User-Access Manager: Key to Life Management Platform

User-Managed Access: key to Life Management Platform

Domenico Catalano, Oracle Italy Maciej Machulak, Cloud Identity Limited

European Identity Conference 2014

1

http://kantarainitiative.org/confluence/display/uma/Home

http://kantarainitiative.org/

Agenda

Personal Data and Emerging Trends

Life Management Platforms

UMA Concepts

Use Cases

Demo

Q&A

2

3

What is Personal Data…

Personal Data is the Life Blood of the Information Age

3



3

Personal Data is the New “Oil of the Internet”



3

Personal Data is the New “Oil of the Internet”

Personal Data is the new currency


Personal Data and new forms of economic and social value

4

Big Data

Explosive growthof Personal

Data

New forms of economic and social value

Quantity and quality

Mobile ComputingSocial NetworkingInternet ofTHINGS

How to measure the value of Personal Data

• Market capitalization

• Revenue per record/user

• Market Price

• Cost of data breach

• Pay to protect

5

Streat address

Data of Birth

Social Number

Military record

0 10 20 30 40

Source: OECD (2013), “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”

$112 per user record

USD 1.7 per recordData breach cost $171M

USD

Externalities: Socio-economic impact

• Personal data to avoid duplicative testing/misdiagnosis, etc., in healthcare.

6

Electronic Health Record

Financial BenefitsPatient Value Social Value

Improved treatment Reduced Cost research into new drugs,improved medical protocols

Source: OECD (2013), “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”

Risks about Personal Data

7

Individual Organization

“72% of European citizens are concerned that their personal data may be misused…”

Individuals have little visibility into the practices of the organizations they are putting their trust in – until their data is breached or misused.

EU commission survey 2012

Risks: Loss of Trust

Personal Data

…t e n s i o n…

Challenges to mitigate Risks

• Protection and Security

‣ New approaches for decentralized and distributed network environment.

• Accountability

‣ Who has data about you? Where is the data about you located?

• Right and Responsibility for using personal data

‣ New approaches that help individuals understand how and when data is collected.

‣ How the data is being used and the implications of these actions.

‣ Empower individual more effectively and efficiently.

‣ Context aware.

8

Source: World Economic Forum 2013 Report: Unlocking the Value of Personal Data: From Collection to Usage

Personal Data Ecosystem Emerging Trends: Data Lockers

9

PersonalData Store

Personal Clouds


Native Data Store

App App

InformedPull

ControlledPush


10


• The concept of Life Management Platforms (LMPs) was introduced in 2012 by Kuppinger-Cole.

10



• LMP allows individual to consolidate all relevant data from life, e.g. bank account information, insurance information, health information, etc.

10



• LMP allows individual to consolidate all relevant data from life, e.g. bank account information, insurance information, health information, etc.

• The platform concept provides the tools to manage the essential information of every person’s life and making it usable for other parties.

10

Life Management Platform: Key features

11

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy

Individual ControlBank

healthcare

Home

Car


11

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy


healthcare

Home

Car

Secure Store of Information


11

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy


healthcare

Home

Car


Information control remains with

Individual


11

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy


healthcare

Home

Car



Individual

Granular Access Control for Data


11

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy


healthcare

Home

Car


Advanced Data Sharing

Models


Individual

Granular Access Control for Data

User-Managed Access (UMA)

UMA defines how an individual can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and

where a centralized authorization server governs access based on individual policy.

12

tinyurl.com/umawg

UMA is...• A web protocol that lets you control access by anyone to

all your online stuff from one place

• A set of draft specifications, free for anyone to implement

• Undergoing multiple implementation efforts

• A Work Group of the Kantara Initiative, free for anyone to join and contribute to

• Simple, OAuth-based, identifier-agnostic, RESTful, modular, generative, and developed rapidly

• Contributed to the IETF for consideration:draft-hardjono-oauth-umacore

• Currently undergoing interop testing and increased OpenID Connect integration

13

http://tinyurl.com/umawg

http://kantarainitiative.org/confluence/display/uma/Working+Drafts

http://kantarainitiative.org/confluence/display/uma/Implementations


http://kantarainitiative.org/

http://signup.kantarainitiative.org/?selectedGroup=11

http://www.ietf.org/dyn/wg/charter/oauth-charter.html

http://tools.ietf.org/html/draft-hardjono-oauth-umacore

http://openid.net/connect/

UMA Architecture

14

User-Managed Access for LMP

15

AccessLMPRequesting

PartyData

StoresData

Control

Informed Pull

Controlled Push

Data Sharing Policy


healthcare

Home

Car


15

LMP Requesting Party

Data Stores

Bank

healthcare

Home

Car


15


Data Stores

Bank

healthcare

Home

Car

Resource Owner

Client

UMA AS


15


Data Stores

Bank

healthcare

Home

Car

Resource Owner

Client

manage

control

protect UMA AS


15


Data Stores

Bank

healthcare

Home

Car

Resource Owner

Client

manage

consentcontrol

protect negotiate

manage

UMA AS


15


Data Stores

Bank

healthcare

Home

Car

Resource Owner

Client

manage

consentcontrol

protect

authorize

negotiate

manage

access

UMA AS

UMA for LMP Use Cases

• Personal Loan (Informed Pull)

• CV Sharing (Controlled Push)

16

UMA for LMP Use Case: Informed Pull

• An Individual issues a request for information (RFI) to a group of financial services to obtain the best offer for a personal loan.

• Life Connections represent the Individual’s Personal Information requested (i.e Bank Account and Credit Score), for issuing the RFI, protected by UMA AS.

• LMP provides the Apps for typical Life events (i.e. Personal Loan Request).

17

Informed Pull Model

18

LMP Financial Service

Bank

Credit Score

!Request for Information

!Authorize/Access

!Offer

!UMA-Enabled

Loan App

Life Connections Request

www.uma4lmp.com/am/informed_pull

Life Management Platform

Life ApplicationsRequest for Information

UMA4LMP: Informed Pull

19

Home

Bank

Healthcare

Car

Credit Score

LoanApplication

healthcareInsurance

Drag request template here






19

Home

Bank

Healthcare

Car

Credit Score

LoanApplication

healthcareInsurance






19

Home

Bank

Healthcare

Car

Credit Score

healthcareInsurance+ +

Bank Account Credit Score

Personal Information

Request Info

Loan amount: Period:

Data sharing Policy

Claim-based authorizationValidity:

Cancel Run NowSave as Template

Data Purpose:

/ /

Requesting Party Marketing related useOnly for this request






19

Home

Bank

Healthcare

Car

Credit Score




Request Info


Data sharing Policy


OnlineBank.com

Shareable Bank AccountPrivacy impact: MediumData Access: Read

View Data


Data Purpose:

/ /







19

Home

Bank

Healthcare

Car

Credit Score




Request Info


Data sharing Policy



Data Purpose:

/ /







19

Home

Bank

Healthcare

Car

Credit Score




Request Info


Data sharing Policy


10000

24


Data Purpose:

/ /



20

Personal Loan App Results



Vendor

10.000

10.000

Interest Rates

View details

View details

View details6.00%

5.30%

10.000

5.25%

OnlineLoan.com 5.1%

View details

Bestloan.com

FinancialOne.com 10.000

10.000

Amount

ConsumerBank.com

6.70%

Details

View detailsCreditMarket.com

UMA for LMP Use Case: Controlled Push

• A student interacts with online job application system.

• Student shares their exam marks, certificates references, etc.

• Data is stored at their various Higher Education institution.

• Employers can ask for additional information to be provided during the application process.

21

UMA4LMP: Controlled Push

22


23


24

Student, Job Seeker


25

Student, Job Seeker

Employer

26

DEMO

Why UMA

• UMA provides a new approach to protect personal information in a decentralized and distributed network.

• UMA provides a new way to create a trust relationship in a distributed environment.

• UMA provides a new way to control of what is happening to personal data.

• UMA provides a new way to help individuals understand how personal data is used.

27

Benefits of UMA applied to LMP

28

Authorize

Client ResourceServer

AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Protection and Security AccountabilityRight and Responsibility for using personal data


28

Authorize


AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Individual protects the distributed resource which is collecting the personal data with a centralized Authorization Server.



28

Authorize


AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner

Individual is active part of defining the how the personal information will be handled in the data sharing process (Controlled Push or Informed Pull).




28

Authorize


AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner


Individual is able to define sharing policy for what purposes the personal data is shared (or collected)




28

Authorize


AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner





Individual can selectively share personal data with Requesting Party through a Claim-based authorization system


28

Authorize


AuthorizationServer

Protect

Access(on behalf of

Requesting Party)

ResourceOwner



Policy Enforcement Point at Resource Server allows to intercept any request to access to personal data



Individual can selectively share personal data with Requesting Party through a Claim-based authorization system

Questions?

29

30

Eve L. Maler UMA WG Chair

[email protected] !

Thomas Hardjono UMA WG Specification Editor

[email protected] !

Members of the UMA WG

Thank You /Acknowledgement

Thanks!

31

@UMAWG tinyurl.com/umawg |tinyurl.com/umafaq

http://tinyurl.com/umawg

http://tinyurl.com/umafaq


User-Access Manager: Key to Life Management Platform

Internet

Transcript of User-Access Manager: Key to Life Management Platform