Tuesday, April 14, 2015

Italia Login as Citizen Life Management Platform

Italia Login promises to be the most innovative government platform for citizens, also called “the home for citizens”. This project is part of a set of accelerator initiatives to support Italy’s digital growth for the next 5 years.
Italia Login will provide an integrated API platform and supporting technologies which allow better joint participation of the public and private sectors for developing added value services for citizens and enterprises.
The following diagram shows a high-level model of the planned Italia Login interactions (extracted from this governo.it slide deck).


Citizens log in to Italia Login with their digital identity, managed by a SPID-compliant Identity Provider (SPID is the Public System for Digital Identity), and can then access the apps offered by the public and private sectors that match their profile.

From a design standpoint, Italia Login shows many similarities with the Life Management Platform concept introduced in Kuppinger-Cole's advisory note (see details here). A Life Management Platform aims to let individuals consolidate all the relevant online data of their lives, and provides tools to manage the essential information of a person's life and make it usable by other parties.

Consider the following use case:
A citizen needs to enrol a child in an elementary school through an online service; the same service lets parents who are eligible for a subsidy apply for subsidized school meals.
The enrollment process requires the citizen's personal details plus documents about the family's situation that must be issued by another agency (in this case, the National Social Insurance Agency).
The document attesting to the parents' economic situation is needed to demonstrate eligibility for the subsidy.
The main requirements of this use case are centralized access to distributed resources (the personal financial details) and a data-sharing mechanism between the producer of those details (the agency) and the service that consumes them (the school enrollment application).
Italia Login can provide the platform for sharing personal data among distributed online services, in support of advanced online services for citizens.

Challenges to mitigate risks
Unlocking the value of personal data in a decentralized and distributed network requires new approaches to protection and security, to accountability, and to the rights and responsibilities involved in managing user data. They can be summarized as follows:
  • Provide a new approach to protect and secure decentralized and distributed resources. 
  • Provide the ability to know who has data about you, and where the data is located. 
  • Provide a new approach that helps individuals understand how and when data is collected. 
  • Empower individuals more effectively and efficiently. 

Applying the User-Managed Access (UMA) model to the Italia Login Platform
User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policies.

UMA provides the functions needed to give individuals a real choice about who may access their data, and under which conditions.

The following scenario shows how UMA can be applied to address the challenges and enable a citizen life management platform:
  1. The citizen logs in (with SPID credentials) at the resource server, which exposes the "Financial Status" resource through an API. 
  2. The citizen decides to share the resource with the Italia Login platform (via a dedicated button at the resource server), delegating its authorization to the platform. 
  3. "Financial Status" is now a protected resource under the citizen's control at the Italia Login platform: any attempt to access it by an autonomous third-party app must be authorized by the citizen, without sharing any credentials. 
  4. Italia Login, as an application and API ecosystem, lets third parties (e.g. the Elementary School App) reach the remote resource (e.g. "Financial Status") through the protected API. 
  5. The citizen can now start the enrollment process by launching the Elementary School App, which requests consent to access the remote resource (Financial Status). 
  6. The Elementary School App acts as the client for the remote resource and obtains the information needed to apply for the subsidized conditions based on the citizen's financial status. 
  7. To establish a trust relationship between the client and the resource server, the client must be authorized by proving specific "trusted claims", obtained from the SPID infrastructure (OpenID Connect claims or SAML attributes) and evaluated by the Italia Login platform acting as the authorization server. 
As the above diagram shows, UMA can play a fundamental role in protecting distributed resources with a centralized approach that leverages the identity ecosystem (SPID): the user controls personal information within an API ecosystem, which enables new opportunities based on the sharing-economy paradigm.
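The seven steps above, as an added Python simulation that is not code from Italia Login, SPID or the UMA Work Group. The three UMA parties run in-process: the agency API is the resource server, Italia Login is the authorization server, and the Elementary School App is the client. The citizen's policy requires the requesting party to prove a trusted claim before a Requesting Party Token (RPT) is issued, tickets are single use, and the resource server never serves data without introspecting the RPT at the authorization server. The scope name `read`, the claim `role` = `school_enrollment_service`, the issuer label `spid` (standing in for claims obtained from the SPID infrastructure) and the sample "Financial Status" record are all constructed for the example.

```python
import secrets
import time


class AuthorizationServer:
    """Italia Login in the UMA authorization-server role (simulated). It keeps the
    registered resources, the owners' sharing policies, permission tickets and RPTs."""

    def __init__(self, trusted_claim_issuers):
        self.trusted_issuers = set(trusted_claim_issuers)  # e.g. the SPID ecosystem
        self.resources = {}  # resource_id -> {"owner", "name", "scopes"}
        self.policies = {}   # resource_id -> claims the requesting party must prove
        self.tickets = {}    # permission ticket -> {"resource_id", "scopes", "expires"}
        self.rpts = {}       # RPT -> {"resource_id", "scopes", "expires"}

    # Protection API (called by the resource server).
    def register_resource(self, owner, name, scopes):
        resource_id = secrets.token_hex(8)
        self.resources[resource_id] = {"owner": owner, "name": name, "scopes": set(scopes)}
        return resource_id

    def request_permission(self, resource_id, scopes):
        """The RS reports the attempted access; the AS answers with a short-lived, single-use ticket."""
        if not set(scopes) <= self.resources[resource_id]["scopes"]:
            raise ValueError("scope not registered for this resource")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource_id": resource_id, "scopes": set(scopes), "expires": time.time() + 60}
        return ticket

    def introspect(self, rpt):
        """The RS never trusts an RPT by itself; it asks the AS what the token is good for."""
        info = self.rpts.get(rpt)
        if info is None or info["expires"] < time.time():
            return {"active": False}
        return {"active": True, "resource_id": info["resource_id"], "scopes": info["scopes"]}

    # Resource-owner side: the citizen sets the sharing policy (step 3 above).
    def set_policy(self, owner, resource_id, required_claims):
        if self.resources[resource_id]["owner"] != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies[resource_id] = dict(required_claims)

    # Authorization API (called by the client with a ticket and, when asked, claims).
    def rpt_endpoint(self, ticket, claims=None):
        t = self.tickets.pop(ticket, None)  # tickets are single use
        if t is None or t["expires"] < time.time():
            return {"error": "invalid_ticket"}
        required = self.policies.get(t["resource_id"], {})
        claims = claims or {}
        trusted = claims.get("iss") in self.trusted_issuers
        missing = [k for k, v in required.items() if not trusted or claims.get(k) != v]
        if missing:
            # UMA "need_info": name the claims the policy wants and issue a fresh ticket for the retry.
            new_ticket = self.request_permission(t["resource_id"], t["scopes"])
            return {"error": "need_info", "required_claims": missing, "ticket": new_ticket}
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"resource_id": t["resource_id"], "scopes": t["scopes"], "expires": time.time() + 300}
        return {"rpt": rpt}


class ResourceServer:
    """The agency API that exposes the "Financial Status" resource (simulated)."""

    def __init__(self, authz, owner, data):
        self.authz = authz
        self.data = data
        self.resource_id = authz.register_resource(owner, "Financial Status", ["read"])

    def get(self, scope, rpt=None):
        if rpt is not None:
            info = self.authz.introspect(rpt)
            if info["active"] and info["resource_id"] == self.resource_id and scope in info["scopes"]:
                return {"status": 200, "body": self.data}
        # No valid RPT: register the attempt and hand back a ticket, never the data.
        return {"status": 403, "ticket": self.authz.request_permission(self.resource_id, [scope])}


def client_access(rs, authz, scope, claims):
    """The Elementary School App as UMA client: try, get a ticket, obtain an RPT, retry."""
    first = rs.get(scope)
    if first["status"] == 200:
        return first
    resp = authz.rpt_endpoint(first["ticket"])
    if resp.get("error") == "need_info":
        resp = authz.rpt_endpoint(resp["ticket"], claims)  # push the SPID-issued claims
    if "rpt" not in resp:
        return {"status": 403, "error": resp.get("error")}
    return rs.get(scope, rpt=resp["rpt"])


def demo():
    authz = AuthorizationServer(trusted_claim_issuers={"spid"})
    # Constructed sample data standing in for the agency's record.
    rs = ResourceServer(authz, owner="alice", data={"economic_situation": "eligible"})
    authz.set_policy("alice", rs.resource_id, {"role": "school_enrollment_service"})
    spid_claims = {"iss": "spid", "role": "school_enrollment_service"}
    self_asserted = {"iss": "self-asserted", "role": "school_enrollment_service"}
    return client_access(rs, authz, "read", spid_claims), client_access(rs, authz, "read", self_asserted)


if __name__ == "__main__":
    granted, denied = demo()
    print(granted["status"], granted.get("body"))   # 200 {'economic_situation': 'eligible'}
    print(denied["status"], denied.get("error"))    # 403 need_info
```

Two points matter for a real deployment. The same `role` claim is rejected when it is self-asserted and accepted when it comes from a trusted issuer, which is exactly the "trusted claims" requirement of step 7: policy is evaluated on who vouches for the claim, not on its value alone. And the resource server makes no authorization decision of its own; it only registers the attempt, returns a ticket, and later introspects the RPT, so the citizen's policy lives in one place regardless of how many agencies expose resources.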

About UMA
User-Managed Access Work Group at Kantara Initiative wiki page.
User-Managed Access (UMA) Version 1.0 has been approved with unanimous member support as a Kantara Initiative Recommendation, the highest level of technical standardization Kantara Initiative can award.
User-Managed Access awarded 2014 Best Innovation in Information Security Award from European Identity & Cloud Conference (EIC 2014, Munich).

Friday, February 20, 2015

SPID and User Perspective about Privacy

In my last blog post I introduced the Italian Digital Identity Initiative, called SPID (Sistema Pubblico di Identità Digitale).

Technically, SPID provides an identity ecosystem of trusted digital identities based on a federated identity management system, in which citizens access public-administration (or private) online services with trusted credentials, with the goal of improving accessibility, trust and online security.

With SPID, from a user-experience standpoint, when a user attempts to access an online service (the Service Provider, or Relying Party), he or she is redirected to an Identity Provider (IdP) for authentication.

The mechanism is based on the SAML 2.0 protocol: the Service Provider (SP) initiates the process (SP-initiated SSO) by requesting from the Identity Provider an authentication assertion at a specific level of assurance. After authenticating the user, the IdP issues the authentication assertion to the SP.

This approach introduces a potential privacy issue: the direct interaction between SP and IdP lets the IdP trace the user's transactions with online services, i.e. the IdP knows which government (or private) services the user is accessing. Since the Identity Providers will mainly be private companies, this is a real threat to user privacy, and it needs to be addressed with appropriate regulation and technical measures.

One approach to mitigating this privacy issue is the Identity Hub model, used in other digital-identity initiatives around the world such as Connect.Gov (US) and GOV.UK Verify (UK).

Connect.Gov, for example, acts as a hub that manages the communication between customers, online agency applications and Identity Providers: "The service allows customers to establish their identity in a secure, privacy-enhancing manner, while also providing government agencies assurance of valid customer identification."

Monday, December 15, 2014

The Italian Digital Identity Initiative: SPID

Last week the Decree of the President of the Council of Ministers (DPCM 24 ottobre 2014) containing the regulations that implement the Italian Digital Identity Initiative, "Sistema Pubblico di Identità Digitale" (SPID), was published in the Gazzetta Ufficiale.

SPID is a set of credentials for accessing public-administration online services, and also private-sector online services (e.g. e-commerce companies) that choose to join the initiative.

SPID defines a federated identity management system based on the SAML 2.0 standard, involving citizens, Service Providers (SP), Identity Providers (IdP), Attribute Authorities (AA) and the Agency for Digital Italy (AgID) in the role of accreditation and registry authority.
The following picture describes the high-level architecture and the flow of a SPID-ready access to an online service.

  1. Access request.
  2. Redirect to Identity Provider.
  3. Credential request.
  4. Authentication.
  5. Redirect to the Service Provider with the Authentication Assertion (SAMLv2).
  6. Attributes request.
  7. Response with verified attributes.

Technical specification and interface (draft) are available here (Italian).
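The request side of the flow above (steps 1 to 5) together with the Identity Hub mitigation discussed in the "SPID and User Perspective about Privacy" post earlier on this page, as an added Python example that is not part of the SPID specification or of this blog's own material. It builds the SP-initiated SAML AuthnRequest, shows what the IdP can read from it (the Issuer identifies the service the user is logging in to), and then lets a hub terminate the SP's request and issue its own, so the IdP sees only the hub. Assumptions: the SPID level-of-assurance URIs (`SpidL1`..`SpidL3`) and the `Comparison="minimum"` attribute follow the draft spec but are not verified here; the entity IDs and URLs are constructed; the XML signature, the IdP response and the attribute exchange (steps 6 and 7) are not modelled.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# SPID level-of-assurance URIs (SpidL1..L3); the exact strings are an assumption taken from the draft spec.
SPID_LEVELS = {1: "https://www.spid.gov.it/SpidL1",
               2: "https://www.spid.gov.it/SpidL2",
               3: "https://www.spid.gov.it/SpidL3"}


def build_authn_request(issuer, acs_url, level):
    """Steps 1-2: the SP (or the hub) builds the SP-initiated AuthnRequest sent to the IdP.
    A real SPID request is also signed; the signature is omitted here."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ctx = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = SPID_LEVELS[level]
    return ET.tostring(req, encoding="unicode")


def idp_sees(authn_request_xml):
    """Steps 3-4: what the IdP learns before it even shows the login page."""
    root = ET.fromstring(authn_request_xml)
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "level": root.find(f".//{{{SAML}}}AuthnContextClassRef").text,
    }


class IdentityHub:
    """Hub model: the hub terminates the SP's request and opens its own request to the IdP
    with itself as Issuer, so the IdP only learns that someone is logging in via the hub."""

    def __init__(self, entity_id, acs_url):
        self.entity_id = entity_id
        self.acs_url = acs_url
        self.pending = {}  # hub request ID -> the originating SP request, for step 5 correlation

    def forward(self, sp_request_xml):
        sp_req = ET.fromstring(sp_request_xml)
        level_uri = sp_req.find(f".//{{{SAML}}}AuthnContextClassRef").text
        level = next(k for k, v in SPID_LEVELS.items() if v == level_uri)
        hub_request = build_authn_request(self.entity_id, self.acs_url, level)
        hub_id = ET.fromstring(hub_request).get("ID")
        self.pending[hub_id] = {
            "sp": sp_req.findtext(f"{{{SAML}}}Issuer"),
            "acs_url": sp_req.get("AssertionConsumerServiceURL"),
            "in_response_to": sp_req.get("ID"),
        }
        return hub_id, hub_request


def demo():
    # Constructed entity IDs and URLs; none of them are real SPID endpoints.
    sp_request = build_authn_request("https://school.example/sp", "https://school.example/acs", 2)
    direct = idp_sees(sp_request)
    hub = IdentityHub("https://hub.example/sp", "https://hub.example/acs")
    hub_id, hub_request = hub.forward(sp_request)
    via_hub = idp_sees(hub_request)
    return direct, via_hub, hub.pending[hub_id]


if __name__ == "__main__":
    direct, via_hub, correlation = demo()
    print("direct :", direct["issuer"])    # the IdP learns the school's SP
    print("via hub:", via_hub["issuer"])   # the IdP learns only the hub
    print("hub keeps:", correlation)
```

The caveat a practitioner should take from the `pending` table is that the hub does not remove the correlation point, it moves it: the hub now sees both which SP the user came from and which IdP authenticated them, which is why hub operators such as Connect.Gov and GOV.UK Verify are government-run and bound by explicit privacy rules rather than being just another federation member.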



Wednesday, November 26, 2014

Protecting Personal Data in an IoT Network with UMA

Digital technologies are changing the game of customer interactions, with new rules and possibilities that were unimaginable only a few years ago.
Networked devices and sensors make up the fabric of the Internet of Things (IoT). Leveraging mobile devices, sensors and wearables is the future of identity and personal data.
The risk in using personal data is the loss of trust between individuals and organizations.
"Fully 78% of consumers think it is hard to trust companies when it comes to use of their personal data.” 
Orange, The Future of Digital Trust, 2014

Balancing individual privacy against the innovation unlocked by new digital technologies requires a new approach to protecting personal data.
The World Economic Forum has published an interesting report, "Rethinking Personal Data: A New Lens for Strengthening Trust", that addresses this requirement.

IoT complexity

The nature and complexity of IoT environments are opening an interesting discussion about how authorization and access-control mechanisms can be applied in this context. 
Compared with the classic definition of authorization (a process for granting a system entity approval to access a system resource), in an IoT environment we have to consider further aspects and complexities (non-exhaustive): limited resources, decentralized and distributed networks, and the relationships between objects and their ownership. 
To show how UMA (User-Managed Access) can address specific IoT requirements, we propose a healthcare scenario, which by its nature is well known for the strong presence of Internet of Things devices (medical devices) and which combines interesting security and privacy aspects related to patient data.

Patient-Centric Use Case

The following diagram represents a healthcare scenario related to a patient-centric use case.
The doctor (Bob) is a user of the Patient Monitor (the Resource Server). The patient (Alice) uses her bedside remote as a Client to access the Patient Monitor. Bob's electronic stethoscope is a smart thing owned by Bob that can be temporarily paired with the patient monitor with Alice's authorization. For safety, Bob's stethoscope also carries an RFID chip as a proximity sensor (a dumb thing).



Security and Privacy Goals

The following diagram describes the security domains across the whole authorization process and the actors involved in each domain, including the IoT things.

In this scenario, UMA provides the fundamental capability to prevent unauthorized things from connecting to the Resource Server (the Patient Monitor), and lets the patient control, and have visibility of, the authorization and sharing of her healthcare data.


For more details about the use case and the UMA approach, please see the slideshare presentation (below), given at the Kantara Initiative Workshop in Dublin on 3 November 2014.




Thursday, July 10, 2014

Enterprise Mobility: Secure Containerization


Last week I presented at the event “Small Device - Big Data: sicurezza in un mondo senza fili” (security in a wireless world), organized by
the Department of Computer Science of Sapienza University of Rome as part of the Master in Information Security.

My talk was about enterprise mobility and the Bring Your Own Device (BYOD) paradigm. I introduced the new challenges of enterprise mobility, the risks associated with mobile devices and the new security requirements that enterprises need to address, including the main aspects of secure containerization: application wrapping, secure communication, encryption at rest and data leakage prevention (see the slideshare presentation below).









Monday, June 23, 2014

User-Managed Access awarded 2014 Best Innovation in Information Security

I'm happy to announce that User-Managed Access (UMA) has won the 2014 Best Innovation/New Standard in Information Security award from the European Identity & Cloud Conference (EIC). More details about the award are available at Kantara press release page.
Almost a year after I published a blog post about how UMA can be applied to the Life Management Platforms (LMPs) concept, last May I presented this approach, together with Maciej Machulak, Vice-chair of the UMA WG (on the right in the picture below), at the European Identity and Cloud Conference (EIC) 2014, in the track session "Standards for an Open Life Management Infrastructure", under the title "User-Managed Access: key to Life Management Platforms".
During the session we gave a complete vision and an architectural approach showing how well UMA fits the new emerging trends related to Personal Clouds and in particular to LMPs, as the authorization system for an online personal data sharing model (see slideshare below).

I'm very happy to have helped the UMA WG receive the award!




Thursday, June 6, 2013

User-Managed Access for Life Management Platforms

The concept of Life Management Platform (LMP) was introduced last year in Kuppinger-Cole's advisory note "Life Management Platforms: Control and Privacy for Personal Data".
The platform concept provides the tools to manage the essential information of a person's life and make it usable by other parties through privacy-enhanced applications, thus meeting privacy and security requirements.
LMP is about personal information sharing, an emerging trend in online daily-life activities including interactions with financial credit, insurance, healthcare, etc.
Very similar to concepts like Personal Cloud or Personal Data Store (PDS), LMP encourages individuals to control their own data, and in some respects it is close to the Vendor Relationship Management (VRM) vision.

The key features of this new concept includes:
  • Secure store of the information
  • Granular access control for data
  • Information control remains with individual
  • Informed Pull and Controlled Push mechanisms for sharing data (see details below)
In the "Take Control of your Personal Data: An UMA perspective" blog post, I explained how the UMA protocol (see also the UMA spec) addresses the individual's privacy requirements in today's data-sharing challenges, which include social networks, personal data stores, personal clouds and the emerging participatory data store.
UMA defines how an individual can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on the individual's policies.
For these features, I think that the UMA protocol, which is an OAuth profile, is well suited to being part of a Life Management Platform for managing privacy and security requirements. (See also the UMA case study on “subscribing to a friend’s personal cloud”.)
To give you an idea of this approach, the following diagram shows a possible (high level) LMP architecture integrated with UMA protocol. 

  • The individual (the resource owner) interacts with the LMP to manage his or her own data.
  • The LMP acts as Resource Server for the individual's data, protected by the UMA Authorization Server (AS).
  • The UMA Authorization Server acts as the centralized policy decision point where the individual controls the authorization of data sharing and service access.
  • Clients act as data producer and data consumer, respectively, in the "Informed Pull" and "Controlled Push" scenarios.
Apart from secure storage of the information, which is a feature specific to the platform, the other key features can be provided by UMA.
In LMP scenarios, an individual shares life data with other parties in two specific ways:
  1. Informed Pull: the LMP consumes information from other parties (e.g. an individual sends a request for information to a group of banks to obtain the best offer on a personal loan).
  2. Controlled Push: the LMP produces the individual's data for other parties (e.g. an individual requests access to an online insurance service to buy car insurance, providing personal information and car details).
In the Informed Pull scenario, the UMA AS protects the LMP consumer API, forcing the client to be authorized before the LMP consumes the data the client publishes on behalf of a subject (e.g. a loan offer provided by a bank).

In the Controlled Push scenario, the UMA AS controls how personal information is disseminated, and to which parties, in order to access an online service. 
In this case the authorization process starts when the client, on behalf of the requesting party (e.g. the insurance company), requests access to the individual's data stored or produced by the LMP.

The authorization process is based on the UMA Connection concept (see details here), by which the client must be identified and invited to negotiate the individual's access policies (which may include trusted claims, individual terms and constraints).

The following picture shows an example user interface in which the two approaches, managing life connections and life events, are visible for the Controlled Push and Informed Pull models respectively.


Benefits of UMA approach for LMPs:
  • Inspired by the Privacy by Design concept.
  • Built on top of the OAuth 2.0 specification.
  • Provides a centralized, granular access control system.
  • Interoperable with trusted ecosystems.
UMA Implementations 
There are several active UMA implementations across the different data-sharing models, including Personal Data Stores, Life Management Platforms and enterprise deployments. For more details see the UMA Implementations page.