The document discusses ForgeRock's approach to identity and access management. It highlights a trend toward citizen-centric identity and relationship management rather than identity and access management alone. This allows linking identities across contexts and channels to provide a unified citizen experience. ForgeRock proposes the concept of contextual security and identity to improve authentication, authorization, and consent on mobile and cloud platforms. The document also discusses the challenges of scaling identity services and of portability across cloud platforms.
Give a little background about ForgeRock
Securing over 500 Million Identities
Built for telco-scale
Huge enterprise implementations
Capital efficient
Truly global in nature
Multi-national engineering centers
400+ large enterprise & government customers
Daniel
We have been helping governments worldwide and, in addition to Norway, have a number of impressive deployments.
Consumer trust of businesses has never been great.
But it’s demonstrably at an ebb in the post-Snowden era when it comes to personal data.
There’s qualitative and quantitative evidence telling the story.
Image source: https://www.flickr.com/photos/vincrosbie/16301598031/
Latest evidence:
Spotify last August: simple privacy policy change alarmed customers
Complaints, threats to leave (e.g. new Apple Music)
Lesson: in a commoditized market with low switching costs, insensitivity to privacy concerns can hurt you even if the change wasn’t materially negative
Mobile Ecosystem Forum IoT consumer survey: trust issues biggest concern
NEW: On The Dark Web, Medical Records Are A Hot Commodity: Medical records go for US$60 each
NEW: “In January of this year, Melbourne’s largest hospital network was significantly impacted when a computer virus affected the hospitals’ Windows XP systems, disrupting meal delivery and pathology results.”
(See: http://www.dw.com/en/spotify-feels-the-burn-after-privacy-policy-flub/a-18665269)
(See: http://www.fastcompany.com/3061543/on-the-dark-web-medical-records-are-a-hot-commodity)
(See: http://securityaffairs.co/wordpress/49472/data-breach/data-breaches-healthcare-sector.html)
(See: http://www.bizreport.com/2016/04/21-globally-have-concerns-that-iot-machines-will-take-over-t.html)
It’s imperative to build and maintain trusted digital relationships
The project involved a collaboration between Government Digital Service, Department for Work and Pensions, Warwickshire County Council, Mydex and Verizon to design an attribute exchange hub. Verizon built the hub and the attribute provider components; Warwickshire County Council built the relying party gateway to the hub.
The project team designed the attribute exchange hub based on [Separate identity assurance and attribute exchange hubs with attributes passing through the attribute exchange hub]. This was selected for a number of reasons:
● identity assurance has already been designed and developed as a common capability within the government platform (ie GOV.UK Verify)
● identity assurance and attribute exchange can be treated as separate “services”, each simpler in its own right and each able to develop at its own speed
● sending all of the messaging via the hub, rather than point to point between relying parties and attribute providers, simplifies on-boarding, and provides a consistent point for logging, auditing and billing. It better meets a number of the design principles established in the Discovery project
(See: http://www.ukauthority.com/UKA-Local-Digital/entry/5958/local-and-central-government-work-together-to-explore-online-eligibility-checking-within-digitised-services)
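To make the chosen design concrete, here is an added example (not code from the project above, and not ForgeRock's) of the hub-centred pattern: relying parties never talk to attribute providers directly, identity assurance is a separate service whose assertion the hub verifies before routing anything, and every exchange, successful or not, produces exactly one audit record that can also drive billing. The identity assertion is HMAC-signed with a shared key purely for brevity (GOV.UK Verify uses signed SAML); the relying party, provider, attribute names and PIDs are made up.

```python
"""Toy attribute exchange hub: relying parties query attribute providers only via the hub.
Identity assurance is a separate service issuing HMAC-signed assertions (a stand-in for
the SAML assertions GOV.UK Verify issues). Names, attributes and the key are made up."""
import hashlib
import hmac
import json


def _sign(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityAssuranceService:
    """Separate service: proves who the citizen is (not shown) and issues a signed assertion."""

    def __init__(self, key):
        self.key = key

    def assert_identity(self, pid, level_of_assurance):
        payload = {"pid": pid, "loa": level_of_assurance}
        return {**payload, "sig": _sign(self.key, payload)}


class AttributeProvider:
    """E.g. a benefits database: answers questions about a pseudonymous PID."""

    def __init__(self, name, records):
        self.name, self.records = name, records  # pid -> {attribute: value}

    def query(self, pid, attribute):
        return self.records.get(pid, {}).get(attribute)


class AttributeExchangeHub:
    """Single choke point: on-boarding, assertion checks, routing, one audit line per call."""

    def __init__(self, ia_key, min_loa=2):
        self.ia_key, self.min_loa = ia_key, min_loa
        self.relying_parties = {}  # rp_id -> set of attributes it may request
        self.providers = {}        # attribute -> AttributeProvider
        self.audit = []

    def onboard_rp(self, rp_id, attributes):
        self.relying_parties[rp_id] = set(attributes)

    def onboard_provider(self, provider, attributes):
        for attr in attributes:
            self.providers[attr] = provider

    def _assertion_ok(self, assertion):
        payload = {k: assertion.get(k) for k in ("pid", "loa")}
        return hmac.compare_digest(_sign(self.ia_key, payload), str(assertion.get("sig", "")))

    def exchange(self, rp_id, assertion, attribute):
        value, outcome = None, "ok"
        if rp_id not in self.relying_parties:
            outcome = "unknown_rp"
        elif not self._assertion_ok(assertion):
            outcome = "bad_assertion"
        elif assertion["loa"] < self.min_loa:
            outcome = "loa_too_low"
        elif attribute not in self.relying_parties[rp_id]:
            outcome = "rp_not_entitled"
        elif attribute not in self.providers:
            outcome = "no_provider"
        else:
            value = self.providers[attribute].query(assertion["pid"], attribute)
            if value is None:
                outcome = "not_found"
        # One record per transaction, whatever the outcome: the logging/audit/billing point.
        self.audit.append({"rp": rp_id, "attribute": attribute, "pid": assertion.get("pid"),
                           "provider": getattr(self.providers.get(attribute), "name", None),
                           "outcome": outcome, "billable": outcome == "ok"})
        return {"outcome": outcome, "value": value}


def demo():
    key = b"demo-shared-key"  # made up; a real deployment uses asymmetric signatures
    ia = IdentityAssuranceService(key)
    hub = AttributeExchangeHub(key)
    hub.onboard_rp("council-parking", ["receives_benefit"])
    hub.onboard_provider(AttributeProvider("dwp", {"pid-42": {"receives_benefit": True}}),
                         ["receives_benefit", "state_pension_age"])
    good = ia.assert_identity("pid-42", 2)
    forged = {**good, "pid": "pid-99"}  # PID swapped, so the signature no longer matches
    results = [hub.exchange("council-parking", good, "receives_benefit"),
               hub.exchange("council-parking", forged, "receives_benefit"),
               hub.exchange("council-parking", good, "state_pension_age"),
               hub.exchange("unknown-rp", good, "receives_benefit")]
    return [r["outcome"] for r in results], sum(e["billable"] for e in hub.audit)
```

The point of the design shows up in `exchange`: the relying party only ever learns the attribute value, the provider only ever sees a verified pseudonymous PID, and the hub's audit list is the one place where entitlement, identity-assurance and billing questions can all be answered.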
Okay, so why enable personal data sharing?
Data quality and accuracy -- one US study: only 5% agreement between medications listed in EHRs and what patients actually take
This gap affects cost, efficiency, and satisfaction as well
Improved clinical research sets – one UK study: over half the respondents supported use of their data by commercial organizations for research
A floor of 17% were not willing to share data at all
Better care – Philips did a study with Banner Health
Patients with chronic disease used a smart device and an app so that care could draw on continuously monitored vital signs
Shorter, less expensive, less ER-intensive stays: savings averaged 10 days/year and $27K/year
(See: http://well.blogs.nytimes.com/2016/03/31/let-patients-read-their-medical-records/?_r=0)
(See: http://www.wellcome.ac.uk/News/Media-office/Press-releases/2016/WTP060240.htm)
Image sources:
http://www.serkworks.com/rocket-surgery-institute/
https://upload.wikimedia.org/wikipedia/en/d/dc/Lab_Rats_Film_Poster.jpg
http://www.mastgeneralstore.com/products/id-1426/magnet_-_i_love_lucy_vitameatavegamin
So that’s a business-based reward-centric viewpoint
Beyond the business-based risk-centric viewpoint of regulatory compliance, why should businesses do what individuals want regarding personal control?
The IoT brings new volumes and sources of data, and new use cases for people wanting to share that data
CareKit added person-to-person sharing in the Apple ecosystem
Dumb socks vs. smart socks – need a solution in wider ecosystems
With apologies to John Gilmore’s famous saying about the ‘net and censorship
You have to make the right thing to do be the easiest thing to do
IT manages hundreds of API-fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/functions to fellow employees and partners within the ecosystem, giving IT – and herself – centralized visibility into the access granted.
Image source:
"John Gilmore Portrait" by Neurosynthetic - Own work. Licensed under CC BY-SA 4.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:John_Gilmore_Portrait.jpg#/media/File:John_Gilmore_Portrait.jpg
Bringing the business owner closer to permission management and providing a standardized API access model
New regulations are not just codifying current data protection practice
Many are giving user consent a much greater role in the privacy picture
At the same time, more organizations are recognizing that personal data must be treated as a shared asset
You need to provide custodianship but also a relationship
(See: https://iapp.org/media/pdf/resource_center/GDPR-final.pdf)
The UMA architecture has three pieces: the resource server that fronts your API/application, the authorization server, and the client. ForgeRock will deliver the two key pieces at the top of the diagram: the resource server side that protects your API/application (the policy enforcement point) and the authorization server that lets your users set up sharing preferences (the policy decision point).
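The Alice scenario above (delegating constrained access to fellow employees and partners with central visibility) is exactly what the UMA grant is for, so here is an added, self-contained walk-through of the three pieces in Python. It is illustrative code written for this page, not ForgeRock's implementation and not a conformant UMA library: the three parties run in-process, HTTP calls are method calls, the owner's protection API token is omitted, and the resource names, scopes, parties and the `as.example.test` URL are made up. What it does follow is the UMA 2.0 shape: the resource server registers Alice's resource, the owner sets policy at the authorization server, an unauthenticated request yields a permission ticket in a 401, the client trades ticket plus its own identity for an RPT at the token endpoint, and the resource server enforces by introspecting the RPT.

```python
"""Toy UMA 2.0 grant: Alice delegates read access on one API resource to Bob.
Illustrative only: in-process, no PAT, no real HTTP; names and URLs are made up."""
import secrets

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class AuthorizationServer:
    """Policy decision point: resource registrations, owner policies, tickets, RPTs, audit."""

    def __init__(self):
        self.resources = {}  # resource_id -> {"owner", "name", "scopes"}
        self.policies = {}   # resource_id -> {requesting_party: set(scopes)}
        self.tickets = {}    # permission ticket -> (resource_id, set(scopes))
        self.rpts = {}       # RPT -> {"requesting_party", "permissions"}
        self.audit = []      # the central visibility IT and Alice both want

    def register_resource(self, owner, name, scopes):
        rid = secrets.token_hex(4)
        self.resources[rid] = {"owner": owner, "name": name, "scopes": set(scopes)}
        self.policies[rid] = {}
        self.audit.append(("register", owner, rid, name))
        return rid

    def set_policy(self, owner, rid, requesting_party, scopes):
        """Owner-only: share a subset of the registered scopes with one requesting party."""
        if self.resources[rid]["owner"] != owner:
            raise PermissionError("only the resource owner may set a sharing policy")
        scopes = set(scopes)
        if not scopes <= self.resources[rid]["scopes"]:
            raise ValueError("policy names scopes the resource was not registered with")
        self.policies[rid][requesting_party] = scopes
        self.audit.append(("policy", owner, rid, requesting_party, tuple(sorted(scopes))))

    def permission(self, rid, scopes):
        """Permission endpoint: the RS describes the attempted access and receives a ticket."""
        ticket = secrets.token_urlsafe(12)
        self.tickets[ticket] = (rid, set(scopes))
        return ticket

    def token(self, grant_type, ticket, requesting_party):
        """Token endpoint: evaluate the owner's policy for this ticket; issue an RPT or deny."""
        if grant_type != UMA_TICKET_GRANT or ticket not in self.tickets:
            return {"error": "invalid_grant"}
        rid, wanted = self.tickets.pop(ticket)  # tickets are single use
        if not wanted <= self.policies[rid].get(requesting_party, set()):
            self.audit.append(("deny", requesting_party, rid, tuple(sorted(wanted))))
            return {"error": "request_denied"}
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {"requesting_party": requesting_party,
                          "permissions": [{"resource_id": rid, "resource_scopes": sorted(wanted)}]}
        self.audit.append(("grant", requesting_party, rid, tuple(sorted(wanted))))
        return {"access_token": rpt, "token_type": "Bearer"}

    def introspect(self, rpt):
        info = self.rpts.get(rpt)
        return {"active": False} if info is None else {"active": True, **info}


class ResourceServer:
    """Policy enforcement point in front of the API: never decides, only asks and enforces."""

    def __init__(self, authz, as_uri):
        self.authz, self.as_uri = authz, as_uri
        self.resource_ids = {}  # resource name -> resource_id

    def protect(self, owner, name, scopes):
        self.resource_ids[name] = self.authz.register_resource(owner, name, scopes)

    def handle(self, name, scope, rpt=None):
        rid = self.resource_ids[name]
        if rpt is not None:
            info = self.authz.introspect(rpt)
            if info["active"] and any(p["resource_id"] == rid and scope in p["resource_scopes"]
                                      for p in info["permissions"]):
                return {"status": 200, "body": f"{scope} {name} as {info['requesting_party']}"}
        ticket = self.authz.permission(rid, [scope])  # no/insufficient RPT: hand out a ticket
        return {"status": 401,
                "WWW-Authenticate": f'UMA realm="api", as_uri="{self.as_uri}", ticket="{ticket}"'}


class Client:
    """Requesting party's app: follows the 401 to the AS, then retries with the RPT."""

    def __init__(self, rs, authz, requesting_party):
        self.rs, self.authz, self.requesting_party = rs, authz, requesting_party

    def access(self, name, scope):
        reply = self.rs.handle(name, scope)
        if reply["status"] != 401:
            return reply
        ticket = reply["WWW-Authenticate"].split('ticket="')[1].rstrip('"')
        tok = self.authz.token(UMA_TICKET_GRANT, ticket, self.requesting_party)
        if "error" in tok:
            return {"status": 403, "error": tok["error"]}
        return self.rs.handle(name, scope, rpt=tok["access_token"])


def demo():
    authz = AuthorizationServer()
    rs = ResourceServer(authz, "https://as.example.test")
    rs.protect("alice", "expense-reports", ["read", "approve"])
    authz.set_policy("alice", rs.resource_ids["expense-reports"], "bob", ["read"])
    bob, carol = Client(rs, authz, "bob"), Client(rs, authz, "carol")
    return {"bob_read": bob.access("expense-reports", "read")["status"],
            "bob_approve": bob.access("expense-reports", "approve")["status"],
            "carol_read": carol.access("expense-reports", "read")["status"],
            "audit": [entry[0] for entry in authz.audit]}
```

Two details carry the security point. The resource server holds no policy at all: it cannot be talked into granting access, because the only thing it can do with an unknown caller is issue a ticket and send them to the authorization server. And every registration, policy change, grant and denial lands in one audit list at the authorization server, which is the "centralized visibility" of the Alice scenario rather than per-application access logs.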