CIS 2015 - IoT? The ‘I’ needs to be ‘Identity’ - Paul Madsen


IoT? The ‘I’ needs to be ‘Identity’  

Paul Madsen, CTO Office, Ping Identity (@paulmadsen)

We’re still only at the diaper stage in the IoT

The IoT still has its training wheels on

The IoT is nothing but hot air

The IoT is sure to go through labor pains

THE INTERNET OF THINGS IS COMING

What are we going to do about it?! (In this room!)

Only identity can provide the necessary organizing principle by which we can enable, manage and control all these relationships

Definitions

[Diagram: sensors and actuators sit between the physical environment and the network; sensors produce data that flows up through the network to apps, and apps send operations back down through the network to actuators]

Humans are merely a part of the physical environment (yes Steve, an important part)

[Diagram: a Thing interacts with its Environment and with its User, in each case through Sensors (input) and Actuators (output)]

Environment. Actuators: lawn sprinklers, jet turbines, toasters. Sensors: water meter, thermometer, GPS.
User. Actuators: alarm clock, phone vibrator. Sensors: heart implants, Muse headband.

Phone as sensor platform

Copyright © 2014 Ping Identity Corp. All rights reserved. 17

Laptops are things too!!

[Diagram: the same Thing / Environment / User picture, now including laptop and phone peripherals]

Environment. Actuators: lawn sprinklers, jet turbines. Sensors: water meter, thermometer, GPS.
User. Actuators: alarm clock, phone vibrator, screen. Sensors: heart implants, Muse headband, keyboard, touch screens, fingerprint sensor, camera.

The nature of our interactions with devices is changing

•  Direct -> Indirect (e.g. manage a Nest thermostat via a native application)
•  Active invocation -> passive (e.g. rules-based, as per IFTTT)
•  Static -> dynamic (e.g. a washing machine downloads OS updates & new features)

Human Device Interaction

Interaction model   | Application (UX)                                    | Authentication
Active / explicit   | browsers, keyboards, screen swipes                  | keyboards, TouchID, facial recognition
Passive / implicit  | step counters, heart rate sensors, blood pressure   | geolocation, device proximity, facial recognition, stride analysis

Identity for Things

Things for Identity

[Diagram: Device <-> Cloud. An application client on the device talks to an application server in the cloud; the application server in turn acts as an authn & ID client of the Identity Cloud’s authn & ID server]

OpenID Connect 1.0


•  OpenID Connect normalizes an identity layer on top of OAuth 2.0
•  Newly standardized by the OpenID Foundation
•  Adds identity semantics to the base OAuth flow to enable
   –  a web SSO model (like SAML)
   –  user attribute sharing

•  Arguably matches functionality of SAML, though with a more modern architecture

[Diagram: the same Device / Cloud / Identity Cloud picture, with an additional authn & ID client on the device itself talking directly to the Identity Cloud’s authn & ID server]

FIDO


•  Fast IDentity Online (FIDO) is a two-year-old standardization effort

•  Spearheaded by PayPal, Google, Nok Nok Labs, Microsoft and many others

•  Standardizes the interaction between client authenticators and authentication servers by which the client demonstrates possession of a cryptographic key

•  The user authenticates with a local authentication method to unlock the key, which is then used to authenticate to the server

•  For biometrics, doesn’t require biometric information to be stored on servers: it stays local
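Worked example, added here and not taken from the talk or from any FIDO implementation: a Go sketch of the possession proof the bullets above describe. The authenticator keeps an Ed25519 private key and a hash of a local secret (a constructed stand-in for the fingerprint template; real biometric matching is fuzzy, not a hash comparison); the server keeps only the public key, issues a random challenge and verifies the signed response. The signed layout H(rpID) || challenge || counter, the rpID login.example, the user alice and the secret string are this example’s assumptions, a cut-down version of the real FIDO assertion format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the client side: the private key and the hash of the local secret never leave it.
type Authenticator struct {
	priv      ed25519.PrivateKey
	localHash [32]byte
	unlocked  bool
	counter   uint32 // signature counter, sent with every assertion
}

func NewAuthenticator(localSecret string) *Authenticator {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on a healthy OS
	return &Authenticator{priv: priv, localHash: sha256.Sum256([]byte(localSecret))}
}

// Unlock is the local user verification: the match happens on the device and only a yes/no survives.
func (a *Authenticator) Unlock(localSecret string) bool {
	a.unlocked = sha256.Sum256([]byte(localSecret)) == a.localHash
	return a.unlocked
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }
type Assertion struct { // the counter and a signature over H(rpID) || challenge || counter
	Counter   uint32
	Signature []byte
}

func signedData(rpID string, challenge []byte, counter uint32) []byte {
	rp := sha256.Sum256([]byte(rpID)) // binds the assertion to one relying party
	msg := append(rp[:], challenge...)
	return append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// Sign refuses unless the user has just verified locally; one unlock buys exactly one assertion.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	if !a.unlocked {
		return Assertion{}, errors.New("authenticator locked: local user verification required")
	}
	a.unlocked = false
	a.counter++
	return Assertion{a.counter, ed25519.Sign(a.priv, signedData(rpID, challenge, a.counter))}, nil
}

type Server struct { // stores public keys only; never learns how the user unlocked the device
	rpID       string
	keys       map[string]ed25519.PublicKey
	counters   map[string]uint32
	challenges map[string][]byte // one outstanding challenge per user
}

func NewServer(rpID string) *Server {
	return &Server{rpID, map[string]ed25519.PublicKey{}, map[string]uint32{}, map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }
// Challenge issues a fresh random nonce; reusing one would let an old assertion replay.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.challenges[user] = c
	return c
}

// Verify consumes the challenge, checks the signature under the registered key and requires the counter to advance.
func (s *Server) Verify(user string, as Assertion) error {
	pub, known := s.keys[user]
	ch, pending := s.challenges[user]
	delete(s.challenges, user) // consumed whether or not verification succeeds
	if !known || !pending {
		return errors.New("unknown user or no outstanding challenge")
	}
	if !ed25519.Verify(pub, signedData(s.rpID, ch, as.Counter), as.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	if as.Counter <= s.counters[user] {
		return errors.New("signature counter did not advance: replay or cloned authenticator")
	}
	s.counters[user] = as.Counter
	return nil
}

func main() {
	auth, srv := NewAuthenticator("fingerprint-template-42"), NewServer("login.example") // constructed secret
	srv.Register("alice", auth.PublicKey())
	ch := srv.Challenge("alice")
	auth.Unlock("fingerprint-template-42") // without this call, Sign returns an error
	as, _ := auth.Sign("login.example", ch)
	fmt.Println("fresh:", srv.Verify("alice", as), "replayed:", srv.Verify("alice", as))
}
```

Three failure modes matter here: signing without a prior local unlock is refused on the device, a replayed assertion fails because its challenge has already been consumed, and an assertion whose signature counter does not advance is rejected, which is how a relying party notices a cloned authenticator even though the clone holds a valid key.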

Made for each other

FIDO? Mature federation protocol seeks youthful authentication standard for integrations AND MORE. I enjoy long redirects on the browser, but detest form fill. I’m tired of insecure password posers – and am looking for something real. If you think you are ‘Something I (Should) Have’, let’s Connect!


Explicit giving way to implicit


Apple ‘Selfie for authn’ patent


“Smart Lock for Android keeps your phone or tablet unlocked when it’s safe – no PIN, pattern or password needed. And when your device senses it may not be safe, it’ll need to be manually unlocked. Android can do this by recognizing signals like its proximity to that fly smartwatch on your wrist, your safe home location, even your voice.”

1. A variety of devices interact with users, both actively and passively, to collect context and communicate signals to the authentication server
2. Signals are aggregated and analyzed
3. Relevant identity attributes are encapsulated in tokens
4. Token communicated to the application
5. Rinse and repeat
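Worked example, added here and not from the talk or from Ping Identity’s products, tying the OpenID Connect slide above to the five steps just listed, in Go: context signals from several things are aggregated into amr/acr claims (step 2), encapsulated in an HS256-signed ID token (step 3) and validated by the receiving application (step 4). The policy table, the weights, the acr URNs, the signal names, the issuer https://op.example, the client id app-1 and the shared secret are all constructed for the example; the validation order (algorithm pinned, signature checked, then iss, aud, exp and nonce) follows the ID-token validation rules in OpenID Connect Core.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type Signal struct{ Source, Kind string } // which thing reported it, and what it observed
// Assumed policy (this example's, not the talk's): amr names follow RFC 8176 where one fits; the
// weights, the acr URNs and reading watch proximity as "hwk" (paired hardware) are illustrative.
var policy = map[string]struct{ AMR string; Weight int }{
	"password":    {"pwd", 1},
	"geolocation": {"geo", 1}, // passive: phone at the user's usual location
	"proximity":   {"hwk", 2}, // passive: paired watch in range
	"fingerprint": {"fpt", 3}, // active, verified locally on the device
}

// Aggregate is step 2: signals become the attributes the token carries, the methods used (amr) and an assurance level (acr).
func Aggregate(signals []Signal) (amr []string, acr string) {
	score, seen := 0, map[string]bool{}
	for _, s := range signals {
		if p, ok := policy[s.Kind]; ok && !seen[p.AMR] { // unknown or duplicate signals add nothing
			seen[p.AMR] = true
			amr, score = append(amr, p.AMR), score+p.Weight
		}
	}
	acr = "urn:example:acr:low"
	if score >= 4 {
		acr = "urn:example:acr:high"
	} else if score >= 2 {
		acr = "urn:example:acr:medium"
	}
	return amr, acr
}

type Claims struct { // the subset of ID-token claims used here; a single string aud is assumed
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Nonce string   `json:"nonce"`
	AMR   []string `json:"amr,omitempty"`
	ACR   string   `json:"acr,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sign(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintIDToken is step 3: the identity provider encapsulates the attributes in a JWT. HS256 keyed
// with the client secret is one signing option OIDC permits; RS256 with a published key is more common.
func MintIDToken(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return signingInput + "." + b64(sign(key, signingInput))
}

// ValidateIDToken is what the application runs in step 4: pin the algorithm and check the signature
// first, and only then read and check the issuer, audience, expiry and nonce.
func ValidateIDToken(token string, key []byte, iss, aud, nonce string, now time.Time) (c Claims, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return c, errors.New("malformed token")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // bad base64 -> nil -> rejected below
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg: the verifier chooses the algorithm, never the token")
	}
	if !hmac.Equal(dec(p[2]), sign(key, p[0]+"."+p[1])) {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(dec(p[1]), &c); err != nil {
		return c, err
	}
	if c.Iss != iss || c.Aud != aud {
		return c, errors.New("token is not from the expected issuer or not for this client")
	}
	if !now.Before(time.Unix(c.Exp, 0)) || c.Nonce != nonce {
		return c, errors.New("token expired or nonce mismatch (replayed or cross-login token)")
	}
	return c, nil
}

func main() {
	key := []byte("client-secret-shared-by-op-and-app") // constructed shared secret
	amr, acr := Aggregate([]Signal{{"watch", "proximity"}, {"phone", "geolocation"}, {"phone", "fingerprint"}})
	tok := MintIDToken(key, Claims{Iss: "https://op.example", Sub: "alice", Aud: "app-1", Exp: time.Now().Unix() + 300, Nonce: "n-1", AMR: amr, ACR: acr})
	fmt.Println(ValidateIDToken(tok, key, "https://op.example", "app-1", "n-1", time.Now()))
}
```

The application pins the algorithm rather than reading it from the token, so a header rewritten to alg:none or to another algorithm is rejected before any claim is trusted, and the nonce check ties the token to the login attempt that requested it, which is what stops a token captured from one session being replayed into another.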

THANKS