In a world of Internet and cloud computing, the issue of ‘identity’ is not a cut and dried thing. Software applications and their data now sit in many more locations, i.e. not just on your computer or your mobile device, but inside a cloud datacenter, inside a firewall and perhaps inside a ‘workflow’ process that is connected to all of the above. Knowing who owns what data, and which applications and/or databases should enjoy access privileges to what data, is a matter of ‘electronic identity’, if you will.
User-Managed Access (UMA)
With the identity market now burgeoning, the race is on to create standards and assert ownership and credible thought leadership positions. Identity and access management company ForgeRock is attempting to spearhead a new ‘digital consent and privacy’ initiative to accelerate developer adoption of the User-Managed Access (UMA) standard.
NOTE: The UMA standard is a web-based access management protocol that enables both consumer privacy scenarios and business authorisation scenarios.
The firm says it will drive the new Kantara Initiative UMA Developer Resources Work Group (UMA Dev WG) to release new open-source UMA implementation toolkits for web applications and the Internet of Things. Kantara itself is a non-profit professional association dedicated to advancing technical and legal aspects of ‘digital identity transformation’.
“As organizations collect more and more user information in order to deliver more personalized experiences to consumers, failing to offer those consumers a way to actually manage that personal information themselves is a privacy time-bomb,” said Eve Maler, ForgeRock’s vice president of innovation and emerging technology. “ForgeRock believes UMA is the right solution to apply before the problem explodes.”
The UMA Dev WG says it believes that by empowering consumers with new controls that offer greater flexibility around what they have to share online, confidence could be boosted.
Welcome to consent 2.0
UMA, launched by the Kantara Initiative in 2009, is an OAuth-based protocol that gives a web user a unified control point for authorizing who and what can get access to their online personal data. ForgeRock’s forthcoming addition of OpenUMA support to the firm’s own branded identity platform is designed to help deliver so-called “consent 2.0” experiences to users who are increasingly concerned about their ability to manage their digital privacy.
“At Philips, we’re on a mission to improve people’s lives and to empower people to take better care of themselves and others. With the rise of cloud-based data, health and wellness apps and consumer sensors, it’s important to be able to share all those sources of data with family members, health professionals and others under close personal control,” said Jeroen Tas, CEO, Healthcare Informatics Solutions and Services, Philips. “With OpenUMA, we are able to design innovative data-sharing and consent technologies into our HealthSuite Digital Platform that make it possible to foster consumer and patient trust.”
Practical examples: how the UMA standard works
The UMA standard might (for example) work as follows: instead of making copies of a child’s healthcare records at the beginning of the school year and walking them into the school office where they will be filed, a parent could give the school access to the online record for one week at the start of the school year. Once the school confirms the child’s health status and vaccinations, access to the digital record can be revoked, eliminating the need to duplicate personal healthcare records and maintaining privacy.
In a similar fashion, financial records can be shared with tax accountants and loan officers and healthcare records can be shared with medical specialists. With UMA, individuals can grant access to digital records on a need-to-know basis and for only an appropriate length of time.
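As an added illustration (not code from ForgeRock, Kantara or the UMA specification), the sketch below models the school scenario as an owner-controlled policy that is checked on every access, so expiry and revocation take effect without any copy of the record leaving the owner's control. The class names, resource and party identifiers and dates are constructed for the example, and it models only the access decision, not UMA's protocol messages.

```python
# Simplified model with hypothetical names; not the UMA wire protocol.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    resource: str          # constructed id, e.g. "health-record/child-1"
    party: str             # who may access, e.g. "school-office"
    scopes: frozenset      # permitted actions, e.g. {"view"}
    not_before: datetime
    expires_at: datetime
    revoked: bool = False

class PolicyStore:
    def __init__(self):
        self._grants = []  # the resource owner's sharing decisions

    def share(self, resource, party, scopes, start, duration):
        grant = Grant(resource, party, frozenset(scopes), start, start + duration)
        self._grants.append(grant)
        return grant

    def revoke(self, grant):
        grant.revoked = True

    def is_allowed(self, resource, party, scope, now):
        # Default deny: access needs a live, unrevoked, matching grant.
        return any(
            g.resource == resource and g.party == party and scope in g.scopes
            and not g.revoked and g.not_before <= now < g.expires_at
            for g in self._grants
        )

def school_year_scenario():
    """Replays the article's school example with constructed dates."""
    store = PolicyStore()
    start = datetime(2015, 9, 1, tzinfo=timezone.utc)
    rec, school = "health-record/child-1", "school-office"
    grant = store.share(rec, school, {"view"}, start, timedelta(weeks=1))
    day2 = start + timedelta(days=2)
    results = {
        "view_in_window": store.is_allowed(rec, school, "view", day2),
        "download_in_window": store.is_allowed(rec, school, "download", day2),
        "other_party": store.is_allowed(rec, "tax-accountant", "view", day2),
        "after_expiry": store.is_allowed(rec, school, "view", start + timedelta(weeks=1)),
    }
    store.revoke(grant)  # owner withdraws consent before the week is up
    results["after_revoke"] = store.is_allowed(rec, school, "view", day2)
    return results
```

Only the in-window "view" request by the named party succeeds; a different action, a different party, a request at or after expiry, and any request after revocation are all denied.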
The new Kantara Initiative Work Group will provide free and open-source software for developers incorporating UMA enablement and protection into applications, services and devices. The software, which will be available in languages such as Java, C++ and Python, promises to make it easy to add interoperable authorization, access control, privacy and consent features to application ecosystems.