I rush up a little bit. Next presentation is from someone who has been working in the standardization area for years and has contributed to a number of SIS standards specifically in the open identity environment. Let me call it that way. Please. Welcome PR the, so you with WSO2. Yeah. I must say this name in German is much faster. Yes. What's why, what type of applications are you building in WSO2?
Yeah. So basically WSO2 produces a completely open source, all under Apache license, comprehensive platform for connected business.
So that includes a wide variety of products that could cater to different aspects, from data to screen. So we have server enterprise service bus, API manager, likewise.
Okay. So you are working for a company building the connected enterprise, and you're going to tell us something about the connected entities tonight. Yeah. Yeah. Thank you very much. Close yours.
Yeah.
So this is basically my third time at DIC for last four years. Thanks. It's fantastic to be here again and again. I guess every one of you likes listening to stories, so let me start with a quick story. It was August 2012. Mat Honan, a reporter for Wired magazine based in San Francisco, returned to his home and, as usual, started playing with his little daughter. At this point he didn't have any clue what was going to happen next. Suddenly his iPhone powered down. He was expecting a call, so he plugged it into a wall power socket and rebooted it.
What he witnessed next simply blew him away. He didn't see the normal iPhone home screen with all sorts of apps. It was a screen presented to him asking to reset his iPhone, to set up a new iPhone with a welcome screen. So for a moment he thought, okay, something is wrong with my iPhone. And he was not that worried, because he used to back up his iPhone and MacBook daily to iCloud. So if I could get into iCloud, then I can restore my iPhone. That's what he thought.
So he tried to log into iCloud.
He typed his usual credentials, but it failed. He tried again, failed again.
Anyway, he thought maybe I am excited with the things happened immediately. He tried for one last time, and that failed too. So now the only hope he had was his MacBook. He was planning that if I could log into my MacBook and use the local backup to restore the iPhone, then that could work. So he tried to log into his MacBook, but that didn't work either. It prompted a screen to enter a four-digit passcode that he had never set up before. He was almost hopeless, but this guy never gives up. So he tried to call the Apple technical center to reclaim his iCloud account.
Then he got to learn. He learned that he had called 30 minutes before and reset his iCloud password.
At that time, to reset your iCloud account, you only needed to know two things: your billing address and the last four digits of your credit card. Honan's billing address was readily available with the WHOIS internet domain record for his personal website. And to get the last four digits of his credit card, the attacker contacted the Amazon help desk. He already had Honan's full billing address and the email address.
So using those, the attacker executed a simple social engineering attack and got the last four digits of Honan's credit card. So Honan lost almost everything, but the attacker still needed more. Then he broke into Honan's Gmail account. And from there he reset his Twitter account and got control of his Twitter handle. So one by one, the connected identity of Honan started to fall into the hands of the attacker.
Something we all know by heart, the principle of the weakest link: any computer system out there is as strong as the strength of the weakest link. You might have protected your iPhone with biometrics, your MacBook with biometrics, but who counts.
If I can get access to your iCloud account or the web using a simple username and password, I can wipe off all your data in your iPhone or in your MacBook. Look, today the global internet economy is somewhere in the neighborhood of 10 trillion US dollars.
And by 2016, almost half the world's population, that's around 3 billion people, will use the internet. And maybe that number will grow with the Internet.org initiative by Facebook. And during 2008, the number of things connected to the internet exceeded the number of people on earth.
In 2012, the number of devices connected to the internet was around 12.5 billion. And by the end of this year, the number would be around 25 billion. By 2020 it's estimated the devices connected to the internet will be 50 billion. Connected devices have existed since the introduction of computer networks and consumer electronics, but it wasn't till the internet emerged.
The concept of the global connected planet started to take off. In the 1990s researchers theorized how human and machines view together a new form of communication and activity in terms of machines. So that's the reality today unfolding before our eyes.
The word identity is no more just about humans. It represents both humans and things. The identity of things is an effort that involves assigning unique identifiers and also a set of associated metadata to devices out there, so they can communicate, talk to each other over the internet.
The metadata associated with each unique identifier will define the identity for the corresponding endpoint. The identity of things is a key ingredient in the internet of things, which basically enables anything imaginable to be addressable and accessible through the internet. So in this context, the thing is an entity. It can be a physical object or a logical object, which can be addressable by a unique identifier, and also can communicate over a network. The definition of identity has evolved with the internet. It's no more about attributes and claims.
It's about attributes, claims, plus behaviors, patterns, and all about you. The Fitbit that you wear while you are sleeping knows about your sleeping patterns. The sensors attached to the connected car know about your driving patterns. The sensor attached to your refrigerator knows about your daily food consumption patterns. At the moment, there are no identity stores out there which could build a unified view of a given user's identity, aggregating all those: attributes, behaviors, patterns, everything.
So let's for the moment, forget about this aggregated view. We also have more challenging questions.
The ownership of the data and data migration. Connected cars collect and store a vast amount of data. This data goes well beyond user preferences and settings.
So the connected cars collect driver data such as travel routes, travel destinations, car speeds, driver behaviors, commute patterns, and much more. These connected cars are only a fraction of the devices connected to the internet that enable users to set their preferences and then collect user data. These IoT devices also let you define your virtual identity. While all this user-generated data would possibly last forever, the connected cars and the other IoT devices won't last forever. So this raises an important question: what would happen to my data with all these devices?
So if I wanted to sell my connected car and buy a new one, what would happen to the data stored in the previous car? Can I migrate that data to the new one? And then also the other question is where all this data gets stored. Connected car data and user preferences are primarily stored in cloud-based silos.
There are no universal standards or agreed-upon best practices among car manufacturers in the connected car industry to collect, store and manage car owners' data.
There's no universal standard out there to manage the car owner's identity, which includes storage and export of user preferences and user history. So identity silos create a lot of friction in the connected enterprise. How do we get rid of this friction? How do we get rid of these identity silos? One way is to expose your data through APIs. Even without breaking the data silos, even without changing the ownership of data, you can simply expose your data through APIs. Then the end user would benefit from this.
So you can aggregate all the data from different places and build an aggregate identity view of the particular user. And also the Besters will benefit by having access to the complete aggregate view of the user's identity. With this one can compare his sleeping patterns with driving patterns, his daily food consumption patterns with sleeping patterns, and many more. For example, the BMW ConnectedDrive, which connects to a Fitbit, would know whether you had a good sleep last night or not. And based on that, the BMW ConnectedDrive can present you options to do a safe drive.
Then the challenge is how do we propagate user identities across these APIs? We need to come up with a security model which is protocol agnostic. If we build BMW ConnectedDrive to be compatible with the security model of the Fitbit API, then what would happen if the BMW ConnectedDrive wants to find the nearest restaurant through Yelp which is highly rated by your Facebook friends? Then it has to be compatible with the security model of Yelp, as well as Facebook.
In other words, we are starting to talk about building a security model which is point to point, which doesn't scale. So in fact, that leads to the anti-pattern called spaghetti identity.
So you have a lot of connections. One product has to support all the protocols.
Identity silos and spaghetti identity are two anti-patterns that are not just present in the IoT world. If you look at the history, most of the companies grow today via acquisitions, mergers and partnerships. In the US only, mergers and acquisitions volume totaled 865.1 billion in the first nine months of 2013, according to Dealogic.
And that's a 39% growth or improvement from the previous year, and the highest total for the first nine months since 2008. Research done by the analyst firm called Quocirca confirms that in today's world most enterprises work with external users more than internals. In Europe, 58% transact directly with users from other businesses or consumers.
And in the UK, that figure is around 65%. Another analyst firm predicts that by 2020, 60% of all digital identities interacting with enterprises will come from external IDPs. Each external identity provider can be treated as an identity silo. The service providers, or the identity consumers, need to trust these identity providers to accept and use identity. And beyond this trust, both the service provider and the identity provider must speak the same language to bootstrap the initial trust relationship.
And then transport ID tokens. Think about the case where a service provider doesn't support the ID token sharing protocol supported by the IDP. Then either you have to change the IDP end to talk the same language as the service provider, or fix the service provider.
So this is what you see. In one silo, there can be service providers and identity providers all talk the other silo. There can be service providers and identity providers all talk OpenID Connect. So how do we bridge these two federation silos? Under today's context, connected business is a very, very dynamic and complex environment.
You decide to reach customers, partners, distributors, and suppliers, to, to build more interactions activities with them, and then to grow the revenue of your company. This doesn't merely mean that just by breaking technological silos in your company will do that. You need to expose your companies and make your company more accessible and reactive to the rest of the world.
Having friction to build connections between the business entities is not something LER. If the cost of introducing or provisioning a service provider or an identity provider to your existing system is high due to the protocol incompatibility, then that won't work, that won't scale. And also the point-to-point connections that you create between service providers and identity providers also won't work.
With an identity bus or identity broker in the middle we can solve most of these issues. The identity broker will take care of mediating different ID tokens between multiple heterogeneous protocols. You get an OpenID Connect token from a service provider. Then the identity broker can transform this into a SAML token, then send it to the IDP, then get the response, a SAML response, from the IDP, transform it to an OpenID Connect response, and send it to the service provider. And also you don't need to build point-to-point trust relationships. Service providers always trust the IDP, and the IDP will connect all the IDPs, other IDPs, and the service providers.
And if you extend the functionality of an identity broker, you can further enforce access control rules, and then do auditing and monitoring centrally. So with the evolving standards in identity federation, you had SAML dominating for more than a decade.
Now, OpenID Connect. So there can be more and more standards coming up. And also there are no proper standards for managing device identities, and there are no proper standards to propagate device identities. In that world, we cannot completely, fully rely on a particular standard. The identity broker or the identity bus will play a key role in building a comprehensive, open, connected identity platform.
And that also would be protocol agnostic. Yeah.
Thank you. Very short question. So using a technology, my Fitbit will tell my car that I will have 50 horsepowers more the one day than the other, is that right?
Yeah.
So that's basically imaginary. So that's, I guess, where we need to go towards, and then again, the challenge is data privacy and security. Yeah.
So my talk is about the benefits, risk and challenge. The benefit is basically to the end user: you build a comprehensive, complete view of your identity, aggregating different parts from different players, and that will also benefit the business. The challenge is how do we aggregate these different parties together? One option is an identity broker. So that's just the one option. Then the risk: privacy and security.
Yep. That's what we called to address necessary, but needed. Thank you again. Okay.