Avoiding Accidental Architecture - Implementing Graph-Based IAM & CIAM goes Beyond Better Access Control

Thank you. Woo.

Alright, thank you very much. So I, I need to first actually reach out if anybody yesterday evening attended the indicate keynote session late in the evening. I need to tell you that this session will include absolutely no jokes. There will be no standup comedy and there will be no references to the five nightmares of I am either. This will be a rather standard presentation at Cooper Cole. Okay. Thank you very much.

So, but if you did not say that, I do strongly recommend you to take a look at the recording. Actually, it's one at the time. I know I'm biased in this thing, but, you know, having a conversation that was both fun and actually putting fresh, sort of fresh perspectives on, on, on this industry, it's, it's rare actually to have. So please take a look at that. My name is Mons. I am a solution architect at Plane id.

I, I represent this company called Indicate. We are a startup company so that we are specializing in customer or consumer identity and access management where we are a solutions provider.

Okay, today I will talk about three main topics. Okay? First thing to discuss is actually sort of some market requirements and market demands that has proof points to why we exist.

I mean, we are a small company entering an already existing market with established players already. So why would you enter that market in 2023? That will be my first topic. Second topic is to interest you a little bit in graph technology, graph databases and connected data and how those actually can underpin identity management processes and actually sort of gain real benefits of, of using such a rich platform and build identity processes and an identity tooling on top of that.

Lastly, just a brief overview. Obviously what we do, our platform and how you can interact with it. That's my plan.

Okay, well known fact, most organizations actually need to sort of increase their security posture. Obviously we turn to, IM to do so, it's for data protection and improve compliance. Very sort of common in this case. But as I said, it's 2023 and there is actually need to go out of only wanting to be like a, a cost center objective. Okay? We need to put ourselves in the shoes of the business and to really support that. And I know that has been big words along many years of talking about how Im can actually support that.

But we are in this business of actually helping organizations enable new business models. So create new revenue streams. We need to tie customers closely, create loyalty, reduce churn, and actually open up for that new, those new revenue streams coming in. And the way we look at this, so we look at how the sort of the real world, the physical world actually is working. That is a highly connected world, okay? It is me obviously, but it's also my family. Two parents, two kids, okay, very traditional.

But still there is also the extended family, meaning that the elderly fathers, elderly mothers, underage children, and even people that has been given control to us to protect and care for through legal guardian concepts and things like that. That is also part of this. And it doesn't start stop only with the identities of things. It's obviously the things that we are using. So devices and things, the cars, the boats, the computers and all that. That also is part of this picture and how we interact with organizations. Obviously. How do we do data exchange with organizations?

We do that sometimes through a checkout process. When we buy something, we sometimes do that through a contract or a subscription. We sometimes do that because we have consented by somebody to actually represent either from a sort of power of attorney concept where I can on behalf of this power of attorney, be be acting on behalf of somebody else. That type of world is highly connected. And when we look to the digital world today, we actually see quite a bit of silos. It's disconnected in many ways. It's hard to reference or implement that type of, of connected world.

And this is sort of the goal where we actually want to be. Okay? I'm gonna talk a little bit about how we can create such a connected experience by, by pulling in data from various data points and actually be able to, to derive some insights and knowledge out of that. And even better, IM and better security looking a little bit to Im, and I ain't going to lecture anybody about what Im is in this audience, okay? But we need to have at least an understanding of the processes or the capabilities that we are supporting. And I'm saying we are supporting, I don't, don't mean indicate in this case.

I'm, I'm talking about in the, IM as a market, okay? There is onboarding and verification, obviously it's a start board.

We, we, we need to have lifecycle and governance of those users. We need to authenticate and federate those users as well. We need to authorize them. And finally we need to have ways of actually managing delegation through some means. Meaning we can delegate from an end user perspective or through other means where we can share this data with us with somebody. These are the critical sort of capabilities of Im, and there are multiple touchpoints to this. And those touchpoints is in a constant flux at the moment. Okay?

This, this obviously is a representation of our industry. These things are moving, people are changing, process are changing, requirements are changing, tool is changing. So obviously those types of of capabilities that we have need to be sort of reflected in certain systems and, and putting the perspective on, on taking those capabilities and applying that to the workforce where we have pretty good majority, okay? We have known requirements, we have strong competence and the tooling is actually working very well.

That is, that is my understanding of this. But moving into the further into the customer side of things, either for commercial use or sort of consumer use or when we start continuing about partners and even things, and these are not silos, okay? The capabilities will go across here. Sometimes we actually need to authorize even our cars to park for free or something like that. That is a use case that we can apply to, okay? That goes obviously to partners, how they should also be onboarded and how they can be authorized or how they can share data between each other.

And when we look to this market, we saw a little bit like current IM solution was a little bit li sort of too static in many ways and missing some of these architectures that, that, that encompass more than one human being. Okay? So being able to represent a, a dealership for instance, how would you tie your cons to your, your, your, your, your reselling parties to a dealership in a certain region? Those are the things that we need to, to be able to establish here. And if you have that vision of a connected world, there might be reasons to look elsewhere for your solutions.

And this is where sort of where indicate is actually sort of trying to make a position in this market, trying to support that really connected cross customer, cross partner across things, architectures. Many, many people ask me, especially here at conferences like this, how we fit in, in the decentralized decentralized identity ecosystem. So we heard previous speaker, there has been many session around the wallets, the verifiable credentials and all that. And I I I just needed to to to, to put this picture together in order to explain what I think we fit in, in, into this place.

So when we talk about me, it's always the personal me, but also the commercial side of me. So who do I represent? And there will be wallets and I will obviously use wallets from various issuers and we will produce several of those identity cards or credential cards or travel par passports or even identity attributes that I will need to be able to put inside my wallet. And I need to be able to share those and act as certain roles to certain organizations.

And this organization of the relying parties in the concepts of of of decentralized identity, these organizations will verify credentials, verify identity, and in this picture so far indicate has no sort of presence at all. Okay? I need to be clear on that. So we are not in this space. So why do I talk about this? Okay? The process doesn't stop here because at the relying party side of things, they will want to store this data.

If they are allowed, obviously then they want to store that data, they want to connect that data with existing data that they have and they all believe they want to enrich the user experience or, so if I am a renter and I have a driver's license and I I approach a car rental agency, they will need to store that data somewhere. And in this model, I do believe that we have a place, but it's after verification.

And, and I'm gonna explain a little bit more about this, but this is how I think how we fit in next phase of my presentation was to talk a little bit about applying graph technology. What are the benefits of doing that? Graph databases, new subject. Even to me, I'm a non-technical identity access management expert. I have no real in sort of skills in managing databases, okay? But this is interesting, I really must say I have a slide, but we can skip this. What is a graph database?

We can, you can keep that as a reference or in my world, a graph database is a special type of database that is constructed for very complex information structures. Okay? It's designed through, its through, its through its concepts of, of nodes and relationships instead of tables, records, columns and views and all that. Okay?

And no, no sort of hierarchy limitation like with ELDA or something like that. It's designed to be able to, to really capture complexities. And this complexities might be customer structure complexities, it may be product structure complexities, it may be even organizational structure complexities. What if we can just put all those complexities into a, into a database that is actually designed to actually handle that. That is what it's all about.

And since it also has a very sort of easy way of being able to change as you go without really being, to have an expert in how that data needs to be sort of migrated across different versions of your, of your data model. It opens up that you can start small and actually build up on that. It has primarily been used for analytical purposes sort for, but it's starting to get traction now also for operational use. And as within the kite we are building on that operational store and provide identity services on top of that.

So I'm gonna give an example, we can leave that, but the example I'm gonna give is in retail. And if you are not in retail, if you are in banking, insurance, telco, manufacturing, you need to think of a sort of, in your world, what would this represent in this setup? We have a retailer organization that has one single customer that customer lives at a household, shops in a store, shops have been an online store and generates transactions, receipts, okay? It's part of a loyalty program to gain benefits and this is how they relate.

This is not the data model, this is like a whiteboard session, the first session where we map out our domain, who are the actors, which is the data, how do they interface and, and, and who, who, who does what. Okay? It continues a little bit because the, the, the user is not alone. There is more customers actually belonging to the same household. It's a family. So the concept of a family is really sort of, it's like a network in itself. That family obviously also shops in store generating receipts. This family has a second household.

The summer house on the west coast of Sweden, it has a car and they want to share shopping list, okay? That's the simple example. But still it's about those simple ways of being able to share either the shopping list or even sharing the data, sharing the core of the data. The retail owner only sand has obviously more things, okay? More shops, parking lot at, at, at one of the shopping, shopping malls. There is a campaign which you can sign up for and you want more of the customer, not only the loyalty member to gain benefits from the loyalty program.

So we can actually increase the value of that loyalty program. Okay? So we want to make sure that that can happen inside the family.

So, so this, as I said, was not a graph model, but this is what we can take and put inside not only, and if we focus only a little bit about, you know, the family itself, and I know it's hard to read in the back, I'm gonna assume in a little bit just shortly, but the yellow nodes that we are seeing where Alice is a child of Bob. So we have just managed to see that. So this is an instantiation actually of the data model. It's actually Alice and Bob and, and the data model and the instantiation of the model. It's actually looking the same and behaving the same.

And we can see the semantics here very clearly. So if I sue in, even on Bob a little bit, I will say that he's a person, okay? He's age 45. He has a driver's license and the car he actually both own and can drive. So we see that for every node in the, in the, in the system, we can have multiple singular or multiple connections. And the semantic, the meaning is very clear, okay? The driver's license that bomb have, we can also have metadata protect.

So not, not to protect, to describe that, that that driver's license. So the, we would know who the issue was. We would store that issuer, it was the department of road administration.

We, we would know who asked for it. In this case it was actually our company that asked for it and we would know when we did it. And we would also have an understanding of how much we would trust that specific data property because we have a, a possibility to have a level of assurance on each individual, either property node or relationship. And we can utilize that to drive decisions. So if we trust the data highly, we can provide more services, we can make more dis more distinct decisions about these services. The same goes for the age of this, okay?

We would, we would call out to a, a national ID service to actually understand if this, this age is validated, is it the birth, birth birthdate? Perfectly fine. We can calculate the age based on that. But the interesting thing that is that we can capture all this thing information and, and this is just a fraction of that data model that we were talking about. And people may say, man, this is not identity management.

And I say, yes it is because we wanna authorize on this. We want to share database on this. And that is truly, truly identity management. Okay? Hopefully this, this type of reasoning was to say again to that, to that title of this sort of avoiding, I know it's a sort of a blunt or, or perhaps even to, to, how should I put that, that the title is a little bit sort of aggressive. What should I say?

Okay, why, why, why did I put that? But I I I, I'm here to say that by using a graph model like this, and if your re requirements point that you actually want to implement relationship between these notes, please look at graph databases as means of actually simplifying that process. It gives us the possibility to manage the complexity. It is flexible to change and it allows speed in, in, in very sort of easy ways because all the nodes and all the relationships are already computed in the system. You don't have to create a joint and actually compute that joint.

That is what this delivers in, in, IM, we can think of this and I only need to focus on the middle part of this. It, it becomes the rich operational repository of the identities and the relationships with bus, with business data. And this is truly sort of what we are aiming at. Based on that repository, we can start making real nice decisions. So finally coming to an end, I have like two minutes left. I will just sort of give a brief overview how we have implemented graph technology and put, IM on top of that. We are a SaaS based company.

So our cloud delivery model is, is the way to interact with this. It's a central service.

It, it's, it's built on top of this connected data and it's designed to support these exciting user journeys. Okay? We have four major capabilities, not product but capabilities in this case, the knowledge graph itself, which you can sort of query, search and update for any, any reason might your application need. There is an authentic authentication federation or user onboarding process here. Okay? Primary purpose of that is more or less to integrate with existing identity providers. Okay?

Our main purpose is not to replace existing identity providers, but actually to integrate with them using open id connect, having anybody sort of authenticating or verifying, verifying identities or credentials we can integrate with them. Knowledge base access control is one of the key things that we also do. Obviously making fine grain dynamic decisions about who can access what based on relationships in the graph.

And lastly, we are, we are sort of putting the first incarnation of a consent driven, trusted data sharing capability out where end users may opt in and consent that you can share data, not only data about yourself, but actually the data that relates to you with third parties. That's a really interesting use case.

You, we have demonstrations upstairs if you are interested to see. So concluding, sorry, the, the, the, the connected data we have talked about it, the identity and the notion of identity of everything fuse. Those things create digital experience. That's the main goal of our platform. The platform itself looks like this and we ask customers to bring their own applications, their own IDPs, and then give them control of the knowledge graph. In the knowledge graph.

They can build the structure, they can ingest the data from underneath, talking to existing data sources, bridging those silos, fusing the information into the knowledge graph. Then through a service layer, anybody, any application can talk to this service, rest APIs, G P C, APIs and GraphQL APIs in order to query this database. Okay?

The, the, the, the amount of use cases would take enormous time to re to actually describe, but we, we could essentially sort of describe it as any of those application can query the graph, identify nodes, and then allow the graph to compute, to traverse to find out does these patterns actually exist. And if those exist we can make decisions. This is essentially how the product works, the service works. And as actually concludes my presentation today, we are little bit about time, but I think 30 seconds is, if there's a Question actually we could take at this one question.

If not, then maybe then we can find last year, okay. Because we are already five minutes left late to the lunch break. So thank you very much.