Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge


Transcript of Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge

Page 1: Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge

© 2016 ForgeRock. All rights reserved.

Digital Trust How Identity Tackles the Privacy, Security, and IoT Challenge

Eve Maler, VP Innovation & Emerging Technology

Jessica Morrison, Product Marketing Director


Page 2

ForgeRock: The leading, next-generation identity security software platform.

• Founded 2010
• 10 offices worldwide, with headquarters in San Francisco
• 350+ employees
• 450+ customers
• 30+ countries
• $52M funding to date (through Series C) by Accel Partners, Foundation Capital and Meritech Capital Partners

Page 3

Global IoT Trends

• $25 billion: est. size of the consumer IoT market in 2019
• 20% of annual security budgets will be spent on IoT security in 2020
• 5.5 million new things will be connected every day in 2016
• $11.1 trillion: est. total economic impact of the IoT
• 20.8 billion connected devices by 2020
• $2.5 billion: est. retailer spend on the IoT by 2020

Sources: Gartner Research, McKinsey Global Institute, Juniper Research, CCS Insight

Page 4

Major Trends We Are Seeing in Identity…

• Privacy and Consent
• Contextual Identity
• IoT Ready
• Open Source
• Scalable Unified Platform
• Single Customer View

Page 5

From IAM to Identity Relationship Management…

Digital business requires an identity-centric approach.

Identity Access Management:
• Who: Workforce (thousands)
• Where: On-premises
• What: People; Applications and data
• Endpoints: PCs

Identity Relationship Management:
• Who: Workforce (thousands); Partners and Suppliers; Customers (millions)
• Where: On-premises; Public Cloud; Private Cloud
• What: People; Things (tens of millions); Applications and data
• Endpoints: PCs, Phones, Tablets, Smart Watches

Source: Forrester Research

Page 6

ForgeRock Identity Platform

• Simple
• Scalable
• Modular
• Common services architecture
• Community participation

Page 7

USER-MANAGED ACCESS (UMA): A new standard for sharing

• Respect: Regard for one's wishes and preferences
• Choice: The true ability to say no and change one's mind
• Control: The ability to share just the right amount
• Context: The right moment to make the decision to share

Page 8

Photo: flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

Page 9

Photo: flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

Page 10

What Happens When Businesses Can’t Form Trusted Digital Relationships With Consumers?

• Revenue loss
• Brand damage
• Loss of trust
• Missing out on opportunities
• Compliance costs and penalties?

Photo: flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0

Source: Accenture, 2016 Technology Vision report

Page 11

Why Enable Personal Data Sharing? Let’s Use Health Relationship Trust as an Example

Page 12

data quality and accuracy → improved clinical data → better care

Page 13

Why Ensure Personal Control of Sharing?

Page 14

How Dire is the Consent Technology Situation?

9 percent [of companies] believe current methods (i.e., check boxes, cookie acknowledgment) used to ensure data privacy and consent will be able to adapt to the needs of the emerging digital economy.

– ForgeRock global survey conducted by TechValidate, 16 Mar 2016

Page 15

A Consumer Scenario

Alice wants to allow her accountant to import her tax data directly from her employer’s site into the tax return app he uses, with the ability to revoke that consent.

• Proactive sharing (“pushing” her consent to him) without giving away her password
• Could grant “read” but not “print” permissions
• She can decide to grant “print” later
• She can revoke his access
• She can time-out his access

Page 16

An Enterprise Scenario

IT manages hundreds of API-fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/functions to fellow employees and partners within the ecosystem, giving IT (and herself) centralized visibility into the access granted.

Diagram: the UMA roles (resource owner, authorization server, resource server, client, requesting party) and the interactions between them (manage, control, protect, delegate, revoke, authorize, manage access, negotiate, deny).

Page 17

A Deep Dive on a Consumer Health IoT Scenario

Pages 18 to 29 (image slides with no text content)

Page 30

OAuth does “RESTful WS-Security,” capturing user consent for app access and respecting its withdrawal

• RO (resource owner): authorizes (consents) at run time after authenticating
• C (client): the app gets the consent based on the API “scopes” (permissions) it requested; it is uniquely identified vs. the user
• AS (authorization server): standard OAuth endpoints that manage access token issuance
• RS (resource server): API endpoints that deliver the data or other “value-add”

Both servers are run by the same organization; the RO goes to the AS in each ecosystem to revoke its token.

Page 31

OpenID Connect Turns Single Sign-On Into an OAuth-Protected Identity API

SAML 2, OpenID 2:
• Initiating user’s login session
• Collecting user consent
• High-security identity tokens
• Distributed/aggregated claims
• Dynamic introduction (OpenID only)
• Session management

OAuth 2:
• No sessions
• Collecting user consent
• No identity tokens per se
• No claims per se
• Dynamic introduction (new)
• No sessions

OpenID Connect:
• Initiating user’s login session
• Collecting user consent
• High-security identity tokens
• Distributed/aggregated claims
• Dynamic introduction
• Session management (draft)

Page 32

UMA adds party-to-party, asynchronous, scope-grained delegation and control to OAuth

• Loosely coupled to enable centralized authorization and a central sharing management hub
• Enables party-to-party sharing (without credential sharing) driven by “scope-grained” policy rather than run-time opt-in consent
• Tested for suitability through trust elevation, e.g. step-up authn or “claims-based access control” (optionally using OIDC), captured in a specially powerful access token borne by the client
• Subsidiary access tokens protect UMA’s standardized endpoints and represent each party’s authorization (consent) to engage with the central server
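The UMA properties on this slide (party-to-party, scope-grained, policy-driven rather than run-time consent, revocable) and the consumer scenario from Page 15 (the accountant can read but not print, is granted print later, and is timed out or revoked) are modelled in the added Python example below. It is not ForgeRock or UMA-specification code; the class, resource and party names, the `rpt-N` token format and the 3600-second time-out are assumptions. The resource server introspects every call against the authorization server, so revocation and time-out take effect on tokens that were already issued.

```python
import time


class AuthorizationServer:
    """Toy UMA-style AS (added example, not ForgeRock code): the resource owner
    sets policy once; a requesting party's client gets a token whose scopes are
    the intersection of what it asked for and what policy allows."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies = {}  # (resource, party) -> {"scopes": set, "expires": float|None}
        self.tokens = {}    # token -> {"resource", "party", "scopes"}
        self._seq = 0

    # --- resource owner operations (Alice) ---
    def grant(self, resource, party, scopes, ttl=None):
        pol = self.policies.setdefault((resource, party), {"scopes": set(), "expires": None})
        pol["scopes"].update(scopes)
        if ttl is not None:
            pol["expires"] = self.clock() + ttl  # time-out the party's access

    def revoke(self, resource, party):
        self.policies.pop((resource, party), None)  # issued tokens now fail introspection

    # --- client operation on behalf of the requesting party (the accountant) ---
    def request_token(self, resource, party, scopes):
        pol = self.policies.get((resource, party))
        granted = set(scopes) & pol["scopes"] if pol else set()
        if not granted:
            return None  # nothing authorised by policy: no token issued
        self._seq += 1
        token = f"rpt-{self._seq}"  # assumed token format
        self.tokens[token] = {"resource": resource, "party": party, "scopes": granted}
        return token

    # --- resource server operation: introspect on every API call ---
    def introspect(self, token, resource, scope):
        t = self.tokens.get(token)
        if t is None or t["resource"] != resource:
            return False
        pol = self.policies.get((resource, t["party"]))
        if pol is None or (pol["expires"] is not None and self.clock() > pol["expires"]):
            return False  # revoked or timed out since issuance
        return scope in t["scopes"]


def alice_scenario():
    """Walk the Page 15 scenario with a constructed clock; returns each outcome."""
    now = [1000.0]
    asv = AuthorizationServer(clock=lambda: now[0])
    asv.grant("alice-tax-data", "accountant", {"read"}, ttl=3600)
    tok = asv.request_token("alice-tax-data", "accountant", {"read", "print"})
    out = {"read": asv.introspect(tok, "alice-tax-data", "read"),
           "print": asv.introspect(tok, "alice-tax-data", "print")}
    asv.grant("alice-tax-data", "accountant", {"print"})  # Alice grants "print" later
    tok2 = asv.request_token("alice-tax-data", "accountant", {"print"})
    out["print_later"] = asv.introspect(tok2, "alice-tax-data", "print")
    now[0] += 4000  # move past the time-out
    out["read_after_timeout"] = asv.introspect(tok, "alice-tax-data", "read")
    asv.revoke("alice-tax-data", "accountant")
    out["after_revoke"] = asv.request_token("alice-tax-data", "accountant", {"read"}) is None
    return out
```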

Page 33

The CMO and the CPO Can and Must Meet in the Middle

Risk management perspective:

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…”

Business perspective:

• We value personal data as an asset
• Our customers’ wishes have value
• Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add

Page 34

ForgeRock Identity Platform

Built from Open Source Projects: Access Management, Identity Management, Identity Gateway, Directory Services

Common services across the platform: Common REST API, Common User Interface, Common Audit/Logging, Common Scripting

Capabilities shown on the architecture diagram:
• Authentication, Authorization, Federation / SSO, Adaptive Risk, Stateless/Stateful, OIDC / OAuth2, SAML2, UMA Provider, Mobile App
• Provisioning, User Self-Service, Registration, Workflow Engine, Synchronization, Reconciliation, Aggregated User View
• Password Replay, Message Transformation, API Security, Scripting, UMA Protector
• LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, Active Directory Pass-thru, Reporting

Page 35

Thank You