UMA as Authorization Mechanism for IoT: A Healthcare Scenario
DESCRIPTION
Presentation at the Kantara Initiative workshop at Utrecht, 4-5 September 2014. UMA as Authorization mechanism for IoT: a healthcare scenario.
TRANSCRIPT
UMA as Authorization mechanism for IoT: A healthcare use case
Domenico Catalano, Oracle Italy; Maciej Machulak, Cloud Identity Limited
Kantara Initiative Workshop, 4-5 Sept. 2014, Utrecht
Agenda
Problem Statements
Scenario and Requirements
UMA Concepts
Architecture
Q&A
Authorization Definition
A process for granting approval to a system entity to access a system resource.
Source: Internet Security Glossary, Version 2 (RFC 4949)
[Diagram: System Entity, Access, System Resource]
Nature and Complexity of an IoT Environment
• Identity & Ownership
• Objects with limited capability
• Distributed Objects
• Hierarchy & Delegation
• External Application
• Proprietary Protocols
Authentication and Authorization in Constrained Environment (ACE)
[Figure: Actors in the ACE Architecture, from http://tools.ietf.org/pdf/draft-gerdes-ace-actors-01.pdf]
User-Managed Access (UMA) Architecture and Terminology
[Diagram: the Resource Owner manages Resources at the Resource Server and controls the Authorization Server. The Resource Server protects the resources with a PAT through the Protection API. The UMA Client, acting on behalf of the Requesting Party, uses an AAT at the Authorization API, redirects the Requesting Party to the AS, and accesses the resources with an RPT]
PAT: Permission Access Token; AAT: Authorization Access Token; RPT: Requesting Party Token
UMA as Authorization mechanism for IoT
Day Hospital scenario
• Alice is admitted to the hospital for a checkup, where she is assigned a bed with a monitoring device system (Smart Device).
• The doctor (Bob) examines Alice with his Electronic Stethoscope, which is able to record and store the patient's heartbeats.
• The patient's heartbeats must be shared with the EHR system and with an external provider for analysis.
Day Hospital Use Case: Actors and Resources
[Diagram spanning three security domains. Patient's Security Domain: the Smart Device (Patient Data, Object Interface, Network Interface) with the patient as Resource Owner. Doctor's Security Domain: the Stethoscope as Resource with the doctor as Resource Owner. Hospital's Security Domain: the EHR System as Client and Requesting Party. Access arrows run from the Stethoscope to the Smart Device and from the Smart Device to the EHR System; the roles Resource Owner, Client Owner, Resource, Client and Requesting Party are marked on the corresponding actors]
Assumptions
• The Electronic Stethoscope is a device with limited capabilities (it records, stores and signs heartbeats data).
• The patient's bed embeds a smart device (patient monitoring) which is able to connect with external devices and provides IP connectivity.
• The healthcare Smart Devices are registered with the NHS, which acts as a trusted party.
Day Hospital Use Case: Internet of Things High Level Architecture
[Diagram: a Trusted Network of Objects in which the Smart Device, the EHR and a Cloud Provider exchange data. The Doctor and the Patient are both Resource Owners (labelled A and B): one governs resources through the Hospital UMA Authorization System, the other through a Personal UMA Authorization System]
Goals
• G1. The doctor must be able to register his own resource (stethoscope) with the Authorization System.
• G2. The patient must be able to register the monitoring device system as a protected resource.
• G3. The doctor must be able to authorize and delegate a client to access his resource.
• G4. The patient must be able to express consent for sharing her own data (heartbeats) with other parties.
Requirements
• Resource Registration, Discovery Services
• Actions Delegation
• Patient Consent
• Access Control for sharing data
Resources Registration: Dynamic Registration
[Diagram: the Day Hospital Operator (A), the National Healthcare System, the Hospital Objects and the Patient's Personal UMA Authorization System (Resource Owner, B). Labelled elements: Request, Object Enrollment AuthN, Assign Resource, sw_stmt (software statement), Secret; three numbered steps, based on the OAuth 2.0 Dynamic Client Registration Protocol]
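As an added illustration of the registration step (it is not code from the slides or from any UMA implementation), the Python sketch below models the enrollment: the trusted party authenticates the object and issues a signed software statement (the slide's sw_stmt), and the UMA Authorization System accepts an OAuth 2.0 Dynamic Client Registration request (RFC 7591) carrying it and hands back a client secret. The issuer name "nhs", the shared HMAC key and the device identifiers are constructed assumptions; the field names are the RFC 7591 ones.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: the NHS (trusted party) and the hospital UMA AS share an HMAC key, so the
# software statement is a compact HS256 JWT; a real deployment would sign it with an
# asymmetric key of which the AS only needs the public half.
NHS_KEY = b"constructed-demo-key-shared-by-nhs-and-as"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def nhs_issue_software_statement(device_id: str, client_name: str) -> str:
    """Trusted party side: after Object Enrollment AuthN, sign the object's metadata."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": "nhs", "software_id": device_id,
                              "client_name": client_name, "iat": int(time.time())}).encode())
    sig = hmac.new(NHS_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def _verify_statement(token: str) -> dict:
    header, claims, sig = token.split(".")
    expect = hmac.new(NHS_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expect), sig):
        raise ValueError("software statement signature invalid")
    body = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    if body.get("iss") != "nhs":
        raise ValueError("software statement not issued by the trusted party")
    return body

def as_register_client(request: dict) -> dict:
    """AS side: RFC 7591 style registration; signed claims win over unsigned body values."""
    stmt = _verify_statement(request["software_statement"])
    return {"client_id": secrets.token_hex(8), "client_secret": secrets.token_hex(16),
            "client_name": stmt["client_name"], "software_id": stmt["software_id"],
            "grant_types": request.get("grant_types", ["authorization_code"])}

def enroll_object(device_id: str, client_name: str) -> dict:
    """Whole enrollment: NHS software statement, then dynamic registration at the AS."""
    stmt = nhs_issue_software_statement(device_id, client_name)
    # The unsigned client_name in the body is deliberately different to show it is ignored
    return as_register_client({"software_statement": stmt, "client_name": "unsigned name",
                               "grant_types": ["authorization_code"]})
```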
UMA Authorization Flow
1. The Smart Device detects an electronic stethoscope.
2. The Smart Device (Client) attempts to access the heartbeats data (Resource).
3. The Smart Device (Client) is redirected to the Doctor's Authorization Server for the authorization process.
[Diagram: Client, Resource, Resource Owner in the Patient's Monitoring System Smart Device]
[Screen mockups of the Patient's Monitoring System Smart Device: "Electronic Stethoscope Authorization Process: Redirect to UMA AS..."; "National Healthcare System Authentication Service" with a fingerprint prompt; "UMA Authorization Server Access Request" with Allow / Cancel; "Electronic Stethoscope data uploading..."]
Patient's data association
A new Protected Resource is added to the Personal UMA AS.
[Diagram: the Smart Device (one of the Hospital Objects) and the Patient's Personal UMA Authorization System (Resource Owner, B); three numbered steps: New Protected Resource, Get Access, Notification]
Patient Notification
[Mockup: notification on Alice's device, "Personal UMA AS: Heartbeat data added as protected resource", with View / Close buttons]
Actions Delegation
• The doctor needs to share the patient's heartbeats data with the EHR system and an external party.
• The sharing policy should be inherited by the mediator client (smart device), which will act as resource server for the EHR system and the external requester.
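The following Python model is added here and is not part of the presentation or of any UMA product. It walks through the UMA authorization flow outlined on the earlier slide (access without a token, permission ticket from the resource server, RPT issued through the Authorization API, access with the RPT) and lets the Personal UMA Authorization System apply the inherited data sharing policy when it decides on the request, so the mediator Smart Device acts as resource server for the EHR system and the external provider. The consent table, the token handling and the class names are constructed simplifications; the real endpoints and token formats are those of the UMA core protocol.

```python
import secrets

# Constructed consent policy taken from the "Inherited Data Sharing Policy" mockup:
# requesting party -> data-protection rule; a party absent here has no consent.
CONSENT = {"heartbeats": {"EHR System": "identified", "Healthcare Provider": "anonymous"}}

class PersonalUmaAs:
    """Simplified model of Alice's Personal UMA Authorization System (assumption)."""
    def __init__(self):
        self.pats, self.aats, self.tickets, self.rpts = set(), set(), {}, {}
    def issue_pat(self):                      # Protection API token for the resource server
        t = secrets.token_hex(8); self.pats.add(t); return t
    def issue_aat(self):                      # Authorization API token for the client
        t = secrets.token_hex(8); self.aats.add(t); return t
    def register_permission(self, pat, resource, scope):
        if pat not in self.pats: raise PermissionError("unknown PAT")
        ticket = secrets.token_hex(8); self.tickets[ticket] = (resource, scope); return ticket
    def request_rpt(self, aat, ticket, requesting_party):
        if aat not in self.aats: raise PermissionError("unknown AAT")
        resource, scope = self.tickets.pop(ticket)
        rule = CONSENT.get(resource, {}).get(requesting_party)
        if rule is None: return None          # no patient consent for this party: no RPT
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = {"resource": resource, "scope": scope, "protection": rule}
        return rpt
    def introspect(self, pat, rpt):
        if pat not in self.pats: raise PermissionError("unknown PAT")
        return self.rpts.get(rpt)

class SmartDevice:
    """Bedside monitoring device acting as UMA resource server for the heartbeat data."""
    def __init__(self, az, data):
        self.az, self.data, self.pat = az, data, az.issue_pat()
    def get(self, resource, rpt=None):
        perm = self.az.introspect(self.pat, rpt) if rpt else None
        if not perm or perm["resource"] != resource:   # no valid RPT: answer with a ticket
            return {"status": 403, "ticket": self.az.register_permission(self.pat, resource, "read")}
        payload = dict(self.data[resource])
        if perm["protection"] == "anonymous":          # policy: strip the patient identity
            payload.pop("patient", None)
        return {"status": 200, "data": payload}

def share_heartbeats(requesting_party):
    """Run the exchange for one requesting party and return the resource server's answer."""
    az = PersonalUmaAs()
    device = SmartDevice(az, {"heartbeats": {"patient": "Alice", "bpm": [72, 75, 71]}})
    aat = az.issue_aat()                      # the EHR / external client holds an AAT
    first = device.get("heartbeats")          # 1. no RPT yet -> 403 plus permission ticket
    rpt = az.request_rpt(aat, first["ticket"], requesting_party)   # 2. ticket + AAT -> RPT
    return device.get("heartbeats", rpt) if rpt else {"status": 403, "data": None}
```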
Delegation Process
[Mockup: Hospital UMA Authorization System, page www.uma4IoT.com/am/ObjectDelegation, "Welcome Bob". Objects Request / App Delegation form with Actions (Share with EHR System, Share with Healthcare Provider), Period: from __/__/____ to __/__/____, and Data Protection options (Anonymous data, Patient consent)]
Inherited Data Sharing Policy
[Mockup: Alice's view of the resource Heartbeats with its Data Sharing Policy entries (Share with EHR System, Share with Healthcare Provider) and the columns Data Protection and Description]
Client Access and Patient Consent: UMA Flow
[Diagram: the Patient (Resource Owner) manages consent at the Authorization Server. The Patient Device Monitoring, acting as resource server for the Heartbeats data, protects it with a PAT over the Protection API. The EHR System (UMA Client) holds an AAT for the Authorization API, redirects the Requesting Party to the AS, and accesses the data with an RPT. A Claim Client at the AS authenticates the Requesting Party and requests UserInfo from the IdP/Claim Provider]
PAT: Permission Access Token; AAT: Authorization Access Token; RPT: Requesting Party Token
UMA Trust Model
[Diagram: a Trust Chain linking Client, Resource Server and Authorization Server (the Resource Server protects resources, the Client accesses them on behalf of the Requesting Party, the Resource Owner authorizes). Trust elements shown: Identity Assurance, Trust Framework (ISO 29115), Trustworthiness, Delegation, Registration, Trusted Claims, and an Accreditation System]
Advantages of UMA Approach
• Designed for centralising the authorization process for distributed resources.
• Works with constrained resources; requires a web stack.
• Applicable to objects, data and owners of different natures.
• Developed to meet the Privacy by Design principles.
References
• User-Managed Access (UMA) Core Protocol
• OAuth 2.0 Dynamic Client Registration Protocol
• Securing Internet of Things
• Actors in the ACE Architecture
Acknowledgements
• Eve Maler - Chair UMA WG
• UMA Work Group
Questions? Thank you
@UMAWG tinyurl.com/umawg |tinyurl.com/umafaq