Copyright © 2016 ForgeRock, All Rights Reserved. 1
The Future of Privacy in the IoT Era
From Data Protection to Consent and User Control
Eve Maler @xmlgrrl
VP Innovation & Emerging Technology
ForgeRock Office of the CTO

Introduction

In January 2016, ForgeRock released the latest version of its Identity Platform. The ForgeRock Identity Platform makes it easier for organizations to establish trusted digital relationships with customers, and address rapidly changing data privacy regulations. Incorporating consent-by-default and consent-by-design principles, the ForgeRock Identity Platform is the first identity management platform to implement the User-Managed Access (UMA) standard. These features make the ForgeRock Identity Platform ideal for the new-era business environment shaped by more rigorous privacy demands, the fast-expanding Internet of Things (IoT), and the growing API economy.
What is disrupting the practice of privacy?

There are three major forces undermining the data privacy status quo:

1. A rapidly shifting regulatory environment. In October 2015, the European Court of Justice called into question the international Safe Harbor Privacy Principles. The ruling against Safe Harbor was a watershed event because it essentially dismantled the long-standing framework that enabled U.S. enterprises to comply most expediently with the EU Directive on the protection of personal data transferred to the US. A “Safe Harbor 2.0” solution may arise. In early February 2016 the vice president of the European Commission in charge of the digital single market announced a new framework, called the EU-US Privacy Shield. This new mechanism was described as “robust” with “strong protections in place” to protect EU citizens’ data. Yet with critics inside and outside the EU characterizing the proposed Privacy Shield as having the same legal frailties as Safe Harbor, it is likely that the regulatory situation will remain unresolved for months to come. In the meantime, the European Union’s emerging General Data Protection Regulation (GDPR) takes as a basic principle that individuals have fundamental rights and freedoms regarding control of and consent over their data. Because the bar for meeting regulations is rising, it is likely that tactical compliance efforts will provide a temporary solution at best.

2. The Internet of Things. Gartner, Inc. forecasts that the Internet of Things (IoT) – the fast-emerging world of smart cars, smart homes, smart cities, cloud-connected healthcare devices and processor-enabled appliances – will bring 6.4 billion connected things into use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day. This astonishingly rapid pace of change will pose enormous challenges to businesses and the public sector in terms of securely connecting devices, cloud services and things to individual customers and citizens. IoT means more data sources, more data volume, and a greater ability for organizations to create big-data insights that threaten people’s sense of privacy. But it also means individuals have a greater ability to harness an organization’s power to use these insights for their own benefit, as long as the use of the data was consented to and transparent.

3. Digital transformation, disruption and the API economy. Organizations within many industries are pursuing “digital transformation” strategies, prioritizing new processes and workflows that use cloud and social platforms to build on and integrate with on-premise applications. This trend is driven largely by the fact that the world is currently going through a massive transition where longstanding industry business models are being disrupted by innovators using mobile and cloud services. We’ve seen this with Uber upending taxis and car services, Netflix quickly outpacing Blockbuster, Airbnb transforming the hospitality industry, and on and on. The API economy is changing the way businesses monetize their offerings, and technology innovations make it possible for businesses to reach out to bigger audiences. In turn, businesses need to be ready to manage large volumes of data securely. The modern IoT is an outgrowth of the API economy, leading to an explosion of business opportunities that can be tapped if technology can provide a safe and secure mode of interaction. Given this context, enterprise security and identity management have acquired a whole new meaning, as identities now have to work seamlessly across hybrid IT environments that include cloud and on-premise solutions.
Data Privacy is Top of Mind

ForgeRock conducted a survey of IT security and privacy experts in early 2016, finding near unanimous agreement that data privacy has become a central business concern across multiple industry sectors. 95% of surveyed IT organizations agree that individuals are becoming increasingly more concerned about their personal data privacy and their ability to control, manage and share data about themselves online.
What does the EU General Data Protection Regulation mean outside Europe?

The General Data Protection Regulation is the proposed law designed to strengthen and unify data protection and privacy for individuals within the European Union (EU), and is expected to be ratified at some point in 2016. If you are responsible for business outside of Europe, the GDPR will be important on a variety of levels. But until it passes into law, businesses will need to cope with a period of regulatory uncertainty. Since there is currently no single EU data privacy standard, organizations doing business with EU consumers will be subject to the various laws of the 28 individual EU states.

Does this mean the new regulatory regime will force the hand of businesses wanting to take advantage of the IoT?

Yes, but it’s not just the legal ramifications of web and mobile apps scraping personal information. When it comes to the IoT, it’s also about the sheer number of data sources, the impracticality of limiting collection, and the inability to manage literal explicit consent to collection one by one. You can’t keep clicking “I agree” every time your smart socks want to record a heel strike, or your smart bed senses you getting up in the night.

People will have to get ahead of the curve – and they often have positive reasons to want to share that data, but only with personal trainers, doctors, and third-party marathon training apps. As the IoT matures, consent will need to adhere to a set of characteristics that support a range of relationships and situations. The ForgeRock Identity Platform with its UMA capabilities is designed for exactly this kind of data privacy environment.
Regulations Demand Increased Data Privacy

96% of surveyed IT organizations agree that the emerging European regulations for data protection create a need for better tools and standards for ensuring personal data protection, privacy and consent.
1. EU-US Safe Harbor: Model Clauses – Not All They’re Cracked Up to Be…, Cloud Security Industry Blog, October 25, 2015. https://blog.cloudsecurityalliance.org/2015/10/21/eu-us-safe-harbor-model-clauses-not-all-theyre-cracked-up-to-be/
“As the influence of the IoT spreads to all aspects of our lives, the ability to adapt access management capabilities quickly will become pivotal to future business success. Furthermore, with consumer expectations surrounding data security and privacy higher than ever before, standards such as UMA will soon become the industry benchmark to which all organizations must conform.”
—Martin Kuppinger, Founder and Principal Analyst, KuppingerCole
What will access control and consent look like in the emerging GDPR era?

With the uncertainty surrounding Safe Harbor and the imminent dawning of GDPR, it’s becoming clear that we’re heading toward a data privacy future that will need to be built on individual consent. And not just one-time, click on an “I Agree” to terms and conditions button on/off consent, but ongoing, fine-grained, proactive, scalable consent.

This has been a challenge to date because “consent tech” has been thin on the ground until recently, unless you count opt-in checkboxes, cookie directive acknowledgment buttons, and the like. But using the examples of successful online services that have built-in data sharing and control features – think Share buttons – for mutual user-business benefit, we see a way forward.

The only thing left is honest, genuine consent.
Privacy Concerns Reach the Boardroom

Only 4% of surveyed IT organizations agree that customer data privacy concerns are not a critical issue at the C-level.
[Figure: How individuals could control personal data and device access in the IoT environment]

“To gain the trust of individuals, ecosystems, and regulators in the digital economy, businesses must possess strong security and ethics at each stage of the customer journey. And new products and services must be ethical- and secure-by-design. Businesses that get this right will enjoy such high levels of trust that their customers will look to them as guides for the digital future.”
—Accenture Technology Vision 2016, People First: The Primacy of People in a Digital Age
User-Managed Access – what is it exactly?

User-Managed Access (UMA) is an OAuth-based standard designed to give an individual a unified control point for authorizing who and what can get access to a variety of cloud, mobile, and IoT data sources. OAuth focuses on service-to-app connections on behalf of a single party (let’s call her Alice), and the consent interaction takes place alongside Alice’s authentication into the service, and enables Alice to go back to each service to withdraw her consent for each app’s access. OAuth in its typical deployment models solves for person-to-self sharing (that is, Alice is the person using both the client app and the resource server app).

UMA is designed to enable Alice, in addition, to share data and API access selectively with other parties entirely (for example, Bob); to withdraw consent for that sharing in finer-grained fashion so that other data feeds can remain unperturbed; and to be able to manage delegation, consent, and withdrawal more conveniently from a central sharing hub. Further, the services that are authoritative for the data and APIs of interest and the central authorization service can conveniently establish mutual trust and interact with each other in a standardized fashion.

What could “fine grain” mean in such an environment? It depends on the service and the digital resource in question. For an IoT watch that measures and streams out different kinds of data, Alice could control whether Charlie (perhaps her husband or doctor) sees her pulse or sleep data. For an online social profile, Alice could control whether DavidCo (a marketing company requesting data access) sees her geolocation and behavioral data.
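As an added illustration of the roles this section describes (resource owner, resource server, central authorization service, requesting party), the following Python model is not ForgeRock's code and does not implement the UMA wire protocol: no tokens, endpoints or claims gathering are modelled, and the class and method names, the parties (Alice, Bob, Charlie, DavidCo) and the sample watch readings are constructed for the example. It shows the two properties the text emphasises: the resource server defers every access decision to the owner's authorization service (default deny), and withdrawing Charlie's access to one feed leaves every other feed and every other party unperturbed, with each grant, withdrawal and decision recorded for audit.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Resource:
    """A registered data source, e.g. the pulse feed of an IoT watch (constructed example)."""
    owner: str          # resource owner (Alice)
    server: str         # resource server that is authoritative for the data
    name: str           # "pulse", "sleep", ...
    scopes: Set[str]    # scopes the resource server supports on it


class AuthorizationServer:
    """Alice's central sharing hub: registrations, per-party sharing policies,
    and an audit trail of every grant, withdrawal and decision (hypothetical API)."""

    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}
        # (resource_id, requesting party) -> scopes the owner has granted
        self.policies: Dict[Tuple[str, str], Set[str]] = {}
        self.audit: List[str] = []

    def register(self, resource_id: str, resource: Resource) -> None:
        self.resources[resource_id] = resource
        self.audit.append(f"register {resource_id} owner={resource.owner}")

    def share(self, owner: str, resource_id: str, party: str, scopes: Set[str]) -> None:
        """Only the owner may share, and only scopes the resource server supports."""
        res = self.resources[resource_id]
        if res.owner != owner:
            raise PermissionError(f"{owner} does not own {resource_id}")
        unsupported = scopes - res.scopes
        if unsupported:
            raise ValueError(f"{resource_id} has no scope {sorted(unsupported)}")
        self.policies.setdefault((resource_id, party), set()).update(scopes)
        self.audit.append(f"{owner} shared {resource_id} {sorted(scopes)} with {party}")

    def withdraw(self, owner: str, resource_id: str, party: str,
                 scopes: Optional[Set[str]] = None) -> None:
        """Withdraw some (or, with scopes=None, all) of one party's access to one
        resource; every other party and every other resource stays unperturbed."""
        if self.resources[resource_id].owner != owner:
            raise PermissionError(f"{owner} does not own {resource_id}")
        key = (resource_id, party)
        if key not in self.policies:
            return
        if scopes is None:
            del self.policies[key]
        else:
            self.policies[key] -= scopes
            if not self.policies[key]:
                del self.policies[key]
        self.audit.append(f"{owner} withdrew {scopes or 'all'} on {resource_id} from {party}")

    def authorize(self, resource_id: str, party: str, scope: str) -> bool:
        """Policy decision the resource server defers to; anything not granted is denied."""
        decision = scope in self.policies.get((resource_id, party), set())
        self.audit.append(f"{party} {scope} {resource_id}: {'permit' if decision else 'deny'}")
        return decision


class ResourceServer:
    """A data source that trusts the authorization server for access decisions."""

    def __init__(self, name: str, auth_server: AuthorizationServer) -> None:
        self.name = name
        self.auth_server = auth_server
        self.data: Dict[str, str] = {}   # resource_id -> payload (constructed sample data)

    def register(self, owner: str, name: str, scopes: Set[str], payload: str) -> str:
        resource_id = f"{self.name}:{name}"
        self.data[resource_id] = payload
        self.auth_server.register(resource_id, Resource(owner, self.name, name, set(scopes)))
        return resource_id

    def handle_request(self, party: str, resource_id: str, scope: str) -> str:
        """Return an HTTP-style outcome; the decision itself is made by the AS."""
        if resource_id not in self.data:
            return "404 not found"
        if self.auth_server.authorize(resource_id, party, scope):
            return f"200 {self.data[resource_id]}"
        return "403 forbidden"


def demo() -> Dict[str, str]:
    """Alice shares watch data with Charlie but not DavidCo, then withdraws only the sleep share."""
    auth = AuthorizationServer()
    watch = ResourceServer("iot-watch", auth)
    pulse = watch.register("alice", "pulse", {"read"}, "pulse=62bpm")   # constructed readings
    sleep = watch.register("alice", "sleep", {"read"}, "sleep=7h")
    auth.share("alice", pulse, "charlie", {"read"})
    auth.share("alice", sleep, "charlie", {"read"})
    out = {
        "charlie_pulse": watch.handle_request("charlie", pulse, "read"),
        "charlie_sleep": watch.handle_request("charlie", sleep, "read"),
        "davidco_pulse": watch.handle_request("davidco", pulse, "read"),
    }
    try:   # Bob is not the owner, so he cannot share Alice's data onward
        auth.share("bob", pulse, "davidco", {"read"})
        out["bob_share"] = "allowed"
    except PermissionError:
        out["bob_share"] = "refused"
    auth.withdraw("alice", sleep, "charlie")   # fine-grained: only the sleep feed, only Charlie
    out["charlie_sleep_after"] = watch.handle_request("charlie", sleep, "read")
    out["charlie_pulse_after"] = watch.handle_request("charlie", pulse, "read")
    out["audit_entries"] = str(len(auth.audit))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is where the policy lives: the watch never stores a list of who may read what, so a second resource server (say, the social profile holding Alice's geolocation) can register with the same `AuthorizationServer` and Alice manages both from one place, which is the "central sharing hub" property the text attributes to UMA.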
OAuth

OAuth is an open standard for authorization, commonly used as a way for Internet users to log into third party websites using their Google, Facebook or Twitter accounts without exposing their password, as well as to connect mobile apps to online services for personal data transfer and service connection purposes. For example, third-party apps that offer to connect to your Google Drive files won’t see your password, but require you to authorize their access to your Google account in order to function.
“In an era of very public data breaches and heightened consumer awareness, ‘fostering trusted digital relationships’ can’t be considered a buzz phrase. Privacy strategy must include a consent-to-share strategy that looks after the top line of the business. The UMA standard was created to give an individual a unified control point for authorizing who and what can get access to their digital data, content and services, no matter where all those things live. The new ForgeRock Identity Platform enables private and public organizations to quickly deploy secure identity services based on UMA principles.”
—Mike Ellis, CEO, ForgeRock
The UMA user experience – how will it work?

If you’ve ever used the sharing feature in Google Docs, the experience of delegating data access to others through UMA-enabled services will likely be familiar. Using a Share button for your digital data can be handy! One big difference is that Google’s Share implementation is proprietary and specific to its own applications, while app ecosystems can add support for the UMA standard even when they span many partner organizations. Another big difference is that, within such an ecosystem, you will be able to manage all the threads of data sharing and control from a single place known as an authorization service.

Why is it valuable to have a standard that has these capabilities? It could be done proprietarily, of course, as Google does with its share button. Having a standard, however, provides tremendous value to all stakeholders – individuals, businesses, governments – at a time when multiple worlds are colliding. For instance, consider that there is no such thing as a single, pure use case for sharing healthcare data that is not perhaps also a consumer use case, or that is not also perhaps a financial use case. Consider a few more scenarios where UMA could come into play.

More Convenient Everyday Interactions

1. If you’re trying to deliver online financial services, to support small businesses or tax reporting, these scenarios are filled with requirements and opportunities for delegating access to others. An employee wants to give her accountant access to her last year’s earnings statement, or a sole proprietor wants to give his contract bookkeeper selective access to some accounts. Maybe you want to give your tax accountant access to your bank accounts but only for the duration of tax season.

2. Recently we saw a story in the news about a Jeep that had been stolen. The vehicle was equipped with an onboard connectivity system, and the thieves’ smartphones all synched to that system via Bluetooth, and that helped law enforcement track down the perpetrators. Had the onboard connectivity system been equipped with UMA-based identity capabilities, however, the crime could have been stopped or prevented altogether. For instance, consent to operate the vehicle could only happen if the owner’s smartphone synched with the system.

3. Citizens traveling across borders and those trying to access government services often have reason to authorize access by others to attributes about them, such as their financial status, to enable access to government services. This shouldn’t just be a matter of passive consent; it could be a matter of a long-running relationship.

4. Imagine that you have a house chock-full of smart light bulbs and kitchen appliances made by different manufacturers. You’ve set them all up to work the way you want. Now you leave for a week, and you rent your place out through AirBnB. You want to give partial access to a partially trusted stranger, but only for a week! And then you want all the entitlements to expire. Identity technology based on the UMA standard makes it possible to do this conveniently from a single console.
New Privacy and Consent Methods Needed

91% of surveyed IT organizations agree that the current methods (i.e. check boxes, cookie acknowledgement) used to ensure data privacy and consent will not be able to adapt to the needs of the emerging digital economy.
Are there business benefits to using the new consent tools beyond simple regulatory compliance?

Yes, there are many. Coping with regulation – privacy or otherwise – is seen primarily as a cost center for most organizations. An exception might be banks and other financial services organizations that, wisely, compete to demonstrate their dedication to customer privacy. As IoT devices and technologies take on a greater role in public and private life, the business value of demonstrating this kind of commitment will only grow, as will the value of designing-in privacy in ways that increase utility and convenience.

Organizations clinging to legacy identity and data privacy infrastructure will be at a serious disadvantage, because even if traditional styles of consent interaction comply with regulations and have been deployed with a robust application of privacy discipline, they do not serve individuals particularly well. At the same time, the more innovative consent interactions that “draw outside the lines” of privacy conversations will show important hints of improvement for many aspects of personal interactions with applications, devices and things:

Choice: Maximize opportunities for individual authorization for, and mutual agreement to, personal data sharing.

Relevance: Capture consent at a time and in a manner most relevant to and convenient for the individual.

Granularity: Enable differentiation of the parameters of consent, including data sources, data items, receiving parties, and modification of consent parameters over time, including revocation, again in a manner most relevant to and convenient for the individual.

Scalability: Enable consent interactions, processes, and systems to scale to accommodate the numbers of data sources, data items, and consent functions that individuals experience.

Automation: Enable machine processing and recording of consent functions to improve speed of handling, accuracy of fulfillment, and auditability.

Reciprocity: Capture the consent of data-receiving parties in dealing with the individual, along with capturing the consent of the individual in sharing data.
The FCC Makes Its Move

On March 10, 2016, just a few days before this white paper was scheduled to publish, the U.S. Federal Communications Commission (FCC) released proposed new regulations that would prohibit ISPs from selling customer data without prior consent, and restrict the ways ISPs can market new offerings. Wired magazine identified the new FCC action as potentially “the largest and most stringent set of privacy regulations on the US technology industry to date.” As with pending EU regulations, it’s likely that the proposed FCC rules will not go into effect till late 2016 at the very earliest, and could quite possibly get challenged in court. The outlook on privacy in the IoT era: stormy.
[Figure: Requirements for Consent that Freshen up our Aspirations. Choice. Relevance: consciousness, manner, time. Granularity: sources, data items, parties, modification. Scalability: sources, data items, consent interactions. Automation: processing, recording. Reciprocity: consent of resource owner to share; consent of requesting party to be recognized.]
Conclusion
With the undermining of the Safe Harbor consensus and the emergence of the GDPR, the
public and private sectors globally stand at a data privacy crossroads. Where exactly EU
and US regulators draw the line on what is and what is not acceptable in moving personal
data across international borders remains an open question. But regardless of where and
when that question is settled, it goes without saying that any enterprise planning on fully
participating in the IoT economy will need to present customers with options to proactively
delegate, and revoke, data access to others. Identity technologies built on the UMA
standard represent the most robust and strategic option for leapfrogging the emerging global
regulatory framework for protecting the personal data of the individual. Indeed, it’s foolish
to take baby steps when businesses could also be building trusted digital relationships no
matter what government regulators are doing. Organizations that get this right – enabling
individuals to consent to data access that was requested and to deny requested access, to
monitor data access they have consented to over time, and to adjust that access upwards
and downwards whenever they wish – will drive the pace of change in the emerging IoT era.
https://www.accenture.com/us-en/insight-digital-data-security

state-of-the-internet-of-things-market-report-2016state-of-the-internet-of-things-market-report-2016
state-of-the-internet-of-things-market-report-2016
 
Top Strategic Tech Trend Predictions For 2020
Top Strategic Tech Trend Predictions For 2020Top Strategic Tech Trend Predictions For 2020
Top Strategic Tech Trend Predictions For 2020
 
Apt 510 slideshare
Apt 510 slideshareApt 510 slideshare
Apt 510 slideshare
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
Io t white-paper-final-fr-1
Io t white-paper-final-fr-1Io t white-paper-final-fr-1
Io t white-paper-final-fr-1
 
Impact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesImpact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economies
 
Top 14 IoT Trends to Emerge in 2023.pdf
Top 14 IoT Trends to Emerge in 2023.pdfTop 14 IoT Trends to Emerge in 2023.pdf
Top 14 IoT Trends to Emerge in 2023.pdf
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technology
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
Cognitive IoT Whitepaper_Dec 2015
Cognitive IoT Whitepaper_Dec 2015Cognitive IoT Whitepaper_Dec 2015
Cognitive IoT Whitepaper_Dec 2015
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliance
 
10 technology trends that will shape security industry 2018
10 technology trends that will shape security industry 201810 technology trends that will shape security industry 2018
10 technology trends that will shape security industry 2018
 
IoT Breakfast Briefing
IoT Breakfast BriefingIoT Breakfast Briefing
IoT Breakfast Briefing
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänster
 

WP-Privacy-IoT-Era - PRODUCTION

Copyright © 2016 ForgeRock, All Rights Reserved.

The Future of Privacy in the IoT Era
From Data Protection to Consent and User Control

Eve Maler @xmlgrrl
VP Innovation & Emerging Technology
ForgeRock Office of the CTO

Introduction

In January 2016, ForgeRock released the latest version of its Identity Platform. The ForgeRock Identity Platform makes it easier for organizations to establish trusted digital relationships with customers, and address rapidly changing data privacy regulations. Incorporating consent-by-default and consent-by-design principles, the ForgeRock Identity Platform is the first identity management platform to implement the User-Managed Access (UMA) standard. These features make the ForgeRock Identity Platform ideal for the new-era business environment shaped by more rigorous privacy demands, the fast-expanding Internet of Things (IoT), and the growing API economy.
What is disrupting the practice of privacy?

There are three major forces undermining the data privacy status quo:

1. A rapidly shifting regulatory environment. In October 2015, the European Court of Justice called into question the international Safe Harbor Privacy Principles. The ruling against Safe Harbor was a watershed event because it essentially dismantled the long-standing framework that enabled U.S. enterprises to comply most expediently with the EU Directive on the protection of personal data transferred to the US. A “Safe Harbor 2.0” solution may arise. In early February 2016 the vice president of the European Commission in charge of the digital single market announced a new framework, called the EU-US Privacy Shield. This new mechanism was described as “robust” with “strong protections in place” to protect EU citizens’ data. Yet with critics inside and outside the EU characterizing the proposed Privacy Shield as having the same legal frailties as Safe Harbor, it is likely that the regulatory situation will remain unresolved for months to come. In the meantime, the European Union’s emerging General Data Protection Regulation (GDPR) takes as a basic principle that individuals have fundamental rights and freedoms regarding control of and consent over their data. Because the bar for meeting regulations is rising, it is likely that tactical compliance efforts will provide a temporary solution at best.

2. The Internet of Things. Gartner, Inc. forecasts that the Internet of Things (IoT) – the fast-emerging world of smart cars, smart homes, smart cities, cloud-connected healthcare devices and processor-enabled appliances – will bring 6.4 billion connected things into use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day. This astonishingly rapid pace of change will pose enormous challenges to businesses and the public sector in terms of securely connecting devices, cloud services and things to individual customers and citizens. IoT means more data sources, more data volume, and a greater ability for organizations to create big-data insights that threaten people’s sense of privacy. But it also means individuals have a greater ability to harness an organization’s power to use these insights for their own benefit, as long as the use of the data was consented to and transparent.

3. Digital transformation, disruption and the API economy. Organizations within many industries are pursuing “digital transformation” strategies, prioritizing new processes and workflows that use cloud and social platforms to build on and integrate with on-premise applications. This trend is driven largely by the fact that the world is currently going through a massive transition where longstanding industry business models are being disrupted by innovators using mobile and cloud services. We’ve seen this with Uber upending taxis and car services, Netflix quickly outpacing Blockbuster, Airbnb transforming the hospitality industry, and on and on. The API economy is changing the way businesses monetize their offerings, and technology innovations make it possible for businesses to reach out to bigger audiences. In turn, businesses need to be ready to manage large volumes of data securely. The modern IoT is an outgrowth of the API economy, leading to an explosion of business opportunities that can be tapped if technology can provide a safe and secure mode of interaction. Given this context, enterprise security and identity management have acquired a whole new meaning, as identities now have to work seamlessly across hybrid IT environments that include cloud and on-premise solutions.

ForgeRock conducted a survey of IT security and privacy experts in early 2016, finding near unanimous agreement that data privacy has become a central business concern across multiple industry sectors.

Data Privacy is Top of Mind
95% of surveyed IT organizations agree that individuals are becoming increasingly more concerned about their personal data privacy and their ability to control, manage and share data about themselves online.
What does the EU General Data Protection Regulation mean outside Europe?

The General Data Protection Regulation is the proposed law designed to strengthen and unify data protection and privacy for individuals within the European Union (EU), and is expected to be ratified at some point in 2016. If you are responsible for business outside of Europe, the GDPR will be important on a variety of levels. But until it passes into law, businesses will need to cope with a period of regulatory uncertainty. Since there is currently no single EU data privacy standard, organizations doing business with EU consumers will be subject to the various laws of the 28 individual EU states.

Does this mean the new regulatory regime will force the hand of businesses wanting to take advantage of the IoT? Yes, but it’s not just the legal ramifications of web and mobile apps scraping personal information. When it comes to the IoT, it’s also about the sheer number of data sources, the impracticality of limiting collection, and the inability to manage literal explicit consent to collection one by one. You can’t keep clicking “I agree” every time your smart socks want to record a heel strike, or your smart bed senses you getting up in the night. People will have to get ahead of the curve – and they often have positive reasons to want to share that data, but only with personal trainers, doctors, and third-party marathon training apps. As the IoT matures, consent will need to adhere to a set of characteristics that support a range of relationships and situations. The ForgeRock Identity Platform with its UMA capabilities is designed for exactly this kind of data privacy environment.

Regulations Demand Increased Data Privacy
96% of surveyed IT organizations agree that the emerging European regulations for data protection create a need for better tools and standards for ensuring personal data protection, privacy and consent.

“As the influence of the IoT spreads to all aspects of our lives, the ability to adapt access management capabilities quickly will become pivotal to future business success. Furthermore, with consumer expectations surrounding data security and privacy higher than ever before, standards such as UMA will soon become the industry benchmark to which all organizations must conform.”
Martin Kuppinger, Founder and Principal Analyst, KuppingerCole

[1] EU-US Safe Harbor: Model Clauses – Not All They’re Cracked Up to Be…, Cloud Security Industry Blog, October 25, 2015. https://blog.cloudsecurityalliance.org/2015/10/21/eu-us-safe-harbor-model-clauses-not-all-theyre-cracked-up-to-be/
What will access control and consent look like in the emerging GDPR era?

With the uncertainty surrounding Safe Harbor and the imminent dawning of GDPR, it’s becoming clear that we’re heading toward a data privacy future that will need to be built on individual consent. And not just one-time, click on an “I Agree” to terms and conditions button on/off consent, but ongoing, fine-grained, proactive, scalable consent. This has been a challenge to date because “consent tech” has been thin on the ground until recently, unless you count opt-in checkboxes, cookie directive acknowledgment buttons, and the like. But using the examples of successful online services that have built-in data sharing and control features – think Share buttons – for mutual user-business benefit, we see a way forward. The only thing left is honest, genuine consent.

Privacy Concerns Reach the Boardroom
Only 4% of surveyed IT organizations agree that customer data privacy concerns are not a critical issue at the C-level.

[Figure: How individuals could control personal data and device access in the IoT environment]

“To gain the trust of individuals, ecosystems, and regulators in the digital economy, businesses must possess strong security and ethics at each stage of the customer journey. And new products and services must be ethical- and secure-by-design. Businesses that get this right will enjoy such high levels of trust that their customers will look to them as guides for the digital future.”
Accenture Technology Vision 2016, People First: The Primacy of People in a Digital Age
User-Managed Access – what is it exactly?

User-Managed Access (UMA) is an OAuth-based standard designed to give an individual a unified control point for authorizing who and what can get access to a variety of cloud, mobile, and IoT data sources. OAuth focuses on service-to-app connections on behalf of a single party (let’s call her Alice): the consent interaction takes place alongside Alice’s authentication into the service, and Alice can go back to each service to withdraw her consent for each app’s access. OAuth in its typical deployment models solves for person-to-self sharing (that is, Alice is the person using both the client app and the resource server app).

UMA is designed to enable Alice, in addition, to share data and API access selectively with other parties entirely (for example, Bob); to withdraw consent for that sharing in finer-grained fashion so that other data feeds can remain unperturbed; and to manage delegation, consent, and withdrawal more conveniently from a central sharing hub. Further, the services that are authoritative for the data and APIs of interest and the central authorization service can conveniently establish mutual trust and interact with each other in a standardized fashion.

What could “fine grain” mean in such an environment? It depends on the service and the digital resource in question. For an IoT watch that measures and streams out different kinds of data, Alice could control whether Charlie (perhaps her husband or doctor) sees her pulse or sleep data. For an online social profile, Alice could control whether DavidCo (a marketing company requesting data access) sees her geolocation and behavioral data.

OAuth
OAuth is an open standard for authorization, commonly used as a way for Internet users to log into third-party websites using their Google, Facebook or Twitter accounts without exposing their password, as well as to connect mobile apps to online services for personal data transfer and service connection purposes. For example, third-party apps that offer to connect to your Google Drive files won’t see your password, but require you to authorize their access to your Google account in order to function.

“In an era of very public data breaches and heightened consumer awareness, ‘fostering trusted digital relationships’ can’t be considered a buzz phrase. Privacy strategy must include a consent-to-share strategy that looks after the top line of the business. The UMA standard was created to give an individual a unified control point for authorizing who and what can get access to their digital data, content and services, no matter where all those things live. The new ForgeRock Identity Platform enables private and public organizations to quickly deploy secure identity services based on UMA principles.”
Mike Ellis, CEO, ForgeRock
The UMA user experience – how will it work?

If you’ve ever used the sharing feature in Google Docs, the experience of delegating data access to others through UMA-enabled services will likely be familiar. Using a Share button for your digital data can be handy! One big difference is that Google’s Share implementation is proprietary and specific to its own applications, while app ecosystems can add support for the UMA standard even when they span many partner organizations. Another big difference is that, within such an ecosystem, you will be able to manage all the threads of data sharing and control from a single place known as an authorization service.

Why is it valuable to have a standard that has these capabilities? It could be done proprietarily, of course, as Google does with its share button. Having a standard, however, provides tremendous value to all stakeholders – individuals, businesses, governments – at a time when multiple worlds are colliding. For instance, consider that there is no such thing as a single, pure use case for sharing healthcare data that is not perhaps also a consumer use case, or that is not also perhaps a financial use case. Consider a few more scenarios where UMA could come into play.

More Convenient Everyday Interactions

1. If you’re trying to deliver online financial services, to support small businesses or tax reporting, these scenarios are filled with requirements and opportunities for delegating access to others. An employee wants to give her accountant access to her last year’s earnings statement, or a sole proprietor wants to give his contract bookkeeper selective access to some accounts. Maybe you want to give your tax accountant access to your bank accounts, but only for the duration of tax season.

2. Recently we saw a story in the news about a Jeep that had been stolen. The vehicle was equipped with an onboard connectivity system, and the thieves’ smartphones all synched to that system via Bluetooth, which helped law enforcement track down the perpetrators. Had the onboard connectivity system been equipped with UMA-based identity capabilities, however, the crime could have been stopped or prevented altogether. For instance, consent to operate the vehicle could only happen if the owner’s smartphone synched with the system.

3. Citizens traveling across borders and those trying to access government services often have reason to authorize access by others to attributes about them, such as their financial status, to enable access to government services. This shouldn’t just be a matter of passive consent; it could be a matter of a long-running relationship.

4. Imagine that you have a house chock-full of smart light bulbs and kitchen appliances made by different manufacturers. You’ve set them all up to work the way you want. Now you leave for a week, and you rent your place out through AirBnB. You want to give partial access to a partially trusted stranger, but only for a week! And then you want all the entitlements to expire. Identity technology based on the UMA standard makes it possible to do this conveniently from a single console.

New Privacy and Consent Methods Needed
91% of surveyed IT organizations agree that the current methods (i.e. check boxes, cookie acknowledgement) used to ensure data privacy and consent will not be able to adapt to the needs of the emerging digital economy.
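The properties the paper attributes to UMA in the preceding sections (a central sharing hub, sharing selectively with another party, withdrawing one grant without disturbing the others) and the time-bounded scenarios in the list above (an accountant for tax season, a house guest for one week) can be modelled with a small policy store. The following is an added example, not ForgeRock product code and not the UMA protocol itself; it assumes a simplified grant model (owner, resource, scope, requesting party, optional expiry) and uses hypothetical names such as ConsentHub, Grant and run_scenario. The people and resources in the scenario are constructed sample data. Every grant, revocation and access decision is appended to an audit list, which is the "Automation" property (recording for auditability) discussed later in the paper.

```python
"""Toy model of a central consent hub: per-party, per-scope grants with expiry and revocation.

Added example (hypothetical names); not ForgeRock or UMA implementation code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    """One consent decision by a resource owner: `party` may use `scope` on `resource`."""
    owner: str
    resource: str            # e.g. "watch" or "bank:checking"
    scope: str               # e.g. "pulse", "sleep", "read", "control"
    party: str               # the requesting party (Charlie, the accountant, a guest)
    expires_at: Optional[datetime] = None
    revoked: bool = False

    def status(self, now: datetime) -> str:
        if self.revoked:
            return "revoked"
        if self.expires_at is not None and now >= self.expires_at:
            return "expired"
        return "active"


class ConsentHub:
    """Central sharing hub: the owner's single place to grant, review and withdraw access."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[tuple] = []   # append-only record of every consent event

    def grant(self, owner: str, resource: str, scope: str, party: str,
              ttl: Optional[timedelta], now: datetime) -> Grant:
        g = Grant(owner, resource, scope, party, now + ttl if ttl else None)
        self.grants.append(g)
        self.audit.append(("grant", owner, resource, scope, party, now.isoformat()))
        return g

    def revoke(self, owner: str, resource: str, scope: str, party: str, now: datetime) -> int:
        """Withdraw exactly one (resource, scope, party) thread; other grants are untouched."""
        hits = 0
        for g in self.grants:
            if (g.owner, g.resource, g.scope, g.party) == (owner, resource, scope, party) and not g.revoked:
                g.revoked = True
                hits += 1
        self.audit.append(("revoke", owner, resource, scope, party, now.isoformat()))
        return hits

    def authorize(self, party: str, owner: str, resource: str, scope: str,
                  now: datetime) -> tuple[bool, str]:
        """Default deny: access is allowed only if an active grant matches all four fields."""
        reason = "no-grant"
        for g in self.grants:
            if (g.owner, g.resource, g.scope, g.party) != (owner, resource, scope, party):
                continue
            reason = g.status(now)
            if reason == "active":
                break
        decision = reason == "active"
        self.audit.append(("access", party, owner, resource, scope, decision, reason, now.isoformat()))
        return decision, reason

    def sharing_overview(self, owner: str, now: datetime) -> dict[str, set[tuple[str, str]]]:
        """What the owner sees in the hub: each party and the live (resource, scope) pairs."""
        view: dict[str, set[tuple[str, str]]] = {}
        for g in self.grants:
            if g.owner == owner and g.status(now) == "active":
                view.setdefault(g.party, set()).add((g.resource, g.scope))
        return view


T0 = datetime(2016, 3, 1, tzinfo=timezone.utc)   # constructed reference time


def run_scenario() -> dict:
    """Constructed scenario: Alice shares with Charlie, an accountant and a week-long guest."""
    hub = ConsentHub()
    hub.grant("alice", "watch", "pulse", "charlie", None, T0)                       # pulse only, no sleep data
    hub.grant("alice", "bank:checking", "read", "accountant", timedelta(days=45), T0)  # tax season
    hub.grant("alice", "home:lights", "control", "guest", timedelta(days=7), T0)       # one-week rental

    out = {}
    out["charlie_pulse"] = hub.authorize("charlie", "alice", "watch", "pulse", T0 + timedelta(days=1))
    out["charlie_sleep"] = hub.authorize("charlie", "alice", "watch", "sleep", T0 + timedelta(days=1))
    out["guest_day3"] = hub.authorize("guest", "alice", "home:lights", "control", T0 + timedelta(days=3))
    out["guest_day8"] = hub.authorize("guest", "alice", "home:lights", "control", T0 + timedelta(days=8))
    hub.revoke("alice", "watch", "pulse", "charlie", T0 + timedelta(days=10))
    out["charlie_after_revoke"] = hub.authorize("charlie", "alice", "watch", "pulse", T0 + timedelta(days=11))
    out["accountant_after_revoke"] = hub.authorize("accountant", "alice", "bank:checking", "read", T0 + timedelta(days=11))
    out["alice_view_day11"] = hub.sharing_overview("alice", T0 + timedelta(days=11))
    out["audit_events"] = len(hub.audit)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The scope check is what makes the sharing "fine grain" in the paper's sense: Charlie's pulse grant says nothing about sleep data, so a sleep request is denied with no grant at all, and revoking Charlie's pulse access leaves the accountant's thread active. Expiry is evaluated at decision time rather than by a cleanup job, so a guest's entitlement lapses on the day it should even if nobody tidies the store.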
Are there business benefits to using the new consent tools beyond simple regulatory compliance?

Yes, there are many. Coping with regulation – privacy or otherwise – is seen primarily as a cost center for most organizations. An exception might be banks and other financial services organizations that, wisely, compete to demonstrate their dedication to customer privacy. As IoT devices and technologies take on a greater role in public and private life, the business value of demonstrating this kind of commitment will only grow, as will the value of designing-in privacy in ways that increase utility and convenience.

Organizations clinging to legacy identity and data privacy infrastructure will be at a serious disadvantage. Because even if traditional styles of consent interaction comply with regulations and have been deployed with a robust application of privacy discipline, they do not serve individuals particularly well. At the same time, the more innovative consent interactions that “draw outside the lines” of privacy conversations will show important hints of improvement for many aspects of personal interactions with applications, devices and things:

Choice: Maximize opportunities for individual authorization for, and mutual agreement to, personal data sharing.

Relevance: Capture consent at a time and in a manner most relevant to and convenient for the individual.

Granularity: Enable differentiation of the parameters of consent, including data sources, data items, receiving parties, and modification of consent parameters over time, including revocation, again in a manner most relevant to and convenient for the individual.

Scalability: Enable consent interactions, processes, and systems to scale to accommodate the numbers of data sources, data items, and consent functions that individuals experience.

Automation: Enable machine processing and recording of consent functions to improve speed of handling, accuracy of fulfillment, and auditability.

Reciprocity: Capture the consent of data-receiving parties in dealing with the individual, along with capturing the consent of the individual in sharing data.

[Figure: Requirements for Consent that Freshen up our Aspirations. Choice; Relevance (consciousness, manner, time); Granularity (sources, data items, parties, modification); Scalability (sources, data items, consent interactions); Automation (processing, recording); Reciprocity (consent of resource owner to share; consent of requesting party to be recognized)]

The FCC Makes Its Move
On March 10, 2016, just a few days before this white paper was scheduled to publish, the U.S. Federal Communications Commission (FCC) released proposed new regulations that would prohibit ISPs from selling customer data without prior consent, and restrict the ways ISPs can market new offerings. Wired magazine identified the new FCC action as potentially “the largest and most stringent set of privacy regulations on the US technology industry to date.” As with pending EU regulations, it’s likely that the proposed FCC rules will not go into effect till late 2016 at the very earliest, and could quite possibly get challenged in court. The outlook on privacy in the IoT era: stormy.
Conclusion

With the undermining of the Safe Harbor consensus and the emergence of the GDPR, the public and private sectors globally stand at a data privacy crossroads. Where exactly EU and US regulators draw the line on what is and what is not acceptable in moving personal data across international borders remains an open question. But regardless of where and when that question is settled, it goes without saying that any enterprise planning on fully participating in the IoT economy will need to present customers with options to proactively delegate, and revoke, data access to others.

Identity technologies built on the UMA standard represent the most robust and strategic option for leapfrogging the emerging global regulatory framework for protecting the personal data of the individual. Indeed, it’s foolish to take baby steps when businesses could also be building trusted digital relationships no matter what government regulators are doing. Organizations that get this right – enabling individuals to consent to data access that was requested and to deny requested access, to monitor data access they have consented to over time, and to adjust that access upwards and downwards whenever they wish – will drive the pace of change in the emerging IoT era.

Accenture Technology Vision 2016: https://www.accenture.com/us-en/insight-digital-data-security