Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge

Post on 15-Apr-2017


Transcript of Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge

© 2016 ForgeRock. All rights reserved.

Digital Trust: How Identity Tackles the Privacy, Security, and IoT Challenge

Eve Maler, VP Innovation & Emerging Technology

Jessica Morrison, Product Marketing Director


2010 Founded

10 Offices worldwide with headquarters in San Francisco

350+ Employees

450+ Customers

30+ Countries

$52M Funding to date (thru Series C) by Accel Partners, Foundation Capital and Meritech Capital Partners

ForgeRock: the leading, next-generation identity security software platform.

Global IoT Trends

$25 Billion Est. Size of Consumer IoT Market in 2019

20% Of Annual Security Budgets Will Be Spent on IoT Security in 2020

5.5 Million New Things Will Be Connected Every Day in 2016

$11.1 Trillion Est. Total Economic Impact of the IoT

20.8 Billion Connected Devices by 2020

$2.5 Billion Est. Retailer Spend on the IoT by 2020

Sources: Gartner Research, McKinsey Global Institute, Juniper Research, CCS Insight

Major Trends We Are Seeing in Identity…

• Privacy and Consent
• Contextual Identity
• IoT Ready
• Open Source
• Scalable Unified Platform
• Single Customer View

From IAM to Identity Relationship Management…

Digital business requires an identity-centric approach

Identity Access Management:
• Deployment: On-premises
• People: Workforce (thousands), Partners and Suppliers
• Applications and data
• Endpoints: PCs

Identity Relationship Management:
• Deployment: On-premises, Public Cloud, Private Cloud
• People: Customers (millions), Things (Tens of millions)
• Applications and data
• Endpoints: PCs, Phones, Tablets, Smart Watches

Source: Forrester Research

ForgeRock Identity Platform

• Simple
• Scalable
• Modular
• Common services architecture
• Community participation

USER-MANAGED ACCESS (UMA): A new standard for sharing

• Respect: regard for one’s wishes and preferences
• Choice: the true ability to say no and change one’s mind
• Control: the ability to share just the right amount
• Context: the right moment to make the decision to share

flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

What Happens When Businesses Can’t Form Trusted Digital Relationships With Consumers?

• Revenue loss
• Brand damage
• Loss of trust
• Missing out on opportunities
• Compliance costs and penalties?

flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0

Source: Accenture, 2016 Technology Vision report

Why Enable Personal Data Sharing? Let’s Use Health Relationship Trust as an Example

data quality and accuracy

improved clinical data

better care

Why Ensure Personal Control of Sharing?


How Dire is the Consent Technology Situation?

9 percent [of companies] believe current methods (i.e., check boxes, cookie acknowledgment) used to ensure data privacy and consent will be able to adapt to the needs of the emerging digital economy.

– ForgeRock global survey conducted by TechValidate, 16 Mar 2016

A Consumer Scenario

Alice wants to allow her accountant to import her tax data directly from her employer’s site into the tax return app he uses, with the ability to revoke that consent.

• Proactive sharing (“pushing” her consent to him) without giving away her password
• Could grant “read” but not “print” permissions
• She can decide to grant “print” later
• She can revoke his access
• She can time-out his access

(UMA roles diagram; text recovered from the slide.) Parties: resource owner, authorization server, resource server, client, requesting party. Relationships labelled on the diagram: manage, control, protect, delegate, revoke, authorize, manage access, negotiate, deny.

An Enterprise Scenario

IT manages hundreds of API-fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/functions to fellow employees and partners within the ecosystem, giving IT – and herself – centralized visibility into the access granted.

A Deep Dive on a Consumer Health IoT Scenario

OAuth does “RESTful WS-Security,” capturing user consent for app access and respecting its withdrawal

(Diagram of the four OAuth roles; text recovered from the slide.)

RO, resource owner: authorizes (consents) at run time after authenticating

C, client: app gets the consent based on the API “scopes” (permissions) it requested; is uniquely identified vs. the user

AS, authorization server: standard OAuth endpoints that manage access token issuance

RS, resource server: API endpoints that deliver the data or other “value-add”

Both servers are run by the same organization; the RO goes to the AS in each ecosystem to revoke its token

OpenID Connect Turns Single Sign-On Into an OAuth-Protected Identity API

Capability                        | SAML 2, OpenID 2                     | OAuth 2                     | OpenID Connect
----------------------------------|--------------------------------------|-----------------------------|---------------------------------
Initiating user’s login session   | Initiating user’s login session      | No sessions                 | Initiating user’s login session
Collecting user consent           | Collecting user consent              | Collecting user consent     | Collecting user consent
High-security identity tokens     | High-security identity tokens        | No identity tokens per se   | High-security identity tokens
Distributed/aggregated claims     | Distributed/aggregated claims        | No claims per se            | Distributed/aggregated claims
Dynamic introduction              | Dynamic introduction (OpenID only)   | Dynamic introduction (new)  | Dynamic introduction
Session management                | Session management                   | No sessions                 | Session management (draft)

UMA adds party-to-party, asynchronous, scope-grained delegation and control to OAuth

• Loosely coupled to enable centralized authorization and a central sharing management hub
• Enables party-to-party sharing – without credential sharing – driven by “scope-grained” policy rather than run-time opt-in consent
• Tested for suitability through trust elevation, e.g. step-up authn or “claims-based access control” (optionally using OIDC), captured in a specially powerful access token borne by the client
• Subsidiary access tokens protect UMA’s standardized endpoints and represent each party’s authorization (consent) to engage with the central server
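The consumer scenario above (Alice granting her accountant “read” but not “print”, granting “print” later, revoking, and timing out his access) and the scope-grained policy model described here, as an added example that is not part of the original deck or ForgeRock’s code. It assumes a simplified in-memory authorization server with policy storage, token issuance and introspection, a resource-server check that consults it, and the scope names "read" and "print".

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple
# Constructed toy model of an UMA-style authorization server (AS) plus the resource
# server's (RS) token check; not ForgeRock's code. All names and scope strings are assumed.
Key = Tuple[str, str, str]            # (resource owner, resource, requesting party)

@dataclass
class Policy:
    scopes: Set[str]                  # scope-grained grant, e.g. {"read"} but not "print"
    expires_at: Optional[int] = None  # unix seconds; None means the grant never times out

class AuthorizationServer:
    def __init__(self) -> None:
        self.policies: Dict[Key, Policy] = {}
        self.tokens: Dict[str, Tuple[Key, FrozenSet[str], Optional[int]]] = {}

    def grant(self, key: Key, scopes: Set[str], expires_at: Optional[int] = None) -> None:
        # The owner "pushes" consent as policy; the requesting party never gets her password.
        pol = self.policies.setdefault(key, Policy(set()))
        pol.scopes |= scopes
        pol.expires_at = expires_at

    def revoke(self, key: Key) -> None:
        # Withdraw consent: drop the policy and every token already issued under it.
        self.policies.pop(key, None)
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != key}

    def authorize(self, key: Key, requested: Set[str], now: int) -> Optional[str]:
        # Issue a token carrying only the scopes policy allows, or None to deny outright.
        pol = self.policies.get(key)
        if pol is None or (pol.expires_at is not None and now >= pol.expires_at):
            return None
        allowed = frozenset(requested & pol.scopes)
        if not allowed:
            return None
        tid = secrets.token_urlsafe(16)
        self.tokens[tid] = (key, allowed, pol.expires_at)
        return tid

    def introspect(self, tid: str, now: int) -> FrozenSet[str]:
        # Live scopes of a token; empty once it is revoked, unknown or timed out.
        tok = self.tokens.get(tid)
        if tok is None or (tok[2] is not None and now >= tok[2]):
            return frozenset()
        return tok[1]

def rs_allows(aserver: AuthorizationServer, tid: str, scope: str, now: int) -> bool:
    # The RS does not trust what the client claims; it asks the AS what the token is good for.
    return scope in aserver.introspect(tid, now)
```

A request for {"read", "print"} against a read-only policy yields a token good for "read" only, and revocation or expiry empties the token's scopes at the RS even though the client still holds it.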

The CMO and the CPO Can and Must Meet in the Middle

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…”

Risk management perspective / Business perspective

• We value personal data as an asset
• Our customers’ wishes have value
• Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add

ForgeRock Identity Platform

(Platform architecture diagram; text recovered from the slide.)

Built from Open Source Projects: Access Management, Identity Management, Identity Gateway, Directory Services

Common services across the platform: Common REST API, Common User Interface, Common Audit/Logging, Common Scripting

Capabilities shown on the slide: UMA Provider, UMA Protector, Mobile App, Synchronization, Auditing, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Monitoring, Groups, Password Policy, Active Directory Pass-thru, Reporting, Authentication, Authorization, Provisioning, User Self-Service, OIDC / OAuth2, Federation / SSO, Workflow Engine, Reconciliation, Password Replay, SAML2, Adaptive Risk, Stateless/Stateful, Registration, Aggregated User View, Message Transformation, API Security, Scripting

Thank You