Respect Connect: From Social Login to Personal Cloud Login2013-09-10Dan Blum, Principal ConsultantDrummond Reed, CTOGary Rowe, CEO

2

Today’s Presentation Will Cover

• Digital identity and privacy challenges

• Federated identity in context

• Social login advantages and disadvantages

• How personal cloud login works using Respect Connect

• Personal cloud login advantages and disadvantages

• Respect Consulting and Management Perspectives

3

Introducing: Dan Blum, Principal Consultant and Chief Security Architect

• Internationally-recognized security and identity expert• 1998-2009: Burton Group

– Principal Consultant for large enterprises, leading technology providers– Research Director for Identity and Privacy Strategies (IDPS)– Lead author on initial IDPS Reference Architecture– Consultant for U.S. E-Authentication and Canadian Cyber-Authentication

programs (2004-2006)– Research Director for Security and Risk Management Strategies (SRMS) and

lead author on SRMS Reference Architecture

• 2010-2013: VP & Distinguished Analyst at Gartner– Agenda manager for security reference architecture– Lead analyst for cloud security and other topics– Won Golden Quill Award in 2011

• March 2013: Joined Respect Network to develop consulting practice and create peer cloud security guidance

4

The Problem: For many people, managing

personal identity and data on the net is…

Too much work Too unsafe

Too distractingToo many passwords

OVERWHELMING

5

Problems for Individuals are Business Problems

• Weak or duplicated passwords• Forgotten passwords• Complex login procedures• Account lockout• The help desk blues• Misdirected communications• Accounts that live on past termination of business

relationships

My personal life

Social network

Email service Media

service

Benefits

Bank

Health care provider

My employer’s domains

Corporate Directory

HR

Too Many Silos of IdentityGovernment

Professional social network

My professional persona

6

The Solution: Federated Identity• Technical Definition: Technologies, standards and agreements that enable

use of identity, credentials and attributes across autonomous domains• Value Proposition

– Reduced sign-on (users)– Reduced help desk support– Establish business communities

7

Federated Identity Architecture

Site or BusinessRelying Party (RP) Browser Identity Provider (IDP)

User

Request accessRedirect to IDP

Request sign-on to RPDiscover IDP

Authenticate userProvide token (or link)*

Provide token or assertion (or link)

Provide temporary token

Access resources

Provide accessto resource, or

session with user

•Token from IDP known as token, assertion or claim in various standards. May be passed directly or as link

8

Bridging SilosMy employer’s

domains

My personal life

My professional persona

Corporate Directory

HR

Social network

Email service Media

service

Professional social network

Benefits

Bank

Health care provider

Government

Cloud, or SCM

Federated Identity or other SSO

Relationship

9

History of Federated Identity

10

Pair wise federationsEarly 2000sSmall clustersMinimal industry penetrationSAML, highly customizedVarious LOAs

Industry federationsEarly 2000s to presentSmall, medium and largeLow industry penetrationSAML, X.509, rich topologiesVarious LOAs

OpenID 1

NIH

InCommon

Nordic WAYF

CAC

Supply chains

LOA

PIV

Broad federationsEarly 2010s to presentLarge to very largeGrowing industry penetrationSAML , OAuth, OpenID ConnectLimited use casesLow to low/medium LOA

Enterprise to SaaS Large e-

commerce ecosystems

Social login systems

LOA

2013-2015

Evolution of Major Federated Identity Standards2000 2005 2010

Enterprisespace

User-centricspace

SAML 1.0Shibboleth

SAML 1.1Liberty ID-FFWS-*

Governmentspace

X.509 EAP profiles(X.509 + SAML)

OpenID 1.0OpenID 2.0

OAuth 1.0

Interop

OpenID Connect

OAuth 2.0

Government id cards, e.g. FIPS 201

SAML 2.0

11

Respect ConnectUMA, …

12

Federated Identity Challenges

• Scalability issues– Interoperability (minor)– Legal and trust issues (major)

• Incentive, or power, mismatches– Causing some federations to fail

• Privacy issues (emergent)

13

Social Login

• Definition: The ability to access a web site or application using an account on a social network

• Value proposition– Reduced sign-on friction (users and RPs)– Obtain customer data (RPs)– Gain market share and leverage (IDPs)

14

Social Login Market Share

15

Social Login

• Architecture

Relying Party Site Social Network

Your social graphReal nameBirthdayHome townLinks to photosRelativesFamily, childrenFriendsOther data

Or use another service

OAuth

16

Advantages and Drawbacks of Social Login

Advantages (user)• Reduced sign-on friction• Ease of use• Social features of RP’s app

Drawbacks (user)• Deep privacy concerns—exposing

your real personal information to all the social networker’s partners

• Lack of control• Lack of portability• Building in a dependency on a third

party

Advantages (RP)• Reduced sign-on friction• Ease of development• Leverage personal data

Drawbacks (RP)• Having a third party in the middle of

customer relationships • Lack of trust by users• Risk of changing terms and costs • Building in a dependency on a third

party

17

Privacy Crises

• Inconsistent rules or no rules• Unreadable privacy policies • Unwanted advertising - Spam, spam, spam• Increasingly sensitive financial, medical and social data

in the hands of data brokers• One faux pas online may hurt your reputation forever

18

Do People Care?

Source: Differentiate with Privacy-Led Marketing PracticesA Forrester Consulting Thought Leadership Paper Commissioned by NeustarJuly 2013

19

Do People Care?

Source: Differentiate with Privacy-Led Marketing PracticesA Forrester Consulting Thought Leadership Paper Commissioned by NeustarJuly 2013

Personal Cloud Login

20

21

Introducing: Drummond Reed, CTO

• 1995-2007: Co-Founder & CTO, Cordance• 2004 – Co-Chair, OASIS XDI Technical Committee• 2005 – Founding Board Member, OpenID

Foundation• 2009 – 2010 Executive Director, Information

Card Foundation• 2010 – Founding Executive Director, Open

Identity Exchange• 2011: Co-Founder Respect Network

22

What is a Personal Cloud?

• A cloud-based platform the individual owns and controls– My oasis on the Internet

• Available from a cloud service provider (CSP) or self-hosted• A secure, lifetime personal data repository with NO ambiguity in

terms of who controls the data– Store any kind of data—binary, structured, application, preference

• A place to manage connections, relationships, communications• A platform for applications—much like a personal computer or

smartphone—but accessible from all your devices

23

What is a Personal Cloud Network?

A peer-to-peer network of personal and business clouds that provides interoperability, portability, and trust between members

24

What is Personal Cloud Login?

• Definition: The ability to access a web site or application using a personal cloud

• Value proposition– Reduced sign-on friction (users and RPs)– Increased trust (users and RPs)– Safe data sharing in either direction (users and RPs)– Lifetime data subscriptions (users and RPs)– CSPs gain market share, leverage and new revenue streams

25

The next 3 screens show the actual user experience today for Facebook Login

at The San Francisco Examiner

26

27

28

29

Personal cloud login works just like social login except there’s no social network in the middle—the connection is directly with the

user’s own personal cloud

Business Cloud

30

The next 3 screens show what the user experience would look like for

Respect Connect personal cloud login at The San Francisco Examiner

31

32

Login with Respect Connect

Okay Cancel

drummond@connect.meEmail

Drummond ReedName

98133Zip

code*

The San Francisco ExaminerMember since May 2014

RespectConnection

s

304

Personal cloud data requested: Permissions requested:

Send daily news summary

Send weekly news summary

All data shared under the Respect Trust Framework

33

34

The secret to making personal cloud login work is that each cloud belongs to a

personal cloud network—this is how the Respect Connect button does its magic

35

This also means each Connect button is a way for new users to join the network

36

The next 3 screens show the Respect Connect user experience if the user does not yet have a personal cloud

37

38

Login with Respect Connect

Continue Cancel

Enter any one of the following:

If you already have a personal

cloud

Cloud name

Mobile phone number

Email address

Remember me on this device

If you do not yet have a personal

cloud

Learn more about personal clouds

Join Respect Network now in 30

seconds

39

40

In all cases, 100% of the user’s login data is stored securely in his/her personal cloud

Personal Cloud

• Under the user’s exclusive authority and control

• Portable for life to any personal cloud provider (or self-hosted)

• Not visible to any other party or app without the user’s permission

• Protected by the user’s choice of strong authentication and encryption offered by the CSP

41

Advantages and Drawbacks of Personal Cloud Login

Advantages (user)• Reduced sign-on• Privacy• Portability• Empowerment• View provider reputation

Drawbacks (user)• Something new to sign up for• Will take time to gain adoption• Must trust CSP and Respect Network

Advantages (RP)• Reduced sign-on• Leverage personal data with consent• Gain user trust• Direct, permissioned subscription• No social network dependency

Drawbacks (RP)• Small user base (at first)• Social graph data only by permission• Overhead of consent management

Conclusion

Respect Consulting

• Leverage our world-class team to help organizations:– Determine how and when to leverage personal clouds– Better understand and gain business advantage from personal clouds– Assess and develop enterprise security architecture – Assess and develop cloud security architecture– Architect and build next generation identity management systems– Develop federated identity architecture

• Delivering consulting via:– 1- 3 day workshops delivered onsite– Custom consulting leveraging our consultants and our partners– We can deliver custom consulting, longer term

43

44

Upcoming Respect Network Webinars

• CRM Meets VRM: How a Personal Cloud Network Will Enable Real Vendor Relationship Management

• Connecting the Internet of Things to the Internet of People• Trust and Reputation on a Personal Cloud Network

Gary Rowe, CEODrummond Reed, FounderDan Blum, Principal Consultant

gary@respectnetwork.comdrummond@respectnetwork.com

dan@respectnetwork.com

45

46

Upcoming Respect Network Webinars

• CRM Meets VRM: How a Personal Cloud Network Will Enable Real Vendor Relationship Management

• Connecting the Internet of Things to the Internet of People• Trust and Reputation on a Personal Cloud Network