20141015 how graphs revolutionize access management
Uploaded by rik-van-bruggen (category: Technology)
Transcript of the slides
Agenda
• About Graphs
• About Graph Databases
• How graphs revolutionize Access & Identity Management
  – Short demonstration
• Case Studies
• Q&A
My personal history
• Silverstream > Novell
• Novell Identity & Access Management
• Imprivata
• Courion
  – Left the industry out of frustration with the lack of “real” solutions…
  – Funnily enough, graphs could probably have helped…
Introduction: about Graphs
Meet Leonhard Euler
• Swiss mathematician
• Inventor of graph theory (1736)
Königsberg (Prussia), 1736
[Map of Königsberg: the four land masses, labelled A, B, C and D]
[The same map reduced to a graph: the four land masses A, B, C and D as nodes, the seven bridges, numbered 1 to 7, as edges]
About Graph Databases
So what is a graph database?
• An OLTP database: “end-user” transactions
• Models, stores and manages data as a graph
What is a graph?
• Node
• Relationship
Contrast with Relational
Graphs are often referred to as “whiteboard friendly”: the data model reflects the way a domain expert would naturally draw their data on a whiteboard. “The schema is the data.” Schema flexibility allows the system to change in response to a changing environment.
What are graphs good for?
Complex querying
Examples of complex queries: 1. Semi-structure in datasets
– Normalization introduces complexity
– It forces developers to write all kinds of logic in their application code to cope with this variability
Examples of complex queries: 2. Connectedness in data
Lots of normalized relationships between the different entities force developers into
• Deep joins
• Recursive joins
• Pathfinding operations
• “Open-ended” queries
Examples of Connectedness
Graphs revolutionize I&AM?
“Killing” I&AM
• Static view of the world
  – Identities are owned, created and managed by the enterprise
  – “Add, Move, Leave” operations are too slow and not aligned with the core constituencies
  – This “misalignment” was a huge frustration to me: so difficult to argue the business value, to make it truly matter to the business, …
Many of these points were articulated by Gartner’s Ian Glazer at http://blogs.gartner.com/ian-glazer/
“Killing” I&AM
• I&AM sits “apart” from the critical business applications (rather than being “a part of” them)
  – Partner applications
  – Supplier applications
  – SaaS applications
• Because of this, IAM projects often fail and lack a real business justification
  – I have lived this: no one wants an “ok” solution, and bespoke solutions are very, very expensive
“Killing” I&AM
• Many of these problems result from the fact that identity & access can no longer be represented as a strict hierarchy
  – Hierarchies cannot represent complex, multi-dimensional relationships well
How do graphs help?
• Hi-Fi representation of complex real-world relationships
• Real-time queries eliminate the need for integration and replication
1. Hi-Fi representation of reality
• I&A can be described in as many dimensions as we need
  – Multiple hierarchies form one graph: departments, suppliers, partners, assets, roles, projects…
• Cross-cutting concerns (e.g. roles in multi-functional teams) can be described easily
• Removes the need for application-specific directories and per-application user and role management
See Ted Neward’s “The Vietnam of Computer Science”
1.a. On RBAC
• Cross-cutting concerns are often described as RBAC: “Role-Based Access Control”
• The truth about RBAC
  – Role-based access is “just” another multi-dimensional view of access & identity
  – RBAC systems are graph-based in theory, but often implemented on top of an RDBMS that manages the provisioning system, which manages the application directory, which manages the application access
  – REALLY???
1.b. On Application-specific Directories
• I&AM has always been “difficult” because, essentially, it remained a complex integration project: you could not do without application-specific directories
  – Too difficult / slow to model all application-specific access in a hierarchy (i.e. LDAP)
  – This is VERY feasible in a graph
• So maybe… we would no longer need to do the integration work?
2. Real-time queries enable it all
• Access control, modeled as a graph, is a perfect Neo4j application
  – Traversals can be multi-dimensional, and pretty deep: combining different hierarchies in one query
    • Asset hierarchy
    • Organisational hierarchy
    • Partner hierarchy
  – Typical access control questions are very “local” (a traversal starts at the user or the asset node and only touches that node’s neighbourhood, whatever the total number of identities in the graph), and so have excellent performance characteristics
    • Yes/No answers to authorisation questions
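The kind of traversal this slide (and the “connectedness” slide on deep and recursive joins) has in mind, as an added example that is not from the talk and not Neo4j code: a small access graph in plain Python holding the organisational, partner, project, role and asset hierarchies in one structure. The yes/no question “can this user perform this action on this asset?” is answered by walking up from the user to its containers and roles, up from the asset to its ancestors, and checking whether a permission edge joins the two; the granting path is returned so the decision can be audited, and the same walk run backwards answers the access-review question “who can read this asset?”. All node names, relationship types and edges are constructed for this example, and the Cypher sketched in a comment is an assumed equivalent, not a query from the deck.

```python
"""Added example (not from the talk): authorisation questions as local graph traversals."""
from collections import defaultdict, deque

# Constructed sample graph: one structure holding the organisational,
# partner, project, role and asset hierarchies. Node names and
# relationship types are assumptions made for this example.
EDGES = [
    # organisational hierarchy
    ("user:alice",         "MEMBER_OF",    "dept:payments"),
    ("user:bob",           "MEMBER_OF",    "dept:fraud"),
    ("dept:payments",      "PART_OF",      "dept:finance"),
    ("dept:fraud",         "PART_OF",      "dept:finance"),
    # partner hierarchy
    ("user:carol",         "MEMBER_OF",    "partner:acme"),
    # project membership: a cross-cutting concern
    ("user:alice",         "ASSIGNED_TO",  "project:chargeback"),
    ("user:carol",         "ASSIGNED_TO",  "project:chargeback"),
    # roles hang off any container, not only off the org tree
    ("dept:finance",       "HAS_ROLE",     "role:ledger-reader"),
    ("dept:payments",      "HAS_ROLE",     "role:ledger-writer"),
    ("project:chargeback", "HAS_ROLE",     "role:case-reader"),
    # roles carry permissions on assets
    ("role:ledger-reader", "CAN_READ",     "asset:ledger"),
    ("role:ledger-writer", "CAN_WRITE",    "asset:ledger"),
    ("role:case-reader",   "CAN_READ",     "asset:cases"),
    # asset hierarchy: a permission on a parent covers its children
    ("asset:ledger/2014",  "CONTAINED_IN", "asset:ledger"),
    ("asset:cases/4711",   "CONTAINED_IN", "asset:cases"),
]

# Relationship types that make a user part of a container, and a
# container part of a bigger one; followed upward when resolving a user.
MEMBERSHIP = {"MEMBER_OF", "PART_OF", "ASSIGNED_TO"}


class AccessGraph:
    def __init__(self, edges):
        self.out = defaultdict(list)  # node -> [(rel, target)]
        self.inc = defaultdict(list)  # node -> [(rel, source)]
        for src, rel, dst in edges:
            self.out[src].append((rel, dst))
            self.inc[dst].append((rel, src))

    def walk(self, start, rels, direction="out"):
        """Breadth-first traversal from `start` over edges of the given types.
        Returns {node: (previous_node, rel)} for every node reached (start maps
        to None) so the path to any node can be rebuilt. Only the neighbourhood
        of `start` is visited: cost depends on how connected `start` is, not on
        the size of the whole graph."""
        adj = self.out if direction == "out" else self.inc
        parent, queue = {start: None}, deque([start])
        while queue:
            node = queue.popleft()
            for rel, nxt in adj[node]:
                if rel in rels and nxt not in parent:
                    parent[nxt] = (node, rel)
                    queue.append(nxt)
        return parent


def path_to(parent, node):
    """Rebuild the list of (src, rel, dst) edges from the walk's start to `node`."""
    edges = []
    while parent[node] is not None:
        prev, rel = parent[node]
        edges.append((prev, rel, node))
        node = prev
    return edges[::-1]


def explain_access(g, user, action, asset):
    """Yes/No authorisation question. Walk up from the user to every container
    and role it belongs to, up from the asset to its ancestors, and look for a
    CAN_<action> edge joining the two sets. Returns the granting path (for
    audit) or None. Assumed Cypher equivalent for action "write", sketched
    here only and not taken from the talk:
      MATCH (u {name: $user})-[:MEMBER_OF|PART_OF|ASSIGNED_TO*0..]->()-[:HAS_ROLE]->
            (r)-[:CAN_WRITE]->(a)<-[:CONTAINED_IN*0..]-(x {name: $asset})
      RETURN count(*) > 0
    """
    principals = g.walk(user, MEMBERSHIP | {"HAS_ROLE"})
    ancestors = g.walk(asset, {"CONTAINED_IN"})
    perm = "CAN_" + action.upper()
    for role in principals:
        for rel, target in g.out[role]:
            if rel == perm and target in ancestors:
                return (path_to(principals, role) + [(role, rel, target)]
                        + path_to(ancestors, target))
    return None


def can(g, user, action, asset):
    return explain_access(g, user, action, asset) is not None


def who_can(g, action, asset):
    """Access-review question (who can do `action` on `asset`?): the same walk,
    started at the asset and followed against the edge direction."""
    perm = "CAN_" + action.upper()
    users = set()
    for anc in g.walk(asset, {"CONTAINED_IN"}):
        for rel, role in g.inc[anc]:
            if rel == perm:
                users |= {n for n in g.walk(role, MEMBERSHIP | {"HAS_ROLE"}, "in")
                          if n.startswith("user:")}
    return users


if __name__ == "__main__":
    g = AccessGraph(EDGES)
    for step in explain_access(g, "user:alice", "write", "asset:ledger/2014"):
        print(step)
    print(can(g, "user:bob", "write", "asset:ledger"))   # False
    print(sorted(who_can(g, "read", "asset:ledger")))    # ['user:alice', 'user:bob']
```

Alice’s write on `asset:ledger/2014` is granted through four edges from two different hierarchies (department membership, a role on the department, the role’s permission on the parent asset, and the asset’s containment), which is exactly the multi-hierarchy traversal the slide describes; in a normalized relational schema the same answer needs a recursive join over the department tree and another over the asset tree.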
Short demo
Use Cases (neo4j.com/use-cases)
Customers (neo4j.com/customers)
Graph Gists (http://gist.neo4j.org/)
Neo4j License Overview (Neo Technology, Inc. Confidential)
• Developer Seats ($6K*/developer/year): includes access by programmers to licensed test instances, and to private instances on the programmer’s personal machine for the sole purpose of writing, debugging or testing software designed to access Neo4j
• Test Instances ($6K/instance/year): instances whose purpose is to ensure that the software accessing Neo4j is meeting specification (e.g. system test, integration test, UAT, performance test, staging)
• Production Instances (bundle / core pricing): instances that store and process data in a way that benefits and advances an organization’s goals; may be accessed by applications and/or end users
*Or otherwise, depending on the bundle and negotiation
Neo4j versions / licenses
• Personal < Startup / Departmental < Enterprise deployment models
• Open source & commercial license terms available
• Specific OEM models
Future trainings & events!
Neo Technology: www.neotechnology.com
Neo4j: www.neo4j.org
[email protected] / +32 478 686800
blog.bruggen.com / @rvanbruggen
Q&A, Conclusion, Next Steps