Doing Authorisation, Consent, and Delegation Right with UMA - Paris Identity Summit 2016

Date post: 08-Jan-2017
Upload: forgerock

Transcript
Page 1: Doing Authorisation, Consent, and Delegation Right with UMA - Paris Identity Summit 2016

© 2016 ForgeRock. All rights reserved.

Doing Authorisation, Consent, and Delegation Right with UMA

Eve Maler | VP Innovation & Emerging Technology | @xmlgrrl
Paris Identity Summit, 15 November 2016

Page 2

flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

In 2Q2016, US mobile operators added connected cars faster than mobile devices – and also faster than anything else

Apr 2016

Page 3

Digital transformation challenges

Diagram components: End users; Regulations; Industry; Your organization

Page 4

Challenge scenarios

Page 5

Scenario 1: Citizen attribute sharing for benefit management

Diagram components: Basic profile data service; Eligibility answer service; Handicap badge issuer app; Consent and delegation manager; Health status service

• Monitor and make changes over time
• Holds no PII itself
• Data lives in multiple services natively

In the next stage of the project … [t]he team will be investigating and testing this to further address the thorny issues of trust and transparency when gaining citizens’ permission. … “[E]ligibility for some services can be quite dynamic, for example, as the level of an individual’s in-work benefits varies, and it may be necessary to carry out on-going eligibility checks from time to time. [A new technology would give] the individual a place to go online where they can see and manage all the consents they have given to different organisations. Until now, managing ongoing consent was tricky,” [Ian Litton] added. “Typically, you asked individuals to consent at a point in time. They tick the T&Cs, which they never see again.”

UK Authority Local Digital, 3rd March 2016

Page 6

Scenario 2: Tax data sharing with an accountant

Diagram components: Employer-run tax data service; Accounting app; Employer-run sharing manager

• Sharing with other parties
• Implemented cross-service
• Buy vs. build

Page 7

Scenario 3: Sharing health data access in an ecosystem

Diagram components: Fitness watch with cloud service; MRI machine with cloud service; Physician portal; Health cloud with sharing manager; EHR service; PHR app; 3rd party smart scale with cloud service; Clinical research

• Selective sharing for multi-way data flows
• Enabling partner ecosystems

Page 8

Bonus scenario 3a: Family caregiver prescription management

Inconsistency across the departments [makes it hard]. It would be easier if every department followed the same process even if you had to do it for each different requirement depending on who you are dealing with.

72-year-old Aroha takes a number of prescriptions; she asks her son to help her manage them through her patient portal.

Aroha gives her son Bailey access to view her prescriptions through her patient portal.

Bailey then asks the portal to send him notifications of his mum’s blood sugar levels.

Page 9

Introducing User-Managed Access (UMA)

Page 10

Privacy is not secrecy and privacy is not encryption

• Context: The right moment to make the decision to share
• Control: The ability to share just the right amount
• Choice: The true ability to say no and to change one’s mind
• Respect: Regard for one’s wishes and preferences

Page 11

A federated authorization architecture in action

Roles in the diagram: resource server (data service); authorization server (sharing manager); resource owner; requesting party; client

Interactions shown between the roles: manage; control; protect; delegate; revoke; authorize; manage; access; negotiate; deny

Page 12

An experience of selectively sharing health data with UMA

Patient view | Doctor view

Page 13

“The enterprise interprets access control as damage and routes around it.”

Page 14

Scenario 4: Business app access sharing with partners

Diagram components: Custom app/service ZZ (shown twice); In-house IdP/AS; Custom app/service AA (shown twice)

• Constrained delegated access
• Central management of cloud/partner/app interactions
• Automated pairing of services and entitlement provisioning

Page 15

Key benefits to users

• Sharing, unsharing, and editing of sharing preferences allowed at any time, without external influence
  • Not just opt-in or opt-out when asked
  • A selective sharing paradigm for an IoT landscape that demands it
• Possible to offer a service that centralizes sharing preference management across data services for user convenience
  • The central service doesn’t see any of the data
  • Data is fed fresh from each individual service
• The user can selectively share whatever “grain” of access each data service offers
  • Such as read vs. write, or weight vs. fat mass
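As an added illustration that is not code from the presentation or from any ForgeRock product, the following Python model plays out the roles on the architecture slide (page 11) and the scope-grained share, deny and revoke behaviour promised under the user benefits, using the Aroha/Bailey scenario. The permission-ticket and requesting-party-token exchange is a deliberately simplified sketch of the UMA flow, and all class, resource and party names are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthorizationServer:  # the "sharing manager": holds policy and issues tokens, never the data
    policies: dict = field(default_factory=dict)  # (resource, party) -> allowed scopes
    tickets: dict = field(default_factory=dict)   # permission ticket -> (resource, wanted scopes)
    rpts: dict = field(default_factory=dict)      # requesting party token -> (resource, scopes, party)
    def delegate(self, resource, party, scopes):  # resource owner: delegate
        self.policies[(resource, party)] = set(scopes)

    def revoke(self, resource, party):  # resource owner: revoke, and invalidate live tokens
        self.policies.pop((resource, party), None)
        self.rpts = {t: v for t, v in self.rpts.items() if (v[0], v[2]) != (resource, party)}
    def request_permission(self, resource, scopes):  # resource server: protect
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (resource, set(scopes))
        return ticket

    def issue_rpt(self, ticket, party):  # client: negotiate; None means deny
        resource, wanted = self.tickets.pop(ticket)
        granted = wanted & self.policies.get((resource, party), set())
        if not granted:
            return None
        rpt = secrets.token_hex(16)
        self.rpts[rpt] = (resource, granted, party)
        return rpt

@dataclass
class ResourceServer:  # the data service: keeps the data, enforces the AS decision per scope
    auth: AuthorizationServer
    data: dict  # resource -> {scope: value}
    def access(self, resource, scope, rpt=None):  # client: access
        grant = self.auth.rpts.get(rpt)
        if grant and grant[0] == resource and scope in grant[1]:
            return "ok", self.data[resource][scope]
        return "ticket", self.auth.request_permission(resource, [scope])  # no valid token yet

def demo():  # Aroha shares read-only prescription access with Bailey, then changes her mind
    auth = AuthorizationServer()
    rs = ResourceServer(auth, {"aroha/prescriptions": {"read": ["rx-1"], "write": "editor"}})
    auth.delegate("aroha/prescriptions", "bailey", ["read"])
    _, ticket = rs.access("aroha/prescriptions", "read")  # first try without a token: ticket
    rpt = auth.issue_rpt(ticket, "bailey")  # negotiate the ticket into an RPT
    read = rs.access("aroha/prescriptions", "read", rpt)[0]  # "ok"
    _, ticket2 = rs.access("aroha/prescriptions", "write", rpt)  # write is outside the grant
    write = auth.issue_rpt(ticket2, "bailey")  # None: denied
    auth.revoke("aroha/prescriptions", "bailey")
    return read, write, rs.access("aroha/prescriptions", "read", rpt)[0]  # ..., "ticket"
```

The authorization server never holds the prescription data itself, and revoking the policy also invalidates the token Bailey already obtained, so the next request is sent back to negotiate again.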

Page 16

Key benefits to service operators: consumer-facing

• A permission model that scales for user growth
• Enables living up to a promise of transparency and building trusted digital relationships
• Enables addressing new regulations that demand freer choice in consent

Page 17

Key benefits to service operators: for the enterprise

• Enables centralizing delegation and access control in loosely coupled environments for better governance
  • CASBs are built for SaaS vendor solutions, not internal apps
• Standard security model based on existing well-understood technologies reduces complexity
  • OAuth, JWT, OpenID Connect...
• Standard permission model encourages business ownership of entitlements
  • Too often, they’re still buried in procedural code

Page 18

Key benefits to service operators: for all use cases

• Constrained delegation of resource access vs. impersonation
  • Now required when multiple factors – or no passwords at all – are in the mix
  • Also required for protecting API and streaming data

Page 19

Let me sum up

Page 20

The CMO and the CPO can and must meet in the middle

Risk management perspective:

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. … In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…”

Business perspective:

• We value personal data as an asset
• Our customers’ wishes have value
• Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add

Page 21

Thank you!