CIS13: Follow the Money

DESCRIPTION

Andrew Nash

Despite what we may wish to implement in our identity architectures, large-scale identity deployments are driven by financial value. This session examines recent thinking on how identity attribute models are likely to be deployed, the values and roles of the various participants and the challenges of how value is distributed among the participants.

Page 1: CIS13: Follow the Money

Follow the Money

Business Filters on Technology

Page 2: CIS13: Follow the Money

Things don’t get simpler …

• Identity is no longer about 3 parties
• Attributes are as interesting as identifiers
• Fresh information is a business driver
• Identity assurance is giving way to attribute confidence
• Consumer IDPs are in full swing
• Useful systems can be built without being the account owner
• Brand recognition is as important as trust
• Internet ID is not just about anonymity
• Identities and attributes are a multi-variable calculus

[Diagram: The 3-Party Model. Labels: User, Identity Provider, Relying Party; separate label: UMA]

Page 3: CIS13: Follow the Money

Identity Ecosystem Entities

[Diagram labels: Attribute Exchange, Attribute Providers, Identity Provider, Relying Parties, User, Authorization Manager]

Page 4: CIS13: Follow the Money

Who Adds Value & What is it?

• Aggregation of service capabilities tends to confuse the conversation
  – Not clear that *any* provider can cover all aspects
• Authentication services don’t provide identity
• IDPs may provide identities, more frequently provide identifiers
• IDPs outside of enterprise context do not originate identity attributes
  – Not authoritative(?) & not a fresh source
• Internet2 work on attribute format
  – Semantics are less understood

Page 5: CIS13: Follow the Money

Verified Phone #’s

• Any may be “correct” or sufficient
• It costs more to do “better”
• Most of these may be devalued by soft mobile providers including Twilio

[Diagram labels: Syntactically Correct; Allocated #; Response Consistently Asserted; Account Holder Name Match; Positive Event; Temporal/Spatial Correlation]

Page 6: CIS13: Follow the Money

Authoritative Sources

• Location
  – No longer the purview of telcos
  – compliance constraints
• Sources of a “verified” mobile #
  – OnTrac, UPS, FEDEX enable package tracking
  – Yelp delivers recommendations to my phone
  – Not tied to an “address”
  – Usually tied to an identifier

Page 7: CIS13: Follow the Money

Fresh Information Delivery

• When is fresh information delivered?
• My identity validated and an identifier issued 5 years ago
  – As useful as a birth certificate
  – Not appropriate for transactional value
• What channels are used
  – IDPs may not wish to be in the information flow
  – Fresh data criteria may be different to session limits and may be set by different policy domains
• AXN Attribute Criteria
  – Refresh Rate

Page 8: CIS13: Follow the Money

Deriving Attribute Confidence

| Data Type | Metric | Availability/Timing | Metric | Geographic Coverage | Metric | Refresh Rate | Metric |
|---|---|---|---|---|---|---|---|
| Authoritative | 5 | Real-time | 1 | Global | 3 | Real-Time | 5 |
| Aggregated | 4 | Not Real-time | 0 | National | 2 | Daily | 4 |
| Direct Captured | 3 | | | State/Province | 1 | Weekly | 3 |
| Self Asserted | 2 | | | N/A | 0 | Monthly | 2 |
| Derived | 1 | | | | | Annually | 1 |
| N/A | 0 | | | | | Never | 0 |

This is a derived attribute

| Verification Method | Metric | Level of Confidence | Metric | Coverage Amount | Metric | Currency/Refresh Date |
|---|---|---|---|---|---|---|
| Verified by Issuer | 4 | High | 3 | Full | 3 | Actual Date |
| Verified by 3rd Party | 3 | Med | 2 | Partial | 2 | |
| Out of Band | 2 | Low | 1 | Minimal | 1 | |
| Not Verified | 1 | None | 0 | N/A | 0 | |
| N/A | 0 | | | | | |

LOC (level of confidence) = fcn(Data Type, Verification Method, Refresh Rate, Currency)

Pricing = fcn(LOC, Coverage, Attribute Type)
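One way a relying party could turn the slide's metric tables into a level of confidence, as an added example that is not from the talk. The slide leaves fcn unspecified, so the conservative weakest-link combination, the MAX_AGE_DAYS staleness limits, the function names and the sample dates are all assumptions.

```python
from datetime import date

# Metric tables transcribed from the slide.
DATA_TYPE = {"Authoritative": 5, "Aggregated": 4, "Direct Captured": 3,
             "Self Asserted": 2, "Derived": 1, "N/A": 0}
VERIFICATION = {"Verified by Issuer": 4, "Verified by 3rd Party": 3,
                "Out of Band": 2, "Not Verified": 1, "N/A": 0}
REFRESH_RATE = {"Real-Time": 5, "Daily": 4, "Weekly": 3, "Monthly": 2,
                "Annually": 1, "Never": 0}
LEVELS = ["None", "Low", "Med", "High"]  # slide metrics 0..3

# Assumption (not on the slide): how many days a value stays current
# for each advertised refresh rate. None means it is never refreshed.
MAX_AGE_DAYS = {"Real-Time": 0, "Daily": 1, "Weekly": 7, "Monthly": 31,
                "Annually": 366, "Never": None}


def level_of_confidence(data_type, verification, refresh_rate,
                        verified_on, today):
    """Hypothetical LOC: weakest link of the inputs, scaled to 0..3.

    A value older than its refresh interval (or dated in the future) is
    scored as "Never" refreshed, so stale data cannot rate above "None".
    """
    limit = MAX_AGE_DAYS[refresh_rate]
    age = (today - verified_on).days
    stale = limit is None or age < 0 or age > limit
    refresh = 0 if stale else REFRESH_RATE[refresh_rate]
    weakest = min(DATA_TYPE[data_type] * 3 // 5,
                  VERIFICATION[verification] * 3 // 4,
                  refresh * 3 // 5)
    return LEVELS[weakest]


def meets_policy(loc, required):
    """Relying-party gate: is the derived LOC at least the required one?"""
    return LEVELS.index(loc) >= LEVELS.index(required)


# Constructed samples: an identifier validated five years before use,
# and an aggregated attribute verified on the day of the transaction.
TODAY = date(2013, 7, 9)
old_id = level_of_confidence("Authoritative", "Verified by Issuer",
                             "Annually", date(2008, 7, 9), TODAY)
fresh = level_of_confidence("Aggregated", "Verified by 3rd Party",
                            "Daily", TODAY, TODAY)
print(old_id, meets_policy(old_id, "Med"))
print(fresh, meets_policy(fresh, "Med"))
```

Under these assumptions the five-year-old identifier rates "None" despite an authoritative, issuer-verified source, while the freshly verified aggregated attribute rates "Med".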

Page 9: CIS13: Follow the Money

Attribute Exchange Networks

[Diagram: Simple Attribute Exchange. Labels: Attribute Exchange, Attribute Providers, Relying Parties, Source, Attributes]

Page 10: CIS13: Follow the Money

Attribute Redistribution in the Enterprise

[Diagram: Enterprise Internal Attribute Distribution. Labels: Attribute Exchange, Attribute Providers, Enterprise Relying Parties, Source, Attributes]

Page 11: CIS13: Follow the Money

IDP Trusted Identity Establishment

[Diagram: Verified Identity/Credential Establishment & Use. Labels: Attribute Exchange, Attribute Providers, Identity Provider, Verified Identity, Login, Client]

Page 12: CIS13: Follow the Money

Trusted IDs with Associated Attributes

[Diagram: Verified Identity/Credential + Attribute Exchange. Labels: Attribute Exchange, Attribute Providers, Identity Providers, Verified Identity, Identity Attributes]

Page 13: CIS13: Follow the Money

[Diagram labels: User, Relying Party]

If I had more time, I would have written less…

Page 14: CIS13: Follow the Money
Page 15: CIS13: Follow the Money

Direct Attribute Association

[Diagram: Direct to RP Model. Labels: Attribute Exchange, Attribute Providers, Relying Parties, Attributes]

Page 16: CIS13: Follow the Money

Policy based Facilitation

[Diagram: Facilitated Direct to RP Model. Labels: Attribute Exchange, Attribute Providers, Relying Parties, Attributes, Control + Accounting (shown twice)]

Page 17: CIS13: Follow the Money

Layered Ecosystem

• Why is it everyone talks about authentication?
• Our ubiquitous biometrics sign-in APIs supporting multiple biometrics types will solve all your problems
• I have TPMs in every xyz product on earth – I should be in the Identity Business
• I own 70% of the PC market – I should be an IDP

Page 18: CIS13: Follow the Money

Abstract

Despite what we may wish to implement in our identity architectures, large-scale identity deployments are driven by financial value. This session examines recent thinking on how identity attribute models are likely to be deployed, the values and roles of the various participants and the challenges of how value is distributed among the participants.