Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
1 like1,087 views
The document outlines Forgerock's identity security solutions addressing privacy, security, and IoT challenges in a rapidly evolving digital landscape. It emphasizes the significance of user-managed access and consent in establishing trusted digital relationships, highlighting the potential revenue and trust losses for businesses that fail to engage effectively with consumers. Additionally, it discusses major trends in identity management and the importance of an identity-centric approach for digital businesses.
![© 2016 ForgeRock. All rights reserved.
How Dire is the Consent Technology
Situation?
9 percent [of companies]
believe current methods (i.e., check
boxes, cookie acknowledgment)
used to ensure data privacy and
consent will be able to adapt to the
needs of the emerging digital
economy.
– ForgeRock global survey conducted by
TechValidate, 16 Mar 2016](https://image.slidesharecdn.com/digitaltrustwebinarmay172016-160517181341/85/Digital-Trust-How-Identity-Tackles-the-Privacy-Security-and-IoT-Challenge-14-320.jpg)
Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
- 1. © 2016 ForgeRock. All rights reserved. Digital Trust How Identity Tackles the Privacy, Security, and IoT Challenge Eve Maler, VP Innovation & Emerging Technology Jessica Morrison, Product Marketing Director 1
- 2. © 2016 ForgeRock. All rights reserved. 2010 Founded 10 Offices worldwide with headquarters in San Francisco 350+ Employees 450+ Customers 30+ Countries $52M Funding to date (thru Series C) by Accel Partners, Foundation Capital and Meritech Capital Partners ForgeRock The leading, next-generation, identity security software platform.
- 3. © 2016 ForgeRock. All rights reserved. $25 Billion Est. Size of Consumer IoT Market in 2019 20% Of Annual Security Budgets Will Be Spent on IoT Security in 2020 5.5 Million New Things Will Be Connected Every Day in 2016 $11.1 Trillion Est. Total Economic Impact of the IoT 20.8 Billion Connected Devices by 2020 $2.5 Billion Est. Retailer Spend on the IoT by 2020 Gartner Research, McKinsey Global Institute Juniper Research, CCS Insight Global IoT Trends
- 4. © 2016 ForgeRock. All rights reserved. Major Trends We Are Seeing in Identity… Privacy and Consent Contextual Identity IoT Ready Open Source Scalable Unified Platform Single Customer View
- 5. © 2016 ForgeRock. All rights reserved. From IAM to Identity Relationship Management… Digital business requires an identity-centric approach Identity Access Management Identity Relationship Management Customers (millions) On-premises People Applications and data PCs Endpoints Workforce (thousands) Partners and Suppliers Customers (millions) On-premises Public Cloud Private Cloud People Things (Tens of millions) Applications and data PCs PhonesTablets Smart Watches Endpoints Source: Forrester Research
- 6. © 2016 ForgeRock. All rights reserved. ForgeRock Identity Platform • Simple • Scalable • Modular • Common services architecture • Community participation
- 7. © 2016 ForgeRock. All rights reserved. USER-MANAGED ACCESS (UMA) A new standard for sharing Regard for one's wishes and preferences The true ability to say no and change one's mind The ability to share just the right amount The right moment to make the decision to share Context Control RespectChoice
- 8. © 2016 ForgeRock. All rights reserved. 8 flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0
- 10. © 2016 ForgeRock. All rights reserved. What Happens When Businesses Can’t Form Trusted Digital Relationships With Consumers? • Revenue loss • Brand damage • Loss of trust • Missing out on opportunities • Compliance costs and penalties? flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0 Source: Accenture, 2016 Technology Vision report
- 11. © 2016 ForgeRock. All rights reserved. Why Enable Personal Data Sharing? Let’s Use Health Relationship Trust as an Example
- 12. © 2016 ForgeRock. All rights reserved. data quality and accuracy improved clinical data better care
- 13. © 2016 ForgeRock. All rights reserved. Why Ensure Personal Control of Sharing?
- 14. © 2016 ForgeRock. All rights reserved. How Dire is the Consent Technology Situation? 9 percent [of companies] believe current methods (i.e., check boxes, cookie acknowledgment) used to ensure data privacy and consent will be able to adapt to the needs of the emerging digital economy. – ForgeRock global survey conducted by TechValidate, 16 Mar 2016
- 15. © 2016 ForgeRock. All rights reserved. A Consumer Scenario Alice wants to allow her accountant to import her tax data directly from her employer’s site into the tax return app he uses, with the ability to revoke that consent. • ProacMve sharing (“pushing” her consent to him) without giving away her password • Could grant “read” but not “print” permissions • She can decide to grant “print” later • She can revoke his access • She can Mme-‐out his access
- 16. © 2016 ForgeRock. All rights reserved. authorizaMon server resource owner requesMng party client manage control protect delegate revoke authorize manageaccess negotiate deny An Enterprise Scenario IT manages hundreds of API-‐ fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/funcMons to fellow employees and partners within the ecosystem, giving IT – and herself – centralized visibility into the access granted. resource server
- 17. © 2016 ForgeRock. All rights reserved. A Deep Dive on a Consumer Health IoT Scenario
- 30. © 2016 ForgeRock. All rights reserved. OAuth does “RESTful WS- Security,” capturing user consent for app access and respecting its withdrawal RS resource server AS authorization server C client Both servers are run by the same organization; RO goes to AS in each ecosystem to revoke its token Standard OAuth endpoints that manage access token issuance API endpoints that deliver the data or other “value-add” App gets the consent based on the API “scopes” (permissions) it requested; is uniquely identified vs. the user RO resource owner Authorizes (consents) at run time after authenticating
- 31. © 2016 ForgeRock. All rights reserved. OpenID Connect Turns Single Sign-On Into an OAuth-Protected Identity API SAML 2, OpenID 2 OAuth 2 OpenID Connect Initiating user’s login session Collecting user consent High-security identity tokens Distributed/aggregated claims Dynamic introduction (OpenID only) Session management No sessions Collecting user consent No identity tokens per se No claims per se Dynamic introduction (new) No sessions X X X X X X X Initiating user’s login session Collecting user consent High-security identity tokens Distributed/aggregated claims Dynamic introduction Session management (draft)
- 32. © 2016 ForgeRock. All rights reserved. UMA adds party-to-party, asynchronous, scope-grained delegation and control to OAuth Loosely coupled to enable centralized authorization and a central sharing management hub Enables party-to-party sharing – without credential sharing – driven by “scope-grained” policy rather than run-time opt-in consent Tested for suitability through trust elevation, e.g. step-up authn or “claims-based access control” (optionally using OIDC), captured in a specially powerful access token borne by the client Subsidiary access tokens protect UMA’s standardized endpoints and represent each party’s authorization (consent) to engage with the central server
- 33. © 2016 ForgeRock. All rights reserved. The CMO and the CPO Can and Must Meet in the Middle “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…” We value personal data as an asset Our customers’ wishes have value Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add Risk management perspective Business perspective
- 34. © 2016 ForgeRock. All rights reserved. ForgeRock Identity Platform UMA Provider Mobile App Synchronization Auditing LDAPv3 REST/JSON Replication Access Control Schema Management Caching Auditing Monitoring Groups Password Policy Active Directory Pass-thru Reporting Authentication Authorization Provisioning User Self-Service Authentication OIDC / OAuth2 Federation / SSO User Self-Service Workflow Engine Reconciliation Password Replay SAML2 Adaptive Risk Stateless/Stateful Registration Aggregated User View Message Transformation API Security Scripting Built from Open Source Projects: UMA Protector Access Management Identity Management Identity Gateway Directory Services CommonRESTAPI CommonUserInterface CommonAudit/Logging CommonScripting
- 35. © 2016 ForgeRock. All rights reserved. Thank You