Your relationship to a requested resource is key to making access policy decisions

Alex Babeanu 24/11/2017

“No man is an island…” John Donne, Devotions (1624)   

And equally so, no identity is complete without knowing its place within a domain of related identities and protected resources. Identities give names to things and so make them distinguishable, both to humans and to access management systems. Graph databases such as Neo4j give us the tools to build relationship-based bridges between these islands of identities and protected resources, and Neo4j's Cypher query language lets us ask which relationships entitle an identity to reach a protected resource.

Identifying devices and processes in relation to each other and to human identities is critical for securing the Internet of Things (IoT) and customer-facing internet resources. Identity Relationship Management (IRM) maps and visualizes the multitude of relationships between identities and protected resources. Expressing the relationship of a device or process to the resources it manages or uses allows authorization policy to be enforced robustly and flexibly.

Nulli – Identity Management is addressing the need for a flexible, relationship-driven identity model using the Neo4j graph database. Relationships between identities, processes and things form the basis of a fast, flexible and secure authentication and authorization model. The Nulli graph data model is proving fast, flexible and adaptive when handling authentication and authorization requests.

Looking at a real-world scenario, imagine a device that is owned, managed or used by someone or something. Ownership is best determined by a defined set of relationships that give the owner's context with respect to the device or devices. The device, governed by its owner, also needs an accredited identity of its own so it can attest that it is a valid device permitted on the network.

Based on the access policy model, the device might access online services or even other devices. Similarly, users can own devices and lend them to friends or family members so they can access remote devices, read some metrics, and so on. The possibilities seem endless, and every one of these use cases actually defines relationships between the various actors and resources of the system, and all of those relationships can be modelled in a graph. Graphs and graph databases are therefore particularly well suited to IRM, since they store relationships natively.

Graphs were thus the subject of 3 sessions at the Cloud Identity Summit (CIS) this year, including my own CIS session titled “Implementing Complex IoT Fine-Grained Access Policies”. Quite a mouthful, but the fact is that we (Nulli) have had great success implementing access policies, IRM and Identity and Access Management (IAM) systems using graph databases (hence our partnership with Neo Technologies). Real-life IoT use cases for graphs include the likes of:

“As a building owner, I need to grant access to floor N to technician JDoe so she can fix the smart sensors there.” (true real-life use-case).
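The following is an added example, not code from the original post and not Nulli's or Neo4j's implementation. It evaluates relationship-based access decisions for the scenarios above (an owner managing the devices in a building, a technician granted one floor, a user lending a personal device) over a small in-memory graph, so the logic can be run and checked without a database. The node names, the relationship types OWNS, HAS_FLOOR, HOSTS, GRANTED_ACCESS and BORROWS, the `until` expiry property and the sample data are all assumptions chosen for illustration; the Cypher query in the comment shows how the same technician check would read against Neo4j.

```python
"""Relationship-based access decisions over an identity graph.

Added example, not code from the original post or from Nulli or Neo4j.
The node names, relationship types (OWNS, HAS_FLOOR, HOSTS, GRANTED_ACCESS,
BORROWS) and the `until` expiry property are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Edge:
    src: str
    rel: str
    dst: str
    until: Optional[datetime] = None   # expiry of a time-limited grant or loan


class IdentityGraph:
    """Directed, labelled graph: identities, things and resources are nodes,
    and every relationship between them is a typed edge."""

    def __init__(self) -> None:
        self._out = defaultdict(list)

    def relate(self, src: str, rel: str, dst: str, until: Optional[datetime] = None) -> None:
        self._out[src].append(Edge(src, rel, dst, until))

    def reachable(self, start: str, pattern: tuple, now: datetime) -> set:
        """Nodes reached from `start` by following the relationship types in
        `pattern` in order (a fixed-length path match, like a Cypher MATCH).
        Time-limited edges are ignored once `now` is past their expiry."""
        frontier = {start}
        for rel in pattern:
            frontier = {
                e.dst
                for node in frontier
                for e in self._out.get(node, ())
                if e.rel == rel and (e.until is None or now < e.until)
            }
            if not frontier:
                break
        return frontier


# The policy is a set of relationship paths per action: a subject may perform
# the action on a resource if at least one of these paths connects them.
POLICY = {
    # The building owner manages every device on every floor of the building.
    "manage": [("OWNS", "HAS_FLOOR", "HOSTS")],
    # Maintenance is allowed to the building owner, or to anyone granted
    # access to the floor hosting the device (the technician use case).
    "maintain": [("OWNS", "HAS_FLOOR", "HOSTS"), ("GRANTED_ACCESS", "HOSTS")],
    # A personal device may be used by its owner or by whoever it was lent to.
    "use": [("OWNS",), ("BORROWS",)],
}

# The technician check expressed as Cypher against Neo4j (illustrative, not run here):
#   MATCH (u:User {id: $subject})-[g:GRANTED_ACCESS]->(:Floor)-[:HOSTS]->(d:Device {id: $resource})
#   WHERE g.until IS NULL OR g.until > $now
#   RETURN count(d) > 0 AS allowed


def is_allowed(graph: IdentityGraph, subject: str, action: str, resource: str, now: datetime) -> bool:
    patterns = POLICY.get(action)
    if patterns is None:
        return False   # unknown action: deny by default
    return any(resource in graph.reachable(subject, p, now) for p in patterns)


NOW = datetime(2017, 11, 24, tzinfo=timezone.utc)    # date of the post
LATER = datetime(2017, 12, 5, tzinfo=timezone.utc)   # after both grants below expire


def build_sample_graph() -> IdentityGraph:
    """Constructed sample data for the building-owner / technician scenario."""
    g = IdentityGraph()
    g.relate("org:acme", "OWNS", "building:hq")
    g.relate("building:hq", "HAS_FLOOR", "floor:hq-3")
    g.relate("building:hq", "HAS_FLOOR", "floor:hq-4")
    g.relate("floor:hq-3", "HOSTS", "sensor:hq-3-temp")
    g.relate("floor:hq-4", "HOSTS", "sensor:hq-4-temp")
    # Technician jdoe is granted floor 3 until 1 Dec 2017 to fix the sensors there.
    g.relate("user:jdoe", "GRANTED_ACCESS", "floor:hq-3", until=datetime(2017, 12, 1, tzinfo=timezone.utc))
    # Alice owns a thermostat and lends it to Bob until 30 Nov 2017.
    g.relate("user:alice", "OWNS", "device:alice-thermostat")
    g.relate("user:bob", "BORROWS", "device:alice-thermostat", until=datetime(2017, 11, 30, tzinfo=timezone.utc))
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for subject, action, resource, when in [
        ("org:acme", "manage", "sensor:hq-4-temp", NOW),
        ("user:jdoe", "maintain", "sensor:hq-3-temp", NOW),
        ("user:jdoe", "maintain", "sensor:hq-4-temp", NOW),      # wrong floor
        ("user:jdoe", "manage", "sensor:hq-3-temp", NOW),        # grant covers maintain only
        ("user:bob", "use", "device:alice-thermostat", NOW),
        ("user:bob", "use", "device:alice-thermostat", LATER),   # loan expired
    ]:
        print(f"{subject} {action} {resource} @ {when.date()} -> {is_allowed(g, subject, action, resource, when)}")
```

The point worth noticing is that no access list is stored anywhere: the technician's entitlement to the floor 3 sensors exists only as the path GRANTED_ACCESS then HOSTS, so revoking the grant or letting it expire removes every device on that floor at once, and adding a sensor to the floor later makes it reachable without touching the policy.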

In addition to providing tremendous (and much needed) simplification in modelling access policies for the huge volumes involved in IoT projects, graphs also provide a natively semantic web of well-labelled data. The relationships in a graph actually introduce meaning to the objects they connect. This has been well known at least since Sir Tim Berners-Lee showed their importance in the early 2000s in his efforts to create the Semantic Web. Graphs were, and are, thus at the very core of the W3C RDF specification, one of the standards underlying the Semantic Web: “The Resource Description Framework (RDF) is a framework for representing information in the Web. […] RDF graphs are sets of subject-predicate-object triples…”.

Graph databases are quite mature nowadays, and the mere fact of storing data in them makes it transcend the bytes it uses; data becomes knowledge. Back in the mid-1990s, when I was studying AI in Edinburgh, we called these “knowledge-based systems” (KBS), and they are still called that. When we use graphs to model access permissions, we are therefore, in effect, creating IAM knowledge-based systems.

Graphs alone are not sufficient, though: “intelligent” here means a system capable of adapting to unforeseen situations, and today the only practical way to achieve that is through machine learning algorithms. The knowledge stored in a graph is well labelled and can therefore be used to train supervised learning algorithms, depending on the type of access problem being solved.

We are now in the age of Intelligent Identity, and as the threats themselves become more intelligent, organizations worldwide, small and large, will have no choice but to adopt these relationship-driven techniques.

To learn more about Neo4j or how Nulli uses graph databases to enhance flexibility and speed of IAM systems needing to address massive relationship models in Customer Identity Access Management (CIAM) or Identity for the Internet of Things (IoT), give us a call or email us here.
