Neo4j GraphDay - Securing and Auditing Active Directory - Kees Vegter, Neo4j

  1. Active Directory: securing and auditing. GraphDay Amsterdam, June 6 2017. Kees Vegter, Field Engineer
  2. IAM and Neo4j. Securing and Auditing Active Directory. AGENDA: Demo
  3. The Business Impact
  4. The Business Impact: SONY
     • Stocks tumbled 10%
     • Estimated loss of $100 million
     • Employees forced to use fax, snail-mail and phones only for weeks
     • Public reputations tarnished
  5. Problem statement from a Fortune 50 Customer: "Our IAM analysts are unable to accurately identify and manage security risks in an acceptable timeframe using tools that rely on our existing Active Directory implementation."
  6. Active Directory Implementation: Common Practices
  7. AD solely managed by IT
     • IAM is typically the responsibility of IT
     • IT personnel rarely have insight into overall organizational structure.
     • Group and account naming, as well as policy and permission association, become confusing or cryptic and lingo-laden.
     • Group and account descriptions neglected.
     Examples: Account: HR_DEF_BAS02, Group: HR_RW_NOIT_1A, Account: HRSOM01
  8. Managing groups without understanding AD structure and relationships
     • Unmanaged AD growth leads to unintended or misunderstood group nesting.
     • Nested groups inherit permissions and policies.
     • Deeply nested groups increase the risk of unexpected, unintended inheritance.
     • All of this leads to unnecessary and/or unauthorized access.
  9. Unmanaged growth and limited monitoring
     • AD structure is constantly evolving to reflect the reality of your IAM effort.
     • Group and account management is a demanding, ongoing process that requires an in-depth and up-to-date understanding of content and structure.
  10. Rigid hierarchies have defined how we have built IAM tools in the past
  11. Ideal organic growth
  12. Real organic growth
  13. Auditing AD in Neo4j: Real customer questions
  14. Business questions of a Fortune 50 customer: "How many accounts have 'Local Admin' access to a particular resource at a particular time?"
  15. Business questions of a Fortune 50 customer: "How can I define and determine which groups, accounts and servers have the highest risk?"
  16. Business questions of a Fortune 50 customer: "How can I understand the impact of pruning groups from my domains?"
  17. Business questions of a Fortune 50 customer: "What is the most efficient way to assign access to a particular resource?"
  18. Auditing AD in Neo4j: An actual audit: Risk Measures
  19. Defining Risk: Accounts
  20. Defining Risk: Servers
  21. Defining Risk: Groups. What's the business impact if an account in this group is compromised?
  22. Drilling Down: Exploring Risk Through Traversal
  23. Drilling Down: Exploring Risk Through Traversal
  24. Drilling Down: Exploring Risk Through Traversal
  25. Quick Start: Plan Your Project
  26. Quick Start: Plan Your Project. Expired guest account with local admin access via 7 relationships and 5 nested groups
  27. Path Risk
  28. Path Risk
  29. Customer Example: Neo4j AD Audit feedback loop (architecture diagram). Components: Active Directory; Neo4j AD Graph ETL Engine (AD data processed in batch or in real-time); Graph Database Cluster (three Neo4j instances); AD Audit and Visualization Dashboard; Data Scientist; End User
  30. IAM and Neo4j. Securing and Auditing Active Directory. AGENDA: Demo
  31. Showcase an example AD monitor: Neo4j AD Data Demo Application
     • Analyze AD structure and event data in the database
     • Solution architecture
     • An example application showing the power of graph visualization in your business application.
     • There are a lot of visualization products available today...
  32. Demo
  33. Demo 2
     • The size of the database is not affecting your (local) query performance
     • It is possible to add data, which will give new possibilities
     • For this demo it is 'Logon data', but in theory it can be anything.
  34. IAM and Neo4j. Securing and Auditing Active Directory. AGENDA: Demo
  35. GRAPH THINKING: Identity And Access Management. Diagram relationships: TRUSTS, AUTHENTICATES, CAN_READ. Neo4j use cases: Real Time Recommendations, Master Data Management, Fraud Detection, Identity & Access Management, Graph Based Search, Network & IT-Operations
  36. Identity & Access Management (IAM): Who gets access to what, for the right reason, at the right time
  37. Identity & Access Management: Defining Identity
  38. Identity & Access Management: The structure of organisations
  39. Traditional IAM systems: 1) Static idea of Identity; 2) Underlying assumption that organisations are hierarchical
  40. Emerging Complexity of Identity
  41. Complexity of Digital Identities. User identities: Personal, Customer, Partner, Consumer, Citizen. Identity of Things: Serial #, Unique id
  42. Complexity of Digital Identities: Identity of users; Identity of things; Applications and services; Device <-> Service Security End to End
  43. Access Management is traditionally designed with the underlying assumption that everything is hierarchical
  44. Rigid hierarchies have defined how we have built IAM systems in the past
  45. Representing your organisation as a graph enables you to build stronger and more accurate IAM
  46. Ideal World: Parent-Child relationships. Real World: Query complex relationships in real-time
  47. Identity Access Management vs Identity Relationship Management (diagram labels). People: Workforce (thousands), Partners and Suppliers, Customers (millions). Endpoints: PCs, Tablets, Phones, Wearables, Things (tens of millions). Applications and data: On-premises, Private Cloud, Public Cloud
  48. Different ways of adopting Neo4j for IAM: 1. Build your IAM as a Graph; 2. Augment your existing IAM with Neo4j
  49. Q & A. Kees Vegter, kees@neotechnology.com
  50. Software Architecture Demo: Neo4j (AD Data); Tomcat (Web App); Browser App
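
Slides 8 and 26 make the same point from two sides: nested groups inherit permissions, so an account can end up with Local Admin on a server through a chain of group memberships nobody planned, and a stale (expired or disabled) account at the start of such a chain is the audit finding that matters. The script below is an added example, not code from the deck or from Neo4j; it models a small constructed slice of AD as an in-memory graph (the group name HR_RW_NOIT_1A comes from slide 7, every other account, group, server and membership is made up) and walks the MEMBER_OF / LOCAL_ADMIN_ON relationships to report who holds admin where, through how many nested groups, and whether the account should still be active. The audit date is assumed to be the talk date.

```python
"""Audit effective 'Local Admin' access reached through nested AD group membership.

Added example (not part of the slides). A tiny slice of Active Directory is modelled
as an in-memory graph and traversed to answer two of the deck's questions:
  - which accounts end up with Local Admin on a server through group nesting, and
  - which of those grants belong to an expired or disabled account.
All accounts, groups, servers and memberships below are constructed sample data.
"""
from collections import deque
from datetime import date

# Constructed sample accounts: enabled flag and optional expiry date.
ACCOUNTS = {
    "alice":   {"enabled": True,  "expires": None},
    "guest42": {"enabled": True,  "expires": date(2016, 12, 31)},  # expired guest
    "svc_bak": {"enabled": False, "expires": None},               # disabled service account
}

# MEMBER_OF edges: principal (account or group) -> group. Includes a nesting cycle,
# which real directories do contain and which a naive recursive walk would loop on.
MEMBER_OF = [
    ("alice", "HR_RW_NOIT_1A"),
    ("HR_RW_NOIT_1A", "HR_ALL"),
    ("guest42", "LEGACY"),
    ("LEGACY", "IT_OPS"),
    ("IT_OPS", "SRV_ADMINS"),
    ("SRV_ADMINS", "LEGACY"),      # cycle: SRV_ADMINS -> LEGACY -> IT_OPS -> SRV_ADMINS
    ("svc_bak", "SRV_ADMINS"),
]

# LOCAL_ADMIN_ON edges: group or account -> server (constructed server names).
LOCAL_ADMIN_ON = [
    ("SRV_ADMINS", "FILESRV01"),
    ("HR_ALL", "HRAPP01"),
    ("alice", "WS-ALICE"),
]


def build_graph(member_of=MEMBER_OF, admin_on=LOCAL_ADMIN_ON):
    """Adjacency list: node -> list of (relationship type, target node)."""
    adj = {}
    for src, grp in member_of:
        adj.setdefault(src, []).append(("MEMBER_OF", grp))
    for src, srv in admin_on:
        adj.setdefault(src, []).append(("LOCAL_ADMIN_ON", srv))
    return adj


def admin_paths(account, adj):
    """Map each server the account can administer to the chain of groups granting it.

    Breadth-first, so the first chain found for a server is the shortest one; the
    visited set makes cyclic group nesting terminate instead of recursing forever.
    """
    paths = {}
    seen = {account}
    queue = deque([(account, [])])
    while queue:
        node, chain = queue.popleft()
        for rel, target in adj.get(node, []):
            if rel == "LOCAL_ADMIN_ON":
                paths.setdefault(target, chain)      # keep the shortest chain only
            elif target not in seen:
                seen.add(target)
                queue.append((target, chain + [target]))
    return paths


def audit(accounts=ACCOUNTS, today=date(2017, 6, 6)):
    """One finding per (account, server) admin grant, flagged when the account is
    disabled or expired: the 'expired guest with local admin' case from slide 26."""
    adj = build_graph()
    findings = []
    for name, attrs in accounts.items():
        expired = attrs["expires"] is not None and attrs["expires"] < today
        stale = (not attrs["enabled"]) or expired
        for server, chain in admin_paths(name, adj).items():
            findings.append({
                "account": name,
                "server": server,
                "nested_groups": len(chain),
                "path": chain,
                "stale_account": stale,
            })
    return findings


if __name__ == "__main__":
    for row in audit():
        flag = "STALE " if row["stale_account"] else "      "
        via = " -> ".join(row["path"]) or "(direct)"
        print(f"{flag}{row['account']:8} admin on {row['server']:10} "
              f"via {row['nested_groups']} nested group(s): {via}")
```

In a real audit the edges would come from the directory export loaded into Neo4j, and the traversal would be a variable-length Cypher match rather than this BFS; the logic is the same, and the two things worth asserting on are that cyclic nesting terminates and that the nesting depth of each grant is reported, since depth is the deck's proxy for "path risk".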
