Reinventing
Identity & Access Management
With Graph Databases
WhiteHall Media IDM conference, June 21st 2017
Rik VanBruggen
Regional VP
@rvanbruggen
rik@neotechnology.com
RELATIONAL DATABASES
This is data modeled as tables!
This is data modeled as graph!
A Property Graph Is
[Diagram: nodes with properties (e.g. PERSON with NAME: ANNE, CHECKING ACCOUNT, BANK, COMPANY, NEO, STANFORD, COLUMBIA) connected by relationships with properties (HAS, KNOWS, WORKS_AT, STUDIED_AT).]
A Property Graph Is Also Very Applicable To IAM
Identity & Access Management (IAM)
Who gets access to what, at the right time, and for the right reason.
Why we need to reinvent IAM?
Traditional IAM systems:
1) Static idea of identity
2) Underlying assumption that organisations are hierarchical
1) Identity is increasingly complex
http://blogs.gartner.com/ian-glazer/2013/02/08/killing-iam-in-order-to-save-it/
[Diagram: ADD / CHANGE / LEAVE processes in IAM, spanning Active Directory, SAP, Knowledge Base, CRM, Customer Support, Inside Sales and the HR-system.]
Static identities left the building!
Dynamic Complexity of Digital Identities
User identities: personal, customer, partner, consumer, citizen
Identity of things: serial #, unique id
Identity of services: web-service, micro-service
Device <-> Service
Security end to end: identity of users, identity of things, identity of services
“RBAC on steroids”
Why we need to reinvent IAM?
1) Identity is increasingly complex
2) Traditional hierarchies are being revised
Ideal World: running up and down the tree, parent-child relationships
Real World: query complex, multi-dimensional relationships that traverse multiple hierarchies in real-time
Why we need to reinvent IAM?
1) Identity is increasingly complex
2) Traditional hierarchies are being revised
3) Access Management is more and more about the relationships between users, partners, customers, things and their different touchpoints within organisations and eco-systems, and will need to provide REAL-TIME checks
Identity Access Management → Identity Relationship Management
[Diagram: People: customers (millions), partners and suppliers, workforce (thousands). Endpoints: PCs, tablets, phones, wearables, things (tens of millions). Applications and data: on-premises, private cloud, public cloud.]
“GDPR compliance will largely depend on our ability to check
complex relationship patterns in real-time.”
How does Neo4j help?
Hi-Fi model of reality
• IAM can be described in as many dimensions as we need
• Multiple hierarchies form one graph: departments, suppliers, partners, assets, roles, projects…
• Cross-cutting concerns (e.g. roles in multi-functional teams) can be easily described
• This flexibility removes the need for application-specific directories / user+role management in the long run
Complex traversals = graph affinity
• Access control, modeled as a graph, is a perfect graph database application
• Traversals can be multi-dimensional, and pretty deep: combining different hierarchies in one query
  • Asset hierarchy
  • Organisational hierarchy
  • Partner hierarchy
• Added value of “impact analysis” questions to prevent accidental service disruption
• Typical access control questions are very “local” (they only touch the neighbourhood of the user and the asset, not the whole graph), and have excellent performance characteristics
• Yes/No answers to authorisation questions
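As an added example (not code from the talk, from Neo4j, or from any real deployment), the two points above, a yes/no authorisation check that walks the organisational hierarchy and the asset hierarchy in one traversal, and an impact-analysis question, modelled in plain Python over a small in-memory property graph. The node labels, relationship types (MEMBER_OF, CHILD_OF, HAS_ROLE, GRANTS, PART_OF) and the sample people, teams, roles and assets are all constructed for illustration; in Neo4j the same questions would be Cypher pattern matches, but the traversal logic is the same.

```python
"""Added example: graph-based access control with two hierarchies.

Relationship types (assumed for this example, not the talk's own model):
  MEMBER_OF  Person -> Team | Project      CHILD_OF  Team -> Department
  HAS_ROLE   Team | Project | Department -> Role
  GRANTS     Role -> Asset (property: permission)
  PART_OF    Asset -> parent Asset
"""
from collections import defaultdict, deque


class Graph:
    """Minimal property graph: nodes carry properties, edges carry a type."""

    def __init__(self):
        self.nodes = {}
        self.out = defaultdict(list)   # src -> [(rel, dst, props)]

    def add_node(self, nid, **props):
        self.nodes[nid] = props

    def add_rel(self, src, rel, dst, **props):
        self.out[src].append((rel, dst, props))

    def ancestors(self, start, rels):
        """Breadth-first walk over outgoing edges of the given types.
        The visited set also protects against cycles in mis-modelled data."""
        seen, queue = {start}, deque([start])
        while queue:
            n = queue.popleft()
            for rel, dst, _ in self.out[n]:
                if rel in rels and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return seen


def roles_of(g, person):
    """Every role reachable through team, project and department membership:
    the organisational hierarchy and cross-cutting projects in one traversal."""
    scope = g.ancestors(person, {"MEMBER_OF", "CHILD_OF"})
    return {dst for n in scope for rel, dst, _ in g.out[n] if rel == "HAS_ROLE"}


def can_access(g, person, asset, permission):
    """Deny by default: yes only if some role of the person grants the
    permission on the asset itself or on one of its ancestors (grants
    inherit down the asset hierarchy, never up)."""
    targets = g.ancestors(asset, {"PART_OF"})
    for role in roles_of(g, person):
        for rel, dst, props in g.out[role]:
            if rel == "GRANTS" and dst in targets and props.get("permission") == permission:
                return True
    return False


def impact_of_removing_role(g, role, asset, permission):
    """Impact analysis: who would lose `permission` on `asset` if `role`
    were deleted? Evaluate with and without the role's outgoing grants."""
    people = [n for n, p in g.nodes.items() if p.get("label") == "Person"]
    before = {p for p in people if can_access(g, p, asset, permission)}
    saved = g.out.pop(role, [])
    after = {p for p in people if can_access(g, p, asset, permission)}
    g.out[role] = saved                       # restore the graph
    return sorted(before - after)


def build_sample_graph():
    """Constructed sample data (not from any real organisation)."""
    g = Graph()
    for p in ("anne", "bob", "carol"):
        g.add_node(p, label="Person")
    for n in ("inside_sales", "support", "gdpr_taskforce", "sales_dept", "ops_dept"):
        g.add_node(n, label="Group")
    for r in ("sales_reader", "support_agent", "dpo_auditor"):
        g.add_node(r, label="Role")
    for a in ("crm", "crm/customers", "crm/customers/eu", "hr_system"):
        g.add_node(a, label="Asset")
    g.add_rel("anne", "MEMBER_OF", "inside_sales")
    g.add_rel("bob", "MEMBER_OF", "support")
    g.add_rel("carol", "MEMBER_OF", "support")
    g.add_rel("carol", "MEMBER_OF", "gdpr_taskforce")   # cross-cutting project
    g.add_rel("inside_sales", "CHILD_OF", "sales_dept")
    g.add_rel("support", "CHILD_OF", "ops_dept")
    g.add_rel("sales_dept", "HAS_ROLE", "sales_reader")  # inherited by inside_sales
    g.add_rel("support", "HAS_ROLE", "support_agent")
    g.add_rel("gdpr_taskforce", "HAS_ROLE", "dpo_auditor")
    g.add_rel("sales_reader", "GRANTS", "crm", permission="read")
    g.add_rel("support_agent", "GRANTS", "crm/customers", permission="read")
    g.add_rel("dpo_auditor", "GRANTS", "hr_system", permission="audit")
    g.add_rel("crm/customers", "PART_OF", "crm")
    g.add_rel("crm/customers/eu", "PART_OF", "crm/customers")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(can_access(g, "anne", "crm/customers/eu", "read"))   # True via sales_dept -> crm
    print(can_access(g, "bob", "crm", "read"))                 # False: grant on a child only
    print(impact_of_removing_role(g, "support_agent", "crm/customers", "read"))
```

The check is "local" in the sense the slide means: it expands only the neighbourhood of one person and one asset, so its cost depends on the depth of the two hierarchies, not on the number of users or assets in the graph. The impact query is the same check run for every person, which is exactly the kind of question to answer before deleting a role.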
Who’s using Neo4j?
Case Studies
Thank you!
