IDoT: Why We Need an Identity Layer IoT Slam 2016 – April 28, 2016 Marc-Anthony Signorino, IDESG Executive Director
Welcome to the Identity Ecosystem The Identity Ecosystem Steering Group (IDESG) is the source of expertise, guidance, best practices, and tools for trusted digital identities. www.IDESG.org 2
Today’s Goal: Getting Identity Right E M P O W E R R I S K S A F E F U T U R E Customers will Manage risk Create an ecosystem Ensuring civil liberties understand through common that encourages are protected by policies, control sense identity consumer trust, using strong their identities credentials, data enables safer authentication for IoT minimization transactions users www.IDESG.org 3
Who We Are The Path to More Trustworthy Digital Identity Credentials
“By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.” — President Barack Obama, April 2011 National Strategy for Trusted Identities in Cyberspace www.IDESG.org 5
Identity by the 85,611,528 Numbers 17.6 85 39 62 www.IDESG.org 6
records were exposed in 783 U.S. data 85,611,528 breaches in 2014 U.S. residents age 16 or older experienced 17.6 mil identity theft in 2014 85% of people took some action to prevent identity theft used mobile banking in 2014 (based on mobile phone owners 39% with a bank account) did not use mobile banking and cited concern about security 62% as a reason www.IDESG.org 7
Identity Ecosystem Framework Building a Better Ecosystem www.IDESG.org 8
What Is the IDEF? 1 2 3 First rules of the road for Asserts capabilities and Creates policy navigating the evolving responsibilities for foundation for landscape of online individuals, companies, strengthening privacy identity government agencies and security protections and organizations in the for organizations and identity ecosystem consumers alike www.IDESG.org 9
IDEF by stakeholder group Trust Frameworks Relying Parties Consumers Offers foundational set of Drives business value Enables truly principles to which all and consumer trust for trustworthy digital frameworks can align those issuing or credentials to protect to demonstrate consuming credentials identities interoperability www.IDESG.org 10
IDentity of Things (IDoT) The Intersection of Identity Management & The Internet of Things www.IDESG.org
IoT is Booming Juniper: $100B to be spent on Smart home tech by 2020 ($43B now) Gartner: 25B networked devices by 2020 IDC: IoT Market to reach $3.04T by 2020 www.IDESG.org
A Paradigm in Dynamic Relationships IDoT covers ALL entity identities and relationships: • Device/Human • Device/Device • Device/Application~Service • Human/Application~Service Must draw on IAM, IT Asset Mgt, S/W Asset Mgt www.IDESG.org
Governance of Object Data Objects in the "Internet of Things" produce data. These data might lead to personally identifiable information (PII). A car for example is able to track GPS positions and to provide a complete movement profile of a certain person. How do you handle the users and their data? www.IDESG.org
Beware of the Regulatory Cacodemons The path forward for IoT is promising, but if we’re not careful, will create policy problems that will summon the worst Washington, DC has to offer: www.IDESG.org
Beware of the Regulatory Cacodemons The path forward for IoT is promising, but if we’re not careful, will create policy problems that will summon the worst Washington, DC has to offer: A well-intentioned Congress. www.IDESG.org
Hypothetical #1 My Connected Vehicle and the Meat-Head Kid Next Door
Issues Raised in Connected Vehicles • Data ownership/control – who owns it? • Truck manufacturer? Dealer? • Service Provider (repair shop) • Truck owner, Bank who holds the note, Insurance Company? • Truck users (employees, clients, prospective buyers, family members, etc) • Passengers whose GPS locations become known? 3 rd Parties providing sensors for service (data for subscription svc, driver • behavior data to determine insurance rates, government?) What about multiple devices controlled by multiple parties? What if sold? www.IDESG.org
Issues Raised in Connected Vehicles • Consent for interactions w/ numerous sensors, controllers, and reporting devices • If an auto mfr owns data collected by a vehicle, will it require consent from the vehicle owner and svc provider? • Will each user be required to provide consent for data generated while driving? 5 th Amendment, State Privacy Laws, etc. • www.IDESG.org
Hypothetical #3 Wearables: How Could I Run 10 Miles Today If I Weighed 350 lbs.?
Issues Raised by IDoT in Healthcare • Identity Impersonation • How will devices preclude impersonation of the other devices with which they exchange data? • Will each device the might generate, process, or report private, sensitive, or confidential data be required to provide its own IAM capabilities to prevent fraudulent use? • Will devices be required to develop UN/PW to interact with other devices? • If so, who sets UN/PW criteria? How will data be stored securely? How will it be modified and updated? • Hello HIPAA/HI-TECH www.IDESG.org
Hypothetical #3 Education: Keeping McGuffey’s Reader From Becoming WKRP in Cincinnati
Top 10 Current Smart Techs in Ed • • Interactive Whiteboards Smart HVAC Systems • • Cameras & Video Lighting/Maintenance • • Tablets & eBooks Temperature Sensors • • Student ID Cards Attendance Tracking • • 3D Printers Wireless Door Locks www.IDESG.org
Issues Raised in Connected Education • Identity discovery • Will owners/users have the ability to prevent their devices from being discovered? • Will they have selectivity about who can discover their devices? • Will they have some control over who can interrogate their devices? • Which Regulatory Schemes are Implicated? • COPPA (Children’s Online Privacy Protection Act) • FERPA (Family Educational Rights Privacy Act) www.IDESG.org
The Path Forward Creating an Identity Layer in IoT
IDEF Shows the Way • Transparency • User Authentication & Authorization • Data Minimization / Data Collection (in advance) • Consent • Collection for specific use, not just get all the data www.IDESG.org
Solutions • IDEF allows innovators to build privacy, security, UX in before hand • Use the Identity Ecosystem Framework’s Baseline Requirements as a guide for identifying issues and resolving them www.IDESG.org
Solutions • Federated Identity • Reduce the number of PWs required to authenticate diff applications, devices and trust domains through federation. • Allows users to authenticate only once with an existing credential to a trusted domain and be issued a token that allows it to authenticate to other actors and domains • Federated Single Sign On allows PWs to be replaced with standardized security tokens for everyday tools and services such as email, Social media www.IDESG.org
Solutions • Federated Single Sign On • Allows PWs to be replaced with standardized security tokens for everyday tools and services such as email, Social media. • Tokens issued by a site the user logged into directly, but simultaneously gives access to a range of other applications – mitigating PW explosion • Allows specific devices to be tied to a particular user by issuing tokens specific to a relationship • Smart car to send a ‘close’ msg to a garage door controller from a diff MFR if sensed a growing distance between the car and the garage. www.IDESG.org
Join the Revolution: Marc-Anthony Signorino, Executive Director MarcAnthony@IDESG.org (202) 656-2296
Recommend
More recommend