IDoT: Why We Need an Identity Layer IoT Slam 2016 April 28, 2016 - - PowerPoint PPT Presentation

IDoT: Why We Need an Identity Layer

IoT Slam 2016 – April 28, 2016 Marc-Anthony Signorino, IDESG Executive Director

www.IDESG.org

The Identity Ecosystem Steering Group (IDESG) is the source of expertise, guidance, best practices, and tools for trusted digital identities.

Welcome to the Identity Ecosystem

2

www.IDESG.org

Today’s Goal: Getting Identity Right

Customers will understand policies, control their identities Manage risk through common sense identity credentials, data minimization Create an ecosystem that encourages consumer trust, enables safer transactions Ensuring civil liberties are protected by using strong authentication for IoT users E M P O W E R R I S K S A F E F U T U R E

3

Who We Are

The Path to More Trustworthy Digital Identity Credentials

www.IDESG.org

“By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.”

— President Barack Obama, April 2011

National Strategy for Trusted Identities in Cyberspace

5

www.IDESG.org

85,611,528 17.6 85 39 62

Identity by the Numbers

6

www.IDESG.org

7

records were exposed in 783 U.S. data breaches in 2014 U.S. residents age 16 or older experienced identity theft in 2014

• f people took some action to prevent identity theft

used mobile banking in 2014 (based on mobile phone owners with a bank account) did not use mobile banking and cited concern about security as a reason

85,611,528 17.6 mil 85% 39% 62%

www.IDESG.org

Building a Better Ecosystem

Identity Ecosystem Framework

8

www.IDESG.org

What Is the IDEF?

9

1

First rules of the road for navigating the evolving landscape of online identity Asserts capabilities and responsibilities for individuals, companies, government agencies and organizations in the identity ecosystem Creates policy foundation for strengthening privacy and security protections for organizations and consumers alike

2 3

www.IDESG.org

IDEF by stakeholder group

Drives business value and consumer trust for those issuing or consuming credentials

10

Enables truly trustworthy digital credentials to protect identities Offers foundational set of principles to which all frameworks can align to demonstrate interoperability

Trust Frameworks Relying Parties Consumers

www.IDESG.org

The Intersection of Identity Management & The Internet of Things

IDentity of Things (IDoT)

www.IDESG.org

IoT is Booming

Juniper: $100B to be spent on Smart home tech by 2020 ($43B now) Gartner: 25B networked devices by 2020 IDC: IoT Market to reach $3.04T by 2020

www.IDESG.org

A Paradigm in Dynamic Relationships

IDoT covers ALL entity identities and relationships:

• Device/Human
• Device/Device
• Device/Application~Service
• Human/Application~Service

Must draw on IAM, IT Asset Mgt, S/W Asset Mgt

www.IDESG.org

Governance of Object Data

Objects in the "Internet of Things" produce data. These data might lead to personally identifiable information (PII). A car for example is able to track GPS positions and to provide a complete movement profile of a certain person. How do you handle the users and their data?

www.IDESG.org

Beware of the Regulatory Cacodemons

The path forward for IoT is promising, but if we’re not careful, will create policy problems that will summon the worst Washington, DC has to offer:

www.IDESG.org

Beware of the Regulatory Cacodemons

The path forward for IoT is promising, but if we’re not careful, will create policy problems that will summon the worst Washington, DC has to offer: A well-intentioned Congress.

Hypothetical #1

My Connected Vehicle and the Meat-Head Kid Next Door

www.IDESG.org

Issues Raised in Connected Vehicles

• Data ownership/control – who owns it?
• Truck manufacturer? Dealer?
• Service Provider (repair shop)
• Truck owner, Bank who holds the note, Insurance Company?
• Truck users (employees, clients, prospective buyers, family members, etc)
• Passengers whose GPS locations become known?
• 3rd Parties providing sensors for service (data for subscription svc, driver

behavior data to determine insurance rates, government?) What about multiple devices controlled by multiple parties? What if sold?

www.IDESG.org

Issues Raised in Connected Vehicles

• Consent for interactions w/ numerous sensors,

controllers, and reporting devices

• If an auto mfr owns data collected by a vehicle, will it require consent from

the vehicle owner and svc provider?

• Will each user be required to provide consent for data generated while

driving?

• 5th Amendment, State Privacy Laws, etc.

Hypothetical #3

Wearables: How Could I Run 10 Miles Today If I Weighed 350 lbs.?

www.IDESG.org

Issues Raised by IDoT in Healthcare

• Identity Impersonation
• How will devices preclude impersonation of the other devices with which

they exchange data?

• Will each device the might generate, process, or report private, sensitive,
• r confidential data be required to provide its own IAM capabilities to

prevent fraudulent use?

• Will devices be required to develop UN/PW to interact with other devices?
• If so, who sets UN/PW criteria? How will data be stored securely? How will it be modified and updated?
• Hello HIPAA/HI-TECH

Hypothetical #3

Education: Keeping McGuffey’s Reader From Becoming WKRP in Cincinnati

www.IDESG.org

Top 10 Current Smart Techs in Ed

• Interactive Whiteboards
• Cameras & Video
• Tablets & eBooks
• Student ID Cards
• 3D Printers
• Smart HVAC Systems
• Lighting/Maintenance
• Temperature Sensors
• Attendance Tracking
• Wireless Door Locks

www.IDESG.org

Issues Raised in Connected Education

• Identity discovery
• Will owners/users have the ability to prevent their devices from being

discovered?

• Will they have selectivity about who can discover their devices?
• Will they have some control over who can interrogate their devices?
• Which Regulatory Schemes are Implicated?
• COPPA (Children’s Online Privacy Protection Act)
• FERPA (Family Educational Rights Privacy Act)

The Path Forward

Creating an Identity Layer in IoT

www.IDESG.org

IDEF Shows the Way

• Transparency
• User Authentication & Authorization
• Data Minimization / Data Collection (in advance)
• Consent
• Collection for specific use, not just get all the

data

www.IDESG.org

Solutions

• IDEF allows innovators to build privacy, security,

UX in before hand

• Use the Identity Ecosystem Framework’s Baseline Requirements as a

guide for identifying issues and resolving them

www.IDESG.org

Solutions

• Federated Identity
• Reduce the number of PWs required to authenticate diff applications,

devices and trust domains through federation.

• Allows users to authenticate only once with an existing credential to a

trusted domain and be issued a token that allows it to authenticate to other actors and domains

• Federated Single Sign On allows PWs to be replaced with standardized

security tokens for everyday tools and services such as email, Social media

www.IDESG.org

Solutions

• Federated Single Sign On
• Allows PWs to be replaced with standardized security tokens for everyday

tools and services such as email, Social media.

• Tokens issued by a site the user logged into directly, but simultaneously

gives access to a range of other applications – mitigating PW explosion

• Allows specific devices to be tied to a particular user by issuing tokens

specific to a relationship

• Smart car to send a ‘close’ msg to a garage door controller from a diff MFR

if sensed a growing distance between the car and the garage.

Join the Revolution:

Marc-Anthony Signorino, Executive Director MarcAnthony@IDESG.org (202) 656-2296