A technology promising to give users and corporate policy makers tight access controls over their personal or sensitive data housed in online social, sharing and business sites has taken its first step toward standardization.
User-managed data access control could put a dagger in the privacy and usage debates burning around social networking sites such as Facebook, and solve questions about control over more sensitive data stores such as health-care records and government databases.
The User-Managed Access (UMA) working group of the Kantara Initiative on Thursday submitted to the Internet Engineering Task Force (IETF) a draft recommendation for a user-managed data access protocol that has been three years in the making. The IETF meets later this month in Quebec City, Canada.
UMA lets Web application architects return to users the keys that lock their personal data by offering security, privacy and access controls. The protocol is the foundation for authorization hubs where users set policies for data sharing.
The Center for Cybercrime and Computer Security at Newcastle University in the UK is already testing UMA and believes it can be used to control sharing of sensitive data, such as employment history, exam results and health information.
“UMA provides the technology to share such data safely, putting the citizen in control,” said Aad van Moorsel, director of the Center. “We strongly believe UMA will be a cornerstone for future eGov services.”
The Center plans to publish its implementation of UMA as open source software.
Newcastle University used UMA to build its Student-Managed Access to Online Resources project, referred to as SMART. The system’s SMART Authorization Manager integrates with Facebook, leveraging friends as a ready-made access control list to set sharing policies on other sets of data. (A beta of the system is open for public use.)
The UMA working group says the protocol has the same fit with Google+ Circles, the search giant’s new social sharing site.
“Our Authorization Manager (SMARTAM) allows the individual to immediately see how information is being shared, how it is accessed. The individual can easily change security policies and as such, protect his privacy,” said Maciej Machulak, a Ph.D. student working on SMART at Newcastle.
UMA began three years ago with the brains and backing of Eve Maler, the current chairwoman of the UMA working group. Last year, the group targeted the IETF as the standards body it hoped would take on UMA, which is built on the IETF standard OAuth.
The IETF is currently working on OAuth 2.0, an authorization/authentication protocol.
At its core, UMA is an authorization mechanism. UMA authorization hubs provide an interface to set consent policies for access to cloud-based application resources. Requests for data access are routed through the UMA hub and checked against policies.
For example, an online resume could be protected and only viewed by those who have permission from the owner. Rights to view the resume are exchanged on the wire using OAuth access tokens.
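The resume scenario above, as an added example that is not code from the UMA draft, the working group or Newcastle's SMART project. It is a simplified in-process model rather than the UMA wire protocol: all class and method names are hypothetical, and opaque random tokens stand in for OAuth access tokens.

```python
import secrets
import time


class AuthorizationHub:
    """Hypothetical hub: stores owner policies and issues opaque bearer tokens."""
    def __init__(self, token_ttl=300):
        self.token_ttl = token_ttl
        self._policies = {}   # (owner, resource) -> set of permitted requesters
        self._tokens = {}     # token -> (requester, owner, resource, expiry)

    def set_policy(self, owner, resource, allowed):
        self._policies[(owner, resource)] = set(allowed)

    def request_token(self, requester, owner, resource, now=None):
        """Issue a token only if the owner's policy names this requester."""
        now = time.time() if now is None else now
        if requester not in self._policies.get((owner, resource), set()):
            return None  # default deny: no policy means no access
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (requester, owner, resource, now + self.token_ttl)
        return token

    def introspect(self, token, owner, resource, now=None):
        """Called by the resource server; re-checks policy so revocation is immediate."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return False
        requester, tok_owner, tok_resource, expiry = entry
        # A token is bound to one owner/resource pair and to a lifetime.
        if (tok_owner, tok_resource) != (owner, resource) or now >= expiry:
            return False
        return requester in self._policies.get((owner, resource), set())


class ResourceServer:
    """Hypothetical host (e.g. a resume site) with no access-control logic of its own."""
    def __init__(self, hub):
        self.hub = hub
        self._data = {}

    def store(self, owner, resource, content):
        self._data[(owner, resource)] = content

    def fetch(self, owner, resource, token, now=None):
        if token and self.hub.introspect(token, owner, resource, now):
            return self._data.get((owner, resource))
        return None  # same answer for bad token, wrong resource, or revoked policy
```

Because the resource server asks the hub on every request, an owner who edits a policy cuts off tokens that were already issued, without waiting for them to expire.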
From the business angle, UMA is exploring small business use cases where employers could control access to cloud application resources used by contractors or temporary employees.
Maler said UMA could also function as a lightweight RESTful interface for the authorization decision protocol called the Extensible Access Control Markup language (XACML). The protocol is gaining interest from enterprise IT staffs looking for standards-based centralized authorization.
“With cloud mashups and the ‘API economy’, UMA could be helpful to align more and more enterprise authorization mechanisms on simple, OAuth-friendly, concepts,” says Maler.
Most of that, however, is forward looking and at this moment Maler is just excited to have UMA before the IETF. The UMA working group will hold a public Webinar on July 13th at 9 a.m. Pacific time to demonstrate UMA.
“We feel like we have it 95% completed,” she said. And the possibilities for what she called “selective sharing” are important given the explosion in distributed computing.
“This is a way that someone who runs a Web site - social or a repository or personal data locker - can avoid putting in sophisticated access controls,” she said. “They can outsource that to some authorization manager. That is a prospect we are holding out for.”
In addition, Maler says UMA helps solve trust issues between OAuth Authorization Servers (AS) and Resource Servers (RS) if those servers live within different domains. Currently, there is no technology to support that configuration.
Maler admits UMA in its current state is just scratching the surface. “We wanted something simple so we could get started experimenting. Higher security, higher privacy requirements, higher levels of assurance; there are glimmers in UMA of how you solve those.”
Right now, however, the IETF milestone and possibly aligning or integrating with the OAuth specification is top of mind.
“A lot depends on if the rest of the world thinks these problems are as important as we do,” Maler said.