Canberra Executive Breakfast - A Citizen-Centric Approach to Identity

Post on 19-Jan-2017


Transcript of Canberra Executive Breakfast - A Citizen-Centric Approach to Identity

© 2016 ForgeRock. All rights reserved.

A Citizen-Centric Approach to Identity

ForgeRock Executive Breakfast


FORGEROCK IS THE LEADING, NEXT-GENERATION, IDENTITY SECURITY SOFTWARE PLATFORM.

2010 Founded

10 Offices worldwide with headquarters in San Francisco

350+ Employees

450+ Customers

30+ Countries

$52M Funding to date (thru Series C) by Accel Partners, Foundation Capital and Meritech Capital Partners


Improving the Quality of Government Services with Citizen-Focused Identity Management

Daniel Raskin, SVP Product Management


What are the trends?


Hype Cycle for Digital Government Technology, 2016


The Top 10 Strategic Technology Trends for Government in 2016


Top Investment Areas

CIOs in the Asia/Pacific and EMEA regions indicate digitalization is a much higher priority than their North American peers.


Digital Transformation – Top Three Expected Outcomes


2016 CIO Agenda: A Government Perspective

Key Findings
• Digital service transformation is at the embryonic stage of maturity in government
• Analytics, infrastructure and cloud computing continue to be the top three technology priorities for government CIOs in all tiers and regions – however, security and privacy concerns are at an all-time high
• CIOs report a 34% adoption rate of bimodal IT in government, slightly lagging behind private industry (38%)


What is the role of identity?


Digital Transformation & Customer Engagement Require Identity Relationship Management (IRM)

Diagram: Identity Access Management versus Identity Relationship Management.

Identity Access Management: on-premises; people (workforce in the thousands, partners and suppliers, customers in the millions); applications and data; endpoints (PCs).

Identity Relationship Management: on-premises, public cloud and private cloud; people (customers in the millions) and things (tens of millions); applications and data; endpoints (PCs, phones, tablets, smart watches).


Unified, Omnichannel Citizen Experience

Single View • Contextual Intelligence • Adaptive Security • Privacy & Consent

Persistent Identity

Persistent Identity Across Government Channels


Mobile Ready • Open Data • Citizen Services • Business Services • Smart City


Identity Management Evolves to Relationship Management

Identity Lifecycle Management Users, Devices, Things & Services


Contextual Security: Taking Safety to the Next Level

Passwordless Authentication

Register Device for First Time

Authorize Access to Citizen Services

Authorize family members to use account

Authorize Data to Device / Thing


Did you just submit your taxes?

Did you just register a new car?

Kayoko is requesting access to your 2015 taxes. Ok?

Did you just conduct a transaction on our citizen portal?

We noticed you are using a new iPhone.

Would you like to register this device?

Did you request access to your birth certificate online?

Contextual Identity: Enriching the Experience


Contextual Identity: Authentication, Authorization and Consent

Diagram: Mobile Passport (Citizen, Government Official)


SOA is Dead, but Services on the Rise!

1990s and early: Pre-SOA, monolith to change

2000s: Traditional SOA, autonomous but coordinated

Present: Microservices, decoupled and independent

PWC, Agile coding in enterprise IT: Code small and local


Service to Service Interaction: Authentication, Authorization and Consent

https://api.australia.gov/v1/userinfo

Authenticate API Authorize API Calls Authenticate API


Scaling to Support Distributed Cloud Architectures: Stateless Architecture

• Flexible deployment option to address cloud elasticity and massive horizontal scalability

• Configuration can be on a per-realm basis

• Stateless = state information is encoded in JWT token

• Stateful = tokens persisted in the Core Token Service
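As an added example (not ForgeRock code) of what the stateless/stateful distinction above means in practice, the following sketch issues and validates both token styles; the signing key, the in-memory store standing in for the Core Token Service, and the realm name are constructed placeholders.

```python
# Added illustration (not ForgeRock code): a stateless session token carries its
# state inside an HMAC-signed JWT; a stateful one is an opaque handle resolved
# against a shared store (the role the slide gives the Core Token Service).
import base64, hashlib, hmac, json, secrets

SECRET = b"demo-signing-key"  # constructed demo key; a real deployment uses a managed secret
TOKEN_STORE: dict = {}        # constructed stand-in for the Core Token Service

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Stateless: any server holding the signing key can validate without a lookup.
def issue_stateless(subject: str, realm: str, ttl: int, now: int) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": subject, "realm": realm, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def validate_stateless(token: str, now: int):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm we never issue
        expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        body = json.loads(_unb64(claims))
        return body if body["exp"] > now else None
    except (ValueError, KeyError, AttributeError, TypeError):
        return None

# Stateful: the token is opaque; every server must reach the shared store.
def issue_stateful(subject: str, realm: str, ttl: int, now: int) -> str:
    handle = secrets.token_urlsafe(32)
    TOKEN_STORE[handle] = {"sub": subject, "realm": realm, "exp": now + ttl}
    return handle

def validate_stateful(handle: str, now: int):
    entry = TOKEN_STORE.get(handle)
    return entry if entry and entry["exp"] > now else None

def revoke_stateful(handle: str) -> bool:
    # Revocation is immediate here; a stateless JWT remains valid until exp
    # unless the servers also consult a denylist, which reintroduces state.
    return TOKEN_STORE.pop(handle, None) is not None
```

The trade-off the slide's two bullets imply is visible in the last function: stateless tokens scale horizontally without a shared store, but only stateful tokens can be revoked on the spot.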

Diagram: three OpenAM Servers (AWS1, AWS2, AWS3) in a Distributed Cloud Environment serving a Microservices Client App


The Cloud Conundrum

No Portability! Identity Baked in and Constrained to Each Cloud!


The Abstraction of Identity … Again

Diagram labels: OAuth2/OIDC, OAuth2/OIDC, OAuth2/OIDC, OAuth2


Cloud Automation


Cloud Native: Cattle versus Pets


Cloud Native: Kangaroos versus Koala Bears


Cloud Native: Cattle versus Pets

Cattle
• Cattle are numbers
• They are almost identical
• When ill, get another (Kill it!)
• Thousands of cattle on farm

Pets
• Pets have names like “pussnboots”
• They are lovingly hand raised
• When ill, nursed back to health
• 1 or 2 pets in house

Elastic Inelastic


Container Management & Deployment

Product Configuration

Product Manifests

ForgeRock Images

Java Image

Tomcat Image

…Other Images

DOCKER REPOSITORY


Platform Ubiquity


We Must Be Better

Authentication Authorization Multi-Factor Adaptive Risk Self Service Directory API Security GRC …


Unified Platform

UMA Provider Mobile OTP App Synchronization Auditing

LDAPv3 REST/JSON

Replication Access Control

Schema Management

Caching

Auditing

Monitoring

Groups

Password Policy

Active Directory Pass-thru

Reporting

Authentication Authorization Provisioning User Self-Service Authentication OIDC / OAuth2

Federation / SSO User Self-Service Workflow Engine Reconciliation Password Replay SAML2

Adaptive Risk Stateless/Stateful Registration Role Provisioning Message Transformation

API Security Scripting

Built from Open Source Projects: Access Management, Identity Management, Identity Gateway, Directory Services (UMA Resource)


U.S. Federal Customers

Homeland Security

Navy

DISA

Labor

Treasury

Energy

Commerce

Defense


Global Government Success …

Norway: All Gov’t Agencies

Belgium: Citizen ID

Canada: Citizen Services

New Zealand: Citizen Services

France: Unemployment, Retiree Services

Australia: Tax Office

UK: NHS, BBC

Switzerland: National Court System


Identity Relationship Management: Talkin’ Bout a Revolution

Relationship Management

Cloud Automation

Cloud Readiness

Platform Ubiquity

Microservices Architecture

Contextual Identity


Thank You


Doing Authorisation, Consent, and Delegation Right With UMA

Eve Maler, VP Innovation & Emerging Technology, @xmlgrrl

Photo: flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0


Photo: flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0


Attribute sharing scenarios

“In the next stage of the project … [t]he team will be investigating and testing this to further address the thorny issues of trust and transparency when gaining citizens’ permission. … “[E]ligibility for some services can be quite dynamic, for example, as the level of an individual’s in-work benefits varies, and it may be necessary to carry out on-going eligibility checks from time to time. UMA gives the individual a place to go online where they can see and manage all the consents they have given to different organisations. Until now, managing ongoing consent was tricky,” [Ian Litton] added. “Typically, you asked individuals to consent at a point in time. They tick the T&Cs, which they never see again. UMA should fix that problem.”

-- UKA Local Digital, 3 March 2016


Consumer/clinical health IoT scenarios


Diagram: UMA roles (resource owner, requesting party, authorization server, resource server, client) and their interactions (manage, delegate, control, negotiate, protect, authorize, access, consent, revoke, deny)

Example: Bruce Wayne shares device data with Dr. McCoy


Why enable personal data sharing?

clinical research • better care • data accuracy


Why ensure personal control of sharing?

new IoT needs • new regulatory pressures


The same architecture applies to Google Apps-style delegation

“The enterprise interprets access control as damage and routes around it.”


Why enable constrained delegation?

security/authn • governance • APIs/IoT


Why formalize federated authorization?

business ownership • standard access model


The CMO and the CPO can and must meet in the middle

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. …In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…”

• We value personal data as an asset
• Our customers’ wishes have value
• Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add

Risk management perspective Business perspective


The ForgeRock Identity Platform includes two UMA components

authorization server: UMA Provider (access management)

resource server: UMA Protector (gateway)

client: sample code provided


Forgerock.com

Forgerock.com/blog

Thank you!


Questions?

Wrap Up
• Feedback Forms
• Your Local ForgeRock Team

Adam Butler, Federal Government Director

Adam Biviano, Senior Solutions Architect