Canberra Executive Breakfast - A Citizen-Centric Approach to Identity


Transcript of Canberra Executive Breakfast - A Citizen-Centric Approach to Identity

Page 1

© 2016 ForgeRock. All rights reserved.

A Citizen-Centric Approach to Identity

ForgeRock Executive Breakfast

Page 2

FORGEROCK IS THE LEADING, NEXT-GENERATION, IDENTITY SECURITY SOFTWARE PLATFORM.

2010 Founded

10 Offices worldwide with headquarters in San Francisco

350+ Employees

450+ Customers

30+ Countries

$52M Funding to date (thru Series C) by Accel Partners, Foundation Capital and Meritech Capital Partners

Page 3

Improving the Quality of Government Services with Citizen-Focused Identity Management

Daniel Raskin, SVP Product Management

Page 4

What are the trends?

Page 5

Hype Cycle for Digital Government Technology, 2016

Page 6

The Top 10 Strategic Technology Trends for Government in 2016

Page 7

Top Investment Areas

CIOs in the Asia/Pacific and EMEA regions indicate digitalization is a much higher priority than their North American peers.

Page 8

Digital Transformation – Top Three Expected Outcomes

Page 9

2016 CIO Agenda: A Government Perspective

Key Findings

• Digital service transformation is at the embryonic stage of maturity in government
• Analytics, infrastructure and cloud computing continue to be the top three technology priorities for government CIOs in all tiers and regions; however, security and privacy concerns are at an all-time high
• CIOs report a 34% adoption rate of bimodal IT in government, slightly lagging behind private industry (38%)

Page 10

What is the role of identity?

Page 11

Diagram: Identity Access Management versus Identity Relationship Management

Identity Access Management: on-premises; people (workforce in the thousands, partners and suppliers); applications and data; endpoints (PCs).

Identity Relationship Management: on-premises, public cloud and private cloud; people (workforce in the thousands, partners and suppliers, customers in the millions); things (tens of millions); applications and data; endpoints (PCs, phones, tablets, smart watches).

Digital Transformation & Customer Engagement Require Identity Relationship Management (IRM)

Page 12

Unified, Omnichannel Citizen Experience

Single View | Contextual Intelligence | Adaptive Security | Privacy & Consent

Persistent Identity Across Government Channels

Channels: Mobile Ready, Open Data, Citizen Services, Business Services, Smart City

Page 13

Identity Management Evolves to Relationship Management

Identity Lifecycle Management Users, Devices, Things & Services

Page 14

Contextual Security: Taking Safety to the Next Level

Passwordless Authentication

Register Device for First Time

Authorize Access to Citizen Services

Authorize family members to use account

Authorize Data to Device / Thing

Page 15

Did you just submit your taxes?

Did you just register a new car?

Kayoko is requesting access to your 2015 taxes. Ok?

Did you just conduct a transaction on our citizen portal?

We noticed you are using a new iPhone.

Would you like to register this device?

Did you request access to your birth certificate online?

Contextual Identity: Enriching the Experience

Page 16

Contextual Identity: Authentication, Authorization and Consent

Mobile Passport: Citizen | Government Official

Page 17

SOA is Dead, but Services on the Rise!

1990s and Early: Pre-SOA. Monolith to change
2000s: Traditional SOA. Autonomous but coordinated
Present: Microservices. Decoupled and Independent

Source: PwC, Agile coding in enterprise IT: Code small and local

Page 19

Service to Service Interaction: Authentication, Authorization and Consent

https://api.australia.gov/v1/userinfo

Authenticate API | Authorize API Calls | Authenticate API

Page 20

Scaling to Support Distributed Cloud Architectures: Stateless Architecture

• Flexible deployment option to address cloud elasticity and massive horizontal scalability
• Configuration can be on a per-realm basis
• Stateless = state information is encoded in the JWT token
• Stateful = tokens persisted in the Core Token Service

Diagram: Distributed Cloud Environment with three OpenAM Servers (AWS1, AWS2, AWS3) serving microservices and a client app
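The stateless option above works because the session state travels inside a signed token that any server holding the key can check. The following is an added example, not code from the deck or from OpenAM: a minimal HS256-signed session JWT minted and validated with the Python standard library, with the key, realm name and claims as constructed sample values.

```python
# Added example (not ForgeRock code): a stateless session token in the style the slide
# describes, with the session state carried inside a signed JWT rather than a server-side
# store. Standard library only; the key, realm and claims are constructed sample values.
import base64, hashlib, hmac, json
from typing import Optional

SECRET_KEY = b"constructed-demo-key"   # constructed; a real deployment uses a managed, rotated key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_session_jwt(subject: str, realm: str, ttl: int, now: int, key: bytes = SECRET_KEY) -> str:
    """Encode the session state (subject, realm, issue and expiry times) into an HS256-signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "realm": realm, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_session_jwt(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the session claims if signature, algorithm and expiry check out, else None.
    Any node holding the key can validate; no lookup in a shared token store is needed."""
    try:
        h, p, s = token.split(".")
        if json.loads(_unb64url(h)).get("alg") != "HS256":   # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):   # constant-time signature comparison
            return None
        claims = json.loads(_unb64url(p))
        if claims["exp"] <= now:                              # expiry is the only cut-off a stateless token has
            return None
        return claims
    except (ValueError, KeyError, AttributeError):
        return None

def modify_claims(token: str, **changes) -> str:
    """Rewrite claims without re-signing; used to check that the validator rejects edited tokens."""
    h, p, s = token.split(".")
    claims = json.loads(_unb64url(p))
    claims.update(changes)
    return h + "." + _b64url(json.dumps(claims).encode()) + "." + s
```

Because nothing is held server-side, ending a session before `exp` needs a denylist or a key rotation, which is the trade-off against the stateful Core Token Service option.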

Page 22

The Cloud Conundrum

No Portability! Identity Baked in and Constrained to Each Cloud!

Page 23

Diagram: each cloud fronted by OAuth2/OIDC, with OAuth2 as the common layer beneath them

The Abstraction of Identity … Again

Page 24

Cloud Automation

Page 25

Cloud Native: Cattle versus Pets

Page 26

Cloud Native: Kangaroos versus Koala Bears

Page 27

Cloud Native: Cattle versus Pets

Cattle (Elastic)
• Cattle are numbers
• They are almost identical
• When ill, get another (Kill it!)
• Thousands of cattle on farm

Pets (Inelastic)
• Pets have names like “pussnboots”
• They are lovingly hand raised
• When ill, nursed back to health
• 1 or 2 pets in house

Page 28

Container Management & Deployment

Diagram: Product Configuration and Product Manifests alongside ForgeRock Images (Java Image, Tomcat Image, other images) in a Docker Repository

Page 29

Platform Ubiquity

Page 30

We Must Be Better

Authentication | Authorization | Multi-Factor | Adaptive Risk | Self Service | Directory | API Security | GRC | …

Page 31

Unified Platform

Built from Open Source Projects: Access Management, Identity Management, Identity Gateway, Directory Services

Access management, identity management and gateway capabilities: Authentication, Authorization, Federation / SSO, Adaptive Risk, Stateless/Stateful, OIDC / OAuth2, SAML2, UMA Provider, UMA Resource, Mobile OTP App, Provisioning, User Self-Service, Registration, Workflow Engine, Reconciliation, Role Provisioning, Synchronization, Password Replay, Message Transformation, API Security, Scripting, Auditing

Directory Services capabilities: LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, Active Directory Pass-thru, Reporting

Page 32

U.S. Federal Customers

Homeland Security

Navy

DISA

Labor

Treasury

Energy

Commerce

Defense

Page 33

Global Government Success …

Norway: All Gov’t Agencies
Belgium: Citizen ID
Canada: Citizen Services
New Zealand: Citizen Services
France: Unemployment, Retiree Services
Australia: Tax Office
UK: NHS, BBC
Switzerland: National Court System

Page 34

Identity Relationship Management: Talkin’ Bout a Revolution

Relationship Management | Cloud Automation | Cloud Readiness | Platform Ubiquity | Microservices Architecture | Contextual Identity

Page 35

Thank You

Page 36

Doing Authorisation, Consent, and Delegation Right With UMA

Eve Maler, VP Innovation & Emerging Technology, @xmlgrrl

Page 37

Image: flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

Page 39

Image: flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0

Page 40

Attribute sharing scenarios

“In the next stage of the project … [t]he team will be investigating and testing this to further address the thorny issues of trust and transparency when gaining citizens’ permission. … ‘[E]ligibility for some services can be quite dynamic, for example, as the level of an individual’s in-work benefits varies, and it may be necessary to carry out on-going eligibility checks from time to time. UMA gives the individual a place to go online where they can see and manage all the consents they have given to different organisations. Until now, managing ongoing consent was tricky,’ [Ian Litton] added. ‘Typically, you asked individuals to consent at a point in time. They tick the T&Cs, which they never see again. UMA should fix that problem.’”

-- UKA Local Digital, 3 March 2016

Page 41

Consumer/clinical health IoT scenarios

Page 42

Diagram: UMA roles and relationships. The resource owner manages, controls and delegates access to resources and can consent, revoke or deny; the resource server protects the resources and manages their registration at the authorization server; the authorization server negotiates with the client and authorizes access; the client accesses the resource on behalf of the requesting party.

Bruce Wayne shares device data with Dr. McCoy
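The Bruce Wayne / Dr. McCoy sharing scenario, as an added example that is not code from the deck or from the ForgeRock platform: a toy in-memory model of the UMA roles above, showing the permission ticket, the requesting party token (RPT), an out-of-policy scope being denied, and revocation by the owner. All names, scopes and token values are constructed; the RS reading the AS table stands in for RPT introspection.

```python
# Added example (not ForgeRock code): toy UMA roles from the diagram above. Bruce Wayne shares
# device data with Dr. McCoy, then revokes. Names, scopes and tokens are constructed values.
import secrets

class AuthorizationServer:
    def __init__(self):
        self.owners = {}      # resource_id -> resource owner
        self.policies = {}    # (resource_id, requesting_party) -> permitted scopes
        self.tickets = {}     # permission ticket -> (resource_id, scope)
        self.rpts = {}        # requesting party token (RPT) -> (resource_id, scope, party)

    def set_policy(self, owner, resource_id, party, scopes):        # RO "manage", "delegate", "consent"
        assert self.owners[resource_id] == owner                    # only the owner controls sharing
        self.policies[(resource_id, party)] = set(scopes)

    def revoke(self, owner, resource_id, party):                    # RO "revoke": policy and live RPTs go
        assert self.owners[resource_id] == owner
        self.policies.pop((resource_id, party), None)
        self.rpts = {r: g for r, g in self.rpts.items() if (g[0], g[2]) != (resource_id, party)}

    def permission_ticket(self, resource_id, scope):                # RS obtains a ticket for the client
        ticket = secrets.token_urlsafe(8)
        self.tickets[ticket] = (resource_id, scope)
        return ticket

    def request_rpt(self, ticket, party):                           # client "negotiate"; AS "authorize"/"deny"
        resource_id, scope = self.tickets.pop(ticket, (None, None)) # tickets are single-use
        if scope is None or scope not in self.policies.get((resource_id, party), set()):
            return None                                             # no matching policy: deny
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = (resource_id, scope, party)
        return rpt

def rs_access(az, resource_id, scope, rpt=None):                    # resource server answering a client "access"
    grant = az.rpts.get(rpt)                                        # stands in for RPT introspection at the AS
    if grant and grant[:2] == (resource_id, scope):
        return "200", f"device data for {resource_id}"
    return "401", az.permission_ticket(resource_id, scope)          # no or stale RPT: hand back a ticket

def scenario():
    az = AuthorizationServer()
    az.owners["glucose-monitor"] = "bruce_wayne"                    # RS registers Bruce's resource ("protect")
    az.set_policy("bruce_wayne", "glucose-monitor", "dr_mccoy", ["read"])
    first, ticket = rs_access(az, "glucose-monitor", "read")        # no RPT yet: 401 plus ticket
    read_rpt = az.request_rpt(ticket, "dr_mccoy")
    granted = rs_access(az, "glucose-monitor", "read", read_rpt)[0] # consented scope: 200
    write_rpt = az.request_rpt(rs_access(az, "glucose-monitor", "write")[1], "dr_mccoy")  # not consented
    az.revoke("bruce_wayne", "glucose-monitor", "dr_mccoy")
    after_revoke = rs_access(az, "glucose-monitor", "read", read_rpt)[0]  # RPT invalidated: 401
    return first, granted, write_rpt, after_revoke
```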

Page 54

Why enable personal data sharing?

clinical research | better care | data accuracy

Page 55

Why ensure personal control of sharing?

new IoT needs | new regulatory pressures

Page 56

The same architecture applies to Google Apps-style delegation

“The enterprise interprets access control as damage and routes around it.”

Page 57

Why enable constrained delegation?

security/authn | governance | APIs/IoT

Page 58

Why formalize federated authorization?

business ownership | standard access model

Page 59

The CMO and the CPO can and must meet in the middle

Risk management perspective:
“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. …In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller…”

Business perspective:
• We value personal data as an asset
• Our customers’ wishes have value
• Our customers have their own reasons to share, not share, and mash up data, which we can address as value-add

Page 60

The ForgeRock Identity Platform includes two UMA components

Authorization server: UMA Provider (access management)
Resource server: UMA Protector (gateway)
Client: sample code provided

Page 61

Social and web: ForgeRock, ForgeRockIdentity, Forgerock.com, Forgerock.com/blog

Thank you!

Page 62

Questions?

Wrap Up
• Feedback Forms
• Your Local ForgeRock Team

Adam Butler, Federal Government Director
Adam Biviano, Senior Solutions Architect