Post on 14-Jul-2015
Protecting Personal Data in an IoT Network with UMA
A Patient Centric use case
Domenico Catalano, Oracle Italy
Maciej Machulak, Cloud Identity Limited
Kantara Initiative Workshop 3rd Nov. 2014 - Dublin
Agenda
Personal Data in an IoT Network
Risks and Challenges about Personal Data
UMA Approach and Use case
Conclusion
Q&A
With more than seven billion people and businesses, and at least 35 billion devices, communicating, transacting, and even negotiating with each other, a new world comes into being:
The World of Digital Business
Nike’s Digital Master
Nike’s Fuelband allows athletes to track their workouts, share their performance online, and even receive advice from digital “coaches”. Meanwhile both social media and digital products provide Nike with rich data on customers, their activities, and their preferences.
Risks about Personal Data
(Diagram: Individual and Organization)
Individuals have little visibility into the practices of the organizations they are putting their trust in – until their data is breached or misused.
“Fully 78% of consumers think it is hard to trust companies when it comes to use of their personal data.” (Orange, The Future of Digital Trust, 2014)
Challenges to Mitigate Risks
Unlocking the Value of Personal Data: From Collection to Usage
(Diagram panels: Protection and Security; Accountability; Right and Responsibility for using Personal Data; Context Aware)
• New approaches for decentralized and distributed network environments.
• Who has data about you? Where is the data about you located?
• New approaches that help individuals understand how and when data is collected, how the data is being used, and the implications of these actions.
• Empower individuals more effectively and efficiently.
Source: World Economic Forum 2013 Report: Unlocking the Value of Personal Data: From Collection to Usage
Personal Data Management Services: A Mapping of the Market
Source: World Economic Forum Report (2014): Rethinking Personal Data: A New Lens for Strengthening Trust
User-Managed Access (UMA) Concept and Terminology
UMA defines how to:
• Protect resources
• Authorize access
• Enforce policy
A centralized Authorization Server governs access based on Individual Policy.
Ubiquitous Networking of IoT
(Diagram: the Internet linking Human-to-Human, Human-to-Object and Object-to-Object Communication, including humans with attached device objects; object types shown: TV, PC, PDA, Vehicle, Home Electronics, Sensors, Camera, SmartCard, Telematics/Navigation Device, Medical Device, Home Server/Gateway, Mobile Device, Wearable PC, RFID tag, and Data, Resource, Web/Application Server, Content.)
Source: Shaping Future Service Environments with the Cloud and Internet of Things: Networking Challenges and Service Evolution
A simplified IoT Taxonomy
(Diagram: three tiers, Dumb Thing, Intelligence Thing and Smart Thing, ordered by increasing Intelligence; capability labels: Tag-based, Real-time identification and tracking of objects, Network capability, Connecting to anything, End-to-End connectivity, Data handling and processing capabilities, Context-awareness, Web-based Service.)
UMA for IoT Network
(Diagram: Smart Thing, Intelligence Thing and Dumb Thing connected within an IoT Network, with UMA applied.)
UMA for IoT Network
A patient-centric use case
Patient-Centric Use Case: Actors and Roles
(Diagram of actors and roles: Patient, Doctor, Electronic Stethoscope, Patient Monitor, EHR, RFID tag; UMA roles shown: Client, RS; thing types shown: Smart Thing, Intelligence Thing.)
Patient-Centric Use Case: Security Domains and Goals
(Diagram: three security domains, the Doctor’s, the Patient’s and the Hospital’s; the heartbeats data and the EHR are the protected resources; UMA roles shown: Resource Owner, Requesting Party; goals: control and authorize data sharing, prevent unauthorized object connection.)
Patient-Centric Scenario: UMA Features
UMA features used: Resource Protection, Authorization, Patient Consent.
Resource Protection: UMA Dynamic Registration
OAuth 2.0 Dynamic Client Registration Protocol
(Diagram: the Electronic Stethoscope, Patient Monitor and RFID tag on the IoT Network register with the patient’s UMA Personal Authorization Server; labels: Day Hospital Request, Patient Registration, Secret, Department, Doctor’s team, sw_stmt.)
UMA as Authorization Mechanism for IoT
Authorization Flow: Authentication and Authorization in Constrained Environments (ACE)
(Diagram, after the ACE actors draft: an Intelligence Thing acts as Resource Server; the UMA Authorization Server, with an AuthN Manager, performs Authentication and Authorization; the Patient sets Policy over Department and Doctor’s team; the Doctor requests access.)
http://tools.ietf.org/pdf/draft-gerdes-ace-actors-01.pdf
Authorization Flow: Revealing the Electronic Stethoscope
(Screenshot: Pairing with Electronic Stethoscope; “Authorization Requested…”)
National Healthcare System: Authentication Process
(Screenshot: Fingerprint authentication)
Authorization Flow: Authentication and Authorization
(Screenshots: Electronic Stethoscope Data Uploading; Creating a Protected Resource by Patient’s Data Association)
New Protected Resource: Patient Notification
(Screenshot: the Patient receives a notification from the Personal UMA AS, “Heartbeat data added as protected resource”, with View and Close buttons.)
EHR Client Access and Patient Consent: UMA Flow
PAT: Permission Access Token; AAT: Authorization Access Token; RPT: Requesting Party Token; EHR: Electronic Healthcare Record
(Sequence diagram: Patient (Resource Owner), Authorization Server, Patient Monitor (RS, holding the heartbeats data), EHR System (UMA Client), IdP/Claim Provider, Requesting Party.)
• The Patient (Resource Owner) manages consent at the Authorization Server.
• The Patient Monitor (RS) protects the heartbeats data through the Protection API, authenticating with the PAT.
• The EHR System (UMA Client) calls the Authorization API with the AAT and redirects the Requesting Party to the AS.
• The Requesting Party authenticates at the IdP/Claim Provider; the AS acts as Claim Client and requests UserInfo.
• The Client accesses the heartbeats data on the RS with the RPT.
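An added example, not code from the slides or from the UMA Work Group: a toy in-memory simulation of the exchange on this slide. The patient monitor (RS) protects its heartbeat data through the AS protection API with a PAT, the EHR client presents its AAT and the permission ticket to the authorization API, and the AS issues an RPT only when the doctor's claims satisfy the patient's consent policy; otherwise it answers need_info so the client can send the doctor to the IdP first. Token values, claim names (role, idp) and heartbeat samples are constructed placeholders.

```python
import secrets

class AuthorizationServer:
    """Patient's personal UMA AS: protection API (PAT) and authorization API (AAT)."""
    def __init__(self):
        self.pats, self.aats = {}, {}               # PAT -> patient, AAT -> client
        self.resource_sets, self.policies = {}, {}  # rs_id -> (owner, scopes), rs_id -> claims
        self.tickets, self.rpts = {}, {}            # ticket -> (rs_id, scope), RPT -> permissions
    def issue_pat(self, patient): t = secrets.token_hex(8); self.pats[t] = patient; return t
    def issue_aat(self, client): t = secrets.token_hex(8); self.aats[t] = client; return t
    # Protection API: called by the resource server (patient monitor) with its PAT
    def register_resource_set(self, pat, scopes):
        rs_id = secrets.token_hex(4); self.resource_sets[rs_id] = (self.pats[pat], scopes); return rs_id
    def register_permission(self, pat, rs_id, scope):
        owner, scopes = self.resource_sets[rs_id]
        assert owner == self.pats[pat] and scope in scopes   # only the RS that owns the resource may ask
        ticket = secrets.token_hex(8); self.tickets[ticket] = (rs_id, scope); return ticket
    def introspect(self, pat, rpt):
        return self.rpts.get(rpt, []) if pat in self.pats else []
    # Consent: the resource owner (patient) states which claims a requesting party must present
    def set_policy(self, patient, rs_id, required_claims):
        assert self.resource_sets[rs_id][0] == patient; self.policies[rs_id] = required_claims
    # Authorization API: called by the EHR client with its AAT and the ticket it got from the RS
    def request_rpt(self, aat, ticket, claims):
        assert aat in self.aats
        rs_id, scope = self.tickets.pop(ticket)              # tickets are single-use
        required = self.policies.get(rs_id)                  # no policy -> deny by default
        missing = [k for k, v in (required or {}).items() if claims.get(k) != v]
        if required is None or missing:                      # client must gather claims at the IdP first
            return {"error": "need_info", "missing": missing}
        rpt = secrets.token_hex(8); self.rpts[rpt] = [(rs_id, scope)]; return {"rpt": rpt}

class PatientMonitor:
    """Resource server holding heartbeat data; honours only RPTs the AS says grant 'read'."""
    def __init__(self, as_, pat):
        self.as_, self.pat, self.rs_id = as_, pat, as_.register_resource_set(pat, ["read"])
        self.heartbeats = [72, 75, 71]                       # constructed sample data
    def read(self, rpt=None):
        if rpt and (self.rs_id, "read") in self.as_.introspect(self.pat, rpt):
            return 200, self.heartbeats
        return 403, {"ticket": self.as_.register_permission(self.pat, self.rs_id, "read")}

def run_flow(doctor_claims):
    as_ = AuthorizationServer(); pat = as_.issue_pat("patient"); monitor = PatientMonitor(as_, pat)
    as_.set_policy("patient", monitor.rs_id, {"role": "cardiologist", "idp": "national-healthcare"})
    aat = as_.issue_aat("ehr-client")
    status, body = monitor.read()                            # no RPT yet: 403 plus a permission ticket
    outcome = as_.request_rpt(aat, body["ticket"], doctor_claims)
    return monitor.read(outcome["rpt"]) if "rpt" in outcome else (status, outcome)
```

run_flow returns the (status, body) of the client's final access: 200 with the samples when the claims match the patient's policy, 403 with need_info otherwise.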
Patient-Centric Platform
(Mock-up of the Healthcare Patient Platform for Mrs. Mary Davidson, 72, with tabs My Team (Main Doctor Dr. Alan Smith, Cardiologist; Dr. Peter Doole, Radiologist; Dr. Alice Gale, Hematologist), My Day (8.00-9.00 Cardio Therapy; 12.00 Lunch; Add more) and My Health Data (Heartbeats, X-Ray, Electro CardioGraph), plus the actions About Me, Chat with a doctor, Ask, Share my data, Who has data about me and My Consent.)
Patient-Centric Platform
(Mock-up of the “Who has data about me: X-ray” screen of the Healthcare Patient Platform, listing who holds the patient’s X-Ray data under the headings Hospitals, Medical Doctor and Research: Saint James Hospital, Radiology Department, X-RAY Specialists, X-Ray Operators, Peter Doole, Alice Gale, LifeScience Hospital, Biomedical, Diagnostic research, Health data; with a Back link.)
Advantages of UMA Approach
• Applicable to constrained resources and to things, data and owners of different natures.
• Designed to centralise the authorization process for distributed resources.
• Developed to meet the Privacy by Design principles.
UMA for Patient-Centric Scenario: Benefits
• Improve the patient-centric experience.
• Prevent medical errors through authorization processes.
• Empower patients to control their personal (healthcare) data.
Future Work
• Inheriting data-sharing policies
• Delegation with notification
In the News
https://kantarainitiative.org/uma-takes-home-award-from-eic-2014/
References
• User-Managed Access (UMA) Core Protocol
• OAuth 2.0 Dynamic Client Registration Protocol
• Securing Internet of Things
• Actors in the ACE Architecture
• Rethinking Personal Data: A New Lens for Strengthening Trust
Acknowledgements
• Eve Maler (Chair, UMA WG), Adrian Gropper (HealthURL), George Fletcher (AOL)
• UMA Work Group
Questions? Thank you
@UMAWG | tinyurl.com/umawg | tinyurl.com/umafaq