Identity 3.0 and Oracle at AMIS25
![Page 1: Identity 3.0 and Oracle at AMIS25](https://reader031.vdocument.in/reader031/viewer/2022022412/58f1d64a1a28abeb4e8b45c1/html5/thumbnails/1.jpg)
Identity 3.0 and Oracle
A match made in heaven or is hell freezing over?
Bram van Pelt
Who Am I
• Bram van Pelt
• Expert lead Security
• Security Consultant
What will we be covering
Agenda
• The evolution of the identity
• Identity 3.0
• Oracle POC implementation
Definitions
• Account
• Identity
• User
The history of digital Identity
Identity 1.0
• Jericho Forum
• De-perimeterisation
• COA Framework
COA Framework
• Technologies
– Endpoint security
– Secure communications
– Secure data (DRM)
COA Framework
• Processes
– People Lifecycle Management
– Risk Management
– Information Lifecycle Management
– Device Lifecycle Management
– Enterprise Lifecycle Management
COA Framework
• Services
– Identity management and federation
– Policy Management
– Information Classification
– Information Asset Management
– Audit
Identity 2.0
• Securely collaborating in clouds
• Identity, Entitlement & Access Management Commandments
Identity, Entitlement & Access Management Commandments
• 14 Guidelines on how to secure an identity
• An Entity can have multiple, separate Persona (Identities) and related unique identifiers
• The source of the attribute should be as close to the authoritative source as possible
• A resource owner must define Entitlement (Resource Access Rules)
Identity 3.0
• Bring your own identity
• Using identity to enhance privacy
• “We believe that with a single global identity eco-system all this is possible.”
Identity 3.0 definitions
• External identifier: a provider of attributes other than the user
• Core identifier: the “bring your own identity” attribute provider
• Persona: a mix of attributes provided by the core identifier and, optionally, by external identifiers
Identity 3.0 principles: Risk
• Decisions around identity are taken by the entity that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain.
• Attributes of an Identity will be signed by the authoritative source for those attributes.
Identity 3.0 principles: Privacy
• Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.
• The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.
• Entities will only maintain attributes for which they are the authoritative source.
Identity 3.0 principles: Functionality
• The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.
• The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralized infrastructure.
• Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until increased levels of user verification are required.
The inner workings
Inner workings
• Personas
• One way trust
Personas
[Entity: Organization] Government
[Entity: Person] Yourself
Citizen Persona with authoritative (cryptographically) signed attributes:
Date of Birth = 01 Jan 2000
Place of Birth = London, UK
Sex at Birth = Male
Name at Birth = John Doe
Citizenship = Full British
Issued = 01 Jan 2015
Revalidation = gid.citizen.gov.uk
Trust
One way trust
• I trust you, so you can access my resources
• That does not mean you can access them unauthenticated
How does this work?
• Site demands identity
• You give your attributes
• You log in to the external identifier
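The persona on the earlier slide and the three steps just listed can be worked through end to end. The block below is an added example, not code from this talk or from any Oracle product: a constructed citizen persona whose attributes are each signed by a hypothetical registry named after the slide's revalidation domain `gid.citizen.gov.uk`, a site that trusts only that registry's public key (one way trust), release of just the two attributes the site asks for (attribute minimisation), and rejection of an attribute altered after issuance. The persona identifier `persona:citizen:example`, the attribute values and the JSON canonical form are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// attributeBody is the signed part of one persona attribute. Each attribute is signed
// on its own, so the holder can release a subset (minimisation) without breaking signatures.
type attributeBody struct {
	Issuer, Subject, Name, Value, Issued string
}

// SignedAttribute is the body plus the issuer's Ed25519 signature over canonical().
type SignedAttribute struct {
	attributeBody
	Signature []byte
}

// canonical is the byte string both sides sign and verify (json.Marshal of a struct is deterministic).
func (b attributeBody) canonical() []byte {
	out, _ := json.Marshal(b) // a struct of strings cannot fail to marshal
	return out
}

// Sign is what an authoritative source does: it binds one attribute value to a persona
// identifier under its own issuer name and signs the result.
func Sign(priv ed25519.PrivateKey, issuer, subject, name, value, issued string) SignedAttribute {
	body := attributeBody{issuer, subject, name, value, issued}
	return SignedAttribute{body, ed25519.Sign(priv, body.canonical())}
}

// Persona is the holder's set of signed attributes under one identifier.
type Persona struct {
	Subject    string
	Attributes []SignedAttribute
}

// Disclose returns copies of only the requested attributes; the rest stay with the holder.
func (p Persona) Disclose(requested ...string) (out []SignedAttribute) {
	for _, a := range p.Attributes {
		for _, n := range requested {
			if a.Name == n {
				out = append(out, a)
			}
		}
	}
	return out
}

// RelyingParty is the site that assumes the risk and so takes the decision. Trust is one
// way: it holds the issuer's public key; the issuer holds nothing from the site.
type RelyingParty struct {
	TrustedIssuers map[string]ed25519.PublicKey
}

// Verify accepts only attributes bound to the expected subject and validly signed by a trusted issuer.
func (rp RelyingParty) Verify(subject string, attrs []SignedAttribute) (map[string]string, error) {
	verified := map[string]string{}
	for _, a := range attrs {
		pub, ok := rp.TrustedIssuers[a.Issuer]
		switch {
		case !ok:
			return nil, fmt.Errorf("%s: issuer %q not trusted", a.Name, a.Issuer)
		case a.Subject != subject:
			return nil, fmt.Errorf("%s: bound to %q, not %q", a.Name, a.Subject, subject)
		case !ed25519.Verify(pub, a.canonical(), a.Signature):
			return nil, fmt.Errorf("%s: signature does not verify", a.Name)
		}
		verified[a.Name] = a.Value
	}
	return verified, nil
}

// BuildScenario creates the citizen persona from the slide (constructed sample values,
// signed by a freshly keyed hypothetical registry) and a site that trusts only that key.
func BuildScenario() (Persona, RelyingParty) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source; nothing sensible to continue with
	}
	const issuer, subject = "gid.citizen.gov.uk", "persona:citizen:example" // subject is constructed
	citizen := Persona{Subject: subject}
	for _, kv := range [][2]string{{"Date of Birth", "01 Jan 2000"}, {"Place of Birth", "London, UK"},
		{"Sex at Birth", "Male"}, {"Name at Birth", "John Doe"}, {"Citizenship", "Full British"}} {
		citizen.Attributes = append(citizen.Attributes, Sign(priv, issuer, subject, kv[0], kv[1], "01 Jan 2015"))
	}
	return citizen, RelyingParty{TrustedIssuers: map[string]ed25519.PublicKey{issuer: pub}}
}

func main() {
	citizen, site := BuildScenario()
	disclosed := citizen.Disclose("Date of Birth", "Citizenship") // the site needs only these two
	fmt.Println(site.Verify(citizen.Subject, disclosed))
	disclosed[0].Value = "01 Jan 1990" // altered after issuance: the signature no longer matches
	fmt.Println(site.Verify(citizen.Subject, disclosed))
}
```

Signing each attribute separately, rather than the persona as a whole, is what makes minimisation possible: the holder can hand over two attributes and the site can still check them against the registry's key. The registry is never contacted during the transaction, so it does not learn which sites the holder visits, and the site, as the entity assuming the risk, is the one that decides which issuers it trusts.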
How does this work?
• Reusable
• Web of identities
Why would you want this
• No more user storage
• Personalisation options
• Transparency to end users
• Enhanced privacy
How would we build this?
• Ingredients:
– The core identity and identifier
– The persona implementation
– The external identifier / authenticators
The core identity and Identifier
• This is a personal device which you have on you, if possible…
• Phones
• Dyn-dns via browsers
• Personal component
The Persona implementation
• Basically an “identity cookbook”
• Trusts to identifiers
• One way cryptographic trust
– Signed attributes
The external identifier / authenticator
• Basically an external identification source
• Chosen by the application
How would we build this?
• Oracle WebLogic Server
– SAML trust to an access manager
• Oracle Access Manager
– Key retrieval using dyndns
– External authentication (using SAML or OAuth2)
• Personal authenticators…
– Todo…
Let’s picture it
What do we need
• Oracle:
– Authentication modules to authenticate using DynDNS / IPv6
– Personal authenticators
– Expanded control over authentication chains
YOU
Special Thanks
• Global Identity Foundation
• Jericho Forum
• Bram van Pelt
• Twitter: @BramPelt
• LinkedIn: http://linkedin.com/in/bram-van-pelt-77a15021