Andrew Nash

Despite what we may wish to implement in our identity architectures, large-scale identity deployments are driven by financial value. This session examines recent thinking on how identity attribute models are likely to be deployed, the values and roles of the various participants and the challenges of how value is distributed among the participants.
Follow the Money
Business Filters on Technology
Things don't get simpler…
• Identity is no longer about 3 parties
• Attributes are as interesting as identifiers
• Fresh information is a business driver
• Identity assurance is giving way to attribute confidence
• Consumer IDPs are in full swing
• Useful systems can be built without being the account owner
• Brand recognition is as important as trust
• Internet ID is not just about anonymity
• Identities and attributes are a multi-variable calculus
UMA
The 3-Party Model (diagram): User, Identity Provider, Relying Party
Identity Ecosystem Entities (diagram): User, Identity Provider, Relying Parties, Attribute Providers, Attribute Exchange, Authorization Manager
Who Adds Value & What is it?
• Aggregation of service capabilities tends to confuse the conversation
  – Not clear that *any* provider can cover all aspects
• Authentication services don't provide identity
• IDPs may provide identities, more frequently provide identifiers
• IDPs outside of enterprise context do not originate identity attributes
  – Not authoritative(?); not a fresh source
• Internet2 work on attribute format
  – Semantics are less understood
Verified Phone #'s
• Any may be "correct" or sufficient
• It costs more to do "better"
• Most of these may be devalued by soft mobile providers including Twilio
Verification levels (diagram):
– Syntactically Correct
– Allocated #
– Response Consistently Asserted
– Account Holder Name Match
– Positive Event
– Temporal/Spatial Correlation
Authoritative Sources
• Location
  – No longer the purview of telcos
  – Compliance constraints
• Sources of a "verified" mobile #
  – OnTrac, UPS, FedEx enable package tracking
  – Yelp delivers recommendations to my phone
  – Not tied to an "address"
  – Usually tied to an identifier
Fresh Information Delivery
• When is fresh information delivered?
• My identity validated and an identifier issued 5 years ago
  – As useful as a birth certificate
  – Not appropriate for transactional value
• What channels are used
  – IDPs may not wish to be in the information flow
  – Fresh data criteria may be different from session limits and may be set by different policy domains
• AXN Attribute Criteria
  – Refresh Rate
Deriving Attribute Confidence

Data Type         Metric | Availability/Timing  Metric | Geographic Coverage  Metric | Refresh Rate  Metric
Authoritative     5      | Real-time            1      | Global               3      | Real-Time     5
Aggregated        4      | Not Real-time        0      | National             2      | Daily         4
Direct Captured   3      |                             | State/Province       1      | Weekly        3
Self Asserted     2      |                             | N/A                  0      | Monthly       2
Derived           1      |                             |                             | Annually      1
N/A               0      |                             |                             | Never         0

Verification Method     Metric | Level of Confidence  Metric | Coverage Amount  Metric | Currency/Refresh Date
Verified by Issuer      4      | High                 3      | Full             3      | Actual Date
Verified by 3rd Party   3      | Med                  2      | Partial          2      |
Out of Band             2      | Low                  1      | Minimal          1      |
Not Verified            1      | None                 0      | N/A              0      |
N/A                     0      |                             |                         |

Callout on the slide: this is a derived attribute.

LOC (level of confidence) = fcn(Data Type, Verification Method, Refresh Rate, Currency)
Pricing = fcn(LOC, Coverage, Attribute Type)
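The deck gives the metric tables and states that LOC and Pricing are functions of them, but does not define those functions. The following is an added worked example (not code from the deck or its author) that encodes the slide's metric values and shows one way the "Fresh Information Delivery" point plays out: the freshness policy (MAX_AGE_DAYS) is set per attribute type by the relying party's policy domain, independent of any session lifetime, and it feeds the Currency input of LOC. The combining function, the High/Med/Low/None thresholds, the linear currency decay, MAX_AGE_DAYS and BASE_PRICE are all assumptions chosen for illustration; the two phone-number assertions are constructed sample data.

```python
"""Attribute-confidence scoring: added worked example, not from the deck.

Metric tables come from the "Deriving Attribute Confidence" slide. The
combining functions are ASSUMPTIONS: the deck only states that
LOC = fcn(Data Type, Verification Method, Refresh Rate, Currency) and
Pricing = fcn(LOC, Coverage, Attribute Type), without defining them.
"""
from dataclasses import dataclass
from datetime import date

# Metric tables from the slide (the scores are the deck's own values).
DATA_TYPE = {"authoritative": 5, "aggregated": 4, "direct_captured": 3,
             "self_asserted": 2, "derived": 1, "n/a": 0}
VERIFICATION = {"issuer": 4, "third_party": 3, "out_of_band": 2,
                "not_verified": 1, "n/a": 0}
REFRESH_RATE = {"real_time": 5, "daily": 4, "weekly": 3, "monthly": 2,
                "annually": 1, "never": 0}
COVERAGE = {"full": 3, "partial": 2, "minimal": 1, "n/a": 0}
LOC_LEVELS = {"high": 3, "med": 2, "low": 1, "none": 0}

# ASSUMED freshness policy per attribute type (days). In the deck's terms this
# is set by the RP's policy domain and is unrelated to session limits.
MAX_AGE_DAYS = {"phone": 30, "postal_address": 365}
# ASSUMED base price units per attribute type.
BASE_PRICE = {"phone": 1.0, "postal_address": 0.5}


@dataclass(frozen=True)
class AttributeAssertion:
    attribute_type: str
    data_type: str
    verification: str
    refresh_rate: str
    coverage: str
    verified_on: date  # the slide's "Currency / Refresh Date": an actual date


def currency_score(verified_on: date, as_of: date, max_age_days: int) -> float:
    """ASSUMED: 1.0 when just verified, decaying linearly to 0.0 at max age."""
    age = (as_of - verified_on).days
    if age < 0:  # a refresh date in the future is not trustworthy
        return 0.0
    return max(0.0, 1.0 - age / max_age_days)


def loc_score(a: AttributeAssertion, as_of: date) -> float:
    """ASSUMED combiner: mean of the four normalised inputs, in [0, 1]."""
    parts = [
        DATA_TYPE[a.data_type] / max(DATA_TYPE.values()),
        VERIFICATION[a.verification] / max(VERIFICATION.values()),
        REFRESH_RATE[a.refresh_rate] / max(REFRESH_RATE.values()),
        currency_score(a.verified_on, as_of, MAX_AGE_DAYS[a.attribute_type]),
    ]
    return sum(parts) / len(parts)


def loc_level(score: float) -> str:
    """ASSUMED thresholds mapping the score onto the deck's High/Med/Low/None scale."""
    if score >= 0.75:
        return "high"
    if score >= 0.5:
        return "med"
    if score > 0.0:
        return "low"
    return "none"


def price(a: AttributeAssertion, as_of: date) -> float:
    """ASSUMED pricing: base price x LOC level x coverage metric."""
    level = LOC_LEVELS[loc_level(loc_score(a, as_of))]
    return BASE_PRICE[a.attribute_type] * level * COVERAGE[a.coverage]


# Constructed sample data: two assertions about the same user's phone number.
AS_OF = date(2014, 6, 1)
CARRIER_PHONE = AttributeAssertion(
    "phone", "authoritative", "issuer", "daily", "full", date(2014, 5, 29))
SELF_ASSERTED_PHONE = AttributeAssertion(
    "phone", "self_asserted", "not_verified", "never", "partial", date(2013, 4, 27))

if __name__ == "__main__":
    for a in (CARRIER_PHONE, SELF_ASSERTED_PHONE):
        s = loc_score(a, AS_OF)
        print(f"{a.data_type:14s} LOC={s:.3f} ({loc_level(s)}) price={price(a, AS_OF):.1f}")
```

With these assumptions the carrier-issued, daily-refreshed number verified three days ago scores High and prices at 9.0 units, while the self-asserted number last touched over a year ago drops to Low and 2.0 units, mainly because its Currency input has decayed to zero under the 30-day phone policy. Swapping in a different combiner or thresholds changes the numbers but not the structure: the same four LOC inputs, then coverage and attribute type for price.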
Attribute Exchange Networks
Simple Attribute Exchange (diagram): Attribute Providers → Source Attributes → Attribute Exchange → Attributes → Relying Parties
Attribute Redistribution in the Enterprise
Enterprise Internal Attribute Distribution (diagram): Attribute Providers → Source Attributes → Attribute Exchange → Attributes → Enterprise Relying Parties
IDP Trusted Identity Establishment
Verified Identity/Credential Establishment & Use (diagram): Attribute Providers → Attribute Exchange → Verified Identity → Identity Provider ↔ Login Client
Trusted IDs with Associated Attributes
Verified Identity/Credential + Attribute Exchange (diagram): Attribute Providers → Attribute Exchange → Verified Identity / Identity Attributes → Identity Providers; User ↔ Relying Party
If I had more time, I would have written less…
Direct Attribute Association
Direct to RP Model (diagram): Attribute Providers → Attribute Exchange → Attributes → Relying Parties
Policy based Facilitation
Facilitated Direct to RP Model (diagram): Attribute Providers → Attribute Exchange → Attributes → Relying Parties, with Control + Accounting on both the provider and the relying-party side of the exchange
Layered Ecosystem
• Why is it everyone talks about authentication?
• Our ubiquitous biometrics sign-in APIs supporting multiple biometrics types will solve all your problems
• I have TPMs in every xyz product on earth – I should be in the Identity Business
• I own 70% of the PC market – I should be an IDP