Identity and Graph
Graph databases are the new foundation for the next generation of Relationship Centric Identity Management systems. As the integration of people, devices and processes continues to grow in number and complexity, understanding the relationships between these elements is becoming critical to authentication, authorization and auditing decisions. Relationship Based Access Control (RelBAC, also written ReBAC) allows for more robust representations of the interconnectedness of people, processes and things. RelBAC is increasingly the key to supporting rapid decisions that provide reliable, scalable security models in the new Identity eco-system.
Graph databases are one member of the NoSQL database family and are key to the successful implementation of dynamic relationship based authorization decisions. Graphs excel at querying and maintaining interconnected data and have risen to prominence over the last decade with the advent of social networking.
Graph databases are relationship centric and thus different from the traditional identity stores of SQL databases or LDAP enabled directories. In a graph database the relationship is an object in its own right and is persisted to disk. Contrast this with a relational database, where relationships are computed at query time through joins, adding processing overhead and contributing to high latencies. LDAP enabled directories, which do not support joins at all, cannot meet the performance requirements of a relationship centric identity system. Graph databases respond well to open ended relationship queries where the degree of separation is unknown in advance. Queries of this kind are not practical in a SQL database.
As the field of Identity Management marches forward with increasingly interconnected identities (users, services and devices), systems will need to scale in order to respond to open ended relationship-centric queries.
Graph databases also lend themselves well to modelling real-world entities. They can be used to represent and relate formerly siloed data stores, creating a picture of the entire enterprise. Because they are schemaless, with everything stored as a node or a relationship carrying key-value pairs, there are no “impedance mismatch” problems between unrelated schemas. With a holistic view of the enterprise it is easy to determine how formerly unrelated items are connected, and from those formerly unknown or undefined relationships new attributes can be inferred. The graph database thus lends itself to relationship based access control (ReBAC).
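The two points above, that each relationship is a persisted record rather than a join computed at query time, and that an authorization question is an open ended traversal whose degree of separation is unknown, can be shown with a small ReBAC decision over an in-memory graph. This is an added example, not Nulli's plugin or Neo4j code: the graph, its node names and its relationship types (MEMBER_OF, MANAGES, OWNS, EXPOSES, CAN_READ, REPORTS_TO) are constructed for illustration, and the Python dictionary stands in for the native graph store.

```python
from collections import deque

# Constructed sample identity graph (not real customer data). Each tuple is one
# persisted relationship record, the way a graph database stores an edge:
# (source node, relationship type, target node).
RELATIONSHIPS = [
    ("alice", "MEMBER_OF", "finance-analysts"),
    ("finance-analysts", "MEMBER_OF", "finance"),
    ("finance", "MANAGES", "ledger-service"),
    ("ledger-service", "EXPOSES", "/ledger/reports"),
    ("carol", "OWNS", "/ledger/reports"),
    ("bob", "MEMBER_OF", "marketing"),
    ("marketing", "MEMBER_OF", "all-staff"),
    ("finance", "MEMBER_OF", "all-staff"),
    ("all-staff", "CAN_READ", "/wiki"),
    # Two groups that are members of each other: a cycle the traversal must not loop on.
    ("dave", "MEMBER_OF", "eng"),
    ("eng", "MEMBER_OF", "platform"),
    ("platform", "MEMBER_OF", "eng"),
    # An organisational edge that must not confer access by itself.
    ("eve", "REPORTS_TO", "alice"),
]

# Relationship types the policy treats as conferring access when followed.
# Hypothetical names chosen for this example.
PERMISSION_EDGES = frozenset({"MEMBER_OF", "MANAGES", "OWNS", "EXPOSES", "CAN_READ"})


def build_adjacency(relationships):
    """Index relationships by source node so a traversal step is a lookup on a
    stored edge, not a join computed at query time."""
    adjacency = {}
    for source, rel_type, target in relationships:
        adjacency.setdefault(source, []).append((rel_type, target))
    return adjacency


def find_access_path(adjacency, subject, resource, allowed=PERMISSION_EDGES, max_depth=6):
    """Breadth-first search from subject to resource following only allowed
    relationship types. The degree of separation is not known in advance; the
    search stops at the shortest path, at max_depth hops, or when the reachable
    graph is exhausted. Returns the list of (node, rel_type, node) hops, or None."""
    queue = deque([(subject, [])])
    visited = {subject}  # guards against cycles such as eng <-> platform
    while queue:
        node, path = queue.popleft()
        if node == resource:
            return path
        if len(path) >= max_depth:
            continue  # bounded depth keeps an open-ended query from running away
        for rel_type, target in adjacency.get(node, []):
            if rel_type in allowed and target not in visited:
                visited.add(target)
                queue.append((target, path + [(node, rel_type, target)]))
    return None


def is_authorized(adjacency, subject, resource, **kwargs):
    """Policy decision: permit only if an access path exists."""
    return find_access_path(adjacency, subject, resource, **kwargs) is not None


ADJACENCY = build_adjacency(RELATIONSHIPS)

if __name__ == "__main__":
    checks = [("alice", "/ledger/reports"), ("bob", "/ledger/reports"),
              ("bob", "/wiki"), ("dave", "/ledger/reports"), ("eve", "/ledger/reports")]
    for subject, resource in checks:
        path = find_access_path(ADJACENCY, subject, resource)
        decision = "PERMIT" if path else "DENY"
        # The path doubles as the audit record explaining the decision.
        print(f"{decision}: {subject} -> {resource}", path or "")
```

Two design points carry over to a real deployment: the set of relationship types that confer access is part of the policy, so an edge like REPORTS_TO is stored but never traversed for authorization, and the depth bound plus the visited set keep an open ended query from looping on mutually nested groups. In Neo4j the same question is a variable-length pattern query; the returned path is what an auditor sees.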
The ForgeRock™ stack lends itself to maintaining identity data in the graph database via Identity Management and then using those identity relationships for policy decisions in Access Management.
Nulli can help your enterprise:
- Integrate the Neo4j® graph database to support authorization decisions consumed by Access Management.
- Model your identity data as a graph in Neo4j.
- Convert your identity data to Neo4j.
- Maintain your identity relationship data in Neo4j.
- Create authentication and/or authorization solutions using ForgeRock and Neo4j that are tailored to your specific needs.
Our Partner Solutions
Graph databases rose to prominence with social networking, where the underlying technology was largely proprietary R&D; in the commercial graph database space, Neo4j is the leading vendor. Neo4j employs native graph storage to fully leverage the power of the graph, as opposed to other products where the graph component is merely a logical layer over another store. Neo4j can scale to billions of nodes and can be deployed in a full high availability (HA) architecture.
ForgeRock and Neo4j
- Use ForgeRock Access Management to authorize access to resources. Given its flexible support for disparate objects and relationships, Neo4j makes for a very robust and flexible authorization model. Nulli has an open source generic policy condition plugin for Access Management that allows Neo4j to be queried for authorization requests.
- Use ForgeRock Identity Management to provision accounts, objects and relationships to the Neo4j graph database.
- Use ForgeRock log data to build out pertinent transaction history in Neo4j for more robust decision making.
- Use ForgeRock Identity Gateway as a secure identity gateway for Neo4j.