Page 1

IDoT: Why We Need an Identity Layer

IoT Slam 2016 – April 28, 2016

Marc-Anthony Signorino, IDESG Executive Director

Page 2

www.IDESG.org

The Identity Ecosystem Steering Group (IDESG) is the source of expertise, guidance, best practices, and tools for trusted digital identities.

Welcome to the Identity Ecosystem

Page 3

Today’s Goal: Getting Identity Right

• Empower: customers will understand policies and control their identities

• Risk: manage risk through common sense identity credentials and data minimization

• Safe: create an ecosystem that encourages consumer trust and enables safer transactions

• Future: ensure civil liberties are protected by using strong authentication for IoT users

Page 4

Who We Are

The Path to More Trustworthy

Digital Identity Credentials

Page 5

“By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.”

— President Barack Obama, April 2011, National Strategy for Trusted Identities in Cyberspace

Page 6

Identity by the Numbers

Page 7

• 85,611,528 records were exposed in 783 U.S. data breaches in 2014

• 17.6 mil U.S. residents age 16 or older experienced identity theft in 2014

• 85% of people took some action to prevent identity theft

• 39% used mobile banking in 2014 (based on mobile phone owners with a bank account)

• 62% did not use mobile banking and cited concern about security as a reason

Page 8

Building a Better Ecosystem

Identity Ecosystem Framework

Page 9

What Is the IDEF?

1. First rules of the road for navigating the evolving landscape of online identity

2. Asserts capabilities and responsibilities for individuals, companies, government agencies and organizations in the identity ecosystem

3. Creates policy foundation for strengthening privacy and security protections for organizations and consumers alike

Page 10

IDEF by stakeholder group (Trust Frameworks, Relying Parties, Consumers)

• Drives business value and consumer trust for those issuing or consuming credentials

• Enables truly trustworthy digital credentials to protect identities

• Offers foundational set of principles to which all frameworks can align to demonstrate interoperability

Page 11

The Intersection of Identity Management & The Internet of Things

IDentity of Things (IDoT)

Page 12

IoT is Booming

Juniper: $100B to be spent on Smart home tech by 2020 ($43B now)

Gartner: 25B networked devices by 2020

IDC: IoT Market to reach $3.04T by 2020

Page 13

A Paradigm in Dynamic Relationships

IDoT covers ALL entity identities and relationships:

• Device/Human

• Device/Device

• Device/Application~Service

• Human/Application~Service

Must draw on IAM, IT Asset Mgt, S/W Asset Mgt

Page 14

Governance of Object Data

Objects in the "Internet of Things" produce data. These data might lead to personally identifiable information (PII). A car, for example, is able to track GPS positions and to provide a complete movement profile of a certain person.

How do you handle the users and their data?

Page 15

Beware of the Regulatory Cacodemons

The path forward for IoT is promising, but if we’re not careful, it will create policy problems that will summon the worst Washington, DC has to offer:

Page 16

A well-intentioned Congress.

Page 17

Hypothetical #1

My Connected Vehicle and the Meat-Head Kid Next Door

Page 18

Issues Raised in Connected Vehicles

• Data ownership/control – who owns it?

  • Truck manufacturer? Dealer?

  • Service Provider (repair shop)

  • Truck owner, Bank who holds the note, Insurance Company?

  • Truck users (employees, clients, prospective buyers, family members, etc.)

  • Passengers whose GPS locations become known?

  • 3rd Parties providing sensors for service (data for subscription svc, driver behavior data to determine insurance rates, government?)

What about multiple devices controlled by multiple parties? What if sold?

Page 19

Issues Raised in Connected Vehicles

• Consent for interactions w/ numerous sensors, controllers, and reporting devices

  • If an auto mfr owns data collected by a vehicle, will it require consent from the vehicle owner and svc provider?

  • Will each user be required to provide consent for data generated while driving?

  • 5th Amendment, State Privacy Laws, etc.

Page 20

Hypothetical #3

Wearables: How Could I Run 10 Miles Today If I Weighed 350 lbs.?

Page 21

Issues Raised by IDoT in Healthcare

• Identity Impersonation

  • How will devices preclude impersonation of the other devices with which they exchange data?

  • Will each device that might generate, process, or report private, sensitive, or confidential data be required to provide its own IAM capabilities to prevent fraudulent use?

  • Will devices be required to develop UN/PW to interact with other devices?

    • If so, who sets UN/PW criteria? How will data be stored securely? How will it be modified and updated?

• Hello HIPAA/HI-TECH

Page 22

Hypothetical #3

Education: Keeping McGuffey’s Reader From Becoming WKRP in Cincinnati

Page 23

Top 10 Current Smart Techs in Ed

• Interactive Whiteboards

• Cameras & Video

• Tablets & eBooks

• Student ID Cards

• 3D Printers

• Smart HVAC Systems

• Lighting/Maintenance

• Temperature Sensors

• Attendance Tracking

• Wireless Door Locks

Page 24

Issues Raised in Connected Education

• Identity discovery

  • Will owners/users have the ability to prevent their devices from being discovered?

  • Will they have selectivity about who can discover their devices?

  • Will they have some control over who can interrogate their devices?

• Which Regulatory Schemes are Implicated?

  • COPPA (Children’s Online Privacy Protection Act)

  • FERPA (Family Educational Rights Privacy Act)

Page 25

The Path Forward

Creating an Identity Layer in IoT

Page 26

IDEF Shows the Way

• Transparency

• User Authentication & Authorization

• Data Minimization / Data Collection (in advance)

• Consent

• Collection for specific use, not just get all the data

Page 27

Solutions

• IDEF allows innovators to build privacy, security, and UX in beforehand

  • Use the Identity Ecosystem Framework’s Baseline Requirements as a guide for identifying issues and resolving them

Page 28

Solutions

• Federated Identity

  • Reduce the number of PWs required to authenticate to different applications, devices and trust domains through federation.

  • Allows users to authenticate only once with an existing credential to a trusted domain and be issued a token that allows them to authenticate to other actors and domains

  • Federated Single Sign On allows PWs to be replaced with standardized security tokens for everyday tools and services such as email and social media

Page 29

Solutions

• Federated Single Sign On

  • Allows PWs to be replaced with standardized security tokens for everyday tools and services such as email and social media.

  • Tokens are issued by a site the user logged into directly, but simultaneously give access to a range of other applications – mitigating PW explosion

  • Allows specific devices to be tied to a particular user by issuing tokens specific to a relationship

    • A smart car could send a ‘close’ msg to a garage door controller from a different MFR if it sensed a growing distance between the car and the garage.
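As an added illustration of the relationship-specific tokens described on pages 28 and 29, and of the device-impersonation question raised on page 21, the following Python sketch (written for this page; it is not IDESG code or any vendor's protocol) shows a trusted domain issuing a token that binds one car to one garage controller for one action, and the controller checking signature, audience, expiry, subject, permitted action and replay before it acts on a ‘close’ message. The issuer name, device ids, the claim layout and the assumption that the controller was provisioned with the issuer's key out of band are all inventions for the example.

```python
"""Relationship-scoped device tokens (constructed example, not IDESG code)."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(claims: dict) -> str:
    return _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


class Issuer:
    """Trusted domain the owner authenticated to once; it vouches for the car."""

    def __init__(self, issuer_id: str, key: bytes):
        self.issuer_id = issuer_id
        self.key = key  # assumed to be shared out of band with controllers that trust this issuer

    def issue(self, subject: str, audience: str, actions: list, ttl: int, now: int) -> str:
        claims = {
            "iss": self.issuer_id,
            "sub": subject,          # the device the token speaks for
            "aud": audience,         # the single device allowed to accept it
            "act": sorted(actions),  # the only actions this relationship permits
            "iat": now, "exp": now + ttl,
            "jti": _b64u(secrets.token_bytes(8)),  # unique id so the verifier can refuse replays
        }
        body = _encode(claims)
        return body + "." + _b64u(hmac.new(self.key, body.encode(), hashlib.sha256).digest())


class GarageController:
    """Relying device: accepts a command only when the token binds sender, receiver and action."""

    def __init__(self, device_id: str, trusted_issuers: dict):
        self.device_id = device_id
        self.trusted = trusted_issuers  # issuer id -> key
        self.seen = set()               # jti values already consumed
        self.door = "open"

    def verify(self, token: str, now: int):
        try:
            body, tag = token.split(".")
            claims = json.loads(_b64u_dec(body))
            given = _b64u_dec(tag)
        except ValueError:  # bad split, bad base64 and bad JSON all derive from ValueError
            return None, "malformed"
        if not isinstance(claims, dict):
            return None, "malformed"
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None, "unknown issuer"
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):
            return None, "bad signature"   # checked before any claim is trusted
        if claims.get("aud") != self.device_id:
            return None, "wrong audience"  # minted for a different controller
        if now >= claims.get("exp", 0):
            return None, "expired"
        return claims, "ok"

    def handle(self, message: dict, token: str, now: int):
        claims, reason = self.verify(token, now)
        if claims is None:
            return False, reason
        if message.get("from") != claims.get("sub"):
            return False, "subject mismatch"      # token does not speak for this sender
        if message.get("action") not in claims.get("act", []):
            return False, "action not permitted"  # relationship never allowed this action
        if claims.get("jti") in self.seen:
            return False, "replay"
        self.seen.add(claims.get("jti"))
        if message["action"] == "close":
            self.door = "closed"
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: every id, key and timestamp below is made up."""
    now, key = 1_700_000_000, secrets.token_bytes(32)
    issuer = Issuer("id.carmaker.example", key)
    garage = GarageController("garage-ctl-42", {"id.carmaker.example": key})
    neighbour = GarageController("garage-ctl-99", {"id.carmaker.example": key})
    token = issuer.issue("car-0001", "garage-ctl-42", ["close"], ttl=300, now=now)
    close_msg = {"from": "car-0001", "action": "close", "distance_m": 120}
    r = {"close": garage.handle(close_msg, token, now + 10)}
    r["replay"] = garage.handle(close_msg, token, now + 20)
    r["open"] = garage.handle({"from": "car-0001", "action": "open"}, token, now + 10)
    r["wrong_audience"] = neighbour.handle(close_msg, token, now + 10)
    fresh = issuer.issue("car-0001", "garage-ctl-42", ["close"], ttl=300, now=now)
    r["spoofed_sender"] = garage.handle({"from": "car-0002", "action": "close"}, fresh, now + 10)
    r["expired"] = garage.handle(close_msg, fresh, now + 301)
    body, tag = token.split(".")
    forged = json.loads(_b64u_dec(body))
    forged["act"] = ["close", "open"]                # widen the grant without the issuer's key
    r["tampered"] = garage.handle(close_msg, _encode(forged) + "." + tag, now + 10)
    r["door"] = garage.door
    return r
```

The shared-key HMAC keeps the example short; across manufacturers, where the garage vendor should not hold anything that can mint tokens, the issuer would sign with a private key and the controller would verify with the corresponding public key, with the rest of the checks unchanged.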

Page 30

Join the Revolution:

Marc-Anthony Signorino, Executive Director

[email protected]

(202) 656-2296