STEPPING UP TO NEW DATA PROTECTION CHALLENGES

USER-MANAGED ACCESS FOR GENUINE CONSENT

Eve Maler (@xmlgrrl)

Identity Summit UK: STEPPING UP TO NEW DATA PROTECTION CHALLENGES

Hard truths about the business of data privacy

Copyright © Identity Summit 2015, all rights reserved.

From the web to the IoT, the “fear/greed” tension around data sharing is only going to grow

“In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse to withdraw consent without detriment. …. The data subject shall have the right to withdraw his or her consent at any time.”

The Chief Privacy Officer and Chief Digital Officer need to meet in the middle

1. We value personal data as an asset
2. We value our customers’ wishes
3. Our customers have their own reasons to share, not share, and mash up data
4. Privacy can never simply be secrecy
5. Privacy is, fundamentally:
   a. Context
   b. Control
   c. Choice
   d. Respect

Digital consent tools through time

Web
• Browse-wrap
• Click-notice
• Opt-in
• Opt-out
• Cookies
• “Share”

API economy
• API-wrap
• Mobile app store download opt-in
• OAuth

IoT economy
• Consent receipts
• UMA
• …

The two most familiar “emerging” consent tools only take us so far

OAuth: Standard, constrainable consent for app access… but run-time and point-to-point

“Share”: Constrainable “consented delegation” to other parties… but proprietary and limited

The new Venn of access control and consent

The mechanism: federated authorization on top of OAuth

Loosely coupled to enable centralized authorization-as-a-service and a central sharing management hub

Enables party-to-party sharing – without credential sharing – driven by fine-grained policy rather than run-time opt-in consent

The requesting party is tested for authorization suitability through trust elevation, e.g. step-up authentication or “claims-based access control”

Why is it valuable to use a standard for next-generation digital consent?

This isn’t just slideware – see our live demo in the CTO Technology Preview!

ForgeRock is delivering two key UMA components not long from now

(client)

OpenAM 13-based UMA Provider (authorization server)

OpenIG 4-based UMA Protector (resource server)

ForgeRock helps you deliver customer consent and delegation capabilities for successful digital transformation in a privacy-sensitive world

THANKS!

Eve Maler (@xmlgrrl)