User-Access Manager: Key to Life Management Platform

transcript

User-Managed Access: key to Life Management Platform

Domenico Catalano, Oracle Italy Maciej Machulak, Cloud Identity Limited

European Identity Conference 2014

Agenda

Personal Data and Emerging Trends

Life Management Platforms

UMA Concepts

Use Cases

What is Personal Data…

Personal Data is the Life Blood of the Information Age

Personal Data is the New “Oil of the Internet”

Personal Data is the new currency

Personal Data and new forms of economic and social value

Big Data

Explosive growthof Personal

New forms of economic and social value

Quantity and quality

Mobile ComputingSocial NetworkingInternet ofTHINGS

How to measure the value of Personal Data

• Market capitalization

• Revenue per record/user

• Market Price

• Cost of data breach

• Pay to protect

Streat address

Data of Birth

Social Number

Military record

0 10 20 30 40

Source: OECD (2013), “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”

$112 per user record

USD 1.7 per recordData breach cost $171M

Externalities: Socio-economic impact

• Personal data to avoid duplicative testing/misdiagnosis, etc., in healthcare.

Electronic Health Record

Financial BenefitsPatient Value Social Value

Improved treatment Reduced Cost research into new drugs,improved medical protocols

Source: OECD (2013), “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”

Risks about Personal Data

Individual Organization

“72% of European citizens are concerned that their personal data may be misused…”

Individuals have little visibility into the practices of the organizations they are putting their trust in – until their data is breached or misused.

EU commission survey 2012

Risks: Loss of Trust

Personal Data

…t e n s i o n…

Challenges to mitigate Risks

• Protection and Security

‣ New approaches for decentralized and distributed network environment.

• Accountability

‣ Who has data about you? Where is the data about you located?

• Right and Responsibility for using personal data

‣ New approaches that help individuals understand how and when data is collected.

‣ How the data is being used and the implications of these actions.

‣ Empower individual more effectively and efficiently.

‣ Context aware.

Source: World Economic Forum 2013 Report: Unlocking the Value of Personal Data: From Collection to Usage

Personal Data Ecosystem Emerging Trends: Data Lockers

PersonalData Store

Personal Clouds

Native Data Store

App App

InformedPull

ControlledPush

• The concept of Life Management Platforms (LMPs) was introduced in 2012 by Kuppinger-Cole.

• LMP allows individual to consolidate all relevant data from life, e.g. bank account information, insurance information, health information, etc.

• The platform concept provides the tools to manage the essential information of every person’s life and making it usable for other parties.

Life Management Platform: Key features

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy

Individual ControlBank

healthcare

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy

healthcare

Secure Store of Information

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy

healthcare

Information control remains with

Individual

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy

healthcare

Individual

Granular Access Control for Data

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy

healthcare

Advanced Data Sharing

Models

Individual

Granular Access Control for Data

User-Managed Access (UMA)

UMA defines how an individual can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and

where a centralized authorization server governs access based on individual policy.

tinyurl.com/umawg

UMA is...• A web protocol that lets you control access by anyone to

all your online stuff from one place

• A set of draft specifications, free for anyone to implement

• Undergoing multiple implementation efforts

• A Work Group of the Kantara Initiative, free for anyone to join and contribute to

• Simple, OAuth-based, identifier-agnostic, RESTful, modular, generative, and developed rapidly

• Contributed to the IETF for consideration:draft-hardjono-oauth-umacore

• Currently undergoing interop testing and increased OpenID Connect integration

UMA Architecture

User-Managed Access for LMP

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy

healthcare

LMP Requesting Party

Data Stores

healthcare

Data Stores

healthcare

Resource Owner

Client

UMA AS

Data Stores

healthcare

Resource Owner

Client

manage

control

protect UMA AS

Data Stores

healthcare

Resource Owner

Client

manage

consentcontrol

protect negotiate

manage

UMA AS

Data Stores

healthcare

Resource Owner

Client

manage

consentcontrol

protect

authorize

negotiate

manage

access

UMA AS

UMA for LMP Use Cases

• Personal Loan (Informed Pull)

• CV Sharing (Controlled Push)

UMA for LMP Use Case: Informed Pull

• An Individual issues a request for information (RFI) to a group of financial services to obtain the best offer for a personal loan.

• Life Connections represent the Individual’s Personal Information requested (i.e Bank Account and Credit Score), for issuing the RFI, protected by UMA AS.

• LMP provides the Apps for typical Life events (i.e. Personal Loan Request).

Informed Pull Model

LMP Financial Service

Credit Score

!Request for Information

!Authorize/Access

!Offer

!UMA-Enabled

Loan App

Life Connections Request

www.uma4lmp.com/am/informed_pull

Life Management Platform

Life ApplicationsRequest for Information

UMA4LMP: Informed Pull

Healthcare

Credit Score

LoanApplication

healthcareInsurance

Drag request template here

Healthcare

Credit Score

LoanApplication

healthcareInsurance

Healthcare

Credit Score

healthcareInsurance+ +

Bank Account Credit Score

Personal Information

Request Info

Loan amount: Period:

Data sharing Policy

Claim-based authorizationValidity:

Cancel Run NowSave as Template

Data Purpose:

Requesting Party Marketing related useOnly for this request

Healthcare

Credit Score

Request Info

Data sharing Policy

OnlineBank.com

Shareable Bank AccountPrivacy impact: MediumData Access: Read

View Data

Data Purpose:

Healthcare

Credit Score

Request Info

Data sharing Policy

Data Purpose:

Healthcare

Credit Score

Request Info

Data sharing Policy

Data Purpose:

Healthcare

Credit Score

Request Info

Data sharing Policy

Data Purpose:

Personal Loan App Results

Vendor

10.000

Interest Rates

View details

View details6.00%

10.000

OnlineLoan.com 5.1%

View details

Bestloan.com

FinancialOne.com 10.000

10.000

Amount

ConsumerBank.com

Details

View detailsCreditMarket.com

Personal Loan App Results

Vendor

10.000

Interest Rates

View details

View details6.00%

10.000

OnlineLoan.com 5.1%

View details

Bestloan.com

FinancialOne.com 10.000

10.000

Amount

ConsumerBank.com

Details

View detailsCreditMarket.com

UMA for LMP Use Case: Controlled Push

• A student interacts with online job application system.

• Student shares their exam marks, certificates references, etc.

• Data is stored at their various Higher Education institution.

• Employers can ask for additional information to be provided during the application process.

UMA4LMP: Controlled Push

Student, Job Seeker

UMA4LMP: Controlled Push

Student, Job Seeker

Employer

Why UMA

• UMA provides a new approach to protect personal information in a decentralized and distributed network.

• UMA provides a new way to create a trust relationship in a distributed environment.

• UMA provides a new way to control of what is happening to personal data.

• UMA provides a new way to help individuals understand how personal data is used.

Benefits of UMA applied to LMP

Authorize

Client ResourceServer

AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Protection and Security AccountabilityRight and Responsibility for using personal data

Authorize

AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Individual protects the distributed resource which is collecting the personal data with a centralized Authorization Server.

Authorize

AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Individual is active part of defining the how the personal information will be handled in the data sharing process (Controlled Push or Informed Pull).

Authorize

AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Individual is able to define sharing policy for what purposes the personal data is shared (or collected)

Authorize

AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Individual can selectively share personal data with Requesting Party through a Claim-based authorization system

Authorize

AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Policy Enforcement Point at Resource Server allows to intercept any request to access to personal data

Individual can selectively share personal data with Requesting Party through a Claim-based authorization system

Questions?

Eve L. Maler UMA WG Chair

emaler@forrester.com !

Thomas Hardjono UMA WG Specification Editor

hardjono@mit.edu !

Members of the UMA WG

Thank You /Acknowledgement

Thanks!

@UMAWG tinyurl.com/umawg |tinyurl.com/umafaq