Kantara UMA Standard Achieves V1.0 Status, Signifying A Major Milestone for Privacy and Access Control

Kantara Initiative is calling on organizations to implement User-Managed Access in applications and IoT systems

Piscataway, NJ, May 5, 2015 – Kantara Initiative announces that the User-Managed Access (UMA) Version 1.0 specifications have achieved the status of Kantara Initiative Recommendations through an overwhelming show of support from the organization’s Members. To mark this milestone, Kantara will be holding a free live webcast on May 14 at 9am Pacific.
Developed through an open and transparent standards-based approach, the UMA web protocol enables both privacy-enhancing consumer-controlled scenarios for release of personal data and next-generation business scenarios for access management. The UMA Work Group has identified a growing variety of use cases, including patient-centric health data sharing, citizen-to-government attribute control, student-consented data sharing, corporate authorization-as-a-service, API security, Internet of Things access control, and more.

“UMA has been generating industry attention with good reason. UMA bridges a critical gap by focusing on customer and citizen engagement to transform privacy considerations into real business development opportunities,” said Joni Brennan, Executive Director, Kantara Initiative.

UMA is an OAuth-based protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data.  By letting a user lodge policies with a central authorization service that requires a requester “trust elevation” (for example, proving who they are or promising to adhere to embargoes) before that requester can access data, UMA enables privacy controls that are individual-empowering – an idea that has perhaps gotten lost in the rush to corporate privacy practices that have focused on compliance.
This model enables individuals interacting with the web to conveniently reuse “sharing circles” and set up criteria for access at a single place, referred to as the UMA authorization server, and then go about their lives. For enterprises, deploying UMA allows applications to be loosely coupled to authorization methods, significantly reducing complexity, and to make the process of access decision-making more dynamic.

“Existing notice-and-consent paradigms of privacy have begun to fail, as evidenced by the many consumers and citizens who feel they have lost control of how companies collect and use their personal information,” said Eve Maler, ForgeRock’s VP of Innovation & Emerging Technology and UMA Work Group Chair. “We’re excited that UMA’s features for asynchronous and centralized consent have matured to reach V1.0 status.”

“The future Internet is very much about consumer personal data as an important part of the broader data-driven economy ecosystem. If personal data is truly a digital asset, then consumers need to ‘own’ and control access to their various data repositories on the Internet. The UMA protocol provides this owner-centric control for sharing of data and resources at Internet scale,” says Thomas Hardjono, Executive Director of the MIT Kerberos & Internet Trust Consortium and UMA Work Group specification editor.

“With the growing importance of personal data on the Internet, there is a clear need for new ways to allow individual users be in control of their data as an economic asset.” says Dr. Maciej Machulak, Chief Identity Architect of Synergetics and UMA Work Group Vice-Chair. “UMA can become the very basis for the profound trust assurance and notably the trust perception with end-users and organizations, that is required to finally introduce end-users as genuine stakeholders in their own processes and the integration point of their own data.”

Companies, organizations, and individuals can get involved by joining Kantara Initiative and the UMA Work Group, taking part in planned interoperability testing, and attending the webcast.

“In the Digital Economy where personal data is the new currency, User-Managed Access (UMA) provides a unique vision to empower individual more effectively and efficiently and enables a new approach to secure and protect distributed resources, unlocking the value of personal data.” Said Domenico Catalano, Oracle

“UMA promotes privacy by facilitating access by reference instead of by copy and, most important, by shifting access controls away from inscrutable prior consent to user-transparent authorization.” Said Adrian Gropper, MD CTO, Patient Privacy Rights.

“UMA is the first standard to enable centralized API access management for individuals or organizations. The promise of UMA is to enable the consolidation of security for a diverse group of cloud services. Combined with OpenID Connect for client and person identification, the Internet now has a modern standards infrastructure for Web and mobile authentication and authorization.” Said Mike Schwartz, Founder & CEO, Gluu

“UMA is a major step forward in giving individuals control over their own personal data on the internet. It is a key building block of an environment where people can continuously control access to their sensitive data, rather than simply handing that data over to vendors and hoping they don’t misuse it (or lose it).” Said Gil Kirkpatrick CTO ViewDS Identity Solutions

Kantara Initiative provides strategic vision and real world innovation for the digital identity transformation. Developing initiatives including: Identity Relationship Management, User-Managed Access (EIC Award Winner for Innovation in Information Security 2014), Identities of Things, and Minimum Viable Consent Receipt, Kantara Initiative connects a global, open, and transparent leadership community. Luminaries from organizations including: CA Technologies, Experian, ForgeRock, IEEE-SA, Internet Society, Radiant Logic and SecureKey drive strategic insights to progress the transformational elements needed to leverage borderless Identity for IoT, access control, context, and consent.