How ForgeRock is tackling identity management

ForgeRock CEO Fran Rosch has set the identity and access management software supplier on a path to deliver a frictionless identity experience without compromising security or privacy

It is not uncommon to hear some organisations and experts talk about finding the balance between security and delivering great user experience, as if the two were conflicting goals in designing an application.

However, Fran Rosch, CEO of ForgeRock, believes that in identity management, user experience need not come at the expense of security, and vice versa. The company, which counts some of the largest financial institutions as clients, provides a platform that helps organisations handle all sorts of identities, including those of devices and cars.

During a recent visit to Singapore, Rosch spoke to Computer Weekly about how ForgeRock is differentiating itself from other suppliers and helping organisations address challenges in identity and access management, as well as the company’s future directions. He was joined by David Hope, ForgeRock’s senior vice-president for Asia-Pacific and Japan (APJ), who provided an update on the company’s business in the region.

There are several identity and access management suppliers out there. How are you convincing customers to choose ForgeRock?

Fran Rosch: The first thing I’d say is that we engage with customers on the value they will receive from a modern identity platform, and it really comes down to the changes in identity over the past four to five years.

Prior to joining ForgeRock, I spent eight years at Symantec and 10 years at Verisign, so I’ve been in this space for a long time. When I hear companies talk about building identity experiences, they talk about finding this balance between experience and security. It sounds kind of logical, but I actually hate to hear that kind of advice, because they’re telling people that you can’t have both frictionless identity experiences and security.

And so, when we started talking to customers, like Standard Chartered Bank in Singapore, it was much more about how we can help them create identity experiences for employees and make it easier for them to onboard or access the applications and services they need to do their jobs without compromising security.

That’s been really helpful for us in engaging a broader set of stakeholders. Identity is not a typical security product. It’s a lot about business transformation, and talking to customers about that has been a part of our success and makes us different from others in the market.

But when it comes to technology, there are a couple of differences as well. From the very beginning, ForgeRock has focused on the most comprehensive product on the market, and we do that in two ways. One is that ForgeRock was built to handle all identities – employees, business partners, contractors, consumers, physical things and services – all on one platform.

The ForgeRock platform also covers the broadest identity lifecycle because our customers don’t want to cobble together multiple point solutions across the identity lifecycle. So, we’ve got identity management, access management, single sign-on, multifactor authentication, authorisation, and now identity governance and administration, all in a single platform.

No one else in the market has that full capability. Ping is really an access management company. SailPoint really just does governance, and we’ve got all that in one solution. It’s that comprehensive platform that really resonates with our customers, especially large enterprises in banking, public sector, healthcare, retail and media. It’s about that scale and enterprise grade capabilities that we can deliver as a company.

The third point I would make is that ForgeRock pioneered the concept of identity orchestration, or what we call identity trees, which we launched back in 2017 to help our customers build flexible identity journeys.

Who would be the primary users of your platform? Would they be business users or developers?

Rosch: When we engage with large enterprises, there’s usually a vice-president for identity. Five years ago, there used to be two of these people, one for workforce and one for consumer, but we see their roles now being taken on by one person.

Typically, this individual sits in the CIO organisation, responsible for driving technology strategy. What has changed over time is that there’s a lot of pressure on this individual when selecting a new technology for a business owner, who could be a chief digital officer, or someone in charge of online banking or a healthcare mobile app.

What business owners are starting to realise is that if digital identities, the front door to their organisation, aren’t frictionless, then they’re not going to be able to compete and win in their markets. So, there’s a lot more pressure coming from the business side. We also have the chief information security officer, who only cares if it’s a secure platform and whether we can embed security in every part of the identity journey. We recognise that those are two powerful influencers.

There are also developers who are building applications, and they don’t want to be identity experts. They need something easy to consume so they can quickly integrate identity into what they’re building. We also see the infrastructure buyer who is responsible for running the platform, though that’s becoming less important with more organisations moving to cloud. But that infrastructure person is usually the linchpin, so we make sure we communicate with all the different stakeholders.

One of the challenges that many companies face is identity sprawl and having to manage different identity systems. How is ForgeRock helping customers manage that problem?

Rosch: One of our customers, HSBC, had dozens of different identity solutions before they used ForgeRock. They were able to consolidate them, and that has been a big driver, because we built a very extensible platform that can plug into any type of infrastructure. We still have customers, such as Standard Chartered, which is still running mainframes and lots of proprietary on-premise applications, and they’re adding dozens of cloud and SaaS [software-as-a-service] apps. They were looking for somebody to cover all of that and then launch digital banks on the side. We helped to consolidate against that sprawl by providing a single platform.

Can you give me a sense of how fast the business is growing in APJ and the opportunities you’re seeing?

David Hope: One of the reasons I joined ForgeRock is the great base of customers here in the region. But there’s also more potential to expand and grow that customer base. With Fran’s global experience, including in this region, I’ve not had to explain country- or region-specific nuances. Under his leadership, we’ve doubled the investment in the region over the past two years. We have a dedicated support office in Singapore, and we’ve brought in new leadership in the region. We’ve also invested in our partners and cloud infrastructure support team, and doubled our sales team in the region.

We’ve been strong in the financial services industry with big names like DBS, as well as ANZ Bank and Suncorp in Australia. Rather than have a strategy to cover all industries, we are doubling down on financial services, as well as telcos, where we have XL Axiata in Indonesia as a customer. We have other opportunities outside that as well, such as government, which has been a very fast-growing segment because citizen identity is becoming more important.

Rosch: The business is growing very healthily. As a company, we have been growing about 30% for the past 12 quarters, plus or minus a couple of percentage points. APJ has been a consistent growth engine for us. David shared some good business plans and we’re very optimistic. For us, Singapore is our hub, but we see a lot of growth in Indonesia, Thailand, Hong Kong and the Philippines.

What’s the typical entry point for customers since ForgeRock covers a wide spectrum of identity management for both employee and consumer identities?

Rosch: The typical entry point is the consumer side, where about 70% of our new customers come from and about 30% are using our platform to manage workforce identities. We have an opportunity to cross-sell both. As of today, about 43% of our customers are using ForgeRock for both consumer and workforce identities, and that user base continues to grow a couple of percentage points every year as we cross-sell and upsell. Workforce identity is a growing opportunity for us this year as we continue to advance our workforce portfolio through the launch of our governance capability for the cloud.

ForgeRock’s platform was typically run on-premise because of the sensitivity of identity information. There were regulatory requirements to keep it on-premise, but obviously a lot of companies now want to go to cloud, and they’re looking to get value out of their investments quickly. They don’t want to get infrastructure, hire a lot of people and do software upgrades, patching and vulnerability management. They want to consume services, and identity is no different.

ForgeRock started on its cloud journey five years ago, and since we launched our SaaS product at the end of 2020, we’ve seen rapid adoption of that platform. We continue to offer our customers choice, whether they are in a regulated sector or industry segments that are ready to put data in the cloud.

But more and more, we’re moving to identity as a service. We’re very focused on large enterprises and we’ve created a unique identity architecture for our cloud that gives our customers the highest performance of scale. Today, we have over 100 million identities per customer in the cloud. We can handle over 1,200 transactions per second in our cloud, which is much faster than any competitor. We also have a unique architecture around data sovereignty and data segregation that can meet the requirements of many regulators.

We’ve seen cloud become a big driver of growth over the past several quarters, and over 50% of our new customers that signed up have selected cloud. They can choose to run our software in a private cloud or a public cloud of their choice, such as Amazon Web Services and Google Cloud, or use our SaaS, which runs on Google Cloud.

Could you talk about the work you’re doing around the internet of things (IoT)?

Rosch: We look at it in two ways – traditional identity and the relationship perspective. In traditional identity, everything that accesses a network needs to be identified and authenticated – people, physical things, application programming interfaces (APIs), application services – and the way you authenticate a person is going to be different from that of a machine.

As for relationships, take the example of our customer, BMW, which has been a leader in identity for people, but they’ve also integrated IoT identity into their cars. They want to understand the relationships between the people in their customers’ family so they can provide a more personalised experience. We’re extending our platform to be able to accommodate those relationships, and give our customers intelligence about people and how physical things and services are being used.

We also see that in healthcare, where one of our customers, Philips Healthcare, wants to understand how doctors and technicians, as well as patients, are using medical imaging machines. It’s not good enough just to authenticate the machine, so I think the exciting thing about IoT is really around relationships.

What are some of your plans for the future in terms of where you see the ForgeRock platform evolving?

Rosch: There are some areas we’re focused on to drive more value for our customers. The first is around bringing more intelligence to the identity journey through artificial intelligence (AI). Today, a lot of authentication systems use usernames and passwords, and that’s a bad experience, and it’s also bad for security. But I think our technology has evolved, and there are open standards around FIDO to address that.

In the area of AI, we’ve implemented a module called autonomous access, where we collect signals of a user and device behaviour to develop a kind of fingerprint for that user, and then create a risk score. Based on all the information we have, which is extensive, if we have high confidence that someone is a legitimate user, then you can just let the user in.

We have customers that are doing away with passwords and letting the user into their systems for basic transactions because there’s a high level of confidence. If that confidence degrades and we still think it’s the right person but maybe not with high enough confidence, then we can do some sort of stepped-up authentication or biometric authentication.

And if we have low confidence that someone is a legitimate user, then we can give the customer the ability to block an account takeover and stop scams, which are happening a lot in Singapore and globally. So, we’re bringing AI to that identity journey to help customers determine risk, and take the appropriate action in real-time to stop the damage from happening.

A related area is going passwordless. We feel we have great technology both for consumers and the workforce, and this is where they’re different. A passwordless approach for consumers is very different from that for a workforce, primarily because of the infrastructure and types of applications.

Consumers typically log on to mobile apps or a relatively simple web app, so going passwordless by leveraging FIDO standards is easy and out-of-the-box in our product. The workforce side is more complicated because some of our customers have dozens or hundreds of applications that speak different protocols. It can be much more challenging to do passwordless in the enterprise, but we think that’s the future, so we’re spending more there, going back to our value proposition of providing simple and easy identity experiences without compromising security or privacy.
