NYC Identity Summit Business Day: Doing Authorization, Consent, and Delegation Right with UMA

Posted on 15-Apr-2017


Transcript of NYC Identity Summit Business Day: Doing Authorization, Consent, and Delegation Right with UMA

© 2016 ForgeRock. All rights reserved.

Doing Authorization, Consent, and Delegation Right With UMA

Eve Maler
VP Innovation & Emerging Technology
@xmlgrrl

Photo: flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

What happens when businesses can’t form trusted digital relationships with consumers?

• Revenue loss
• Brand damage
• Loss of trust
• Missing out on opportunities
• Compliance costs and penalties?

flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0

Why enable personal data sharing?

Let’s use Health Relationship Trust as an example

[Diagram: data quality and accuracy → improved clinical data → better care]

Why ensure personal control of sharing?


How dire is the consent technology situation?

9 percent [of companies] believe current methods (i.e., check boxes, cookie acknowledgment) used to ensure data privacy and consent will be able to adapt to the needs of the emerging digital economy.

– ForgeRock global survey conducted by TechValidate, 16 Mar 2016

A government attribute sharing scenario

A place to go online where citizens can see and manage all the consents they have given to different organizations

[Diagram: the UMA roles and what each does. Roles: authorization server, resource owner, requesting party, client, resource server. Actions: manage, control, protect, delegate, revoke, authorize, manage access, negotiate, deny.]

An enterprise scenario

IT manages hundreds of API-fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/functions to fellow employees and partners within the ecosystem, giving IT – and herself – centralized visibility into the access granted.
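The roles in the diagram exchange messages in a fixed order: the resource server registers Alice’s resource with the authorization server, a tokenless request from the client gets a 401 carrying a permission ticket, the client redeems the ticket at the token endpoint using the UMA grant type, and the resource server introspects the resulting requesting party token (RPT) before serving anything. The following is an added example, not code from this deck or from the ForgeRock platform: an in-memory simulation of that exchange for the enterprise scenario above (Alice delegates “view” but not “edit” to Bob, then revokes). The message shapes (the UMA grant URN, the `WWW-Authenticate: UMA … ticket="…"` challenge, the `ticket`/`access_token`/`active`/`permissions` fields) follow the UMA 2.0 specifications; everything else is hypothetical, including the class and function names, the `https://as.example` URL, the one-policy-per-(resource, party) model, and the requesting party’s identity being passed as an already-verified string instead of being gathered as claims. It goes slightly beyond the slide by showing the two checks that make delegation and revocation actually hold: the resource server checks that the RPT names this resource and this scope rather than trusting `active` alone, and revoking a policy also deactivates RPTs already issued under it.

```python
# Simulated UMA 2.0 grant between a resource owner, a resource server (RS), an
# authorization server (AS) and a client acting for a requesting party. In-memory
# and hypothetical: message shapes follow UMA 2.0, the policy model is simplified.
import secrets

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class AuthorizationServer:
    def __init__(self):
        self.resources = {}  # resource_id -> {"owner", "scopes"}
        self.policies = {}   # (resource_id, requesting_party) -> allowed scopes
        self.tickets = {}    # permission ticket -> {"resource_id", "scopes"}
        self.rpts = {}       # RPT -> {"active", "requesting_party", "permissions"}

    def register_resource(self, owner, scopes):  # Protection API: resource registration
        rid = secrets.token_hex(8)
        self.resources[rid] = {"owner": owner, "scopes": set(scopes)}
        return rid

    def set_policy(self, owner, resource_id, requesting_party, scopes):
        # The resource owner delegates a subset of the registered scopes to one party
        res = self.resources[resource_id]
        if res["owner"] != owner or not set(scopes) <= res["scopes"]:
            raise PermissionError("not the owner, or scope not registered")
        self.policies[(resource_id, requesting_party)] = set(scopes)

    def revoke_policy(self, owner, resource_id, requesting_party):
        if self.resources[resource_id]["owner"] != owner:
            raise PermissionError("only the resource owner may revoke")
        self.policies.pop((resource_id, requesting_party), None)
        for rpt in self.rpts.values():  # also kill RPTs issued under the old policy
            if rpt["requesting_party"] == requesting_party and any(
                    p["resource_id"] == resource_id for p in rpt["permissions"]):
                rpt["active"] = False

    def request_permission(self, resource_id, scopes):  # Protection API: permission endpoint
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource_id": resource_id, "scopes": set(scopes)}
        return ticket

    def token(self, grant_type, ticket, requesting_party):
        # Token endpoint, UMA grant. requesting_party stands in for the verified
        # claims a real AS would gather (a claim_token or an interactive claims flow).
        if grant_type != UMA_GRANT:
            return {"error": "unsupported_grant_type"}
        info = self.tickets.pop(ticket, None)  # tickets are single use
        if info is None:
            return {"error": "invalid_grant"}
        granted = info["scopes"] & self.policies.get((info["resource_id"], requesting_party), set())
        if not granted:
            return {"error": "request_denied"}
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"active": True, "requesting_party": requesting_party, "permissions": [
            {"resource_id": info["resource_id"], "resource_scopes": sorted(granted)}]}
        return {"access_token": rpt, "token_type": "Bearer"}

    def introspect(self, rpt):  # Protection API: token introspection
        entry = self.rpts.get(rpt)
        return entry if entry and entry["active"] else {"active": False}


class ResourceServer:
    def __init__(self, authz, data):
        self.authz, self.data = authz, data  # data: resource_id -> content

    def handle(self, resource_id, scope, rpt=None):
        # An active RPT is not enough: it must name this resource and this scope.
        if rpt is not None:
            for perm in self.authz.introspect(rpt).get("permissions", []):
                if perm["resource_id"] == resource_id and scope in perm["resource_scopes"]:
                    return 200, self.data[resource_id]
        ticket = self.authz.request_permission(resource_id, [scope])
        return 401, {"WWW-Authenticate": f'UMA realm="rs", as_uri="https://as.example", ticket="{ticket}"'}


def client_get(authz, rs, requesting_party, resource_id, scope, rpt=None):
    # Client side: try, take the ticket from the 401, redeem it at the AS, retry.
    status, body = rs.handle(resource_id, scope, rpt)
    if status == 401:
        ticket = body["WWW-Authenticate"].split('ticket="')[1].rstrip('"')
        tok = authz.token(UMA_GRANT, ticket, requesting_party)
        if "error" in tok:
            return 403, rpt
        rpt = tok["access_token"]
        status, body = rs.handle(resource_id, scope, rpt)
    return status, rpt


def run_demo():
    # Alice delegates "view" (not "edit") on one resource to Bob, then revokes it.
    authz = AuthorizationServer()
    rid = authz.register_resource("alice", ["view", "edit"])
    rs = ResourceServer(authz, {rid: "Q3 forecast (constructed sample)"})
    authz.set_policy("alice", rid, "bob", ["view"])
    view, bob_rpt = client_get(authz, rs, "bob", rid, "view")
    edit, bob_rpt = client_get(authz, rs, "bob", rid, "edit", bob_rpt)
    authz.revoke_policy("alice", rid, "bob")
    after, _ = client_get(authz, rs, "bob", rid, "view", bob_rpt)
    return {"bob_view": view, "bob_edit": edit, "bob_after_revoke": after}
```

`run_demo()` returns 200 for Bob’s view, 403 for his edit attempt (the ticket is issued but the token endpoint answers `request_denied` because the policy grants no edit scope), and 403 for view after Alice revokes, since the old RPT is now inactive at introspection and the fresh ticket is denied. The centralized visibility the scenario asks for falls out of the design: every policy, ticket and RPT lives at the authorization server, so IT and Alice see one record of who was granted what.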


A deep dive on a consumer health IoT scenario


The CMO and the CPO can and must meet in the middle

Risk management perspective:

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. …In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…” (GDPR, Recitals 42 and 43)

Business perspective:

• We value personal data as an asset
• Our customers’ wishes have value
• Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add

The ForgeRock Identity Platform includes two UMA components

• UMA Provider (access management): the authorization server
• UMA Protector (gateway): the resource server
• Client: sample code provided

Forgerock.com | Forgerock.com/blog

Thank you!