When it comes to identity management, major advances around the User-Managed Access (UMA) standard, which is based on the OAuth protocol, have made it possible for end users to define what level of permission and access they want to grant others to the documents they create.
Now ForgeRock, a provider of identity management software, wants to extend that concept out to Web and Internet of Things (IoT) applications on a much broader scale via the formation of a Kantara Initiative UMA Developer Resources Work Group (UMA Dev WG) that promises to create open-source UMA implementation toolkits.
Eve Maler, vice president of innovation and emerging technology for ForgeRock and executive director of the Kantara project, said the goal is to enable developers to embed more sophisticated approaches to managing identity and permission that can be inherited across multiple users and machines. Deploying Web and IoT applications at scale by definition requires those capabilities, but at present providing that level of richness and depth in identity management and permission controls is too difficult for the average developer to implement, Maler said.
The UMA Dev WG will address that issue by providing open-source software, initially for Java, C++, and Python developers, for incorporating UMA enablement and protection into applications, services, and devices. This software will make it simpler to add interoperable authorization, access control, and privacy and consent features to a wide variety of applications.
Traditionally, identity and access controls were things that internal IT organizations and compliance officers worried about after an application was developed. But given the increased awareness of security that is being driven by almost daily breaches of applications, IT organizations are pushing more responsibility for security controls back onto the shoulders of developers. While that’s fine in theory, the number of toolkits that make it simple to add this level of control has been limited, and working directly with the OAuth protocol itself can be cumbersome. OAuth tends to require a level of implementation expertise that developers generally don’t have.
While there may never be such a thing as perfect security, right now it’s simply too easy to hack into an application. As the API economy continues to expand, all those data breaches threaten to hamper its growth because organizations will be reluctant to integrate applications that they view as being inherently insecure.
The Kantara UMA Dev WG may not wind up being the only way to solve application security over the long haul, but it certainly represents a step in the right direction.