User-Managed Access: key to Life Management Platform
Domenico Catalano, Oracle Italy
Maciej Machulak, Cloud Identity Limited
European Identity Conference 2014
Agenda
Personal Data and Emerging Trends
Life Management Platforms
UMA Concepts
Use Cases
Demo
Q&A
What is Personal Data…
Personal Data is the Life Blood of the Information Age
Personal Data is the New “Oil of the Internet”
Personal Data is the new currency
Personal Data and new forms of economic and social value
Big Data
Explosive growth of Personal Data
New forms of economic and social value
Quantity and quality
Mobile Computing, Social Networking, Internet of Things
How to measure the value of Personal Data
• Market capitalization
• Revenue per record/user
• Market Price
• Cost of data breach
• Pay to protect
[Chart, axis in USD (0 to 40): Street address, Date of Birth, Social Number, Military record]
$112 per user record
USD 1.7 per record
Data breach cost $171M
Source: OECD (2013), “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”
Externalities: Socio-economic impact
• Personal data to avoid duplicative testing/misdiagnosis, etc., in healthcare.
Electronic Health Record
• Patient Value: Improved treatment
• Financial Benefits: Reduced Cost
• Social Value: research into new drugs, improved medical protocols
Source: OECD (2013), “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”
Risks about Personal Data
“72% of European citizens are concerned that their personal data may be misused…” (EU Commission survey 2012)
Individuals have little visibility into the practices of the organizations they are putting their trust in – until their data is breached or misused.
Risks: Loss of Trust
[Diagram: Individual and Organization, with Personal Data between them under tension]
Challenges to mitigate Risks
• Protection and Security
‣ New approaches for decentralized and distributed network environment.
• Accountability
‣ Who has data about you? Where is the data about you located?
• Right and Responsibility for using personal data
‣ New approaches that help individuals understand how and when data is collected.
‣ How the data is being used and the implications of these actions.
‣ Empower individuals more effectively and efficiently.
‣ Context aware.
Source: World Economic Forum 2013 Report: Unlocking the Value of Personal Data: From Collection to Usage
Personal Data Ecosystem Emerging Trends: Data Lockers
Personal Data Store
Personal Clouds
Life Management Platforms
[Diagram labels: Native Data Store, App, App, Informed Pull, Controlled Push]
Life Management Platforms
• The concept of Life Management Platforms (LMPs) was introduced in 2012 by KuppingerCole.
• An LMP allows an individual to consolidate all relevant data from their life, e.g. bank account information, insurance information, health information, etc.
• The platform concept provides the tools to manage the essential information of every person’s life and make it usable for other parties.
Life Management Platform: Key features
• Secure Store of Information
• Information control remains with Individual
• Granular Access Control for Data
• Advanced Data Sharing Models
[Diagram labels: LMP, Requesting Party, Data Stores (Bank, healthcare, Home, Car), Access, Data Control, Individual Control, Data Sharing Policy, Informed Pull, Controlled Push]
User-Managed Access (UMA)
UMA defines how an individual can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on individual policy.
tinyurl.com/umawg
UMA is...
• A web protocol that lets you control access by anyone to all your online stuff from one place
• A set of draft specifications, free for anyone to implement
• Undergoing multiple implementation efforts
• A Work Group of the Kantara Initiative, free for anyone to join and contribute to
• Simple, OAuth-based, identifier-agnostic, RESTful, modular, generative, and developed rapidly
• Contributed to the IETF for consideration: draft-hardjono-oauth-umacore
• Currently undergoing interop testing and increased OpenID Connect integration
UMA Architecture
User-Managed Access for LMP
[Diagram labels: Resource Owner, UMA AS, Client, LMP, Requesting Party, Data Stores (Bank, healthcare, Home, Car); interactions: manage, control, consent, protect, negotiate, authorize, access]
UMA for LMP Use Cases
• Personal Loan (Informed Pull)
• CV Sharing (Controlled Push)
UMA for LMP Use Case: Informed Pull
• An Individual issues a request for information (RFI) to a group of financial services to obtain the best offer for a personal loan.
• Life Connections represent the Individual’s Personal Information requested (i.e. Bank Account and Credit Score) for issuing the RFI, protected by the UMA AS.
• LMP provides the Apps for typical Life events (i.e. Personal Loan Request).
Informed Pull Model
[Diagram labels: LMP, Financial Service, Bank, Credit Score, Loan App, UMA-Enabled; steps: Request for Information, Authorize/Access, Offer]
UMA4LMP: Informed Pull
[Screenshots of the Life Management Platform at www.uma4lmp.com/am/informed_pull, “Life Connections Request” page. Recoverable on-screen text:]
• Items: Home, Bank, Healthcare, Car, Credit Score, Loan Application, healthcare Insurance
• Life Applications / Request for Information: “Drag request template here”
• Personal Information: Bank Account + Credit Score
• OnlineBank.com: Shareable Bank Account, Privacy impact: Medium, Data Access: Read (View Data)
• Request Info: Loan amount: 10000, Period: 24
• Data sharing Policy: Claim-based authorization, Validity: / /
• Data Purpose: Requesting Party, Marketing related use, Only for this request
• Buttons: Cancel, Run Now, Save as Template
UMA4LMP: Informed Pull
[Screenshot: Personal Loan App Results on the Life Management Platform (www.uma4lmp.com/am/informed_pull). Columns: Vendor, Amount, Interest Rates, Details. Vendors: OnlineLoan.com (5.1%), Bestloan.com, FinancialOne.com, ConsumerBank.com, CreditMarket.com. Amount: 10.000 in each row. Other interest rates shown: 5.25%, 5.30%, 6.00%, 6.70%. Each row has a “View details” link.]
UMA for LMP Use Case: Controlled Push
• A student interacts with an online job application system.
• Student shares their exam marks, certificates, references, etc.
• Data is stored at their various Higher Education institutions.
• Employers can ask for additional information to be provided during the application process.
UMA4LMP: Controlled Push
[Screenshots; labels: Student, Job Seeker; Employer]
DEMO
Why UMA
• UMA provides a new approach to protect personal information in a decentralized and distributed network.
• UMA provides a new way to create a trust relationship in a distributed environment.
• UMA provides a new way to control what is happening to personal data.
• UMA provides a new way to help individuals understand how personal data is used.
Benefits of UMA applied to LMP
[Diagram: Resource Owner, Authorization Server, Resource Server, Client; interactions: Protect, Authorize, Access (on behalf of Requesting Party)]
Protection and Security; Accountability; Right and Responsibility for using personal data
• The individual protects the distributed resources that collect the personal data with a centralized Authorization Server.
• The individual takes an active part in defining how the personal information will be handled in the data sharing process (Controlled Push or Informed Pull).
• The individual is able to define a sharing policy stating for what purposes the personal data is shared (or collected).
• The individual can selectively share personal data with the Requesting Party through a claim-based authorization system.
• A Policy Enforcement Point at the Resource Server intercepts any request to access personal data.
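The roles on this slide, sketched as an added example (not from the original deck or the UMA specifications): a simplified in-memory Python model in which the individual's sharing policy lives at the authorization server and the resource server's enforcement point checks every request against it. All class, field and sample names are assumptions.

```python
# In-memory model, not the UMA wire protocol; all names/values are hypothetical.
import secrets
from dataclasses import dataclass, field
from datetime import date

@dataclass
class SharingPolicy:           # defined by the individual at the central AS
    scopes: set                # permitted access, e.g. {"read"}
    purpose: str               # declared data purpose
    valid_until: date          # validity of the sharing policy
    required_claims: dict      # claims the requesting party must present

@dataclass
class AuthorizationServer:
    policies: dict = field(default_factory=dict)  # resource -> SharingPolicy
    grants: dict = field(default_factory=dict)    # token -> (resource, scope)

    def authorize(self, resource, scope, purpose, claims, today):
        p = self.policies.get(resource)
        # Deny by default: no token unless every policy condition holds.
        if (p is None or scope not in p.scopes or purpose != p.purpose
                or today > p.valid_until
                or any(claims.get(k) != v for k, v in p.required_claims.items())):
            return None
        token = secrets.token_urlsafe(16)
        self.grants[token] = (resource, scope)
        return token

    def permits(self, token, resource, scope):
        return self.grants.get(token) == (resource, scope)

def resource_server_pep(auth_server, data, resource, scope, token=None):
    # Policy Enforcement Point: intercept every request, ask the central AS.
    if token is None or not auth_server.permits(token, resource, scope):
        return 403, None
    return 200, data[resource]

def demo():
    today = date(2014, 5, 14)                      # constructed sample date
    auth = AuthorizationServer()
    auth.policies["bank_account"] = SharingPolicy(
        {"read"}, "only_for_this_request", date(2014, 6, 30),
        {"role": "financial_service"})
    data = {"bank_account": {"iban": "XX00-SAMPLE"}}   # constructed record
    lender = {"role": "financial_service"}             # constructed claims
    ok = auth.authorize("bank_account", "read", "only_for_this_request", lender, today)
    bad = auth.authorize("bank_account", "read", "marketing", lender, today)
    return (resource_server_pep(auth, data, "bank_account", "read"),
            resource_server_pep(auth, data, "bank_account", "read", ok), bad)
```

In this model the validity date is checked only when the token is issued; a deployment would also expire the token itself and bind it to the requesting client.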
Questions?
Thank You / Acknowledgement
Eve L. Maler, UMA WG Chair
Thomas Hardjono, UMA WG Specification Editor
Members of the UMA WG
Thanks!
@UMAWG | tinyurl.com/umawg | tinyurl.com/umafaq