery
8 
What are the requirements? 
Privacy Flexibility 
flickr.com | ahilliker | CC BY-NC-ND 2.0 | link
9 
What are the requirements? 
Partitioning
How far do existing web 
authorization and consent 
technologies take us? 
flickr.com | smemon | CC BY 2.0 | link
11 
Extensible Access Control 
Markup Language (XACML) 
Scale 
Discovery 
Privacy 
Flexibility 
Partitioning 
X 
X 
? 
X 
?
12 
OAuth 2.0 Authorization 
Framework 
Scale 
Discovery 
Privacy 
Flexibility 
Partitioning 
? 
? 
? 
?
13 
How do we share data informally 
on the web? It’s not good…
flickr.com | thomashawk | CC BY-NC 2.0 | link 
Introducing User-Managed 
Access (UMA)
15 
UMA in a nutshell 
■ Draft standard for “authorization V.next” 
■ Profile and application of OAuth V2.0 
■ Set of authorization, privacy, and consent APIs 
■ Work Group of the Kantara Initiative 
■ Founder, chair, and “chief UMAnitarian”: 
■ Heading to V1.0 in Q1 2015 
■ In interop testing now
16 
The UMA protocol enables key 
new selective sharing options 
I want to share this stuff 
selectively 
• Among my own apps 
• With family and friends 
• With organizations 
I want to protect this stuff 
from being seen by everyone 
in the world 
I want to control access 
proactively, not just feel forced 
to consent over and over
17 
Under the hood, it’s “OAuth++” 
Loosely coupled to enable 
an AS to onboard multiple 
RS’s, residing in any security 
domains 
This concept is new, to enable 
person-to-person sharing 
driven by RO policy vs. run-time 
consent
18 
UMA is about interoperable, 
RESTful authorization-as-a-service 
Has standardized APIs 
for privacy and 
“selective sharing” 
Outsources protection to 
a centralizable 
authorization server 
“authz 
provider” 
(AzP) 
“authz 
relying 
party” 
(AzRP) 
identity 
provider 
(IdP) 
SSO 
relying 
party 
(RP)
19 
UMA-enabled systems can 
respect policies such as… 
Only let my tax preparer with email 
TP1234@gmail.com and using client 
app TaxThis access my bank account 
data if they have authenticated 
strongly, and not after tax season is 
over. 
Let my health aggregation app, my 
doctor’s office client app, and the 
client for my husband’s employer’s 
insurance plan (which covers me) 
get access to my wifi-enabled scale 
API and my fitness wearable API to 
read the results they generate. 
When a person driving a vehicle with an 
unknown ID comes into contact with 
my Solar Freakin’ Driveway, alert me 
and require my access approval.
20 
The user 
experience 
can simulate 
OAuth or 
proprietary 
sharing 
paradigms, or 
even be invisible 
(“better than 
OAuth”)
21 
The RS 
exposes 
whatever 
value-add API 
it wants, 
protected by 
an AS 
The RPT is the main 
“access token” and (by 
default – it’s profilable) is 
associated with time-limited, 
scoped 
permissions 
App-specific API 
UMA-enabled 
client 
RPT 
requesting party 
token
22 
The AS 
exposes an 
UMA-standardized 
protection 
API to the RS 
The PAT protects the 
API and binds the RO, 
RS, and AS 
Protection API 
Protection client 
PAT 
protection API token 
• Resource registration endpoint 
• Permission registration endpoint 
• Token introspection endpoint
23 
The AS 
exposes an 
UMA-standardized 
authorization 
API to the 
client 
The AAT protects the API 
and binds the RqP, client, 
and AS 
The client may be told: 
“need_claims” 
Authorization API 
AAT 
Authorization client 
authorization API token 
• Authorization request endpoint
24 
The AS can collect requesting 
party “claims” to assess policy 
A “claims-aware” client can 
proactively push an OpenID 
Connect ID token, a SAML 
assertion, a SCIM record, or 
other available user data to the 
AS per the access federation’s 
trust framework 
A “claims-unaware” client can, at 
minimum, redirect the 
requesting party to the AS to log 
in, press an “I Agree” button, fill 
in a form, follow a NASCAR for 
federated login, etc.
25 
Applying the UMA paradigm to a 
fitness wearable use case 
■ The device user is the resource owner, 
with discretionary resource access 
control rights 
– Access control confers proactive privacy 
capabilities through policy 
■ The device+service combination is likely 
to use an (out-of-band wrt UMA) 
constrained-device IoT protocol
26 
Benefits of the approach 
■ Flexibility in binding an individual to a device and to a corresponding service 
account 
– Enables persistent or temporary device controllers 
■ Flexibility and centralization in letting an individual choose sharing settings 
– Accommodating OAuth-style sharing with apps that the device user himself uses and also third 
parties 
■ Comprehensive yet simple platform approach to device service protection 
and access control 
– Enabling third-party services and devices to join an ecosystem 
■ Future-proofing if the platform operator needs to outsource protection to 
regulation-driven, consumer-driven, or healthcare-ecosystem-driven 
authorization services
27 
Concept mappings 
■ Device user 
■ Device + service 
■ Device certificate 
■ Service APIs exposing PII 
■ IoT identity/authorization platform 
■ PII-accessing web/native app 
■ PII-accessing app credentials 
■ User of PII-accessing app 
■ Onboarding device + user 
■ Onboarding app + user 
■ Device user sharing policy 
■ Dynamic entitlement management 
■ UMA resource owner (RO) 
■ UMA resource server (RS) 
■ UMA RS OAuth client credentials 
■ UMA protected resources 
■ UMA authz server (AS) 
■ UMA client 
■ UMA client OAuth client credentials 
■ UMA requesting party (RqP) 
■ Protection API token (PAT) 
■ Authz API token (AAT) 
■ RqP claims-gathering 
■ UMA requesting party token (RPT)
Conclusion and next steps
29 
UMA use-case scenario domains 
Health 
Financial 
Education 
Personal 
Citizen 
Media 
Behavioral 
Web 
Mobile 
API 
IoT
30 
UMA wrt the the “ACE actors” 
Partitioning
31 
How does User-Managed 
Access do? 
Scale 
Discovery 
Privacy 
Flexibility 
Partitioning 
?
32 
Next steps and future work 
■ A variety of IoT, web, and API case studies have been 
contributed 
■ Enterprise API use cases have been deployed in 
production 
■ Open source is available and more is expected 
■ Intel has done an experimental industrial IoT 
implementation in node.js 
■ V1.0 of the protocol is slated to be completed in Q1 
2015 
■ Further IoT investigation on disconnected operation 
modes, proof-of-possession tokens, etc. is warranted
Thank you! 
FORGEROCK.COM 
Eve Maler 
VP Innovation & Emerging Technology 
eve.maler@forgerock.com 
@xmlgrrl

Mais conteúdo relacionado

Mais procurados

FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENTFUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENTForgeRock
 
Kantara - Consent & Information Sharing WG Update
Kantara - Consent & Information Sharing WG UpdateKantara - Consent & Information Sharing WG Update
Kantara - Consent & Information Sharing WG Updatekantarainitiative
 
IAM for the Masses: Managing Consumer Identities
IAM for the Masses: Managing Consumer Identities IAM for the Masses: Managing Consumer Identities
IAM for the Masses: Managing Consumer Identities ForgeRock
 
Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Ubisecure
 
The Road to Intelligent Authentication Journeys
The Road to Intelligent Authentication JourneysThe Road to Intelligent Authentication Journeys
The Road to Intelligent Authentication JourneysForgeRock
 
2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity management2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity managementshivan82
 
Spellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesSpellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesUbisecure
 
Inside Security - Strong Authentication with Smartphones
Inside Security - Strong Authentication with SmartphonesInside Security - Strong Authentication with Smartphones
Inside Security - Strong Authentication with SmartphonesUbisecure
 
Kantara a Global Context 2011
Kantara a Global Context 2011Kantara a Global Context 2011
Kantara a Global Context 2011kantarainitiative
 
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity ForgeRock
 
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...CloudIDSummit
 
Applying Innovative Tools for GDPR Success
Applying Innovative Tools for GDPR SuccessApplying Innovative Tools for GDPR Success
Applying Innovative Tools for GDPR SuccessForgeRock
 
BUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENT
BUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENTBUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENT
BUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENTForgeRock
 
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock
 
Identity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGES
Identity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGESIdentity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGES
Identity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGESForgeRock
 
Aditro - IAM as part of Cloud Business strategy
Aditro - IAM as part of Cloud Business strategyAditro - IAM as part of Cloud Business strategy
Aditro - IAM as part of Cloud Business strategyUbisecure
 
apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...
apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...
apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...apidays
 
Cloud identity access management market
Cloud identity access management marketCloud identity access management market
Cloud identity access management marketAllied Market Research
 
GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...
GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...
GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...ForgeRock
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateBjorn Hjelm
 

Mais procurados (20)

FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENTFUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
 
Kantara - Consent & Information Sharing WG Update
Kantara - Consent & Information Sharing WG UpdateKantara - Consent & Information Sharing WG Update
Kantara - Consent & Information Sharing WG Update
 
IAM for the Masses: Managing Consumer Identities
IAM for the Masses: Managing Consumer Identities IAM for the Masses: Managing Consumer Identities
IAM for the Masses: Managing Consumer Identities
 
Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018
 
The Road to Intelligent Authentication Journeys
The Road to Intelligent Authentication JourneysThe Road to Intelligent Authentication Journeys
The Road to Intelligent Authentication Journeys
 
2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity management2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity management
 
Spellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesSpellpoint - Securing Access for Microservices
Spellpoint - Securing Access for Microservices
 
Inside Security - Strong Authentication with Smartphones
Inside Security - Strong Authentication with SmartphonesInside Security - Strong Authentication with Smartphones
Inside Security - Strong Authentication with Smartphones
 
Kantara a Global Context 2011
Kantara a Global Context 2011Kantara a Global Context 2011
Kantara a Global Context 2011
 
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
 
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
 
Applying Innovative Tools for GDPR Success
Applying Innovative Tools for GDPR SuccessApplying Innovative Tools for GDPR Success
Applying Innovative Tools for GDPR Success
 
BUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENT
BUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENTBUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENT
BUSINESS CASES AND IDENTITY RELATIONSHIP MANAGEMENT
 
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
 
Identity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGES
Identity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGESIdentity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGES
Identity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGES
 
Aditro - IAM as part of Cloud Business strategy
Aditro - IAM as part of Cloud Business strategyAditro - IAM as part of Cloud Business strategy
Aditro - IAM as part of Cloud Business strategy
 
apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...
apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...
apidays LIVE London 2021 - Open Insurance & Smart Contracts by Giovanni Lesna...
 
Cloud identity access management market
Cloud identity access management marketCloud identity access management market
Cloud identity access management market
 
GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...
GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...
GDPR is coming in Hot. Top Burning Questions Answered to Help You Keep Your C...
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG Update
 

Semelhante a Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usability to Strong Security

NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESS
NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESSNEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESS
NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESSForgeRock
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
An Overview of OPC UA Security
An Overview of OPC UA SecurityAn Overview of OPC UA Security
An Overview of OPC UA SecuritySadatulla Zishan
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 
API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?Akana
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
Datasheet over privileged_users
Datasheet over privileged_usersDatasheet over privileged_users
Datasheet over privileged_usersCristian Garcia G.
 
OAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration PresentationOAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration PresentationKnoldus Inc.
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCloudIDSummit
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFernando Lopez Aguilar
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfMohitRampal5
 
API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?Akana
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE ArchitecturesFIWARE
 
Con8823 access management for the internet of things-final
Con8823   access management for the internet of things-finalCon8823   access management for the internet of things-final
Con8823 access management for the internet of things-finalOracleIDM
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 

Semelhante a Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usability to Strong Security (20)

UMA for ACE
UMA for ACEUMA for ACE
UMA for ACE
 
Uma webinar 2014 03-20
Uma webinar 2014 03-20Uma webinar 2014 03-20
Uma webinar 2014 03-20
 
NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESS
NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESSNEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESS
NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESS
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
An Overview of OPC UA Security
An Overview of OPC UA SecurityAn Overview of OPC UA Security
An Overview of OPC UA Security
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 
Oauth ebook-2012-02
Oauth ebook-2012-02Oauth ebook-2012-02
Oauth ebook-2012-02
 
API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
Datasheet over privileged_users
Datasheet over privileged_usersDatasheet over privileged_users
Datasheet over privileged_users
 
OAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration PresentationOAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration Presentation
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open Standards
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access Control
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
 
API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE Architectures
 
Con8823 access management for the internet of things-final
Con8823   access management for the internet of things-finalCon8823   access management for the internet of things-final
Con8823 access management for the internet of things-final
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 

Mais de ForgeRock

Digital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at ScaleDigital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at ScaleForgeRock
 
Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
Get the Exact Identity Solution You Need - In the Cloud - AWS and BeyondGet the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
Get the Exact Identity Solution You Need - In the Cloud - AWS and BeyondForgeRock
 
Identity Live Sydney: Identity Management - A Strategic Opportunity
Identity Live Sydney: Identity Management  - A Strategic OpportunityIdentity Live Sydney: Identity Management  - A Strategic Opportunity
Identity Live Sydney: Identity Management - A Strategic OpportunityForgeRock
 
Identity Live Singapore: Transform Your Cybersecurity Capability
Identity Live Singapore: Transform Your Cybersecurity CapabilityIdentity Live Singapore: Transform Your Cybersecurity Capability
Identity Live Singapore: Transform Your Cybersecurity CapabilityForgeRock
 
Identity Live Singapore 2018 Keynote Presentation
Identity Live Singapore 2018 Keynote PresentationIdentity Live Singapore 2018 Keynote Presentation
Identity Live Singapore 2018 Keynote PresentationForgeRock
 
Identity Live Sydney 2018 Keynote Presentation
Identity Live Sydney 2018 Keynote PresentationIdentity Live Sydney 2018 Keynote Presentation
Identity Live Sydney 2018 Keynote PresentationForgeRock
 
Identity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'EmIdentity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'EmForgeRock
 
Identity Live Singapore: Building Trust & Privacy in a Connected Society
Identity Live Singapore: Building Trust & Privacy in a Connected SocietyIdentity Live Singapore: Building Trust & Privacy in a Connected Society
Identity Live Singapore: Building Trust & Privacy in a Connected SocietyForgeRock
 
Identity Live Sydney: Intelligent Authentication
Identity Live Sydney: Intelligent Authentication Identity Live Sydney: Intelligent Authentication
Identity Live Sydney: Intelligent Authentication ForgeRock
 
Identity Live Sydney: Building Trust and Privacy in a Connected Society
Identity Live  Sydney:  Building Trust and Privacy in a Connected SocietyIdentity Live  Sydney:  Building Trust and Privacy in a Connected Society
Identity Live Sydney: Building Trust and Privacy in a Connected SocietyForgeRock
 
Get the Exact Identity Solution you Need in the Cloud - Deep Dive
Get the Exact Identity Solution you Need in the Cloud - Deep DiveGet the Exact Identity Solution you Need in the Cloud - Deep Dive
Get the Exact Identity Solution you Need in the Cloud - Deep DiveForgeRock
 
Get the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - OverviewGet the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - OverviewForgeRock
 
Opening Keynote (Identity Live Berlin 2018)
Opening Keynote (Identity Live Berlin 2018)Opening Keynote (Identity Live Berlin 2018)
Opening Keynote (Identity Live Berlin 2018)ForgeRock
 
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...ForgeRock
 
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)
BMW Group - Identity Enables the Next 100 Years..  (Identity Live Berlin 2018)BMW Group - Identity Enables the Next 100 Years..  (Identity Live Berlin 2018)
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)ForgeRock
 
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...ForgeRock
 
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...ForgeRock
 
Shift from GDPR readiness to sustained compliance to improve your business an...
Shift from GDPR readiness to sustained compliance to improve your business an...Shift from GDPR readiness to sustained compliance to improve your business an...
Shift from GDPR readiness to sustained compliance to improve your business an...ForgeRock
 
Intelligent Authentication (Identity Live Berlin 2018)
Intelligent Authentication  (Identity Live Berlin 2018)Intelligent Authentication  (Identity Live Berlin 2018)
Intelligent Authentication (Identity Live Berlin 2018)ForgeRock
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilForgeRock
 

Mais de ForgeRock (20)

Digital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at ScaleDigital Identities in the Internet of Things - Securely Manage Devices at Scale
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
 
Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
Get the Exact Identity Solution You Need - In the Cloud - AWS and BeyondGet the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
 
Identity Live Sydney: Identity Management - A Strategic Opportunity
Identity Live Sydney: Identity Management  - A Strategic OpportunityIdentity Live Sydney: Identity Management  - A Strategic Opportunity
Identity Live Sydney: Identity Management - A Strategic Opportunity
 
Identity Live Singapore: Transform Your Cybersecurity Capability
Identity Live Singapore: Transform Your Cybersecurity CapabilityIdentity Live Singapore: Transform Your Cybersecurity Capability
Identity Live Singapore: Transform Your Cybersecurity Capability
 
Identity Live Singapore 2018 Keynote Presentation
Identity Live Singapore 2018 Keynote PresentationIdentity Live Singapore 2018 Keynote Presentation
Identity Live Singapore 2018 Keynote Presentation
 
Identity Live Sydney 2018 Keynote Presentation
Identity Live Sydney 2018 Keynote PresentationIdentity Live Sydney 2018 Keynote Presentation
Identity Live Sydney 2018 Keynote Presentation
 
Identity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'EmIdentity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'Em
 
Identity Live Singapore: Building Trust & Privacy in a Connected Society
Identity Live Singapore: Building Trust & Privacy in a Connected SocietyIdentity Live Singapore: Building Trust & Privacy in a Connected Society
Identity Live Singapore: Building Trust & Privacy in a Connected Society
 
Identity Live Sydney: Intelligent Authentication
Identity Live Sydney: Intelligent Authentication Identity Live Sydney: Intelligent Authentication
Identity Live Sydney: Intelligent Authentication
 
Identity Live Sydney: Building Trust and Privacy in a Connected Society
Identity Live  Sydney:  Building Trust and Privacy in a Connected SocietyIdentity Live  Sydney:  Building Trust and Privacy in a Connected Society
Identity Live Sydney: Building Trust and Privacy in a Connected Society
 
Get the Exact Identity Solution you Need in the Cloud - Deep Dive
Get the Exact Identity Solution you Need in the Cloud - Deep DiveGet the Exact Identity Solution you Need in the Cloud - Deep Dive
Get the Exact Identity Solution you Need in the Cloud - Deep Dive
 
Get the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - OverviewGet the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - Overview
 
Opening Keynote (Identity Live Berlin 2018)
Opening Keynote (Identity Live Berlin 2018)Opening Keynote (Identity Live Berlin 2018)
Opening Keynote (Identity Live Berlin 2018)
 
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
 
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)
BMW Group - Identity Enables the Next 100 Years..  (Identity Live Berlin 2018)BMW Group - Identity Enables the Next 100 Years..  (Identity Live Berlin 2018)
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)
 
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
 
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
 
Shift from GDPR readiness to sustained compliance to improve your business an...
Shift from GDPR readiness to sustained compliance to improve your business an...Shift from GDPR readiness to sustained compliance to improve your business an...
Shift from GDPR readiness to sustained compliance to improve your business an...
 
Intelligent Authentication (Identity Live Berlin 2018)
Intelligent Authentication  (Identity Live Berlin 2018)Intelligent Authentication  (Identity Live Berlin 2018)
Intelligent Authentication (Identity Live Berlin 2018)
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah Khalil
 

Último

UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 

Último (20)

UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 

Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usability to Strong Security

  • 1. Consumerizing Industrial IoT Access Control Using UMA to Add Privacy and Usability to Strong Security FORGEROCK.COM Eve Maler VP Innovation & Emerging Technology eve.maler@forgerock.com @xmlgrrl October 2014
  • 2. 2 Agenda ■ Who am I? ■ Authorization challenges ■ Testing out web authorization solutions ■ Introducing User-Managed Access (UMA) ■ Conclusions and future work
  • 3. Constrained environments present major authorization challenges h/t @gffletch, @domcat
  • 4. 4 We need it for Internet-connected dishwashers… flickr.com | n1ct4yl0r | CC BY-NC-ND 2.0 | link
  • 5. 5 …smart medical thingies…
  • 6. 6 …and Solar Freakin’ Roadways
  • 7. 7 What are the requirements? Scale Discovery
  • 8. 8 What are the requirements? Privacy Flexibility flickr.com | ahilliker | CC BY-NC-ND 2.0 | link
  • 9. 9 What are the requirements? Partitioning
  • 10. How far do existing web authorization and consent technologies take us? flickr.com | smemon | CC BY 2.0 | link
  • 11. 11 Extensible Access Control Markup Language (XACML) Scale Discovery Privacy Flexibility Partitioning X X ? X ?
  • 12. 12 OAuth 2.0 Authorization Framework Scale Discovery Privacy Flexibility Partitioning ? ? ? ?
  • 13. 13 How do we share data informally on the web? It’s not good…
  • 14. flickr.com | thomashawk | CC BY-NC 2.0 | link Introducing User-Managed Access (UMA)
  • 15. 15 UMA in a nutshell ■ Draft standard for “authorization V.next” ■ Profile and application of OAuth V2.0 ■ Set of authorization, privacy, and consent APIs ■ Work Group of the Kantara Initiative ■ Founder, chair, and “chief UMAnitarian”: ■ Heading to V1.0 in Q1 2015 ■ In interop testing now
  • 16. 16 The UMA protocol enables key new selective sharing options I want to share this stuff selectively • Among my own apps • With family and friends • With organizations I want to protect this stuff from being seen by everyone in the world I want to control access proactively, not just feel forced to consent over and over
  • 17. 17 Under the hood, it’s “OAuth++” Loosely coupled to enable an AS to onboard multiple RS’s, residing in any security domains This concept is new, to enable person-to-person sharing driven by RO policy vs. run-time consent
  • 18. 18 UMA is about interoperable, RESTful authorization-as-a-service Has standardized APIs for privacy and “selective sharing” Outsources protection to a centralizable authorization server “authz provider” (AzP) “authz relying party” (AzRP) identity provider (IdP) SSO relying party (RP)
  • 19. 19 UMA-enabled systems can respect policies such as… Only let my tax preparer with email TP1234@gmail.com and using client app TaxThis access my bank account data if they have authenticated strongly, and not after tax season is over. Let my health aggregation app, my doctor’s office client app, and the client for my husband’s employer’s insurance plan (which covers me) get access to my wifi-enabled scale API and my fitness wearable API to read the results they generate. When a person driving a vehicle with an unknown ID comes into contact with my Solar Freakin’ Driveway, alert me and require my access approval.
  • 20. 20 The user experience can simulate OAuth or proprietary sharing paradigms, or even be invisible (“better than OAuth”)
  • 21. 21 The RS exposes whatever value-add API it wants, protected by an AS The RPT is the main “access token” and (by default – it’s profilable) is associated with time-limited, scoped permissions App-specific API UMA-enabled client RPT requesting party token
  • 22. 22 The AS exposes an UMA-standardized protection API to the RS The PAT protects the API and binds the RO, RS, and AS Protection API Protection client PAT protection API token • Resource registration endpoint • Permission registration endpoint • Token introspection endpoint
  • 23. 23 The AS exposes an UMA-standardized authorization API to the client The AAT protects the API and binds the RqP, client, and AS The client may be told: “need_claims” Authorization API AAT Authorization client authorization API token • Authorization request endpoint
  • 24. 24 The AS can collect requesting party “claims” to assess policy A “claims-aware” client can proactively push an OpenID Connect ID token, a SAML assertion, a SCIM record, or other available user data to the AS per the access federation’s trust framework A “claims-unaware” client can, at minimum, redirect the requesting party to the AS to log in, press an “I Agree” button, fill in a form, follow a NASCAR for federated login, etc.
  • 25. 25 Applying the UMA paradigm to a fitness wearable use case ■ The device user is the resource owner, with discretionary resource access control rights – Access control confers proactive privacy capabilities through policy ■ The device+service combination is likely to use an (out-of-band wrt UMA) constrained-device IoT protocol
  • 26. 26 Benefits of the approach ■ Flexibility in binding an individual to a device and to a corresponding service account – Enables persistent or temporary device controllers ■ Flexibility and centralization in letting an individual choose sharing settings – Accommodating OAuth-style sharing with apps that the device user himself uses and also third parties ■ Comprehensive yet simple platform approach to device service protection and access control – Enabling third-party services and devices to join an ecosystem ■ Future-proofing if the platform operator needs to outsource protection to regulation-driven, consumer-driven, or healthcare-ecosystem-driven authorization services
  • 27. 27 Concept mappings ■ Device user ■ Device + service ■ Device certificate ■ Service APIs exposing PII ■ IoT identity/authorization platform ■ PII-accessing web/native app ■ PII-accessing app credentials ■ User of PII-accessing app ■ Onboarding device + user ■ Onboarding app + user ■ Device user sharing policy ■ Dynamic entitlement management ■ UMA resource owner (RO) ■ UMA resource server (RS) ■ UMA RS OAuth client credentials ■ UMA protected resources ■ UMA authz server (AS) ■ UMA client ■ UMA client OAuth client credentials ■ UMA requesting party (RqP) ■ Protection API token (PAT) ■ Authz API token (AAT) ■ RqP claims-gathering ■ UMA requesting party token (RPT)
  • 29. 29 UMA use-case scenario domains Health Financial Education Personal Citizen Media Behavioral Web Mobile API IoT
  • 30. 30 UMA wrt the the “ACE actors” Partitioning
  • 31. 31 How does User-Managed Access do? Scale Discovery Privacy Flexibility Partitioning ?
  • 32. 32 Next steps and future work ■ A variety of IoT, web, and API case studies have been contributed ■ Enterprise API use cases have been deployed in production ■ Open source is available and more is expected ■ Intel has done an experimental industrial IoT implementation in node.js ■ V1.0 of the protocol is slated to be completed in Q1 2015 ■ Further IoT investigation on disconnected operation modes, proof-of-possession tokens, etc. is warranted
  • 33. Thank you! FORGEROCK.COM Eve Maler VP Innovation & Emerging Technology eve.maler@forgerock.com @xmlgrrl