Con8823: Access Management for the Internet of Things
Kanishk Mahajan, Principal Product Manager, Oracle Identity & Access Management

Kanishk Mahajan's OOW2013 presentation (35 slides)

Transcript of Con8823 access management for the internet of things-final

Page 1

Access Management for the Internet of Things
Kanishk Mahajan, Principal Product Manager, Oracle Identity & Access Management

Page 2

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3

Program Agenda

Introducing Identity for the Internet Of Things

Security Challenges for the Internet of Things

Oracle Access Management 11gR2 – Securing Access for the Internet of Things

Customer Case Study

Demo

Q&A

Page 4

Introducing Identity for the Internet of Things

Page 5

• Refers to the general idea of things, including everyday objects that are:
  • Readable/recognizable
  • Locatable/Addressable
  • Controllable
  • Communicable

Internet of Things

Page 6

• Identity as a communication endpoint:
  • User
  • Service
  • Device
  • Software Module
  • Sensor

• User identities are tied to Things based on:
  • Interaction
  • Context

Composite Identities

Identity for the Internet Of Things

Page 7

• Connect, Communicate, Share
• Use public or private social networks
• Link physical and virtual Things, services, devices, APIs
• Allow reacting to events

Social Networks

Identity for the Internet of Things

Page 8

• Securing Autonomous Independent Things
• Context Aware Authentication
• Securing Communication

• Person to Thing Communication

• Thing to Thing Communication

Securing the “Smart Toaster”

Identity for the Internet of Things

Page 9

Security Challenges for the Internet of Things

Page 10

Security is a Barrier for Adoption of IoT

40% of embedded systems and applications developers have not proactively addressed security in existing development projects

30% median CAGR growth (2011-2014) in shipments of security solutions for industrial automation, medical devices, consumer electronics, automotive and retail

Source: VDC Research, Strategic Insights 2012: Embedded Software & Tools Market, Security Development & Runtime Solutions

“The horizontal evolution of M2M will require full end-to-end security. Significant efforts need to be invested into M2M application security in order for the M2M market to fully evolve. Whether this is through open source initiatives or standards development, the demand for increased M2M application security will have to be answered, and sooner rather than later.” ABI Research, M2M Dream Challenged by Alarming Security Concerns, Feb 2013

Page 11

Challenges in IoT Security

• Typical challenges for IoT service providers

• What protection measures are possible as thousands of intelligent things cooperate with other real and virtual entities in random and unpredictable ways?

• How do you ensure security given IoT’s highly distributed nature and use of fragile technologies, such as limited-function embedded devices?

• How do you leverage investments in existing internet security technologies for the highly fragmented IoT networks?

• How can you define and enable trust in a dynamic IoT network with weak trust links between network nodes?

Access Control

Page 12

Key IoT Security Requirements

• Mutual authentication between devices and server

• Confidentiality of data transfer over multi-protocol networks

• Device data management

• Governance of trust relationships in IoT networks

• Device applications provisioning & management

Onboarding & Enrollment

Authentication & Authorization

Device Metadata & Control

Policy & Key Management

Application Management & Provisioning

Page 13

Oracle IoT Security Solution

Overview (architecture diagram; component labels only)

DMZ / Intranet

Oracle Access Manager with M&S and Adaptive Access

OAM Protected Resources

Oracle Unified Gateway

HTTP/SMTP/COAP/REST/OAUTH

Short Range Networks (BT, Zigbee, Serial)

Oracle Identity Governance

Non-IP protocol

Device Enrollment

Device Operations

App

Page 14

Oracle Access Management Securing Access for the Internet of Things

Page 15

Private social network that connects customers with their cars, their dealership, and with the manufacturer

– Customers can choose to extend their network to family, friends, and others using public social networks such as Twitter and Facebook

Vehicle Telematics allows the cars to communicate with customers, the manufacturer and the dealership

Vehicle Telematics and a Social Network for Cars

Internet Of Things – Use Case

Page 16

Access Management 11gR2 – Securing Social Access

Turns social integration into an administrator action

Provides out-of-the-box support for leading social providers

Provides increased levels of assurance as user progresses to more secure services

Simplifies registration and single sign-on from multiple providers

SOCIAL LOGIN – SIMPLE & SECURE

Step-up authentication

Federation – Tick-box configuration

OAUTH – Simplified Registration

Page 17

SOCIAL LOGIN

SIMPLE & SECURE

Securing Internet of Things using OAM 11gR2 Social – Securing a Social Network for Cars

Federation

OAUTH

Page 18

Oracle Mobile & Social Access Management Deployment Architecture

Corporate DMZ Corporate Network

HTTP/REST/SOAP/OAuth Clients

Oracle Adaptive Access Manager

Mobile and Social

OAM Agent

SOAP/REST and Legacy Web Services

Remote Token Request

LDAP

Secondary Authentication

Oracle Access Manager

Directory Services

Oracle Enterprise Gateway

Web Services Manager Service Bus

Context Aware Authorization and Data Redaction

OES PDP

Page 19

Securing Internet of Things using OAM 11gR2 Mobile and Gateway – Securing Vehicle Telematics

REST/SOAP

Oracle Application Gateway

Oracle Mobile & Social

HTTP / REST / SOAP / OAuth Clients

Manufacturer

Page 20

A Refrigerator actively manages its energy consumption by securely communicating with the electric utility company

– automatically moves its defrost cycle to a non-peak time based on response from the utility company

Smart Home Appliances

Internet Of Things – Use Case

Page 21

OAuth Server
– Provides OAuth Authorization Server, Resource Server and Client
– Supports 3-legged and 2-legged OAuth
– Shares same client framework as Mobile & Social
– Provides OAuth user profile service and custom scope definition

Oracle Access Management – OAuth 2.0 Server

Page 22

① The requesting service (OAuth Client) preregisters with the OAuth Authorization Server and receives client credentials

② The requesting service uses its client credentials to connect to a resource server

③ The Resource Server validates the client's credentials and provides the requested content

Service to Service

2-legged OAuth

Page 23

Securing Internet of Things using OAM 11gR2 OAuth 2.0 Service – Securing Smart Home Appliances

Participants: Refrigerator (OAuth Client), Electric Utility Company (Resource Server), Authorization Server (OAM 11gR2)

0. Pre-register with the OAuth Az Server (OAM); the client receives Client Credentials

1. Authenticate with Client Credentials

2. Access Token (issued to the client)

3. Access Token (presented to the Resource Server)

Client must request token from OAM token endpoint after successful authn

OAM must sign the access token

Resource Server validates the token against OAM
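The 2-legged flow on this slide, worked through as an added example (not Oracle code and not from the presentation): the refrigerator authenticates to a stand-in authorization server with its pre-registered client credentials, receives an HMAC-signed token, and the utility's resource server validates that token by calling back to the authorization server before answering. The class names, the HMAC-SHA256 signing scheme, the `tariff.read` scope and the 300-second token lifetime are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class AuthorizationServer:
    """Stands in for the OAM 11gR2 OAuth server; the signing key never leaves it."""
    def __init__(self, signing_key: bytes, clients: dict):
        self._key = signing_key
        self._clients = dict(clients)   # client_id -> secret issued at pre-registration (step 0)

    def token_endpoint(self, client_id, client_secret, scope, now):
        # Step 1: authenticate the client credentials; step 2: issue a signed token.
        secret = self._clients.get(client_id)
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return None
        claims = {"sub": client_id, "scope": scope, "exp": now + 300}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + self._sign(body)

    def introspect(self, token, now):
        # Resource servers call back here, so signature and expiry are checked centrally.
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(self._sign(body), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if claims["exp"] > now else None

    def _sign(self, body: str) -> str:
        return _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

class UtilityResourceServer:
    """Electric utility (resource server) that owns the tariff data."""
    def __init__(self, auth_server):
        self._as = auth_server

    def offpeak_window(self, token, now):
        # Step 3: validate the token against the authorization server before answering.
        claims = self._as.introspect(token, now)
        if claims is None or "tariff.read" not in claims["scope"].split():
            return {"error": "invalid_token"}
        return {"client": claims["sub"], "offpeak_window": "02:00-05:00"}

def refrigerator_defrost_plan(auth_server, utility, client_id, client_secret, now):
    """Refrigerator (OAuth client): obtain a token, then ask when to run the defrost cycle."""
    token = auth_server.token_endpoint(client_id, client_secret, "tariff.read", now)
    if token is None:
        return {"error": "client_auth_failed"}
    return utility.offpeak_window(token, now)
```

Because validation goes through `introspect`, an expired, tampered or wrongly scoped token is rejected without the utility ever holding the signing key.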

Page 24

Use a mobile device as a remote control hub to monitor and manage interconnected devices and Things

Mobile Access to Things

Internet Of Things – Use Case

Page 25

Example Login Flow – Native App with OAM

Client App (Mobile)
- Request Access Token

Security App (Mobile)
- If valid token in local credential store, return token to App, else continue below.
- Present login page
- Accept username/password
- Extracts device attributes and ID contexts
- Makes authentication call with user/password, device attributes and device tokens

Mobile and Social Server (Server)
- Validates device tokens
- Registers Device/App if unregistered
- Authenticates with OAM Server
- Publishes ID context to OAM Server and OES for authorization decisions
- Invokes OAAM for risk analysis
- Responds User/Access Tokens

- Stores User/Access Token
- Returns token to Client App

Use token to make calls to server application protected by OAM

Oracle SDK
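The login flow above, simulated end to end as an added example (not Oracle's SDK or server code): the security app returns a cached token while it is still valid, otherwise sends the credentials plus the device attributes and any stored device token to a stand-in Mobile and Social server, which validates or registers the device, authenticates the user, applies a simple risk rule in place of the OAAM call, and returns the tokens the app then stores. The fingerprinting, the HMAC device token, the 900-second token lifetime and the first-seen-device country rule are assumptions made for the illustration.

```python
import hashlib, hmac, json, secrets

SERVER_KEY = b"constructed-server-key"   # assumed server-side HMAC key for device tokens

def fingerprint(attrs):
    """Stable fingerprint over the device attributes the security app extracts."""
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()

class MobileSocialServer:
    """Stands in for the Mobile and Social server and the OAM/OAAM calls it makes."""
    def __init__(self, users):
        self._users = users      # username -> {"password", "country"} (constructed)
        self._devices = {}       # device token -> fingerprint it was issued for

    def authenticate(self, username, password, attrs, device_token, now):
        fp = fingerprint(attrs)
        if device_token is not None and self._devices.get(device_token) != fp:
            return {"error": "device_token_invalid"}   # token was issued to another device
        first_seen = device_token is None
        if first_seen:                                  # register the device/app
            device_token = hmac.new(SERVER_KEY, fp.encode(), hashlib.sha256).hexdigest()
            self._devices[device_token] = fp
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return {"error": "authn_failed"}            # authentication (OAM) failed
        # Risk analysis (OAAM stand-in): a never-seen device reporting a location
        # outside the user's home country is refused until a step-up (OTP) completes.
        if first_seen and attrs.get("country") != user["country"]:
            return {"error": "step_up_required"}
        return {"access_token": secrets.token_urlsafe(16), "exp": now + 900,
                "device_token": device_token}

class SecurityApp:
    """On-device security app: local credential store in front of the server."""
    def __init__(self, server, attrs):
        self._server, self._attrs = server, attrs
        self._store = {}         # username -> last successful server response

    def request_access_token(self, username, password, now):
        cached = self._store.get(username)
        if cached and cached["exp"] > now:       # valid token still in the local store
            return cached["access_token"], "cache"
        device_token = cached["device_token"] if cached else None
        resp = self._server.authenticate(username, password, self._attrs, device_token, now)
        if "error" in resp:
            return None, resp["error"]
        self._store[username] = resp              # store user/access and device tokens
        return resp["access_token"], "server"
```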

Page 26

Oracle Access Management Client SDKs – Native Libraries for iOS, Android and JAVA

Store/Access Keys, Tokens, Handles and other secure data

Access Mobile Device Information (OS, Carrier, Geolocation, IP/MAC)

Support KBA, OTP via Email and SMS

Manage Single Sign-on

Quickly build security into your mobile applications

Page 27

Mobile Authentication – Flexible Options for Devices, Applications and Users

Page 28

Securing Internet of Things using OAM 11gR2 Mobile Service – Securing Mobile Access to Things

Device Registration

Lost & Stolen Devices

GPS/WIFI Location Awareness

Device Fingerprinting & Tracking

Risk-based KBA & OTP

Transactional risk analysis

Page 29

Customer Case Study

Page 30

Demo

Page 31

Questions

Page 32

Other Identity Management Sessions

CON8836 – Thursday 09/26, 11:00AM – Moscone West, Room 2018 – Leveraging the Cloud to simplify your Identity Management implementation – Guru Shashikumar, Oracle

CON4342 – Thursday 09/26, 12:30PM – Moscone West, Room 2018 – Identity Services in the New GM IT – GM

CON9024 – Thursday 09/26, 2:00PM – Moscone West, Room 2018 – Next Generation Optimized Directory - Oracle Unified Directory – Etienne Remillon, Oracle

CON8902 – Thursday 09/26, 2:00PM – Marriott Marquis, Golden Gate C3 – Developing Secure Mobile Applications – Mark Wilcox, Oracle

CON8826 – Thursday 09/26, 3:30PM – Moscone West, Room 2018 – Zero Capital Investment by leveraging Identity Management as a Service – Mike Neuenschwander, Oracle

Page 33

Oracle Fusion Middleware – Business Innovation Platform for the Enterprise and Cloud

Complete and Integrated

Best-in-class

Open standards

On-premise and Cloud Foundation for Oracle

Fusion Applications and Oracle Cloud

User Engagement

Identity Management

Business Process Management

Content Management

Business Intelligence

Service Integration Data Integration

Development Tools

Cloud Application Foundation

Enterprise Management

Web Social Mobile

Page 34

Page 35