
ForgeRock Identity Live 2020: What Our Customers Are Saying

CEO Perspective 

ForgeRock Identity Live 2020 went virtual last week! It was exciting to connect with everyone, share what is happening at ForgeRock, and learn from each other. While I would have preferred to meet in person, the conversations with customers and partners were just as meaningful. We heard from leading brands around the globe about how identity is shaping the future of their organizations and saw some amazing product demos from our ForgeRock team. 

Top of mind for everyone was how we’ve all experienced the way we live change overnight. The pandemic has put greater emphasis on the need for digital identity solutions that can keep employees productive and consumers connected while still protecting the security of the enterprise and the privacy of the user.

In the last nine weeks, we’ve all been grappling with similar questions. 

How do you provide secure and frictionless access to apps and information for a remote workforce? How do we reduce the enormous strain and complexity an increasingly remote workforce puts on IT teams? How can businesses keep the costs of things like password resets down when more people are creating new online accounts daily? And how can we help consumers, citizens and students get to the things they need more easily and from any device?

We heard our panelists ask and answer these very questions. We believe artificial intelligence (AI) is the way forward when it comes to access and enabling smooth and secure experiences. 

We were also reminded that digital transformation is a journey – no two organizations are the same. Aside from delivering amazing solutions that are simple to use, provide superior security and intelligence, and are delivered as a cloud service – we must also create a path that can either help you leapfrog from where you are today or build on what you have at your own pace. 

With the advancements in the ForgeRock Identity Platform, we’ve made orchestrating identity journeys even simpler and more secure, and that includes solutions like ForgeRock Go, aimed at making usernames and passwords a thing of the past. It was gratifying to hear Sean Carrick, vice president, identity operations and engineering, LPL Financial, echo our belief that it's a strong addition to the platform. 

Balancing user experience with security is critical. Verizon IT Executive Director Manah Khalil pointed out that the power of artificial intelligence (AI) will help determine what makes one of their millions of customers distinct while also protecting their privacy. 

The cloud is a great opportunity for organizations to deploy their infrastructure faster and at less expense. Understanding that everyone’s cloud journey is at a different stage, we’ve made it simple to manage identities across all use cases and with any cloud option – your cloud, our cloud, or a public cloud. 

Rich Kneeley, managing director of cybersecurity and privacy at PwC, shared that companies that have already moved to the cloud were in a much better position to respond to the pandemic than others: “Employees, consumers, and business partners are expecting greater collaboration, increased security, deeper personalization, and unique experiences as they interact with their trusted brands. Identity should be a business enabler for increased cloud adoption.”

When the reality of the pandemic hit, our customers had to act fast. Scalability and simplicity of deployment really matters. For example, the New South Wales Department of Education in Australia manages more than one million student and employee identities, making it the second largest school district in the Southern Hemisphere. Shane Gandy, director of identity management for the district, successfully navigated the pandemic and points to AI as a tool that will make similar challenges easier to overcome in the future: “With COVID-19, we had two weeks to mobilize all these identities for online learning with the understanding that some students don't have access to devices or even the Internet. We had to quickly and securely get people access to these services.”

Creating delightful user experiences is a passion at ForgeRock and essential in a digital world. That came into play at the Australian Securities Exchange (ASX) when the pandemic struck. “With COVID-19, we had to adjust to the volatility. In April and May, we had historic volumes of trading – 150,000 people joined or re-joined their accounts – and we went from $1.6 billion to $33.3 billion a day in revenue. Tools like multi-factor authentication (MFA) were very helpful in providing one front door for customers to enter and offer a better user experience,” said Tristan Geering, Chief Information Security Officer, ASX.

Final Thoughts 

The pandemic won’t be the last disruption for your organization. Customer expectations will continue to push your business to evolve. Accordingly, you need an identity platform that can flex with you and help you grow your business no matter the circumstance. 

We are committed to building on the strength of our AI-driven platform and enabling your workforce to be productive from anywhere, putting consumers on a happy path, and, most importantly, continuing to deliver innovation that does the heavy lifting for you.

This is how we see the future of identity and the role it plays for our customers. We launched a wave of new innovation last week designed to help you achieve this new reality.

I’d like to thank all our customers and partners who helped make Identity Live 2020 a success. Catch highlights from all three shows and hear from BMW, Accenture, Deloitte, and others here.


CEO ForgeRock 


ForgeTalks: Smarter Access Is Here With Autonomous Identity

AI and the Arrival of Automated Access with ForgeRock Chief Product Officer Peter Barker 

We've talked a lot about the promise of AI and ForgeRock's investments in bringing the power of automation to its platform. I wanted to find out more about how we're delivering this advanced capability to our customers and how it will help them succeed. This week, I met virtually again with ForgeRock Chief Product Officer Peter Barker, to learn all about ForgeRock's amazing new Autonomous Identity offering. 

I hope you enjoy this latest installment of ForgeTalks. Make sure to tune in next week where I discuss Security & Privacy with our CTO, Eve Maler. And, if you missed last week's episode with Alex Laurie, you can catch it here.

ForgeTalks Episode 3: Creating Delightful Digital Experiences

Welcome back to another episode of ForgeTalks. I've heard the phrase "Delightful Digital Experiences" thrown around a lot, and I've never really been sure what it means. I caught up with Alex Laurie, who heads Global Solution Architecture at ForgeRock, to find out exactly what is meant by "Delightful Digital Experiences," and why it's so important for businesses competing in a highly digital world.

I hope you enjoy this latest installment of ForgeTalks. Make sure to tune in next week for my discussion with our CTO, Eve Maler who shares her perspective on why security and privacy are important in 2020. And, if you missed last week's episode with our CEO, Fran Rosch, you can catch it here.

Do We Still Need Pride in 2020?


The Stonewall riots in 1969 were a pivotal moment in LGBTQ+ history, leading to the first Pride events the following year in New York, Los Angeles, and San Francisco. London followed with its first Pride event two years later in 1972, and then the first Mardi Gras took place in Sydney in 1978.

Pride in those early days had a very obvious purpose. It was the coming together of gay people in a very visible way, with security in numbers. For one day every year, gay people could be out and proud in their home-town streets. They could be themselves. And they could hold their same-sex partner’s hand and not fear abuse. That’s why Pride was needed and celebrated.

Fast forward 50 years and the world has (mostly) changed. Being gay is much easier today than it has ever been, but there are still many parts of the world where it is illegal and even punishable by the death penalty. (Check out this interactive map.) The main thing you'll notice is that lesbian, gay, bisexual, and transgender people in Europe, the Americas, Australia and New Zealand are not criminalised. But does that mean they have true equality and face no discrimination?

As a gay woman in the UK, I can say things have massively changed in my lifetime. I no longer have abusive comments shouted at me on the streets as I did when I first came out. I had a civil partnership ceremony with my partner 13 years ago, which we converted to a marriage four years ago, so in a legal sense, we are equal now. 

But I have to come out time and time again. It's obviously a lot easier than when I did it the first time and most people don't bat an eye. But society is still very heterosexual in its outlook and that comes with its own set of assumptions based on how you look or act. So if you don't look “gay”, then people assume you will have an opposite sex partner, which can lead to awkward conversations and you having to come out again and again.

On a lighter note, my boss at one of my first jobs, on hearing I was gay, exclaimed, “She’s not gay, she’s French” as if the two were mutually exclusive. (And besides, I’m not even French!)

I have to consider my safety and personal well-being when choosing holiday destinations. There are large parts of the world where I don't want to travel because being me is illegal and I could face the death penalty. 

Even closer to home, we have seen an increase in attacks on gay people. Last summer, two women were attacked on a London bus by several men who felt they could demand that the women kiss for their benefit. This was not only a homophobic attack, but a blazing display of male entitlement. 

So is Pride needed today or is it just an excuse for a party? I would argue Pride is still very much needed, even in places where we have a lot more equality. For one thing, although things have got a lot easier for gay men and lesbian women, bisexual people still are perceived negatively and transgender people still face huge prejudices, even from within the LGBTQ+ community. And being “queer” is often completely misunderstood, as is anyone who chooses not to be constrained by gender labels. 

Pride is a chance for everyone in the LGBTQ+ community to come together as they have for the last 50 years – to be visible, be out and proud, and feel included for at least one day. It is there to make it easier for a younger generation of LGBTQ+ people, who may be bullied or feel pressured to be straight, to come to terms with who they are, know they can be themselves, and not feel marginalised. Even if it’s just temporary, it gives hope. Equally important, Pride is for our allies, for us to all stand together, united. Pride should very much continue to be celebrated.

I went to my first Pride event in years last year – spurred on by the LGBTQ+ initiative at ForgeRock. It felt great, marching with my wife and coworkers at Bristol Pride. This was not something my younger self could ever have imagined!

I wholeheartedly support the ForgeRock LGBTQ+ initiative. It is a great way to make everyone feel more included and has created a safe space for LGBTQ+ people. Undoubtedly, it has helped the company recruit a more diverse workforce. I chose a company with an active drive for inclusivity over any other company when looking for work. I know there are a lot of allies within ForgeRock – and that is really cool. Unfortunately, there are people who don't think it's needed, and they are the very reason why these types of initiatives (and Pride in general) remain important. Having said that, I am confident that we will continue to make progress in educating ForgeRockers.

2020 would have been the year to celebrate 50 years since those very first Pride events but unfortunately, many have been cancelled or postponed due to the Coronavirus pandemic. Despite this, we must continue to celebrate Pride virtually, and we must strive to become more inclusive and more equal. There have been great strides made in LGBTQ+ rights in 50 years, but we must not become complacent, as there's still a long way to go.

Click here to learn more about Inclusion and Diversity at ForgeRock.

ForgeTalks Episode 2: Jumping Into the Shoes of Our Customers

Welcome back to ForgeTalks. Our CEO Fran Rosch is always telling us that "feedback is a gift", and it's true, we do value customer feedback at ForgeRock. In this episode, I sit down with Fran to discuss his thoughts and learnings from a recent virtual session he had with our customer advisory board. It was great to hear how our customers are using identity, as well as what they think of our future innovations.

Grab a drink and a snack and enjoy this episode of ForgeTalks.

Coming Soon: Don't miss our next episode where I sit down with Alex Laurie and discuss delightful digital experiences.

Check out ForgeTalks Episode 1: A Roadmap Deep Dive here.

Evolution from IDaaS to the SaaS-Delivered IAM

As enterprises rapidly evolve their overall cloud-first strategy, they are also rethinking their identity and access management (IAM) deployment models. The question on everyone’s mind is how to transition from on-premises IAM, which they invested in so heavily over many years, to the cloud and still maintain full functionality.

Many organizations embarked on the journey to cloud with a hybrid cloud approach. Often, they deployed their legacy on-premises IAM solutions in their own private clouds and just leveraged the public cloud as another data center. This gave them more flexibility to scale on demand and provided the agility to meet the business needs of dynamic and ever-changing workloads without the need to invest heavily in their infrastructures.

Others chose managed services, outsourcing identity management to a third party that has the expertise and staff to run and maintain on-premises identity solutions. IAM managed services was a viable alternative for organizations that were challenged to hire, train, and retain professionals with the skills required to manage and support IAM operations.

And some were early adopters of pure-play identity as a service (IDaaS) solutions – a term whose meaning has evolved over the past few years. In the past, Gartner published a dedicated magic quadrant for IDaaS and defined it as, “a predominantly cloud-based service in a multi-tenant or dedicated and hosted delivery model that brokers core identity governance and administration (IGA), access, and intelligence functions to target systems on customers' premises and in the cloud.”

The problem with these solutions, even back then, was their limited capabilities. But the good news is that they are evolving quickly and becoming more feature-rich and robust. With that evolution, Gartner has also renamed the category to SaaS-delivered Identity and Access Management (SaaS-delivered IAM).

Why are people transitioning to SaaS-delivered IAM?

This is primarily driven by the increasing demand for more comprehensive cloud IAM capabilities from customers who want to consume more and more IAM functionality as a cloud service.

Market projections show that the IDaaS market is expected to grow from USD 2.5 billion in 2019 to USD 6.5 billion by 2024, a compound annual growth rate of 21.1%. [1]

We here at ForgeRock offer a comprehensive IAM platform, whether you choose our software version to deploy it in your own data centers, private cloud, hybrid cloud, or public cloud, or you choose to consume it as a service provided by us. This is the foundation of the ForgeRock “your cloud, their cloud, or our cloud” strategy. The goal is to provide you all of the features and functionality that meet your enterprise needs, however you decide to consume it.

ForgeRock Identity Cloud

Identity Cloud is the comprehensive ForgeRock Identity Platform delivered as a cloud service. It enables you to reduce operational risk by consuming the IAM service from a trusted vendor, and to reduce total cost of ownership (TCO) by offloading the infrastructure and maintenance of the platform. This allows you to focus your energy on developing business IP, not on creating and running IAM solutions or infrastructure.

Even if you’re thinking about moving to the cloud but are not quite ready for it, you can still take advantage of ForgeRock’s complete suite of modern capabilities that address any identity need, in any environment.

Read more about the ForgeRock Identity Platform and the ForgeRock Identity Cloud or contact us to get your specific questions answered.



Rethink Identity Governance with AI-Driven Analytics

Protecting Consumer Data and Your Brand 

For the second year in a row, identity ranks as the top target for cybercriminals. According to findings in our latest Consumer Identity Breach Report 2020, personally identifiable information accounted for 98% of all stolen data in the past two years. That harsh reality underscores the need for a new approach to digital identity management and governance strategies. We believe a more modern approach that incorporates AI-driven identity analytics can alleviate a lot of challenges.

Changing the Mindset

The number of digital identities and business applications and the amount of data usage are growing exponentially, but many enterprise organizations continue to rely on legacy identity and governance processes and solutions that are static, siloed, and cannot scale to meet the demands of today’s dynamic digital age.

So how do risk and compliance professionals get more out of their existing identity and governance solutions? How do they gain enterprise-wide visibility and risk awareness? How do they gain a deeper understanding into risk associated with user access across the entire enterprise? They can accomplish all of this by changing their approach. 

A Best Practice, Modern Approach

By embracing a more modern approach that leverages artificial intelligence (AI), machine learning (ML), and automation, organizations can address these growing challenges. This new approach meets the needs of organizations today while having the ability to easily scale and evolve to meet future challenges and requirements.   

Contextual, enterprise-wide visibility

One of the biggest challenges facing enterprises today is a siloed view of identities and the access they have. This is a result of various departments or business units within the organization deploying different types of identity, governance, and infrastructure platforms. In a typical scenario, each solution contains only a subset of identities (employees, contractors, partners, and others). As a result, security and risk professionals have a very limited view – or possibly no view at all – into user access risks across the entire enterprise.

By leveraging an AI-driven analytics solution, organizations can collect and analyze identity data (accounts, roles, user activity, entitlements, and more) from the different identity, governance, and infrastructure solutions they have in place. This provides enterprise-wide visibility into all identities and what they have access to across the entire organization. This modern approach provides security and risk professionals with contextual insights into low-, medium-, and high-risk user access at scale.

Access risk awareness

Over the past decade, organizations have manually built and deployed data lake-based solutions as a way to view all identities. A data lake is a simple storage repository that holds a vast amount of raw data in its native format until it is needed – typically in a flat architecture. Data lakes offer the ability to derive value from unlimited types of data and store all types of structured and unstructured data. What they do not inherently provide are AI/ML-driven analytics out of the box. Typically, organizations build a home-grown data lake solution and then develop analytics to run on top of it. These analytics need to be constantly fine-tuned, updated, and upgraded over time.

By leveraging AI/ML techniques in a modern solution, organizations can analyze all identity data centrally and contextually identify riskier user access and entitlement creep across the entire organization. This intelligence-based approach allows security and risk professionals to quickly identify suspicious user access and privileged and root account access violations.

Access rights identification and remediation

With the explosion of digital identities (3.2 billion and growing, according to McKinsey) over the past decade, organizations are drowning in user access requests, entitlement creep, and access certifications. Because of this, security and risk professionals are manually rubber-stamping user access requests and bulk-approving user access certifications on a quarterly, semi-annual, or yearly basis. The end result is elevated risk due to overprovisioned user access rights.

With an AI-driven analytics solution, organizations can contextually examine all identity-related data and then identify and recommend the right level of user access rights. This modern approach allows organizations to identify and apply appropriate birthright user access rights (to accounts, applications, systems, roles, entitlements, etc.). In addition, security and risk professionals can proactively identify overprovisioned user access rights, recommend remediation, and automate removal.
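The two sections above (identifying birthright access and flagging entitlement creep) describe peer-group analysis at a high level. The following is an added example, written for this page and not ForgeRock's code or product logic, of the simplest form of that analysis: users are grouped by department and title, the prevalence of each entitlement inside the group is computed, entitlements held by nearly everyone in the group are proposed as birthright candidates, and entitlements held by only a few peers are flagged as overprovisioning candidates for review. The record layout, thresholds, minimum peer-group size, and the identity data are all constructed assumptions.

```python
"""Peer-group entitlement analysis (added illustration, not vendor code).

Assumptions, all hypothetical and constructed for this example:
- Identity data has already been collected into flat records holding a
  user, department, title, and the set of entitlements the user holds.
- A user's peer group is everyone with the same department and title.
- An entitlement held by at least BIRTHRIGHT_THRESHOLD of a peer group is
  a birthright candidate; one held by at most OUTLIER_THRESHOLD of the
  peer group is flagged as a likely overprovisioned right for review.
- Peer groups smaller than MIN_PEER_GROUP are skipped: prevalence over
  two or three people says nothing, so those users need manual review.
"""
from collections import defaultdict

BIRTHRIGHT_THRESHOLD = 0.80
OUTLIER_THRESHOLD = 0.25
MIN_PEER_GROUP = 3

# Constructed sample identity data (not real accounts or systems).
IDENTITY_RECORDS = [
    {"user": "alice", "dept": "finance", "title": "analyst",
     "entitlements": {"erp-read", "expense-submit", "vpn"}},
    {"user": "bob", "dept": "finance", "title": "analyst",
     "entitlements": {"erp-read", "expense-submit", "vpn"}},
    {"user": "carol", "dept": "finance", "title": "analyst",
     "entitlements": {"erp-read", "expense-submit", "vpn", "erp-admin"}},
    {"user": "dave", "dept": "finance", "title": "analyst",
     "entitlements": {"erp-read", "expense-submit"}},
    {"user": "erin", "dept": "finance", "title": "analyst",
     "entitlements": {"erp-read", "expense-submit", "vpn", "payroll-approve"}},
    # Only two sysadmins: too small a peer group to draw conclusions from.
    {"user": "frank", "dept": "it", "title": "sysadmin",
     "entitlements": {"vpn", "root-prod", "ticketing"}},
    {"user": "grace", "dept": "it", "title": "sysadmin",
     "entitlements": {"vpn", "root-prod", "ticketing"}},
]


def peer_groups(records):
    """Group records by (department, title)."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["dept"], rec["title"])].append(rec)
    return groups


def entitlement_prevalence(group):
    """Fraction of the peer group holding each entitlement."""
    counts = defaultdict(int)
    for rec in group:
        for ent in rec["entitlements"]:
            counts[ent] += 1
    return {ent: n / len(group) for ent, n in counts.items()}


def birthright_candidates(records):
    """Entitlements held by nearly all members of each large-enough peer group."""
    result = {}
    for key, group in peer_groups(records).items():
        if len(group) < MIN_PEER_GROUP:
            continue
        prev = entitlement_prevalence(group)
        result[key] = sorted(e for e, p in prev.items() if p >= BIRTHRIGHT_THRESHOLD)
    return result


def overprovisioning_findings(records):
    """(user, entitlement, prevalence) for rights few of the user's peers hold."""
    findings = []
    for group in peer_groups(records).values():
        if len(group) < MIN_PEER_GROUP:
            continue
        prev = entitlement_prevalence(group)
        for rec in group:
            for ent in sorted(rec["entitlements"]):
                if prev[ent] <= OUTLIER_THRESHOLD:
                    findings.append((rec["user"], ent, round(prev[ent], 2)))
    return sorted(findings)


def unreviewable_users(records):
    """Users whose peer group is too small for prevalence-based analysis."""
    return sorted(rec["user"] for group in peer_groups(records).values()
                  if len(group) < MIN_PEER_GROUP for rec in group)


if __name__ == "__main__":
    for key, ents in birthright_candidates(IDENTITY_RECORDS).items():
        print("birthright", key, ents)
    for user, ent, p in overprovisioning_findings(IDENTITY_RECORDS):
        print(f"review: {user} holds {ent} (held by {p:.0%} of peers)")
    print("needs manual review:", unreviewable_users(IDENTITY_RECORDS))
```

On the constructed data this proposes erp-read, expense-submit and vpn as finance-analyst birthright entitlements, flags carol's erp-admin and erin's payroll-approve for review, and defers the two sysadmins to manual review. In practice the flagged items are recommendations for a certification reviewer, not automatic revocations; a real deployment would also weight the finding by the sensitivity of the entitlement (a rare privileged right matters more than a rare read-only one).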

Embrace AI-Driven Identity Analytics

With growing external and internal cyberthreats, security and risk professionals need to work smarter, not harder, in order to effectively protect the business. This simply means legacy identity, governance, and infrastructure processes and solutions need to be vastly enhanced, not only functionally, but from a business value perspective. It is time for enterprises to increase the business value of their legacy identity, governance, and infrastructure solutions by proactively embracing an AI-driven analytics solution that offers contextual, enterprise-wide risk visibility, improved operational efficiencies, and accelerated decision-making.

Learn more about ForgeRock’s AI-driven identity analytics solution.


ForgeTalks Episode 1: A Roadmap Deep Dive

Welcome to “ForgeTalks!” Today, we’re launching a new video series about digital identity trends and innovation. ForgeTalks will bring you straight-talk from ForgeRock experts and help cut through the industry hype. We’ll chat with experts on topics ranging from digital transformation, automation, cloud, privacy and share insights aimed at helping identity practitioners and leaders make smart decisions about how to use digital identity as a competitive advantage. 

The series premieres today and features ForgeRock chief product officer Peter Barker. Together we take a closer look at how the company’s recent Series E funding will help accelerate ForgeRock’s product roadmap. We also discuss how digital identity plays a massive role in enabling remote digital experiences in the age of COVID-19. 

So sit back, relax and check out ForgeTalks. To learn more about the ForgeRock Identity Platform, click here.

Enjoy the show!


Coming Soon: In our next ForgeTalk, I'll sit down with CEO Fran Rosch.


The ForgeRock Consumer Identity Breach Report: the Battle to Contain Unauthorized Access

U.S. organizations spent $1.2 trillion in recovery costs related to breaches  

The ForgeRock 2020 Consumer Identity Breach Report is here, providing insights into global threat activity and the impact felt by enterprises that have been attacked. This year’s report reveals that for the second year in a row identity remains a major weakness of the web and continues to drive sky-high clean-up costs for enterprises.

In looking at the year-over-year comparisons, it’s disheartening to see the bad guys continue to succeed. We saw increases in every category and across every region we inspected. Here are just a few of the major trends that emerged in the last year about data breaches:

  • Healthcare was once again the most frequently targeted industry (43% of all breaches). On the other hand, technology firms had the highest number of records compromised (over 1.37 billion served, er, exposed).
  • Unauthorized access, the nemesis of IAM professionals everywhere, was by far the most common attack vector, responsible for 40% of breaches, with ransomware/malware and phishing trailing distantly at 15% and 14%.
  • Breaches cost U.S. organizations over $1.2 trillion, nearly doubling the previous year’s cost, and the data was nearly all PII (98%).

The report is packed with data and insights, and we’ve expanded our focus beyond the U.S. to include perspectives from the U.K., Australia and Germany.

Here’s my take: When it comes to data breaches, security on the internet continues to be an identity problem. Poor access management is hurting consumers and enterprises the world over, so there’s no better time to implement a modern IAM platform that offers dynamic and adaptive solutions to today’s problems.

It's an exciting time for achieving cybersecurity and data privacy goals, but what does success look like? To me, it's about democratizing data control. That means putting your known users onto a passwordless express lane and cybercriminals through extra authentication hoops. It means keeping personal data packets within the right jurisdictional boundaries for privacy compliance, and preparing for the regulatory future as well as the present. And it means empowering your applications to control their own boundaries to realize your Zero Trust strategy, and empowering your users to control their own permissions to foster mutual trust and confidence.

Click here to see the full report.


How to Easily Modernize Access to Your PeopleSoft Applications

Over the course of 2020, how and where we work has rapidly changed. More employees than ever before are working from home. In fact, according to CNBC, “42% of U.S. workers who did not telecommute previously are doing so now.” This new reality requires that organizations offer secure, remote access to critical work apps and services. As part of this, common applications like Oracle PeopleSoft are getting a second look. Business critical applications for managing employee lifecycles, tracking purchase orders, or performing other functions come with inherent risk because of the sensitive data they contain. Securing these applications to ensure that only the right people have access is critical. Unfortunately, organizations with legacy identity and access management (IAM) systems struggle with this. 

With the majority of employees now working from home, the ways in which people access PeopleSoft are changing, and to meet that demand, the ways in which it is protected must also change. This is especially true because Oracle is ending support for Oracle Access Manager, the 11gR2 access management middleware originally included with PeopleSoft, by December 2020. With budget constraints and limited IAM provider options competing with urgent requirements for remote access and improved security, it’s understandable that organizations are contemplating how best to solve this timely issue. 

At ForgeRock, we specialize in helping organizations like yours meet the demands for secure, easy access from anywhere by coexisting with applications, like PeopleSoft, and their related legacy IAM systems, such as Oracle Access Manager. 

For example, I recently had a conversation with a customer whose employees are now all working from home. Because PeopleSoft is the primary application used by the Human Resources department, they needed to be confident that the sudden shift to working from home wasn’t going to cause any security issues for their critical applications. With ForgeRock, this customer succeeded in modernizing and strengthening their access security to support remote sessions for PeopleSoft by quickly building and delivering a secure, frictionless authentication journey utilizing multi-factor authentication (MFA). They are also now exploring expanding this same security model to other applications within their network.

How can you leverage ForgeRock to secure your critical PeopleSoft applications?

To start, the ForgeRock Identity Platform comprises the following components, which can be used on their own or as a complete solution to support desired enhancements to PeopleSoft:

The ForgeRock Identity Platform and its industry-leading capabilities allow for significant enhancements in security-related functions. Intelligent Authentication, a component of ForgeRock Access Management, enables you to build robust, customized authentication flows (called authentication trees) using a dynamic menu of pre-integrated nodes within a drag-and-drop interface. This authentication journey agility not only provides users easy, secure authentication options that can be used from any location, such as work-from-home scenarios, it also helps organizations prevent fraudulent access attempts. For example, users can augment a failed username/password attempt to access PeopleSoft by requesting a one-time passcode or facial recognition via a mobile device using MFA controls.

In addition to leading access management capabilities, ForgeRock Identity Management includes built-in provisioning and workflow capabilities, so you can manage and orchestrate all access to PeopleSoft applications by monitoring changes both within the PeopleSoft data store, as well as other data stores within your organization, like LDAP directories. This unified view provides you with greater control and accuracy in terms of who can access high-risk applications such as PeopleSoft.

Of course, knowing what’s available is one thing; getting it done is another. ForgeRock can help there too. We provide out-of-the-box accelerators to get you up and running quickly, as well as seamless migration tools for when you’re ready to migrate away from your legacy IAM systems.

The ForgeRock Identity Platform can coexist with any legacy environment to give you more agility in how you secure business-critical applications like PeopleSoft. From the toughest legacy systems to the most cutting-edge applications, ForgeRock can handle all of your organization’s unique identity and access management needs. Contact us today to learn how we can help you.

Want to learn more about how to integrate Oracle PeopleSoft with ForgeRock? Read our white paper Modernize Access Security for PeopleSoft with ForgeRock for more details. 


From Evolution to Revolution

How COVID-19 has accelerated digital transformation


As shelter-in-place restrictions caused by COVID-19 slowly start to lift around the world, the notion that it will be “business as usual” is far from reality. At this stage, we know comparatively little about the virus and its long-term impact on business. But there are definite indicators, based on the countless conversations I’ve been having with customers in the last eight weeks, that companies with strong digital identity strategies have fared much better than those without.

The discussions I’ve had with leaders inside financial institutions, media conglomerates, and others offer some very interesting insights into how customer preferences, needs, and expectations might evolve in the coming months. Here are my virtual “notes from the road,” which I hope are useful to any organization looking for guidance on starting their rebuilding efforts in a post-pandemic world. 

COVID-19 has forced dramatic change in the digital world

The pandemic has pushed organizations to accelerate their digital transformation at an unprecedented pace. Pre-COVID-19, most businesses were on an evolutionary path to digital transformation. Now, necessity has forced them into a digital revolution. 

Overnight, our customers saw spikes in online traffic at levels normally associated with special events such as Black Friday or the Olympics – events where, historically, people had months or years to plan. COVID-19 afforded no preparation time. Huge spikes in activity across e-tail, education, healthcare, banking, telecommunications, and other sectors became a reality as both adults and children turned to a new remote way of life and working. Simultaneously, an uptick in malicious activity took place, as cybercriminals tried taking advantage of organizations that slashed red tape and bureaucracy in a desperate effort to keep up.

At ForgeRock, we believe this is a moment of truth for brands. An organization’s core mission won’t change because of COVID-19, but how it delivers on that mission has changed. Ensuring secure access and a streamlined, frictionless user experience is vital to maintaining competitive advantage. As a result, identity and access management (IAM) has emerged as a top priority. Even as some organizations cut spending, digital identity remains a must-have, with most identity and access management initiatives moving forward with even greater urgency.

Seize the opportunity to disrupt 

Looking at the situation optimistically, we see this time as a unique opportunity for your business to rally and to stand apart from the rest. Zoom is a perfect example of a brand that has achieved cultural awareness as a result of the global health crisis. It has moved beyond the enterprise and is now one of the primary ways housebound people connect worldwide.

“Getting identity right” means making it easy for your customers to connect to you digitally – making it easy to log in, reset passwords, receive personalized digital content, and feel secure, with respect for their privacy. Users deserve a digital experience that is both simple and safe. Getting identity right could change the trajectory of your company and make your brand a household word. By 2022, businesses that provide great customer experiences are projected to earn 20% more in revenue than those with a less than optimal customer experience.1

Identity technology is an enabler

The data we’ve gathered from our own customers attests to this. ForgeRock has enabled many organizations to scale up in order to meet consumer demand. Here are real-world examples of how organizations across multiple sectors adapted quickly to address the changing needs of both consumers and the workforce.

  • Scale at unprecedented levels: A large media organization serving a major European country had to scale dramatically during COVID-19 to accommodate billions of access requests from citizens tuning in for live news updates and streaming content at different times of day. Historically, events of this scale would be related to a major sports event or an important political event and would be planned for months or years in advance. With COVID-19, this scale is occurring daily.  
  • Massive switch from “in-person” to digital relationships overnight: Overnight, a large banking organization saw a 300% increase in online/mobile banking while also experiencing a 51% decrease in local branch foot traffic.
  • Rapidly mobilizing a new remote workforce: One large financial company described a common experience of going from 95% of its workforce located in offices pre-COVID-19 to the same share now working from home. IT professionals and staffers felt the impact on productivity immediately as new collaboration apps for virtual whiteboarding and video chat were rolled out and multi-factor authentication became necessary to secure remote work. 
  • Black Friday every day: Many of our retail customers reported an unprecedented increase in online activity – surpassing Black Friday level traffic. DevOps and auto-scaling capabilities in ForgeRock IAM have been critical in supporting these levels of traffic.

Zero Trust timelines have accelerated by over a year

Zero trust and “identity as the new perimeter” have been popular thought leadership topics in IAM and often on an organization’s roadmap, but in the midst of COVID-19, the roadmap for accomplishing these initiatives has been accelerated by a year or more. 

In addition to navigating increased customer demand, many organizations have also come to realize that their traditional approach to digital identity management falls short in enabling all their employees to work remotely and to access applications securely. The need to adopt a work-from-home policy for employees has put pressure on capacity for many businesses. Realizing that there is no such thing as a trusted network or device, organizations are now opting for risk-based authentication and authorization methods. 

Another concern is an increase in Coronavirus-themed security threats – from phishing campaigns to fraud. A joint alert issued by the U.K. and U.S. lists more than 2,500 COVID-19-related scams. It’s more critical than ever to provide a secure online experience for all types of users on all types of devices. ForgeRock helps you protect user privacy while ensuring secure connections across all of a user’s devices and things.

Consequently, the adoption of a Zero Trust model – the foundation of the ForgeRock IAM Platform – has accelerated.

Enable safe and simple digital access

With more people relying on online services, it’s critical to ensure that the first steps in any digital journey are smooth and seamless. It’s often at login that you are most at risk of losing users, especially when they have forgotten their usernames or passwords. We will soon roll out new capabilities that ensure you retain customers – regardless of their technical skill level –  during the login process. Soon you’ll be able to quickly and easily determine who the user is, what device they are on, and what their preferences are.  

Protect digital users

During COVID-19, everyone has opened themselves up digitally to a greater extent. This new “all digital” lifestyle has caused people to want more control over their data and privacy. Our self-service privacy and consent dashboards enable users to securely share and revoke or authorize consent. We also offer users choices, asking them whether they prefer passwordless or password-driven logins. 

As the digital revolution unfolds in all of its permutations, we are here to help you meet and exceed the expectations of your customers and employees alike. When it comes to digital identity, remember: you are not alone. Find useful resources at Connect Everyone


 1. Gartner Identity and Access Management Summit, Keynote: “The Future Identity and Access Management in 2019 and Beyond,” Gregg Kreizman and Mary Ruddy.





Bring Digital Identity Out of the Shadows to Fuel Digital Transformation

CPO Vision


Everyone who has anything to do with security is all too familiar with the term “Shadow IT,” which applies to situations when users across virtually all departments in an organization access applications and services without the authorization of corporate IT. Driven by the consumerization of IT and the convenience of the cloud, Shadow IT has introduced significant risk to enterprises due to lack of visibility and control. 

Today, as more businesses invest in their digital transformation – to the tune of more than $3.7 billion in 2019, according to Gartner – they are faced with yet another security and privacy challenge that also undermines the customer experience and hampers business success, namely Shadow Identity, or “Shadow ID.”

What is Shadow ID?

In the process of creating and delivering new digital services for their customers, business units within an organization can inadvertently create identity silos. In many organizations, a fragmented approach to identity consists of legacy, home-grown, and off-the-shelf point solutions that create a crazy quilt of applications that cause what we now call Shadow ID. This occurs primarily because organizations lack a unified consumer identity and access management (CIAM) solution and oversight over the process. 

The end result is that a single customer who signs up for various digital services with a company may actually have multiple sets of identities. Every time an innovative digital service is rolled out to users, there is the potential for another identity silo to crop up. So why is that a problem?

  • The user experience suffers in a big way. Let’s consider this simple scenario: A large financial institution offers an array of services – from ATMs to bank cards to online banking portals to mortgage loans, and more – and requires customers to create separate logins for each of these. Each department at this bank houses this customer identity data in a different silo for each service, and these silos are disconnected. When customers call their branch to have a question answered, they are typically shunted around to different people before they have a conversation with someone who has their customer information (and even that may be incomplete or inaccurate). The end result is a frustrated customer who gets even more frustrated with each engagement across all channels.
  • Cross-sell opportunities are limited. Without a single source of truth about customer identities, it’s difficult to perform meaningful marketing analytics. And without reliable analytics, companies will have a hard time cross-selling services to their existing customers and delivering personalization for online applications and services. Clearly, Shadow ID can hinder business growth and put organizations at a disadvantage vis a vis competitors who have a unified identity architecture that can provide better, more streamlined customer experiences.
  • Shadow Identity increases security risk to enterprises. Identity silos inherently result in an inconsistent security posture: password-strength and reset policies differ from silo to silo, and some services require multi-factor authentication while others do not. Further, as transport, security, and identity standards evolve (examples: HTTP/2, mutual TLS, and newer cryptographic algorithms), it’s nearly impossible to update disparate identity silos consistently and in unison, and the silo that lags behind becomes the weakest point an attacker will target. 
  • Identity silos create privacy and compliance problems. Fragmented identity silos make it increasingly difficult to keep up with ever-changing government and industry regulations. The EU General Data Protection Regulation (GDPR), which imposes strict regulations on usage and sharing of private customer data, is an excellent case in point. Without a single view into all customer identity data points, GDPR compliance becomes exceedingly difficult, if not impossible. Additionally, when a customer chooses to opt out of a service, managing this process across multiple silos becomes a hugely painful and time-consuming effort.

Enter the ForgeRock Digital Identity Platform

At ForgeRock, we help people safely and simply access the connected world by enabling exceptional digital experiences, no compromise security, and comprehensive functionality at any scale with simple, flexible, and rapid implementations. With ForgeRock, you can address – and get ahead of – the requirements of the digital Disruptive Economy. Using ForgeRock’s comprehensive, flexible customer identity and access management (CIAM) technology, you can support customer experiences that exceed expectations and foster consumer trust and loyalty to create new opportunities for growth and competitive advantage.

At ForgeRock, we are well aware of the pitfalls of Shadow ID and are passionate about helping our customers grow and innovate while offering a safe and frictionless experience for their users. It’s all about giving the right people the right access at the right time – by using the right IAM platform.

Learn more about how to connect everyone, anywhere, or contact us to get started.


Media Giant BBC Credits Digital Identity Strategy as One Key to Success During Pandemic


As COVID-19 continues to affect our world, the importance of keeping citizens informed is more critical now than ever. Media giants like the British Broadcasting Corporation (BBC) have found themselves serving as a central player in helping millions of people stay connected and safe with new programming and services aimed at educating, entertaining, and keeping everyone calm – from small children to aging adults. 

The venerable brand has met the challenge by mobilizing its workforce quickly to work remotely and by doubling down on a digital transformation strategy grounded in identity in order to handle a massive influx of consumer demand that came to the BBC nearly overnight.  

We recently talked with Matt Grest, director of platform for the BBC, to learn how his organization is able to successfully keep employees productive and provide the essential information consumers need during the crisis. 

Supporting Remote Workers

ForgeRock: When it became obvious that working from the office was no longer possible, how were you able to get your team operational from home quickly? 

Matt: We were fortunate in many ways. I have about 350 people on my Platform team at the BBC. Many already had experience working remotely before the pandemic hit and were using best practices, like morning stand-up meetings. To help make the shift smooth for everyone, we were also able to quickly give employees instant access to appropriate applications so they could continue their work from home. In the last six weeks, I’ve been very fortunate that my team has continued to be productive whilst our offices were running at about 10% capacity. We’re still in the early days, but it’s appearing that efficiencies are comparable, if not better, than with the on-premises working model. 

Scaling to Meet Demand 

ForgeRock: Seismic shifts in audience size can present unexpected risk. What sort of growth have you seen?

Matt: We’re getting World Cup numbers every day at 5 p.m., right when everyone tunes in to hear what the Prime Minister is saying about the COVID-19 crisis. Millions of people want the information instantaneously and in different formats, such as video, text, and audio. Our challenge is to respond to this ever-increasing demand and provide seamless service to our audience.

During the COVID-19 crisis, we are experiencing record numbers of customers tuning in for live news updates and streaming content every day. We’re also seeing changes in usage patterns, such as significantly more consumers demanding content in the middle of the day. Meeting scalability challenges is something that never goes away. As an increasing number of people shift their viewing habits away from traditional broadcast TV and onto digital platforms, scaling up to meet this demand becomes a daily focus for us. In 2017 we introduced the ability for our audience to sign in to iPlayer. Getting people signed in means we can offer them a truly personalised experience. Now, in 2020, the majority of people in the UK have a BBC account and use it to access our personalised online services. Again, this posed another huge scalability challenge, as we had to build out our systems to cope with an ever-increasing demand.

Launching New Services and Content

ForgeRock: Meeting the needs of consumers across a wide range of demographics can’t be easy. What challenges have you faced? 

Matt: In addition to supporting remote workers and changing capacity, we are also rolling out new content and services. In April 2020, we introduced BBC Bitesize, a website that provides parents and students with free videos, step-by-step guides, activities, and quizzes by level and subject. We relaunched the service within weeks and saw three million people use the service on launch day, with zero downtime. 

Children can be more challenging to authenticate. Article 8 of the GDPR dictates that users under the age of 16 need parental consent to access content. We deliver highly personalised, age-appropriate experiences in a compliant manner while ensuring kids are using their own accounts rather than their parents’. Kids can even authenticate their identities via voice-first commands, an age-specific preference that could have been difficult, but we were able to deliver it with minimal headaches. 

Personalized Data Is Better Data

ForgeRock: Offering personalized services adds significant value for your consumers. But with that comes a huge responsibility to protect a vast amount of customer data. How do you earn the trust of your users?   

Matt: A personalised BBC makes for a better BBC. Once we get our audience signed in, we can then understand people’s likes, dislikes, device preference, time-of-day usage, and more in order to deliver a bespoke and optimal user experience. At the same time, we must remain compliant in keeping customers’ data secure and allow users to opt out of the personalised experience if they desire. 

Future Scalability Considerations

ForgeRock: Innovation is at the heart of what you deliver every day for millions of customers. What’s next at the BBC? 

Matt: The future is digital, and the biggest ongoing challenge for us is scalability. Today, we keep users signed in for two years (compare that with banks that log users off after a few minutes of inactivity). In addition, each user leverages the BBC with three different devices, on average. With 45 million users working with three to four devices, it could be a big challenge to manage access and active sessions, but we have the right technologies to help us meet our goals.

As we look to introduce more new and exciting services over the next few years, continuing to scale up our ability to deal with increasing millions of people who wish to access an ever-increasing amount of content is an ongoing challenge for us – a challenge our team thrives on.  

The BBC is a public service, and we need to keep pace with customers, but we can’t leave anyone behind. For example, we need to balance expanding our digital content and services whilst also catering to the audiences who prefer to tune in via traditional channels like radio and television.

As a BBC consumer personally, I am one of those who enjoy BBC content, such as the fabulous TV show “Killing Eve.” I can’t wait to see what they offer us next.

As Director of Platform, Matt is responsible for leading the transformation of the BBC’s digital and broadcast products into a fully integrated platform, bringing together the BBC’s content library, digital archive and audience services into a single integrated platform, and preparing the BBC for an Internet-fit future. Since starting at the BBC in 2017, Matt has created the Platform Group, bringing together teams around the UK that provide content and personalisation services to the BBC’s digital products into a single integrated organisation. Matt sponsors the BBC’s Step into Tech initiative, giving women training and a pathway into a digital career. Matt has also sponsored the BBC’s technology expansion in Glasgow. Prior to joining the BBC, Matt was Director of Digital Platforms at Sky, where he was responsible for the technology that powers Sky’s digital products. Matt also led the creation of Sky’s digital hub in Leeds. Previous roles include leading the team responsible for the main NHS digital platform, leading technology teams on large-scale financial services mergers and acquisitions, and taking an ISP from start-up through to exit.

Identity Connects Everyone to Everything, Everywhere 

Find out how ForgeRock delivers work from home and online consumer experiences at scale here.

Announcing the ForgeRock University Achievement Awards

Each year, the ForgeRock University team comes together to reflect on the accomplishments of our team, instructors, and Authorized Training Partners. We are thrilled to announce our ForgeRock University Achievement Award winners. 

We created the University Achievement Awards to recognize outstanding performance in the areas of student experience, growth, and innovation. Leveraging Six Sigma standards and the results from our “Metrics that Matter” study, we were able to identify those high flyers who really made a difference in the past year. 

Our Achievement Awards highlight the outstanding performance of one instructor and one Authorized Training Partner. 

Drumroll please!

The Outstanding Authorized Training Partner Award goes to ExitCertified/TechData Academy (US). 

ExitCertified was ForgeRock’s first Authorized Training Partner, joining the family in 2015. It is a delight to watch our old friends succeed and push themselves harder each year. Between 2018 and 2019, they delivered nearly 20% year-over-year growth in student days. This means that about one-third of all ForgeRock University’s 2019 student days can be attributed to ExitCertified’s incredible efforts. Additionally, their dedicated team managed to increase the overall quality of class delivery during this time of growth. This is an achievement to be applauded and more than worthy of our Outstanding Authorized Training Partner Award!

The Outstanding Instructor Achievement Award goes to Rajesh Rajasekharan of Red Education (APJ).

Technology Evangelist Rajesh teamed up with Red Education as an instructor back in 2017, delivering public and specialized private classes all across the Asia-Pacific region. He is one of our most sought-after instructors, with students regularly reaching out and highlighting his incredible expertise, patience, and interactive way of teaching. 

Having over a decade of experience as an instructor, Rajesh strives to enable the best student experience possible at all times. And it shows. Rajesh’s overall score resulted in a performance rating of 95.1%, making him the first ForgeRock instructor to win this award twice in a row!

Please join us in congratulating our outstanding partners and instructors for their fantastic achievements. We look forward to seeing who claims the outstanding achievement awards next year.

Learn New Skills

Want to learn new skills and prepare for a new world of work? ForgeRock University is offering a 50% discount on all live virtual classes from now until the end of July 2020. In addition, students enrolled in certification-related classes will receive a complimentary voucher to take a ForgeRock Certified Specialist Exam before year end. Recent additions to the curriculum include ForgeRock Identity Governance workshop and Deploying the ForgeRock Identity Platform Using DevOps Techniques. Learn more here


How ForgeRock’s DevOps Deployment Model Speeds Time to Market

Combining IAM with Docker and Kubernetes gives you competitive advantage 

Time is of the essence when it comes to developing and deploying capabilities that support remote work and online business. One of the best ways to speed time to market, scale for peak demand, and increase efficiency is by using a modern identity and access management (IAM) solution that supports a multi-cloud DevOps deployment model utilizing containerization and orchestration technologies, such as Docker and Kubernetes. With the cloud now a top enterprise strategic priority and more workloads shifting to cloud platforms every year, it’s imperative that these workloads be protected. 

New Demands Create Challenges for Traditional IAM 

IAM enables organizations to connect users to all their services with seamless and secure access from any device. For any new service, identity authentication and management are essential. However, traditional IAM solutions are complex and difficult to deploy. They lack the scalability and flexibility needed for quickly rolling out new services, upgrades, or releases. Modern IAM solutions need to be agile in order to respond quickly to market demand. This requires rearchitecting IAM to support the automated and continuous delivery that DevOps requires across any cloud. Supporting a DevOps approach and containerizing IAM using Docker and Kubernetes allows for greater flexibility when deploying IAM solutions.

What Are Docker and Kubernetes? 

Docker is a tool designed to make it easier for developers to quickly create, deploy, and run applications at scale and in any environment by using containers. Containers allow a developer to bundle an application with all of the parts it needs – such as libraries, code, and other dependencies – and deploy it as one package. Developers can focus on writing code without worrying about the system that it will be running on. Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Together, Docker and Kubernetes enable developers to orchestrate and deliver services faster with flexible deployment options, whether in an on-premises, hybrid, or multi-cloud environment. 

The Power of DevOps and Identity 

Large enterprises face identity challenges around slow time-to-market development, high deployment costs, and lack of resources and skill sets. What's needed is a cost-effective way to speed and streamline deployment, maintenance, and management with a comprehensive identity platform. 

A modern identity platform will enable you to build and maintain a production-grade, DevOps-enabled, referenceable, cloud-ready architecture that supports automated multi-cloud deployments – leveraging Docker and Kubernetes. These capabilities reduce the time you spend managing and configuring software, increase the speed of deployment, and allow you to focus on delivering business results, thereby increasing your overall productivity and competitive advantage. In fact, customers that leverage the ForgeRock DevOps deployment model have accelerated projects by three to six months and have saved 25% on implementation costs. With the right identity solution, organizations can easily protect workloads in any cloud; support millions of identities of any type; enable rapid solution development in a repeatable way; and conduct fast, simple, and highly available deployments – all without sacrificing rich features and extensibility. This ultimately leads to immediate business benefits, including accelerated time to market, increased flexibility in rolling out new services, availability and scalability, and time savings. 

Microservice architectures, DevOps and agile development as new paradigms, and container-based deployments are changing the way IT is done. There are obvious benefits in moving to such architectures, such as increased flexibility and lower cost of operations, but also increased security.   – KuppingerCole 

The ForgeRock Difference

By making it easy to utilize the power of Docker and Kubernetes technology, ForgeRock provides the fastest and most flexible multi-cloud IAM deployment options. Our cloud deployment model removes complexity and can help you accelerate time-to-market development, making it easy for you to deploy millions of identities in minutes, on any cloud, whether it’s Amazon Web Services (AWS), Google Cloud, or Microsoft Azure. You can validate deployment options against ForgeRock benchmark results and analyze the most cost-effective cloud solution based on multiple factors so that your organization can reduce costs, ensure optimal performance, availability, and reliability to meet customer demand quickly.

Learn more about our multi-cloud and DevOps solutions. For a technical deep dive, watch this on-demand webinar on Running IAM using Docker and Kubernetes. 


IAM 101 Series: Federation and Federated SSO

What It Is, Why It’s Important, and How It Enables Our Online Lives

As highlighted in our blog post, IAM 101 Series: Single Sign On (SSO), people all over the world are utilizing digital apps and services to access their jobs, stores, schools, and health services remotely from their homes now more than at any other time in history. 

In fact, the Associated Press (AP) reports: “Transaction volumes in most retail sectors have seen a 74% rise in March (2020) compared to the same period last year, while online gaming has seen a staggering increase of 97%, according to analysis by ACI Worldwide of hundreds of millions of transactions from global online retailers.”

Breaking down the rise in retail by sector, the AP article shows the following increases in transaction volumes for March 2020 compared to last year:

  • Home products and furnishings: +97%
  • Do it Yourself (DIY) products: +136%
  • Garden essentials: +163%
  • Electronics: +26.6%
  • Telco: +18.6%

Sadly, the increase in online transactions brings with it an increase in cybercrime and fraud. Just weeks ago the BBC reported: “Scammers are sending 18 million hoax emails about Covid-19 to Gmail users every day.”

With this explosion in online traffic and cybercrime, organizations and service providers are continuously asking the question: “How do we provide the easy online access our workforce and consumers want and need securely?”

Identity and access management (IAM) and federated single sign on (SSO) are the answer. They are the behind-the-scenes secret sauce that enables secure, easy online access for billions of users and all their connected things around the globe. 

So, what is federated SSO, and how does it work? Let’s review the single sign on basics first and go into federation from there.

Single Sign On (SSO) Basics: A Review

In the blog post IAM 101 Series: Single Sign On (SSO), we discuss single sign on in its simplest form, within the security perimeter of an organization. In a nutshell, all SSO relies on an IAM component called an identity store to house user credential information and attributes (such as usernames and hashed passwords) for multiple resources (such as apps, services, and systems). This one-identity-store-to-many-resources relationship is what allows internal users to log into multiple resources with one set of credentials – hence, single sign on. Identity stores are part of, and managed by, identity and access management (IAM) systems.

When users such as employees are within an organization’s IT security perimeter or firewall, SSO is relatively simple. The resources are internal, and the user has already been vetted to some degree. Therefore, there is an existing level of trust and security. 

But what about when a user or resource is not internal to an organization, such as an online banking customer or an employee using externally hosted software like Salesforce? How do they gain secure access to those apps and systems? 

Enter identity federation and federated SSO.

Identity Federation and Open Standards: The Building Blocks of Federated SSO 

For those new to identity access management and SSO, the word ‘federation’ means a united, trusted relationship between two or more entities, such as schools, businesses, government agencies, and so on. For example, the U.S. Federal Government is a federation of states. 

For purposes of IAM and SSO, a trusted union of entities is called an identity federation. Identity federations use agreed-upon protocols based on open standards that allow the federated organizations’ IAM systems to talk to one another securely in order to share identity data and access to resources across organizational perimeters. The open standards accomplish this by having one party (the identity provider) issue digitally signed, and optionally encrypted, tokens or assertions that describe the authenticated user – for example, an identifier, attributes such as an email address, the intended recipient, and an expiry time – which the other party (the service provider) verifies. The user’s password is never passed between the federated systems; only the outcome of authentication is. Commonly used open standards for federation include SAML, OpenID Connect, OAuth 2.0 (the authorization framework that OpenID Connect builds on), WS-Federation, and WS-Trust. 

Fun fact: ForgeRock’s very own Chief Technology Officer, Eve Maler, is one of the original authors of the SAML and UMA open standards, among others.

Identity federation, IAM, and open standards enable organizations to conduct business securely with third parties, such as partners, and individuals, such as customers, by allowing each organization to know who is interacting with them and what they’re enabled to do and to trust that the interaction between them is secure. This is significant because it means that identity federation, IAM, and open standards are the magic behind the curtain empowering our digital lives.

What Is Federated Single Sign On?

Building from the section above, federated single sign on is a capability only made possible by identity federation, IAM, and open standards. Because secure, encrypted communication can flow between federated IAM systems, you can authenticate with one organization to gain access to resources hosted by one or more other organizations. This is the basis of federated single sign on. For example, when you log into an app using your social media credentials (called social sign on), it means that the social media organization is federated with the organization offering the app. Additionally, federated SSO allows you to authenticate once and then gain access to multiple resources, such as authenticating to unlock your mobile phone or tablet and then getting direct access to your third-party apps.

Federated SSO translates into better user experiences because it provides greater accessibility to apps and services without the headache of having to remember multiple usernames and passwords. Additionally, for organizations, federated SSO results in better security, engagement, and conversion.

Why ForgeRock for Federated SSO and IAM? The Ease and the Results

The ForgeRock Identity Platform is the most extensive IAM platform on the market and offers the very latest federated SSO capabilities, such as passwordless authentication, which allows users to securely authenticate without usernames and passwords (yes, really). A distinguishing feature of the ForgeRock platform is its ability to give organizations the latest IAM and SSO capabilities and enable them to quickly coexist with legacy IAM systems or easily replace them.

With ForgeRock, one of the largest wireless communications providers removed 99% of the friction in their login process and decreased fraud by 25%

For example, one of the world’s largest wireless communications services providers, with more than 100 million wireless customers, was using Oracle Open SSO and required open standards, such as OAuth, SAML, OIDC, and so on. After careful consideration of many providers, they selected ForgeRock because our platform includes many of the capabilities they sought right out of the box, such as open standards support. 

The results that this large communications company realized with ForgeRock are outstanding. In terms of SSO, they removed 99% of the friction in the login process, resulting in superior customer experiences and improved customer trust. They also increased their security by decreasing fraud occurrences by 25%.

The benefits of ForgeRock are wide-ranging. In addition to bridging the gap from legacy SSO systems, the ForgeRock platform also includes integrations from the industry’s largest technology partner network, so you can leverage the latest single sign on practices, as well as easily extend your IAM capabilities to other areas without having to vet numerous vendors or buy multiple point solutions.

Interested in learning more? Read the latest trends and IAM requirements for securing and supporting your remote workforce and online consumers and citizens.


Cloud Series: Authorize Anyone, Anything with Macaroons

What are Macaroons? 

Macaroons are access tokens that use contextual authorization to confirm that the user is who they say they are, and that no one is impersonating them. Developed by Google, Macaroons are improvements on traditional cookies that reduce the scope or capability of a given token or allow for more distributed capabilities. Macaroons offer a new type of token format, specifically used with OAuth2/OIDC scopes, and they are available in the Identity Cloud.

In traditional token-based authentication, access tokens represent the authorization of a specific application to access specific parts of a user’s data. They are kept confidential with only the application itself, the authorization server, and resource server ever seeing the token. To allow for a new set of use cases to be focused on distributed capabilities, macaroon-based tokens can be verified cryptographically away from the issuer, using standard libraries and can replace regular access tokens. 

Access and Refresh Tokens 

Traditional access tokens are short-lived because, if leaked, they grant potentially malicious users access to the resource-owner resources. However, clients may need to access the protected data for periods of time that exceed the access token lifetime or when the resource owner is not available. In some cases, it is unreasonable to ask for the resource owner's consent several times during the same operation.

Refresh tokens solve this problem. They are long-lived by default, and you can configure the lifetime of the tokens in the OAuth 2.0 Provider settings or in each client. Refresh tokens, as opposed to access tokens, allow the clients to ask for a new access token without further interaction from the resource owner. However, refresh tokens can only be used once.

More Secure

Macaroons are a new type of bearer token that can be used when issuing OAuth 2.0 access and refresh tokens. They allow caveats to be appended to restrict or to provide context for how a token can be used. They can also provide additional security, as these tokens can be restricted temporarily.

For example, you can add a 5-second expiration time to a macaroon access token before sending it to an API. Additionally, you can bind it to a TLS client certificate before use.

Distributed Access 

Macaroons can also be used in place of regular access tokens, as they allow the sharing of the single access token with multiple clients and resource servers, without compromising on security. Rather than issuing multiple access tokens with different scopes, ForgeRock, acting as the authorization server, issues one access token wrapped in a macaroon, which has a broad scope. As many macaroons as needed can be created from the single access token, and the scope of each can be restricted by the trusted client using a caveat.

Caveats further add the ability for clients to restrict how the macaroon token can be used. The ability to add caveats makes macaroons very useful for delegation, for example in a microservice architecture. The client can delegate to other services, with a limited set of capabilities, bound by certain restrictions. For example, the client can append a caveat to a token that shortens the expiry time, or reduces the scope of the token, after it has been issued. Let’s say a user has an accounts receivable and an accounts payable operation with a bank. You can add a caveat to the macaroon so that the user cannot perform both actions on the same account within a 5-minute time window.

Continuous Authorization 

Macaroons continuously authorize that the user is who they say they are and that no one is impersonating them via contextual authorization. They do this by using a hash-based message authentication code (HMAC), a message authentication code computed from a secret key and a cryptographic hash function, so that a verifier holding the key can check that the token and every caveat appended to it are intact. 

Macaroons can be used when issuing OAuth 2.0 access and refresh tokens. They allow you to authorize resource access using bearer tokens that can be appended with caveats. They are based on a construction that is highly efficient, easy to deploy, and widely applicable.
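The caveat chaining and HMAC verification described in the sections above, as an added illustration that is not ForgeRock's code and does not reproduce the Identity Cloud's token format. The caveat syntax (`expires`, `scope`, `client_cert_sha256`), the root key, and the token identifier are constructed for this example; the resource server only needs the root key and the macaroon, not a call back to the issuer.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed for this example: the authorization server's secret root key.
ROOT_KEY = b"example-root-key-do-not-reuse"


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: str        # opaque reference to the issued OAuth 2.0 token
    caveats: tuple = ()    # first-party caveats, in the order they were added
    signature: bytes = b""  # HMAC chain over the identifier and every caveat

    def add_caveat(self, caveat: str) -> "Macaroon":
        # Attenuation: new signature = HMAC(old signature, caveat). Any holder can
        # narrow a token further, but stripping a caveat breaks the chain.
        return Macaroon(self.identifier, self.caveats + (caveat,), _mac(self.signature, caveat))


def mint(root_key: bytes, identifier: str) -> Macaroon:
    """Issuer-only step: the root key never leaves the authorization server."""
    return Macaroon(identifier, (), _mac(root_key, identifier))


def _caveat_holds(caveat: str, ctx: dict) -> bool:
    # Caveat syntax is constructed for this example: "<name> <value>".
    name, _, value = caveat.partition(" ")
    if name == "expires":             # absolute Unix time
        return ctx["now"] <= int(value)
    if name == "scope":               # requested scope must fit inside the allowed list
        return set(ctx["scope"]) <= set(value.split(","))
    if name == "client_cert_sha256":  # binds the token to a TLS client certificate
        return hmac.compare_digest(ctx.get("client_cert_sha256", ""), value)
    return False                      # unknown caveat: fail closed


def verify(root_key: bytes, m: Macaroon, ctx: dict) -> tuple:
    """Resource-server step: recompute the chain, then evaluate every caveat."""
    sig = _mac(root_key, m.identifier)
    for c in m.caveats:
        sig = _mac(sig, c)
    if not hmac.compare_digest(sig, m.signature):
        return False, "signature mismatch"
    for c in m.caveats:
        if not _caveat_holds(c, ctx):
            return False, f"caveat failed: {c}"
    return True, "ok"


def demo() -> dict:
    broad = mint(ROOT_KEY, "access-token-ref-42")   # issued with scope read,write,pay
    # A trusted client delegates a narrowed copy to a payments microservice:
    # reduced scope plus a short expiry, both added after issuance.
    narrow = broad.add_caveat("scope read,pay").add_caveat("expires 1000005")
    ctx = {"now": 1000003, "scope": ["pay"]}
    # Forgery attempt: drop the expiry caveat but keep the narrowed signature.
    stripped = Macaroon(narrow.identifier, narrow.caveats[:1], narrow.signature)
    return {
        "in_window": verify(ROOT_KEY, narrow, ctx)[0],
        "expired": verify(ROOT_KEY, narrow, {**ctx, "now": 1000010})[0],
        "scope_exceeded": verify(ROOT_KEY, narrow, {**ctx, "scope": ["write"]})[0],
        "caveat_stripped": verify(ROOT_KEY, stripped, ctx)[0],
    }
```

Attenuating the copy leaves the original broad token untouched, which is what lets one issued token be shared with several services at different privilege levels.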

Learn more about the Identity Cloud here. Or contact your sales rep today.

Gain Early Access and Help Shape Our AI Risk Engine


Starting today, we are extending the ForgeRock AI Risk Engine Early Access program to include new security features. This is an exciting opportunity to preview how we’re harnessing state-of-the-art AI to accomplish a Zero Trust or CARTA security model.   

Leveraging AI to continuously inspect and adapt real-time access based on historical behavior and orchestrate real-time response is a powerful way to reduce account takeovers and insider threats at the point of access, while delivering delightful user experiences.    

In this phase, we are targeting a select group of customers (both CIAM and internal) to help influence our roadmap. The early access program has two paths: one for design advisors, and one for design advisors plus data providers. For the latter, we ingest a participant’s anonymized production ForgeRock platform data, provide a dashboard, and then work together to identify threats and risks for AI model tuning. ForgeRock’s development and data science teams work closely with all early access program participants.

We are making tremendous progress and need your continued feedback to help us further enhance what will become an integral part of the ForgeRock Identity Platform that will run in the ForgeRock Identity Cloud.   

Today the ForgeRock AI Risk Engine can:
  • Identify and detect outliers and anomalies and respond with a risk score.
  • Respond by requiring multi-factor authentication (MFA) or allowing a user access without a challenge.
  • Leverage the power of trees to orchestrate risk journeys around partner network nodes, access management (AM)-adaptive risk nodes, and the AI Risk Engine.
  • Visualize anomalies and risks.

Future releases will provide organizations with continuous verification, explainability, end-user and administrator inputs for model enhancement, global learnings, and additional actions and remediations integrated directly into the platform. The engine will leverage continuous insights from the entire ForgeRock Identity Platform to optimize both user experience and security, while helping customers achieve a Zero Trust or CARTA security model.

We’re excited to invite you to help us gather feedback and shape the future of the ForgeRock AI Risk Engine. If interested, request an invitation to the ForgeRock AI Risk Engine Restricted Early Access Program today.

Fueling Groundbreaking Innovation Across the Digital Identity Landscape

CPO Vision  


We entered 2020 with a strong focus on what’s next in the digital identity landscape and a strategy aimed at turbo-charging our plans to infuse cloud and artificial intelligence into every aspect of the ForgeRock Identity Platform. Just recently, our ambitious plans got some extra fuel.

As most of you are aware, we recently announced a $93.5 million Series E round of fundraising led by Riverwood Capital. This infusion of capital will enable us to fund our investment in key innovations that will continue to help our customers drive exceptional experiences for their workforces, consumers, and things.

Identity is what makes digital access possible. It’s our passport to the digital world. If organizations do it well, they can reap significant business benefits. And, if they do it poorly, it can actually be detrimental to their business. 

At ForgeRock, we are dedicated to helping people access the connected world safely and simply. We firmly believe that identity done right is a force multiplier for positive business outcomes – like delivering better user experiences that will help increase customer loyalty and conversion rates and improve employee productivity, providing stronger security and privacy, reducing risk and improving compliance, and cutting costs. 

Now, more than ever before, as organizations work toward realigning how they conduct business in the face of a global pandemic, identity is foundational to their success today and in the future. As renowned technology investor Mary Meeker points out in her recent report on the economic and social impact of COVID-19, companies that have transitioned to digital are in the best position to emerge from the current crisis in a position of strength. We have always believed that identity is mission-critical. And today, as organizations are preparing for a post-pandemic comeback and the new normal, we are well positioned to help them succeed.

With that in mind, let’s take a look at how ForgeRock’s product strategy supports the accelerated pace of digital transformation – unlike any other vendor in this space.

First, ForgeRock’s full-suite, comprehensive identity offering is unique in the industry. The ForgeRock Identity Platform unifies a set of advanced technologies – identity management, access management, directory services, user-managed access, edge security, and identity gateway – in a cohesive way to address the needs of any organization at any stage of maturity. We will continue investing significantly in our core platform, which serves as the identity fabric that enables new business and digital services while integrating with your legacy IAM systems and applications.

Second, we are investing heavily in artificial intelligence (AI). We have a unique, differentiated vision of AI as an enabler of autonomous identity and access management. In essence, our platform leverages AI to predict, provision, and protect good access and to detect, prevent, and remediate bad access. All this is done with high confidence and in ways that can be interpreted and explained.

The third pillar of our product strategy is the cloud. When it comes to the cloud, our customers will have freedom of choice. Whether it’s their cloud, a third-party cloud platform, or our cloud, they will derive the same benefits from ForgeRock technology. An extension of our vision for the cloud is our market-first identity platform as a service solution. With this round of funding, we will continue to invest in ForgeRock Identity Cloud, which provides our full-suite, comprehensive identity offering as a service, making it easier for organizations to solve more use cases with a single solution rather than having to stitch together different point products.

This latest round of funding during an unprecedented time in recent history underscores the fundamental contribution ForgeRock is making to the advancement of a safe, easy-to-access digital world. We pledge to continue to drive innovation and support the digital transformation of our customers and their users.

Read the recent press release announcing our series E funding.

Access Control, UMA, and Everyday Experiences

In the first blog of this series, “Create Better User Experiences by Applying Confirmation and Authentication in the Right Places,” I talked about how organizations are de-emphasizing authentication in favor of confirmation to create a better, more natural user experience. 

This time around, I’m turning my attention to access control and why it’s important for transactional applications to streamline this process in order to create the best possible user experience. Access control boils down to this: Is a particular individual authorized to access a resource, and can they delegate a proxy to access that resource?

Why users need and want to delegate access

Here’s a personal example where not providing a user with the ability to delegate a proxy can get things into an unpleasant tangle. Several years back, when my job required a lot of overseas travel, I hired a bookkeeping service to attend to my personal accounting and pay all my bills. Every month, my bookkeeper would log onto the website of a particular credit card I had and pay my bill. And, without fail, the credit card company would lock the credit card because it observed what looked like suspicious activity. My bookkeeper was logging into their site from her location in the U.S., and I happened to be using the credit card to pay for things in Germany. The credit company logically concluded the card had been stolen, so they blocked the account. Was it a sensible and secure measure? Yes. Did it interfere with the user experience and cause a lot of frustration? A resounding yes! And the result? I cancelled the credit card. 

You can see why the concept of allowing users to assign one or more secondary authorized users makes a great deal of sense. When we consider financial services or healthcare, for example, it’s perfectly reasonable for an elderly parent to delegate their adult child to go to the pharmacy to pick up their prescriptions for them or manage their bank accounts.

In fact, the idea of giving access to people designated by the primary user is being used in many scenarios we’re already familiar with, such as family plans for mobile phones and bank accounts. These are all valid situations where we want delegation. And most of us are accustomed to sharing or delegating access to a group of people in Google Docs, for example. 

Beyond delegating to people, we’re also increasingly delegating authority to things, like Amazon Echo and Google Home. 

Let’s push that envelope even more by imagining a scenario where I own a self-driving car that becomes an Uber vehicle that picks up and drops off passengers while I’m at work. A number of interesting questions arise. When the automobile starts running low on gas, who will validate the credit card when the car needs a fill-up? Will the credit card company end up sending me a text message with an alert while I’m busy at the office? And what happens to the poor passenger, who is at the mercy of the credit card company approving the transaction for the driverless vehicle? 

So we can see that today, and even more so in the future, multiple identities may need to be involved in a transaction. 

Move over, MFA. Enter UMA.

As more organizations start to embrace the notion of delegation, there are some things they need to keep in mind. More often than not, the authorized users are geographically separated, they are likely to be using different types of devices, and one or more may or may not even be connected at any given time. 

Many applications currently rely on traditional means of verifying identity, like multi-factor authentication (MFA). But if MFA is their answer to security, they are making the delegation process much harder. 

This is where advanced technologies like user-managed access (UMA) can help customers and employees determine and control who can have access to their resources, for how long, and under what circumstances. And, of course, UMA can help optimize the user experience. It doesn’t have to be complicated. There are solutions available today that provide a convenient central console for organizing digital resources that reside in many locations (for example, where we save our credit card information on various sites), delegating access to others, and monitoring and revoking access. 

UMA is a great way for organizations to give users what they want and need, hassle-free, while providing privacy controls that meet compliance requirements and build trust with customers.

Curious about UMA? Find out how ForgeRock does it.