Technology Trends

Cloud Series: Which Cloud Solution Is Right for You?


You’ve made the decision to move to the cloud; now what? A second, and equally important, decision is how much or how little DevOps you will need to support that decision. Hosting your environment in your own cloud or in a public cloud still requires DevOps services (either in house or managed) to keep the system updated and upgraded as needed. And even if you choose the as-a-service approach, some DevOps will still be required, although not as much, and at a considerable reduction in cost over time. So, which cloud solution is right for you?

DevOps is a software industry term that refers to the practices around the automation between software development and IT that allow these teams to build, test, and release their software faster. DevSecOps, then, refers to the specific inclusion of security team members in the build, test, and release process.

DevOps allows operations, security, and development to work together in parallel. The elements of the typical application delivery process are deconstructed, and the resulting process emphasizes agility and time to value. When viewed holistically, large bottlenecks can be identified and removed quickly. Instead of major updates or releases, DevOps delivers smaller and more frequent updates to the software.

Your Cloud, Their Cloud

If you’ve established your DevOps resources already and one or more members are versed in Kubernetes, then you might want to consider our cloud deployment model, or CDM. It is a containerized version of our on-premises ForgeRock Identity Platform, and it is designed so that your team can lay the foundation to deploy to any cloud you want – your own, or a public cloud such as Google, Amazon, or Microsoft – with preconfigured cloud installation packages of 1 million, 10 million, and 100 million identities.

Since DevOps resources can be overworked, we’ve gone ahead and benchmarked our CDM against public cloud providers. We can help you find the right cloud for what you want to achieve. To further assist with the knowledge and skill-set gap, the ForgeRock Identity Platform also includes developer-friendly documentation so your developers can easily access cloud deployment reference artifacts, deployment methodologies, reference architectures, and benchmark performance data. And once you do deploy to a cloud, we provide additional benchmarks so you can see whether or not you’ve deployed correctly. At that point, ForgeRock can take you the final mile by helping you customize the environment to your specific needs and then make it suitable for production with live data.

Our Cloud

With the ForgeRock Identity Cloud, you can go the so-called “NoOps” route. In its most recent workforce report, the International Information System Security Certification Consortium (ISC²) finds there is a shortage of nearly 3 million security professionals worldwide. Further, there’s an even more acute shortage of professionals with both security and identity experience. If you are maintaining your own identity solution, you will need individuals with both sets of skills. If these resources are hard for you to find, then you might want to consider our platform delivered as a service.

With the ForgeRock Identity Cloud, we take on the DevOps responsibilities of deployment and maintenance so you can be up and running within weeks, not months.

You can consume the identity platform as a subscription service without worrying about hardware resources. This is ideal for organizations with minimal DevOps, where those limited resources can be better used in creating rich apps for their customers and workforces rather than on care and maintenance. With the Identity Cloud, you can focus on the complex identity use cases and not the system itself.

Learn more here. Or contact your sales rep today.


A Passwordless Future Is Here Now 

Part 3: ForgeRock Gives Customers Choice In Going Passwordless

In the second part of this blog series, I talked about how technology leaders are embracing the FIDO Alliance’s WebAuthN distributed approach to passwordless authentication to facilitate integration into numerous applications. 

In Part 3, we’ll show you how ForgeRock stands apart, offering a unique and truly comprehensive approach to passwordless authentication. Available now are both out-of-the-box and curated partner solutions for a wide spectrum of applications that go well beyond FIDO as it stands today and enable a truly passwordless experience.

Passwordless right out of the box

Available today, ForgeRock’s authentication engine has two out-of-the-box capabilities built in: FIDO WebAuthn standard support and push-based authentication.

Our identity platform natively supports the FIDO2 WebAuthn specification, which allows users to use their smartphones, computing devices, or a hardware token to authenticate to online services. That means any device that supports WebAuthn can be used as an authenticator for ForgeRock without the need for any additional software.

Also built into our platform is push-based out-of-band authentication. When an authentication event occurs on a device, the ForgeRock Intelligent Authentication Engine notifies the user that authentication from a device that has been enrolled in ForgeRock is required. There are two ways to enroll a device: scan a QR code with the ForgeRock Authenticator app (available in the major app stores), or implement an app integration via ForgeRock’s Zero Touch mobile software development kit (SDK). Once the device is enrolled, ForgeRock automatically sends a push notification and asks the user to authenticate using the method native to the device, such as touch, facial recognition, or other techniques.

The ForgeRock Trust Network

Through the ForgeRock Trust Network, an extensive ecosystem of over 75 partners, we give our customers and their users ultimate flexibility and choice. Our portfolio of third-party solutions includes centralized biometric systems to satisfy the need for roaming or inter-device movement, easy-to-implement and creative FIDO solutions, and innovative biometrics modalities that go beyond what is available with FIDO or native to the device. 

Here are some examples of what’s available:

  • Centralized biometrics: We have partners that can store any type of biometric data – whether it’s voice, thumbprints, or iris scans – in a non-reversible way. In essence, the biometric data that the application consumes is hashed so that it can’t be reassembled. The minutiae from any biometric are put through a non-reversible algorithm, which allows you to centrally store the biometric in a secure form. This enables you to do things like free seating, where you don’t need to enroll individual devices and marry them to individual users. This is especially relevant in healthcare, military, and government applications.
  • Multi-modal authentication made simple: Some of our partners have created out-of-the-box multi-modal authentication systems, many using FIDO. But rather than having to go out and find separate facial recognition, iris scan, or thumbprint authenticators yourself, they’ve done all the legwork. These partners license all the different biometric authentication techniques and bring them together. They then add a management layer, a user experience layer, and developer tools to make the solution easily adaptable to any device. FIDO often operates behind the scenes transparently – you don’t even know it’s there. These multi-modal solutions are useful in situations where a company wants a choice as to which mode of authentication they prefer and be able to provide the user with the same choices. Leveraging our partners’ technology, the ForgeRock Intelligent Authentication engine orchestrates that experience. 
  • Flexible and Futureproof: ForgeRock partners are using new and innovative authentication modalities that extend beyond biometrics. Whether it’s optical codes you scan with your smartphone replacing usernames and passwords or proximity technology that can determine if you are standing in front of an ATM, our partners are bringing customers a world of innovation. This means that as circumstances, use cases, and technologies evolve, ForgeRock customers can take advantage of the latest advancements.

Behavioral biometrics and device reputation technology further strengthen passwordless authentication

Once you stop collecting passwords and start using biometrics or other authenticators, it’s helpful to have behavioral authentication working behind the scenes to detect fraud and risk signals. ForgeRock’s partners can create behavioral biometrics profiles for users by collecting and analyzing hundreds of human-device interactions, like scrolling patterns and speed, keyboard typing, finger size, and more. This can help determine whether the user is a human or a bot that may be lurking on your websites and in your applications. A person’s unconscious behavior can prove to ForgeRock that they are who they say they are. If that behavior doesn’t match the profile, we can require the person to re-authenticate or use a stronger form of authentication. With these partners, we’re always checking on users behind the scenes.

On the device reputation side, our partners have massive global networks tracking devices involved in illicit behavior. This tells us whether a device is untrustworthy or appears to have been used for fraudulent activity. In those cases, we can require stronger forms of authentication or deny the user outright.

Whether you are using ForgeRock’s built-in passwordless capabilities, leveraging the industry’s most powerful partner ecosystem, or layering in behavioral biometrics and device reputation solutions, it all comes together seamlessly with ForgeRock’s Intelligent Authentication technology. Intelligent Authentication allows our customers to orchestrate the perfect passwordless user journey, from end to end.

Are you ready to embark on your passwordless authentication journey? Don’t delay.

Start by clicking here to find out more about ForgeRock’s Trust Network.

Check out the rest of the Passwordless series here:


Update to Our Customers and Partners

It's been a week since my last note. I have to say that I've been in awe as I watch the world respond to COVID-19 in ways both big and small. In my own neighborhood, a sign-up sheet at the local market has been posted on the door asking for volunteers to deliver groceries to the elderly. Despite the unfortunate circumstances, finding a way to lend a hand while we shelter-in-place has made me feel even more connected to my community. 

At ForgeRock, we continue to look for additional ways to support our customers through this challenging business environment. Today, to ensure that our customers’ identity platforms are prepared for the changing business environment, we announced we'll be providing a free remote performance check through June 30, 2020. We know our solutions help people safely and simply access the connected world. It's more important now than ever before, as employees and consumers are relying on remote access to everyone and everything. With the remote performance check, we'll help our customers assess whether their ForgeRock systems need any tuning adjustments to keep their operations running smoothly.  

For organizations that may be in need of a new modern digital identity platform as they experience new challenges, there is a free 180-day evaluation version of our software available for download.

Fill out this form and we'll get back to you to arrange an appointment for the performance check. 

Stay safe, 




Is Delight Necessary to Win the Hearts of Employees and Customers?

Why improving user experiences should be the aim of your digital identity system


Across all sectors, customer centricity and user experience are a focus area in the battle to win, service, and retain income-generating assets (yes, that’s what a customer effectively is) for businesses.

An overused term is “Delight your customer” and I have two main issues with this:

  1. You probably don’t need to delight, but instead be just a bit better than good enough!
  2. What about employees? Surely they need a bit of love too?

Why do we think we have to delight our customers?

To set some context, everyone holds the big guys like Apple, Google and Amazon up as examples of delightful experiences. The argument is that they deliver delightful experiences AND that they can pretty much jump into any sector and disrupt things brilliantly.

Some of this is true, but much of it is hyperbole. Yes, the iPhone was revolutionary; it made its competition (BlackBerry) look Jurassic. It created devoted fan boys and girls the world over, BUT if you use multi-factor authentication (MFA) with Apple ID, it will still send the MFA request to all your devices, including the one you are trying to authenticate. This, to me, is broken security UX.

Google makes search simple. YouTube is amazing. Nest products are great. But have you ever tried to use Android as a mobile operating system? It’s the most fragmented ecosystem out there, making it ripe for all sorts of vulnerabilities (including human ones). And have you tried to set up your home with Google’s Nest products? Just try creating your own routines.

What I am saying here is that these companies have created some amazing user experiences, but not universally, and they have tended to focus on the key ones for their own users.

Pretty much every employee you have uses services from these companies every day, so their expectations of user experience are driven from outside the workplace. We are in a momentous shift right now where the next generation of employees are 100% digitally native and will shun poor digital experiences at work. The previous generations were pathfinders in how IT could be incorporated into the workplace and, as such, are more accepting of fragmented systems and services leading to complex user experiences.

Is it a delightful experience or just less frustration that we are after? 

No one will ever tell their friends or colleagues that a password reset experience was “A-MA-ZING.” The same goes for any digital experience that is effectively just replacing a legacy human-powered job. The one exception I have found is when folks first set up a new digital banking service from one of the modern challenger banks; however, some of this is plain old confirmation bias (I did this, so therefore it's cool and so am I).

Instead, our target should be simplification – with just enough friction to remind the customer that there is something worth doing and protecting. We need clear communication with clean interfaces.

As a consumer, I much prefer self-service whenever possible. I hate trying to do something quickly from my phone and then getting frustrated when the end state is “Call our customer service department to be put on hold for 30+ minutes and waste time.” 

As an employee, I want to have automatic access to the systems and services I need to do my job on day one. And I want one set of credentials, preferably with some nicely delivered biometrics/MFA. If I need something else, I can request it simply. If I need to reset my password, I can do it myself – or, even better, we get rid of passwords altogether.

One area where I feel significant progress has been made is in citizen services. Not just in the UK but globally, there are some very diligent people trying to make the boring necessities of paying taxes, registering vehicles, and other tasks simple to do with digital services.

The mantra of every service designer should be: What is going to save my customer or employee time and hassle? No more than that.

Poor experiences drive people away or at the very least make them angry 

While everyone fears the worst – that if you deliver a less than delightful experience, then Google will eat you – the real problem is that bad experiences are frustrating customers and employees the world over.

A personal example for me is whenever I change my phone and have to redeploy my mobile banking application. Nine times out of ten, I end up having to go into the bank branch to get it all working again! The process is so complex and badly thought through it makes me wonder what my loyalty is for.

Being driven from a supposedly digital-only process through to a human process is deeply frustrating and, as previously mentioned, wastes time. However, we still don’t need a delightful experience. We just need one that works well.

In the workplace, it is often perceived as less impactful, with a common attitude of “oh well, it's part of the job to deal with this sh*t, isn’t it?” But broken processes as simple as password reset or provisioning the correct application to the correct user cost you money in both IT support costs and lost productivity.

So what should I do about this? 

I would immediately go to your IT support and customer support teams to find out what repeatable things they get stuck doing the most often. Then fix that. It is likely going to be in the areas of: customer registration, password reset, consent management, registering a new MFA device, registering a new phone etc. And in the workforce it's the same reality with some different words: Staff registration and application provision (Joiner, Mover, Leaver), password reset, and MFA device registration.

Then look to re-engineer and simplify those processes. A comprehensive IAM platform can really help you here along with some very clever marketplace solutions for things like behavioral biometrics. A/B test these new processes with your users, and keep on iterating. The key performance indicators (KPIs) will be easy to track in IT department/customer service call metrics. The benefit to your business will be cost savings in these areas as well as happier but probably not delighted customers and employees.

Oh, top tip! If you have a support process that starts online and moves to the call center – for example from a chat bot to a call – don’t make them go through a complete life history on the phone to re-authenticate! Instead, use an out-of-band authentication direct from the chat bot or even just call them back automatically. 

What this boils down to is time and cost savings 

For every “customer” self-service password reset, profile update, or access request that does not end up with a customer contact center or your IT service desk, time and money are saved – not just at the service desk, but also in productivity: I fix my issue and can crack on with work. Another big benefit is increased customer satisfaction and increased revenue: I fix my issue and can carry on accessing your services.


The world is changing. Across the globe, economic and societal factors are shifting the way we, as consumers and employees, access what we need. COVID-19 is just the latest example of this. In Southeast Asia, one of our financial services customers is seeing a 300% increase in online service requests and a 50% drop in branch foot traffic. Employees are being told to work from home, and Zero Trust and CARTA are being deployed to support these initiatives.

Identity experiences are the first interactions you have as a customer or employee when accessing what you need, and these need to be better than good enough. We’ve got ideas on how to achieve that bar. 

Part Two: 5 More IAM Capabilities to Support Remote Work and Online Business at Scale

In our first post in this series, we discussed how traditional IT environments and legacy identity and access management (IAM) systems are being pushed to their limits due to the increase in remote users and sessions. We also touched on the increase in security risks associated with the significant increase in employees working from home. We then detailed five modern IAM capabilities, such as enabling Zero Trust security and bring your own device (BYOD) models, that help support remote work, study, and play at scale. 

In this post, we’re continuing the conversation with five additional (and highly important) capabilities that support business at scale without compromising security and user experience.

1. A Unified Experience Through a Single View of the User

When shopping, studying, or working from home, poor user experiences can become deal breakers. From an IAM perspective, a disjointed view of a user is often to blame. Most users (employees, customers, students) interact with an organization across many different channels (i.e., applications and systems for things like HR, marketing, accounts payable, and so on). There may be user data integration between some channels, but on the whole, across an organization, each channel and its data about a user are siloed. This makes it difficult to understand a user (student, consumer, workforce) from a 360-degree view, which includes knowing all their access rights, preferences, usage, potential risks, and more. Unfortunately, legacy IAM cannot bridge the silos to help solve the puzzle.

In order to gain a complete picture of your users and how they interact with your organization, modern identity and access management (IAM) uses identity management and directory services products to synchronize, migrate, and manage identity data across your organization’s system environment. With a single view of a user, you’re then able to: 

  • Consolidate user identities and increase their security with behavioral, contextual, and risk-based authentication and authorization policies
  • Standardize and unify the user experience across any device (omnichannel)
  • Continuously gather information about users in a streamlined, non-intrusive way (progressive profiling)
  • Increase user acquisition and retention with easy registration (social registration) and exceptional, personalized experiences
  • Conduct analytics on profiled user bases to better understand users and risks

Read how the State of Utah integrated and unified over 900 applications, resulting in over $15 million in savings.

2. AI and ML Powered Identity and Governance 

Today, many organizations are unexpectedly supporting their entire workforce remotely. This increase is likely challenging their current employee IAM systems, as well as the IT staff, administrators, and managers who have to ensure that the right people have the right to access the right systems and applications while working from home. Additionally, the risk of breaches, hacks, fraud, and other malicious activity also increases with the sudden increase of remote employees. All of this is a problem to be solved.

Identity Governance and Administration (IGA) helps you manage and provision user access, as well as reduce the risk that comes with employees having excessive or unnecessary access to applications, systems, and data. Machine learning (ML) and artificial intelligence (AI) take IGA to the next level by automating the most common activities. This includes automatically approving access requests, performing certifications, and predicting what access should be provisioned to users. All-inclusive modern IAM platforms that offer identity and IGA powered by AI and ML increase efficiency and provide more time for IT staff and access approvers to focus on access rights that have been identified as risky or anomalous. The result is improved security and reduced administrative burden.

3. API Security

APIs make today’s remote world go round by linking people, systems, and services together, no matter where they are. As detailed by KuppingerCole in their API Security Leadership Compass report and Modern Identity Fabrics research paper, API security is a linchpin of modern identity and access management strategy. With identity-enabled APIs, you can:

  • Meet customer expectations by delivering seamless, omnichannel experiences
  • Create value-added services through partnerships and third-party integrations
  • Bridge legacy systems with modern applications
  • Aggregate internal and third-party user data into a single view

Securing APIs requires a standards-based, modern IAM platform capable of exposing rich APIs for seamless integration, deployment agility, and continuous delivery. Modern IAM platforms also use a gateway to secure APIs and users by enforcing authorization for any type of traffic. You can also monitor API traffic, throttle traffic volume, and detect anomalies.

4. DevOps Friendly Architecture

Time is of the essence when it comes to developing and deploying capabilities that support remote work and online business. One of the best ways to improve speed to market is to adopt a DevOps model. 

DevOps enables software development and deployment cycles to run continuously, so you can roll out new apps, services, and capabilities faster by reducing time to production. Because of the efficacy and rapid adoption of DevOps, future-minded IAM platforms support DevOps deployment with containerisation and orchestration technologies such as Docker and Kubernetes.

5. Flexible Cloud Options to Consume or Deploy 

Today, getting modern IAM capabilities that securely support remote work and online business quickly is important. Traditional, legacy IAM deployment and maintenance is often lengthy, costly, and complex, requiring numerous resource hours and slowing time-to-market. Further, legacy IAM solutions can be very difficult to modify in order to meet new needs, trends, and demands. On the flip side, consuming or deploying modern IAM in the cloud accelerates time-to-market, increases flexibility, availability, and scalability, and saves resource time. 

By deploying a modern IAM platform in a cloud environment (private, public, hybrid cloud, multi-cloud) or consuming it as a service (IDaaS), you can easily move your existing workloads and get up and running within minutes without sacrificing rich features and extensibility. Further, with IDaaS, you also get the benefit of offloading maintenance to the provider, as well as the big advantage of always being on the latest version.

Importantly, IAM providers that offer an IDaaS platform with feature parity to their software platform give you the invaluable flexibility to easily shift your IAM environments according to your business needs with minimal disruption.

Get IAM Done Right With ForgeRock 

The modern IAM capabilities explained above, as well as those discussed in our first blog post, enable exceptional experiences and security for your remote users and online business at scale.

With our eyes on the present and the future, we ForgeRockers are passionate about helping our customers create exceptional, secure user experiences. We’d like to help you. Learn more about connecting everyone, anywhere or contact us for a conversation.


5 IAM Capabilities You Need to Support Remote Work, Study, and Play at Scale

With the increase in ‘online everything’, traditional IT environments and legacy identity and access management (IAM) systems are being pushed to their limits. The result is latency, frustration, friction, and increased risk, causing organizations to ask how to support business at scale without compromising security and user experience.

Here are five modern IAM capabilities to help you get started. 

1) Availability and Scale

To keep your business going and make user experiences fantastic, it is important to ensure that a user’s access and session remains undisrupted should something happen, such as a server going down. Modern IAM platforms should include both service availability and session availability. Service availability ensures that users can access a site when a server goes down. Session availability preserves and keeps a session running if a server goes down.

Modern IAM should also support a variety of scale scenarios. This includes an ever-changing number (often millions) of users, devices, and things, as well as changing frequencies and lengths of simultaneous and concurrent sessions. Additionally, to help maintain healthy services and protect against breaches and distributed-denial-of-service (DDoS) attacks, you should leverage an Identity Gateway to monitor API traffic, throttle traffic volume, and detect anomalies.

2) Custom Authentication Journeys

As employees, students, or binge watchers, we all want fast, frictionless access to apps and services. At the same time, organizations need to protect their assets and customer data from fraud and cyberthreats. By customizing authentication journeys with factors such as user type, device, and geolocation, as well as using self-service features such as self-registration or password reset, you can reduce friction during the authentication process in order to provide a great user experience. On the flip side, you can also add friction, such as multi-factor authentication, when there’s suspicious activity.

3) Support for Bring Your Own Device (BYOD) 

Remote workers and remote students often need to use their own devices to do their work. Supporting BYOD models requires modern access management. Just as with the custom authentication discussed above, with modern access management capabilities, organizations can easily define different user journeys for access by device. This is done by capturing device-specific context such as IP address, localization, browser agent, and device characteristics. You can also store, with the user's consent, a cookie in their browser to help identify them when they return. By capturing this rich data set and then using it to make runtime access decisions, organizations can configure flexible yet secure journeys that prompt the user to authenticate, re-authenticate with a second factor, or completely deny access when appropriate.

4) Support for Zero Trust/CARTA Security Models 

It’s a sad reality that fraud and cybercrime have persisted and even risen in the wake of current events. Zero Trust/Continuous Adaptive Risk and Trust Assessment (CARTA) security models are based on the idea that no network, individual, thing, or device can be trusted. Modern identity platforms should be able to determine whether an entity requesting an action is authorized to do so and whether it has proven it is the entity it claims to be with a sufficient level of assurance based on the risk of the specific action. Within these models, every action taken must be properly authenticated and continuously authorized. To do this, authentication and authorization decisions take a rich set of contextual information into consideration and become risk-based rather than binary.

5) Privacy, Consent, and Regulatory Support 

To support a remote workforce requires that you comply with the various regional regulations (such as the California Consumer Privacy Act [CCPA] and General Data Protection Regulation [GDPR]) that apply to your employee, student, and customer locations. For global and regional compliance, it’s critical that modern IAM platforms enable you to meet regulation and compliance standards. This includes Privacy by Design and consent mechanisms based on the UMA 2.0 standard, as well as integration with other software that helps meet regulatory requirements.

And equally important, to provide a great experience for your users, you also need to make it easy for them to register, consume, and manage their personal preferences or run the risk that they will leave for a better experience offered by competitors. Modern IAM platforms should include intuitive and user-friendly privacy and control mechanisms that make it easy to register and manage profile and privacy settings.

We’re Here to Help 

With modern IAM capabilities, you can easily address the demands for remote work, study, and play at scale. ForgeRock is here, prepared, and able to help you quickly meet the challenge. Getting started is simple. Contact us to start a conversation or learn more about how to connect everyone, anywhere.

Interested in more IAM capabilities that enable remote work and online business at scale? Check back next week for five more tips or sign up for our RSS feed to get the latest ForgeRock news sent to you directly. 

Living and Working in a New Reality

I think it’s safe to say that anyone reading this will have to agree that the last several days of work have been unprecedented for all of us. Whether we are in lockdown or shelter in place in San Francisco, New York City, London, or Milan, social distancing (not to be confused with conscious uncoupling) and work-life balance have taken on new meaning. Our ability to work remotely, often accompanied by small children, has changed greatly with the closure of public areas, movie theaters, malls, small businesses, and schools.  

And amidst all this, I began my journey with the incredible team at ForgeRock.  

If you’ve been around since the advent of cybersecurity or have read a history book or two, you know that ForgeRock’s team has some of the best brains in the field of digital identity. When combined with Rivest, Shamir, and Adleman of days gone by, these are the folks that got us to where we are today in terms of large-scale authentication and authorization.   

And here we are now, in a new reality.

Instead of heading to my new bright, modern office in San Francisco, I am sitting at home, like millions of other remote workers across the US and the world. I am very familiar with being a remote employee, and I can say that my #1 headache as a remote employee was having the right access to the right thing when I needed it. I experienced a lot of frustration about the lack of a centralized tool that did it all, rather than one tool to manage my federated access online and another tool for on-premises identities. Keeping up with passwords is a nightmare for the user. Keeping up with multiple tools is a nightmare for the IT and security teams. It all spells resource contention and confusion.

Today, we also see unprecedented numbers of consumers using the Internet to buy products, and have them delivered so they don’t risk going to public areas. Those consumers have a choice as to where they can buy something. If they can’t get logged into ACME, they go to Amazon or Walmart. If they can’t reset their passwords, they will take their business elsewhere. What happens when doctors and patients need to have access to medical records without having access to the entire site? And when buying experiences are customized, no one wants to go back to have to start all over to customize their experience.

And this is why identity management still sits at the top of the prevention chain and Zero Trust models. We are experiencing the latest paradigm shift in our generation: remote work is no longer that perk you get in a Silicon Valley startup. It's the reality for us all. As businesses close and move to online, it's critical that the industry keeps up. The discussion around remote workers has gone round and round for years, and now it's a necessity.    

When I made the decision to join ForgeRock, there was a tremendous sense of pride knowing that I would be joining a company as it launches into the cloud with its Platform-as-a-Service offering. ForgeRock holds so much of the braintrust that has shaped identity and access management over the years. Now we intend to bring that same level of smarts to the cloud so that our customers can bring their innovations and products to the market faster and provide quicker time to value. And given where we are today, there is no better time or place to be as customers navigate this new era. Check our offerings and I hope you’ll agree ForgeRock is well positioned to help.  

A Message To Customers and Partners

Today, we are faced with an unprecedented crisis created by the COVID-19 virus. The global pandemic is affecting all of our families, our businesses, and our communities. I am confident, nonetheless, that, together, we will all rise to the challenge to defeat this virus and that our society and economy will recover. During this time, I want to reach out and update you on how we’re approaching the situation at ForgeRock.

All of our employees around the world are now working from home. With our highly distributed workforce and many of our employees already working remotely, this shift has been relatively smooth. We continue to deliver the highest levels of performance, availability, and security. We are also asking our teams to work with our customers and partners through digital channels as much as possible.

We recognize that we have a unique responsibility to our customers and partners as a provider of digital identity solutions, which are more important to you than ever before. We know that more of your employees are now working remotely and that they require seamless and secure access to company resources in order to stay productive. And we realize that more and more of your customers are choosing to work with you over digital channels instead of visiting physical locations. Businesses that maintain both a physical and online presence are seeing major shifts in how their customers are engaging with them. One financial institution told me this week that while their foot traffic has dropped by 50%, their online traffic has climbed by 300%.

The ForgeRock team is prepared to step up and support you. We are dedicated to your success. We have a number of digital solutions ready to go to help keep your remote workforce productive and connected. Please reach out to our Customer Success organization or your account team if you need assistance during this difficult time.

And please do not hesitate to reach out to me directly at

Stay safe,

Fran Rosch

A Standard Finally Bridges the Gap

A Passwordless Future: Part 2  

In Part 1 of our series, we talked about the world’s desire to eliminate passwords and how smartphone providers have contributed to getting us closer to this goal through the use of biometrics. In this post, we’ll take a look at the importance of industry standards.

Until recently, there was no easy way to use biometrics to ditch passwords unless you were willing to endure tedious efforts to retrofit your application. Even when biometrics sensors became more ubiquitous, there was a huge gap between the sensor and the applications that needed to use it for login. You would potentially need to build integrations for each biometric sensor on each platform for every application, as there was no standard to tie them together.

Even as smartphone vendors rolled out biometric authentication experiences on their devices, there was still a password in the background that was used to authenticate to applications and services. The smartphone vendors used a sleight of hand, where they would store usernames, pins, and passwords in the device’s secure element and “replay” them to applications on demand after biometrics unlocked the secure element. Although the experience was more convenient for the user, the password still presented a potential risk for hackers to exploit. What the industry needed was a universal passwordless standard that could be used by every application.

FIDO leads the march toward a passwordless future 

Now, with the help of its member community of identity, security, and biometrics experts, the FIDO Alliance has developed and promoted free, open standards that have taken passwordless authentication to the next level, so it can be more easily adopted.

In 2018, FIDO adopted the WebAuthN specification created by the World Wide Web Consortium (W3C) as part of its FIDO2 standard. This provides an application programming interface (API) that can be easily implemented on any website or service and can communicate directly to a browser like Google Chrome, Microsoft Edge or Apple Safari to initiate FIDO-based authentication. This democratized passwordless authentication in a significant way.

These specifications are designed to delegate authentication to endpoints like mobile phones or computers. And the specifications are agnostic when it comes to the actual modality used for authentication. They can even work in mixed environments, where one user may be authenticating with facial recognition, another with an optical code, and yet another with a thumbprint.

FIDO has already established a foothold among technology leaders. In fact, Apple recently joined the FIDO Alliance and holds a seat on the board. Other leading organizations that are members include Amazon, ARM, Facebook, Google, Intel, Microsoft, Mastercard, PayPal, Samsung, Visa, and VMware. Apple MacBooks with the Touch ID feature have integrated FIDO, and Samsung has already shipped devices where the biometric sensor is FIDO-enabled. Thanks to FIDO and WebAuthN, application owners can finally remove the password completely.

How FIDO’s distributed approach differs from a centralized approach 

Let’s take a deeper look at how FIDO and WebAuthN differ from traditional approaches to biometrics and passwordless authentication.

In the past, biometric data would be sent to a server, processed, and then stored as minutiae points, which were mapped to the biometric scan. Every time a person would present their iris or thumbprint to access a device, the stored data would be used to confirm a match and then grant access. The upside to this method is that the minutiae points were typically meaningful only to the biometrics system, so cybercriminals could not steal the minutiae points and recreate a thumbprint or iris. The downside was that people were uncomfortable with the centralized storage of their biometrics.

FIDO and WebAuthN, on the other hand, work by decoupling the biometric a person uses to authenticate from the app that person wants to access. WebAuthn introduces the concept of “authenticators”. Roaming authenticators move between computers over USB, near-field communication (NFC), or Bluetooth; platform authenticators are built into the device’s operating system. Authentication can be as simple as an action that proves a person is present, such as touching a USB fob, or a native biometric, such as a fingerprint.  

During the initial registration, a unique cryptographic key pair is created: a private key that is kept secure within the authenticator and a public key that is sent to the service. During authentication, a simple challenge/response occurs, and only a response signed with the correct private key will complete authentication. In a typical flow, FIDO and WebAuthN are used in conjunction with a secure element, so that the cryptographic keys can be generated and stored there. The biometric unlocks the private key, which signs the challenge that is returned to the server; the private key itself never leaves the authenticator. Each service gets a unique key pair, so not only would a hacker need to attack every single device, they would also need to identify and compromise each key. 

All biometrics data is stored on the device rather than on a central server. Because of this, a fraudster would have to steal this information by hacking one device at a time. But, generally speaking, it’s not a worthwhile pursuit for a cybercriminal due to the amount of time this would take. Essentially, there’s no central treasure chest where hackers can gain access to thousands of devices, passwords, or minutiae points that they can potentially leverage for other attacks.

The power of WebAuthN is the flexibility and range of authenticators that can be used. WebAuthN authentication is built into operating systems such as Microsoft Windows 10 with Windows Hello, which allows keys to be stored on laptops as well as on USB, NFC, and Bluetooth devices. This enables users to carry their authentication method with them across multiple devices.
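The registration and challenge/response flow described above, written out as a worked Go example. This is added here and is not code from the post, from ForgeRock, or from any FIDO/WebAuthn reference implementation; it uses a simplified clientData layout (challenge and origin joined by a separator) and a one-key-per-relying-party authenticator, both assumptions made to keep it short. The relying-party checks it performs (expected challenge, expected origin, rpID hash, a signature counter that must advance, and the signature itself) are the ones that make the scheme resistant to replay and to look-alike sites, and are the reason the server only ever needs to store a public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for a FIDO2 authenticator (the post's secure element): one key pair per relying party, private keys never leave it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // rpID -> private key minted for that site
	counter uint32                       // signature counter; lets the RP spot replays and cloned keys
}
// Assertion is the authenticator's answer to a challenge: a signature, never a key.
type Assertion struct {
	AuthData   []byte // sha256(rpID) || flags || big-endian counter
	ClientData []byte // challenge || "|" || origin (a simplified clientDataJSON)
	Signature  []byte
}
// RelyingParty is the server side for one user: a public key and the last-seen counter.
type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
	Counter    uint32
}

// Register mints a key pair scoped to rpID; the public key is all the relying party receives.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// signedDigest mirrors WebAuthn: the signature covers authData || sha256(clientData).
func signedDigest(authData, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return d[:]
}

// Sign answers a challenge after the user proves presence (touch or biometric); rpID hash and origin are under the signature.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte, userPresent bool) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !userPresent || !ok {
		return nil, errors.New("no usable credential for this relying party")
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flag 0x01 = user present, then 4-byte counter
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	clientData := append(append([]byte{}, challenge...), "|"+origin...)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientData))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, clientData, sig}, nil
}

// Verify runs the relying-party checks: our challenge and origin, our rpID hash, an advancing counter, a valid signature.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if string(as.ClientData) != string(challenge)+"|"+rp.Origin {
		return errors.New("challenge or origin mismatch")
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("assertion is not for this relying party")
	}
	ctr := binary.BigEndian.Uint32(as.AuthData[33:])
	if ctr <= rp.Counter {
		return errors.New("counter did not advance: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientData), as.Signature) {
		return errors.New("bad signature")
	}
	rp.Counter = ctr
	return nil
}

// Demo registers, logs in once, replays the same assertion, then asks for a signature for a look-alike site. Expected: true, true, true.
func Demo() (loginOK, replayRejected, crossSiteRejected bool) {
	auth, bank := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}, &RelyingParty{ID: "bank.example", Origin: "https://bank.example"}
	bank.Pub = auth.Register(bank.ID)
	challenge := make([]byte, 32) // the server's fresh random challenge
	rand.Read(challenge)
	as, _ := auth.Sign(bank.ID, bank.Origin, challenge, true)
	loginOK = bank.Verify(challenge, as) == nil
	replayRejected = bank.Verify(challenge, as) != nil
	_, err := auth.Sign("bank-login.example", "https://bank-login.example", challenge, true)
	crossSiteRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Two details carry the security argument. The cross-site case fails inside the authenticator, because the key was minted for `bank.example` and nothing exists for the look-alike rpID; and even when the correct rpID is used, the origin sits under the signature, so an assertion obtained through a different origin fails the relying party's ClientData check. In a browser the origin is filled in by the user agent, not by the page, which is what makes that binding trustworthy.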

ForgeRock offers a more flexible alternative while still supporting FIDO standards 

ForgeRock provides a comprehensive approach to passwordless authentication. Not only do we provide native support for WebAuthN, we also have alliances with partners that have developed curated FIDO solutions for many different types of applications. We’ll take a deeper dive into the ForgeRock difference in Part 3 of this blog series.

Click here to learn more about the FIDO Alliance.

Cloud Series: Build, Buy, or As A Service?

One problem for organizations today is finding a robust and secure modern identity solution. For some, the prospect of managing a few thousand identities seems manageable so they opt to build it themselves. For others, managing tens of thousands of identities is a purchasing decision and one that may have been made years ago. As the needs for digital identity become more complicated and as the scale of the identity market grows to include millions of devices, it is clear that neither a homegrown nor a legacy solution will be able to meet future demands. Your best bet may be a new, future-proof, as-a-service identity solution that grows with your business needs.

Build an Identity Solution 

Building your own identity solution takes time. Having your development team tackle this in-house also means there will be much less time for those same individuals to develop other rich features that you may need for your consumer-facing apps. Doing both the front-end and back-end work could cost time to market that you don't have.

If you decide to create your own solution, will it be secure? Security experts today are hard to find. In its most recent workforce report, the International Information System Security Certification Consortium (ISC²) finds there is a shortage of nearly 3 million security professionals worldwide. Further, there’s an even more acute shortage of professionals with both security and identity experience. If you are designing your own identity solution, you will need individuals with both sets of skills.

Even if you do take on the creation of an identity solution with a team of security and identity experts in place, will the final product be enough? The solution that emerges may solve today's immediate identity problems, but what about tomorrow’s? Solving for the long term includes not just anticipating new standards and requirements, but also being able to integrate the solution into new infrastructures. 

Will your homegrown solution scale? You may need to manage 100,000 external identities today. But, after a few years, what if your company grows to the point that you may need to manage 200,000 or even 500,000 external identities? Does that scaling also affect the homegrown solution’s performance? 

Finally, if your solution is homegrown, who will maintain it? Once the original engineers have moved on, who will maintain and update it? Over time, computer languages fall out of favor, standards change, or new ones are adopted. Finding a niche developer who can maintain your decade-old boutique identity solution may not be worth the effort.

Buy a Solution

Maybe you bought an identity solution. But some legacy identity systems – including those native to the cloud – might not fare any better over time. That identity solution you bought a decade ago – either on premises or in the cloud – is probably starting to show its age. And just because it’s from a household-name vendor doesn’t mean that solution will receive the attention, development, or innovation today that it needs for tomorrow. Businesses change, and if their core business isn’t identity, then maybe you should look elsewhere.

If identity is not the vendor’s core business, then older identity solutions may also be slow to adopt new features such as WebAuthn. Or there may also be hidden costs associated with bolting on new pieces of the identity jigsaw puzzle, requiring additional specialized equipment or expertise.

Legacy systems may also lack an integrated, single view of the customer. Data stored in different silos can increase the risks of a data breach, or, at the very least, lead to a negative brand experience if consumers are required to register for separate but related services from the same organization. 

Finally, legacy systems may lock you into their proprietary universe. This can be a problem if the solution doesn’t allow you to anticipate new business needs or to integrate new solutions down the road, narrowing your options year after year.

With cloud-delivered identity solutions, some of these concerns are lifted. The traditional run/operate costs are reduced by removing the maintenance costs associated with on-premises servers. Until recently, the value of identity in the cloud has been tested in the market only with point solutions that mostly connect workforce users to other cloud apps. This is one of identity's most simple use cases. And it represents only a tiny percentage of the estimated $7 billion cloud identity market.

ForgeRock Identity Cloud 

For CISOs and identity architects who want a unified view of their customers, employees, and device activities, ForgeRock provides the most comprehensive identity platform as a service on the market. Unlike other identity solutions that are nearly a decade old and cobbled together from existing solutions – and therefore not a true unified identity platform – only ForgeRock can be deployed anywhere and deliver true scale with millions of identities for customers, workforce, and things.

Sign up today for a preview of our ForgeRock Identity Cloud. It’s our comprehensive identity as-a-service solution built with the power of the ForgeRock Identity Platform. Now, whether you deploy ForgeRock on premises, in a hybrid or multi-cloud environment, or natively with the ForgeRock Identity Cloud, you’ll be able to solve identity’s most complex problems with a single comprehensive and extensible platform so you’ll never outgrow your identity solution.

That’s the ForgeRock difference.

Learn more here. Or contact your sales rep today.

ForgeRock Secure Sharing: The Framework

My previous blog outlined how a sharing solution involves trusting people, resources, applications and services, and the access information communicated between a producer and consumer. Let’s turn our attention now to the specific architectures, standards, and technologies that are used to implement an advanced secure sharing solution. 

The Kantara Initiative, Inc. developed the User-Managed Access (UMA) 2.0 specification, which describes an open standard for person-to-person resource sharing. UMA 2.0 is an extension of the OAuth 2.0 access delegation open standard specification. This is the framework for ForgeRock Secure Sharing. 

The UMA 2.0 architecture defines these roles:

  • Resource Owner
  • Client
  • Requesting Party
  • Resource Server
  • Authorization Server


Resource Owner 

The Resource Owner manages access to resources. This can be a person or an organization that essentially acts as the producer. Typically, an individual has direct control over their own resources, while organizations have control over a collection of resources. Regardless, the Resource Owner must be authenticated to the Authorization Server. The Resource Owner is responsible for:

  • Creation and registration of resources: Maintaining metadata, and, optionally, associating with digital content that may be in an external system.
  • Updating policies: Setting resource permissions that control who has access to what and to what extent. 
  • Handling requests: Approving or denying requests for access to resources.

Client 

The Client is used by the Requesting Party to access resources. A Client can be a browser-based application, mobile application, the dashboard of a car, or a smart-home system console. A Client application is generally implemented to support specific organizations or industries. The UMA 2.0 protocol is secure and leverages OAuth 2.0. The Client must be trusted as part of a secure solution and should be an OAuth 2.0 registered client with the Authorization Server.

Requesting Party 

The Requesting Party is a person seeking access to a resource, also known as the consumer. They must also be authenticated to the Authorization Server and must use a Client application trusted by the Authorization Server. When a Requesting Party accesses a resource, they follow this process:

  • Use a Client application 
  • Authenticate to the Authorization Server
  • Contact the Resource Server to request permission
  • Contact the Authorization Server to get specific approval
  • Get the resource from the Resource Server

Resource Server 

The Resource Server hosts resources for the Resource Owner and processes requests for resources from Requesting Parties. A Resource Server typically has the following capabilities:

  • Exposes business- and industry-specific interfaces related to resources 

  • Accepts both manage and access resource requests 

  • Interfaces with the Authorization Server for UMA 2.0, OAuth 2.0 and policies 

  • Interfaces with associated digital content (optional)

Resource Server functionality can be implemented by:

  • Enhancing an existing resource system

  • Providing a proxy-type service as a front-end to an existing resource system

  • Developing a new system

ForgeRock provides an open source UMA 2.0 Resource Server reference implementation project that can be used for testing and development:

Authorization Server 

The Authorization Server protects the resources on the Resource Server. A UMA 2.0 Authorization Server provides a trusted sharing solution that:

  • Leverages OAuth 2.0, the industry-standard protocol for authorization

  • Establishes trust with the Resource Server, Resource Owners, and the relationship between a Resource Server and Resource Owner combination

  • Empowers the Resource Server to issue permission for access requests from client applications

  • Establishes trust with Client applications and the Requesting Party

  • Issues resource access tokens for a specific Requesting Party, from a specific Client application, for a specific purpose, mode, or operation

  • Manages access requests, from Requesting Party submission to Resource Owner approval or denial 

  • Provides services for the Resource Server to validate access tokens

ForgeRock Access Manager implements both the UMA 2.0 specification and the OAuth 2.0 specification. ForgeRock Access Manager provides value-added features for UMA 2.0 resource policy and permission management via both end-user web interfaces and APIs.

The UMA 2.0 architecture is based on two Kantara Initiative specifications:

  • Federated Authorization: This specification defines a standards-based method for loosely coupling the Authorization Server and the Resource Server in the context of the Resource Owner.

  • Grant for OAuth 2.0 Authorization: This is a means for a client (application) representing a requesting party to request access to a resource.

The UMA 2.0 specifications are used to implement the primary ForgeRock Secure Sharing journeys: 

  • Resource management
  • Resource access

UMA 2.0 and OAuth 2.0 enable a trusted environment for person-to-person resource sharing.  Trust is established for the people (Resource Owner and Requesting Party), Clients, and services (Authorization Server and Resource Server). The transactions between UMA 2.0 roles are also trusted as part of the secure solution. 

Resource Management 

The Resource Owner is empowered to manage (create, update, or remove) their own resources. The owner, authenticated to an Authorization Server, leverages Resource Server interfaces (typically via an application) to manage their resources. The Resource Server is trusted by the Authorization Server as an OAuth 2.0 client.

Owners add a resource to the Authorization Server via the UMA 2.0 registration process. They then add a policy that defines who can access a resource for a specific set of scopes. The Resource Owner can use ForgeRock Access Manager (the Authorization Server) user interface or APIs to manage policies.

Resource Access 

The Requesting Party can now access registered resources for which they match a policy. After getting permission from the Resource Server to access a resource, the Requesting Party’s Client contacts the Authorization Server to obtain an access token.

With a valid access token, the Requesting Party or Client can obtain the resource. The Resource Server validates the access token and returns resource information. The returned information may include metadata about the resource and/or external digital content that is associated with the resource.
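The resource management and resource access journeys above, carried through end to end in an added Go example. This is not ForgeRock's code and not the Kantara reference implementation: it models the Authorization Server, the Resource Server, and the UMA 2.0 grant as in-memory functions rather than HTTP endpoints, and the identities (alice, bob, carol), the resource name, and the client ID "health-portal" are constructed sample data. What it preserves from the protocol is the order of trust decisions: the owner registers and writes policy, the Resource Server never decides on its own but answers an unauthorised request with a permission ticket, only a registered client can exchange that ticket for a requesting-party token, and the Resource Server validates the token before releasing anything.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Grant records one permission: a party, through a client, may use these scopes on a resource. A ticket is a Grant with Party and Client still empty.
type Grant struct {
	ResourceID, Party, Client string
	Scopes                    map[string]bool
}

// AuthorizationServer plays the UMA 2.0 AS role (ForgeRock Access Manager in the post).
type AuthorizationServer struct {
	owners   map[string]string // resource ID -> Resource Owner
	policies map[string]bool   // "resourceID|party|scope" -> allowed by the owner
	tickets  map[string]Grant  // permission ticket -> access being requested
	tokens   map[string]Grant  // requesting-party token (RPT) -> access granted
	clients  map[string]bool   // OAuth 2.0 clients registered with this AS
}

func randID() string {
	b := make([]byte, 8)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// Register puts a resource under the AS's protection for its owner (UMA resource registration).
func (as *AuthorizationServer) Register(owner, resourceID string) { as.owners[resourceID] = owner }

// Share adds a policy; only the Resource Owner may do this.
func (as *AuthorizationServer) Share(owner, resourceID, party string, scopes ...string) error {
	if as.owners[resourceID] != owner {
		return errors.New("not the resource owner")
	}
	for _, s := range scopes {
		as.policies[resourceID+"|"+party+"|"+s] = true
	}
	return nil
}

// Permission is the Resource Server asking the AS for a ticket describing an attempted access.
func (as *AuthorizationServer) Permission(resourceID, scope string) string {
	t := randID()
	as.tickets[t] = Grant{ResourceID: resourceID, Scopes: map[string]bool{scope: true}}
	return t
}

// Token is the UMA grant: a registered client presents the ticket for an authenticated party;
// the AS evaluates the owner's policy and issues an RPT, or refuses pending owner approval.
func (as *AuthorizationServer) Token(clientID, ticket, party string) (string, error) {
	req, ok := as.tickets[ticket]
	if !as.clients[clientID] || !ok {
		return "", errors.New("unregistered client or invalid ticket")
	}
	delete(as.tickets, ticket) // a ticket is single use
	for s := range req.Scopes {
		if !as.policies[req.ResourceID+"|"+party+"|"+s] {
			return "", fmt.Errorf("request_submitted: %s needs owner approval for scope %q", party, s)
		}
	}
	rpt := randID()
	as.tokens[rpt] = Grant{req.ResourceID, party, clientID, req.Scopes}
	return rpt, nil
}

// Access is the Resource Server side: it validates the RPT with the AS and returns the content when
// the token covers the scope; otherwise (UMA's 401 + WWW-Authenticate: UMA ticket="...") it returns a ticket.
func Access(as *AuthorizationServer, content map[string]string, resourceID, scope, rpt string) (body, ticket string) {
	if g, ok := as.tokens[rpt]; ok && g.ResourceID == resourceID && g.Scopes[scope] {
		return content[resourceID], ""
	}
	return "", as.Permission(resourceID, scope)
}

// Demo walks both journeys with constructed data: alice registers a record and shares "view" with bob;
// bob's client turns a ticket into an RPT and reads it; bob's "download" and carol's "view" stop at the AS.
func Demo() (bobViews, bobDownloadRefused, carolRefused bool) {
	as := &AuthorizationServer{map[string]string{}, map[string]bool{}, map[string]Grant{}, map[string]Grant{}, map[string]bool{"health-portal": true}}
	content := map[string]string{"alice/lab-results": "constructed sample: alice's lab results"}
	as.Register("alice", "alice/lab-results")
	as.Share("alice", "alice/lab-results", "bob", "view")
	_, ticket := Access(as, content, "alice/lab-results", "view", "") // no token yet: RS answers with a ticket
	rpt, _ := as.Token("health-portal", ticket, "bob")
	body, _ := Access(as, content, "alice/lab-results", "view", rpt)
	bobViews = body != ""
	_, ticket = Access(as, content, "alice/lab-results", "download", rpt) // RPT lacks this scope
	_, err := as.Token("health-portal", ticket, "bob")
	bobDownloadRefused = err != nil
	_, ticket = Access(as, content, "alice/lab-results", "view", "")
	_, err = as.Token("health-portal", ticket, "carol")
	carolRefused = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The refusal path is worth noting: in UMA 2.0 a policy miss is not simply a hard deny, it is a request the owner can later approve or deny, which is the "handling requests" responsibility listed for the Resource Owner above. The example surfaces that as the `request_submitted` error rather than implementing an approval queue.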

An organization can use UMA 2.0 to add ForgeRock Secure Sharing functionality to existing services or new person-to-person services. Applications used by the Resource Owner and the Requesting Party can be enhanced to support the secure protocols. The Resource Server functionality can be added to an existing service that does resource management. Alternatively, a Resource Server could act as a front-end to legacy resource management systems. 

For more details on implementation, visit the open source Resource Server:

ForgeRock Access Manager, along with ForgeRock Directory Services, provides turn-key Authorization Server functionality. ForgeRock Identity Management’s Profile and Privacy Management Dashboard is an additional example of an interface to UMA 2.0 AS functionality as part of its single-pane-of-glass consent and permissions management interface. 

For Part 1 of this blog series, click here.

For Part 2 of the blog series, click here.

Are Your IAM Systems Up to the Challenge of COVID-19?

How to Support a Remote Workforce at Scale  

To mitigate the spread of COVID-19 (coronavirus), organizations across the globe are taking unprecedented actions. Universities and schools are temporarily closing, and businesses are setting work-from-home mandates. At ForgeRock, we have curtailed business travel, and employees are now working from home. This sudden worldwide shift to online everything (work, study, play, shop, etc.) will have effects that are yet to be seen for all organizations. 

Gartner analyst Saikat Chatterjee summed it up well. “We’re being forced into the world’s largest work-from-home experiment and, so far, it hasn’t been easy for a lot of organizations to implement.” He went on to share that a staggering 91% of HR leaders recently polled said the biggest challenge they face stems from the lack of technology infrastructure to support this new way of working.  

In the face of these challenges, global business leaders are asking what steps they need to take to keep their employees productive and their operations running smoothly. As organizations implement work-from-home mandates, many will be testing the limits of their identity and access management (IAM) systems. Key questions they should be considering include: 

  • Will my IAM support larger-than-normal volumes of online sessions without breaking? 
  • How do I ensure that users requesting remote access are indeed who they say they are?
  • Can our system secure all the personal devices employees are using to access work apps and systems from home? 
  • What will it take to ensure business continuity, including onboarding and securing new users?

Supporting a Remote Workforce Requires Modern IAM 

Identity and access management (IAM) systems are part of the invisible plumbing that secures and manages the digital identities of people and things while enabling access to applications and systems so they can do their work from anywhere, anytime. For example, when employees use their corporate and personal devices to log in for work, IAM systems determine who can access what while keeping bad actors out. 

Legacy IAM was originally designed for people doing work on site. Now, with large numbers of remote users logging in from various locations and devices, legacy IAM systems will be pushed to their limits. They simply can’t handle the scale and complexity of a work-from-anywhere-with-any-device model, nor can they ensure the security (such as Zero Trust and continuous adaptive risk and trust assessment [CARTA]) required in today’s cybercrime-filled world. The potential for breaches rises with increased mobile working. This makes modernizing IAM all the more critical and is a reason to launch an IAM modernization initiative.

To securely support today’s trends and scale for the sudden spikes in demand caused by the escalating needs of a remote workforce in the face of coronavirus, legacy IAM systems must be modernized. 

ForgeRock specializes in making IAM modernization easy. Download our migration guides for CA Single Sign On (Siteminder), Oracle Access Manager (AM), and Oracle DSEE (ODSEE).  

To learn more about the top workforce trends and IAM capabilities needed to support them, read Modernize Employee IAM: Why It’s Time to Extend or Gradually Replace Legacy Identity and Access Management.

A Passwordless Future

Part 1: Smartphone Manufacturers Quietly Lay the Groundwork

Passwords are the ultimate lose-lose. They simultaneously provide a poor user experience and represent a tremendous security risk. The sheer number of passwords that users have is too difficult for most to remember. As a result, they use non-secure, easily guessed passwords or they reuse passwords, making all systems only as secure as the weakest one. Because of this, passwords are the leading attack vector used in data breaches. Enterprises have been well aware of these risks but haven’t had a viable alternative. But change is in the air, and it’s been in the air for longer than you might think. 

Leaders in a Passwordless Revolution 

Few people think of our smartphones as being leaders in a passwordless revolution. Every time we reach for our smartphones, we hardly notice that they use passwordless authentication for secure access. Whether it is the latest Apple iPhones using “Face ID” facial recognition or the Samsung Galaxy mobile devices and their Ultrasonic Fingerprint scanner, these devices have quietly been changing how we authenticate. In effect, for nearly a decade, through the use of ubiquitous biometric sensors and subtle software tweaks, smartphone manufacturers have been conditioning us to adopt the mindset and habits required for fully embracing a passwordless future. These manufacturers have often positioned this as a convenience factor, but, in reality, they have been slowly making us more secure.

Apple and other smartphone manufacturers have been unobtrusively fostering this “movement” by eliminating the traditional barriers and inertia that prevented the removal of passwords. This process began with the use of biometrics in smartphones and has made its way to almost every device we interact with. In the past, biometrics were not widely used because sensors were pricey, often low quality, and awkward to implement. In addition to these business and technical issues, users were wary about biometrics for fear of sharing their private information. 

Over the past 10 years, Apple and other smartphone manufacturers have pioneered the use of this security- and privacy-preserving technology, which turns their devices into secure enclaves. As a result, biometrics have become ubiquitous. Today, the technology has evolved to a point where these new and improved sensors are widely available and inexpensive, making it easy and cost-effective for manufacturers to embed them into devices of every type. And equally important, the new generation of sensors, when paired with the right software, are so user-friendly and transparent that consumers don’t even think twice about biometrics anymore. 

Smartphone manufacturers have paved the way for passwordless authentication and have made it habitual, and now people use these methods of authentication dozens of times a day without a second thought. This access technology has evolved from a vision into an everyday reality that is moving beyond the realm of mobile devices into other forms of authentication. Now software-based biometrics, which takes advantage of the high-quality cameras used in mobile phones, can allow for cross-platform biometrics without the need for special sensors. 

The FIDO Alliance (FIDO stands for “Fast IDentity Online”) has been instrumental in driving passwordless authentication. The stated mission of the open industry association is the promotion of “authentication standards to help reduce the world’s over-reliance on passwords.” The FIDO Alliance strives to improve authentication with open standards that are more secure than passwords, simpler for consumers to use, and easier for service providers to deploy and manage.

In Part 2 of this blog series, we’ll take a look at how the FIDO Alliance and other technology leaders have helped address the challenges associated with moving beyond the device for passwordless authentication. 

Thanks to smartphone providers, this great functionality has gained broad market acceptance. How can you make use of it in your own applications? You’ll need to leverage an identity and access management (IAM) platform like ForgeRock. Check out Part 3 where we discuss our unique approach to passwordless authentication.

Click here to learn more about the FIDO Alliance.

ForgeRock Secure Sharing Ingredients: Who, What and How

In my previous blog, I described the ForgeRock Secure Sharing solution, which enables people to share their digital resources selectively with others in an enforceable way. How exactly do we do that? Let’s start with the three main ingredients:

  • Who: Authenticated people
  • What: Verified applications and services
  • How: Trusted access

Who: Authenticated People

The ForgeRock Secure Sharing solution involves producers and consumers. 

  • Producers own and manage resources. They are responsible for the lifecycle of any given resource: creation, content modification, metadata changes, access management, approval or denial of requests, and removal.
  • Consumers use the resources they have access to. They can also request access to new resources.

Both producers and consumers must be authenticated. That is, they need to have digital identities in ForgeRock Secure Sharing. The authentication services in ForgeRock Secure Sharing can support existing user repositories, provide a self-service registration process, or use federation to automate the importing of digital identities from external trusted user repositories.

What: Applications and Services

  • Applications provide people with a way to access and use all kinds of resources. An application can range from the dashboard of your car and a security panel in your home to an app on a mobile device or a web browser interface.
  • Services provide capabilities behind the scenes that interoperate with applications, coordinate with other services, and perform business operations.

In ForgeRock Secure Sharing, both applications and services must be verified in order to prove that they are legitimate.

How: Trusted Access 

Accessing a resource consists of multiple components. We define access as an event at a particular point in time that involves a resource (owned by a producer), the consumer, and a means of controlling aspects of the resource.

Access starts with the producer who is authenticated to the services in ForgeRock Secure Sharing. The producer may not necessarily be online to grant access when a consumer makes a request. They often need to proxy the granting of resource access to a service so that the consumer can access resources anytime. 

To create trusted offline resource access, both the producer and the services need to be trusted. The consumer and the applications they use must also be trusted by the services they use to obtain access, because resources may contain sensitive information. The services need proof that the consumer and the application are legitimate. The resource’s access information must also be trusted: the producer needs and wants to be assured that their permissions are correctly represented, and the consumer wants to feel confident about the information they are receiving.
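The three ingredients come together in the access check. The following is an added example, not ForgeRock code: an in-memory sharing service that holds authenticated identities (who), verified applications (what), and producer-issued grants (how), so that a consumer can be served while the producer is offline. The class and method names, the grant fields, and the reason strings are all hypothetical.

```python
"""Trusted offline access mediated by a service: producers grant while online,
the service enforces later on their behalf. Constructed illustration; the
service, grant shape and reason strings are assumptions, not ForgeRock's."""
from dataclasses import dataclass
import itertools


@dataclass
class Grant:
    """Access information the producer entrusts to the service."""
    grant_id: int
    resource_id: str
    consumer_id: str
    actions: frozenset
    expires_at: float      # epoch seconds; checked by the service at access time
    revoked: bool = False


class SharingService:
    def __init__(self, clock):
        self._clock = clock          # injected so the caller (or a test) controls time
        self._identities = set()     # users holding an authenticated digital identity
        self._verified_apps = set()  # applications that have proved they are legitimate
        self._owners = {}            # resource_id -> producer_id
        self._grants = []
        self._ids = itertools.count(1)
        self.audit_log = []          # every decision, so the producer can review usage

    # --- enrolment: the "who" and the "what" ---
    def authenticate(self, user_id):
        self._identities.add(user_id)

    def verify_application(self, app_id):
        self._verified_apps.add(app_id)

    def register_resource(self, resource_id, producer_id):
        self._owners[resource_id] = producer_id

    # --- producer side: granting and revoking while online ---
    def grant(self, producer_id, resource_id, consumer_id, actions, ttl_seconds):
        if producer_id not in self._identities:
            raise PermissionError("producer is not authenticated")
        if self._owners.get(resource_id) != producer_id:
            raise PermissionError("only the resource owner can grant access")
        g = Grant(next(self._ids), resource_id, consumer_id, frozenset(actions),
                  self._clock() + ttl_seconds)
        self._grants.append(g)
        return g

    def revoke(self, producer_id, grant):
        if self._owners.get(grant.resource_id) != producer_id:
            raise PermissionError("only the resource owner can revoke access")
        grant.revoked = True

    # --- consumer side: access while the producer may be offline ---
    def check_access(self, consumer_id, app_id, resource_id, action):
        """Return (allowed, reason); each trust requirement is checked explicitly."""
        decision = self._decide(consumer_id, app_id, resource_id, action)
        self.audit_log.append((self._clock(), consumer_id, app_id, resource_id, action, decision))
        return decision

    def _decide(self, consumer_id, app_id, resource_id, action):
        if consumer_id not in self._identities:
            return False, "consumer not authenticated"
        if app_id not in self._verified_apps:
            return False, "application not verified"
        now = self._clock()
        for g in self._grants:
            if (g.resource_id == resource_id and g.consumer_id == consumer_id
                    and not g.revoked and g.expires_at > now and action in g.actions):
                return True, f"grant {g.grant_id}"
        return False, "no valid grant"
```

The order of checks matters: identity and application are verified before any grant is consulted, so an unverified application learns nothing about which grants exist, and every decision, allowed or denied, lands in the audit log for the producer.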

As we’ve seen, ForgeRock Secure Sharing involves trusting people, resources, applications and services, and the access information that is communicated between a producer and consumer. 

In the final blog of this series, I’ll discuss the architecture, standards and technologies that form the foundation of ForgeRock Secure Sharing.

Advance Your Modernize IAM Program With ForgeRock's New Accelerators


There’s more pressure than ever to compete in today’s digital market. New demands require new technology that is interoperable across digital ecosystems and is capable of knowing, securing, and serving your audience at any touchpoint. The foundation to enabling digital success is identity and access management (IAM), yet many organizations struggle with IAM software that is siloed, inflexible, and unable to scale beyond employees.

A Simple, Flexible Approach 

The demands of digital transformation require IAM technology that can seamlessly interoperate across your ecosystem, identifying and providing secure access to your customers, workforce, and things at any touchpoint. The prospect of migrating to a new solution is daunting. But, you don’t have to suffer the pain, risk, and expense of ripping out your legacy identity solutions to get the benefits you need to compete in the digital landscape. 

ForgeRock provides a simple, flexible approach that enables you to coexist and migrate legacy identity management systems to ForgeRock. With our standards-based IAM platform, you can quickly and easily build on your existing investments and streamline operations. Most importantly, you can make migration to ForgeRock seamless and invisible to your users.  

Modernize IAM Accelerators: Migrate Faster 

Available now as open source, the Modernize IAM Accelerators are designed to help customers migrate from legacy IAM systems to ForgeRock faster and with less expense. They are a set of open source tool kits and plug-ins that focus specifically on two areas of migration: user migration and single sign-on (SSO) between a legacy vendor and ForgeRock. Complex legacy deployments of IAM with many applications often require migration waves over time to minimize operational impact. This drives a need for a coexistence strategy between the legacy vendor and ForgeRock, which is enabled by SSO.  

There are two primary approaches to user migration: bulk or just in time (JIT). With bulk, you move users over all at once. JIT provisions users into the new system as they authenticate to the legacy system, which can save customers time and effort without sacrificing user experience – especially when the legacy system can’t export passwords in bulk.
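To make the difference between the two strategies concrete, here is an added simulation (not the Modernize IAM Accelerators code). It assumes a legacy store that can export user profiles but can only verify, not export, passwords, and a target store standing in for the new directory; on the shared login path, a successful legacy login is the moment the credential is captured into the target. All class and function names are hypothetical.

```python
"""Bulk versus just-in-time (JIT) user migration, simulated in memory.
Constructed example; stores, names and the login flow are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low for the example; use current hardening guidance in practice


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LegacyStore:
    """Constructed legacy store: profiles are exportable, passwords only verifiable."""

    def __init__(self):
        self._users = {}

    def add_user(self, uid, email, password):
        salt = os.urandom(16)
        self._users[uid] = {"email": email, "salt": salt, "hash": _hash(password, salt)}

    def export_profiles(self):
        # Deliberately omits salt and hash: the "can't export passwords" case.
        return [{"uid": uid, "email": rec["email"]} for uid, rec in self._users.items()]

    def verify(self, uid, password):
        rec = self._users.get(uid)
        return rec is not None and hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


class TargetStore:
    """Constructed target store: profiles first, credentials once they become available."""

    def __init__(self):
        self._profiles = {}
        self._creds = {}

    def provision_profile(self, uid, email):
        self._profiles.setdefault(uid, {"email": email})

    def has_profile(self, uid):
        return uid in self._profiles

    def has_credential(self, uid):
        return uid in self._creds

    def set_password(self, uid, password):
        salt = os.urandom(16)
        self._creds[uid] = (salt, _hash(password, salt))

    def verify(self, uid, password):
        cred = self._creds.get(uid)
        return cred is not None and hmac.compare_digest(cred[1], _hash(password, cred[0]))


def bulk_migrate(legacy, target):
    """Bulk strategy: copy every profile at once. Returns the number migrated."""
    profiles = legacy.export_profiles()
    for p in profiles:
        target.provision_profile(p["uid"], p["email"])
    return len(profiles)


def coexistence_login(uid, password, legacy, target):
    """JIT strategy on the shared login path during coexistence.

    Once the user holds a credential in the target store, the target decides.
    Until then the legacy store verifies the password, and a successful login
    captures the credential into the target. Returns (deciding store, success).
    """
    if target.has_credential(uid):
        return "target", target.verify(uid, password)
    if not legacy.verify(uid, password):
        return "legacy", False
    if not target.has_profile(uid):
        profile = next(p for p in legacy.export_profiles() if p["uid"] == uid)
        target.provision_profile(uid, profile["email"])
    target.set_password(uid, password)  # hashed immediately; never stored in clear
    return "legacy-jit", True
```

Bulk migration moves profiles but leaves users without a target credential, which is why the login path keeps consulting the legacy store until each user's first successful login; a failed legacy login must never provision anything, or an attacker could seed the new store with chosen passwords.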

New Tool Kits 

Included in the Modernize IAM Accelerators are three tool kits:

  • Bidirectional Coexistence – Core, which can manage tens or hundreds of legacy applications, so customers may choose migration waves to minimize the operational impact on production systems.
  • Bidirectional Coexistence  – Edge, which can be easily extended to support migrations from any legacy IAM platform that is capable of exposing client SDKs/APIs.
  • Bulk User Migration, which is a one-time and incremental import of user profiles from a legacy LDAPv3 store or similar user store to ForgeRock Directory Services (DS).

Based on their selected migration strategy, customers can select the optimal tool kit (or combination of tool kits).

For all three tool kits, ForgeRock has developed a pluggable framework that can be extended to specific legacy systems with included plug-ins. Because the assets are open source, additional plug-ins can be developed by customers and partners.   

The accelerators are designed to have a significant impact in time-to-value around the design and build of SSO and user migration strategies. Get the details by reading our solution brief.

Learn more about modernizing legacy systems here, or contact your sales rep today.

Cloud Series: Accelerate Your Own ForgeRock Cloud Deployment


If you have a robust DevOps team and you want to deploy the ForgeRock Identity Platform on Kubernetes, we have some good news. ForgeRock has simplified its reference cloud deployment: new, lighter documentation and a new tool set (Skaffold, Kustomize, and Pulumi) that simplifies cluster creation and shortens the deployment process from one week to as little as half a day.

Cloud Deployment Model 

Our Cloud Deployment Model (CDM) is a way for your DevOps team to spin up the ForgeRock Identity Platform in a public cloud such as Amazon, Google, or Microsoft Azure. We provide a GitHub repository and the online documentation needed to get your DevOps team started. 

We’ve streamlined and simplified our quick start guide and documentation. We’ve created a new Cloud Developer's Kit (CDK), updating what was previously known as DevOps Examples. For more information, see "About the Cloud Developer's Kit" in the DevOps Developer's Guide: Using Minikube.

Both the CDK and the CDM now use uniformly comprehensive Access Management (AM) and Identity Management (IDM) configurations. The examples in the documentation better illustrate full-featured configurations and are no longer based on minimally viable configurations. 

Lighter Documentation 

For the CDM, the new Cloud Deployment Cookbooks for Google Cloud Services, Microsoft Azure, and Amazon AWS are each now 40% shorter. The decrease in documentation length means an increase in the return on the time invested. With the old cookbooks, the time to deploy a Kubernetes version of ForgeRock was about a week. With the new documentation, it is now about half a day.

The acceleration is also attributable to the release of new tools. The GitHub forgeops repository contains new artifacts that let you deploy the ForgeRock Identity Platform using the Skaffold framework. This allows you to:

  • Quickly and easily start the ForgeRock Identity Platform.
  • Modify the AM, IDM, and Identity Gateway (IG) configurations.
  • Build updated Docker images that include your configuration changes.
  • Restart the ForgeRock Identity Platform with the updated Docker images.

Before you can use Skaffold with the ForgeRock Identity Platform, you'll need to install Skaffold software on your local computer. See the DevOps Developer's Guides for more information.

No More Helm 

We no longer use Helm to orchestrate the ForgeRock Identity Platform on Kubernetes. We now use the Kustomize framework to orchestrate AM, Directory Services (DS), IDM, and IG on Kubernetes. Before you can use the Kustomize framework with the ForgeRock Identity Platform, you'll need to install Kustomize software on your local computer. See the DevOps Developer's Guides for more information.

This revision uses Pulumi scripts to create clusters for CDM deployments. The previous version used a set of bash scripts for cluster creation. These scripts have been removed from the forgeops repository. For information about how to create Kubernetes clusters for the CDM using Pulumi, see the Creating and Setting up a Kubernetes Cluster sections in the CDM Cookbooks.

More Simplification, More Security 

The version of the CDM Cookbook for AKS is no longer evaluation-only. We're supporting Azure in production. The revised CDM Cookbook for AKS now includes:

  • The CDM deployment topology on Azure now matches the CDM deployment topology on GCP and AWS.
  • Pulumi scripts demonstrate AKS cluster creation.
  • Benchmark results are available for a sample deployment with 10,000,000 users.

There are also security enhancements in our CDM. The new ForgeRock secrets generator randomly generates all secrets for AM, IDM, and DS services running in the CDK and the CDM. Random secrets generation greatly improves security for CDK and CDM deployments from previous versions. The secrets generator runs as a Kubernetes job before AM, IDM, and DS are deployed.
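The idea behind a pre-deployment secrets generator is simple enough to show end to end. The following is an added example, not ForgeRock's secrets generator: it draws one independent value per credential from a CSPRNG, packages them as Kubernetes `Secret` manifests of the kind a job would apply before the services start, and audits a set of manifests for the fixed, short or reused values that random generation is meant to eliminate. The service names, secret key names and default-value list are constructed for the example.

```python
"""Random secret generation for a Kubernetes deployment, plus an audit of the
resulting manifests. Constructed example; key names and defaults are assumed."""
import base64
import secrets

# Constructed: per-service credentials a deployment like this might need.
SERVICE_SECRET_KEYS = {
    "am": ["amadmin-password", "truststore-password"],
    "idm": ["openidm-admin-password", "keystore-password"],
    "ds": ["dirmanager-password", "monitor-password"],
}

# Constructed: well-known placeholder values that must never reach a cluster.
KNOWN_DEFAULTS = {"password", "changeit", "secret", "admin", "12345678"}


def generate_secret_values(keys, nbytes=32):
    """One independent CSPRNG value per key (token_urlsafe yields ~1.3 chars per byte)."""
    return {key: secrets.token_urlsafe(nbytes) for key in keys}


def build_secret_manifest(name, namespace, values):
    """Kubernetes v1 Secret with base64-encoded data, as `kubectl apply -f` expects."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


def generate_all(namespace):
    """Emit one Secret per service, the work a pre-deployment job would do."""
    return {
        svc: build_secret_manifest(f"{svc}-secrets", namespace, generate_secret_values(keys))
        for svc, keys in SERVICE_SECRET_KEYS.items()
    }


def audit_manifests(manifests, min_length=24):
    """Return findings for default, short or reused values across all manifests.

    An empty list means every value is unique, long enough and not a known default.
    """
    findings = []
    seen = {}  # decoded value -> first place it was used
    for svc, manifest in manifests.items():
        for key, b64 in manifest["data"].items():
            value = base64.b64decode(b64).decode()
            where = f"{svc}/{key}"
            if value.lower() in KNOWN_DEFAULTS:
                findings.append(f"{where}: well-known default value")
            if len(value) < min_length:
                findings.append(f"{where}: shorter than {min_length} characters")
            if value in seen:
                findings.append(f"{where}: reuses the value of {seen[value]}")
            else:
                seen[value] = where
    return findings
```

The reuse check is the one most often missed: a deployment whose every service shares the same "random" keystore password has one secret, not six, and compromising any one of the services exposes all of them.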

Learn more here.

Take My Daughter to Work Days

It took me a long time to find my voice at work. I finally did it by embracing motherhood. As we approach International Women’s Day, I’m sharing my tips for making teams more female-friendly. 

Mary and her daughter on the road. For the past three years, the pair have attended Defcon, Blackhat, and RSA together to minimize time away from each other while Mary pursues her career goals. 

I’m a proud cybersecurity veteran with two decades of experience. I've had an exhilarating career. I’ve travelled the world, written patents, hacked into banks (ethically), led teams of rockstars, and earned enough money to have a lot of options in life. I want more women to blaze their own trail in the science, technology, engineering, and math (STEM) fields, particularly cybersecurity and identity. This is an amazing career path for women. While not commonplace, I've led teams where women were the majority – in one case by 60%! I’ve seen what’s possible when you make diversity and inclusion a priority. Here are my top four tips to make your team more evenly split across gender lines.

1. Inclusive networking

The number one thing that has impacted my career journey was building a meaningful network of peers early in my career. This wasn't the kind of surface-level, "I just connected to you on LinkedIn" kind of networking. This was networking where I built trust, became your friend, went to your wedding, and watched your pets when you went out of town. The hard thing about networking in a field with an imbalanced gender ratio is that many of the opportunities to create deep and lasting relationships can be intimidating to a young (and possibly single) woman early in her career – late night drinking, gun ranges, paintball, and sports events. I endured them but wished they weren’t the only options. The networking events that were easier for me included breakfasts, group lunches, and movie premieres. My recommendation is to invite your peers to a breakfast or lunch. These are the most non-threatening meals of the day! Or, turn your one-on-one networking dinners into team dinners so they are less intimidating and more inclusive.

2. Make space

Working mothers face unique situations that are highly personal – like pumping breast milk in an airport bathroom (high five to all the ladies who have been there). Motherhood is hard, especially if you are a brand new, working mother. I recall my first work trip that required leaving my newborn daughter overnight for the first time. It felt like my heart was being ripped from my chest. For leaders with a new parent on their team, I suggest making remote participation available or hosting a meeting in their city and having everyone fly to them. Thinking this way will benefit everyone – not just new parents – struggling to balance personal commitments with work. You will be surprised at how effective people are if you support them. They will support you right back.

3. Empathy

It's never easy when you feel like your peers don't understand you. Women in STEM fields can start to believe that their situations or feelings are unique or unrelatable. For example, my work requires frequent travel. I sometimes bring my toddler along, which also means traveling with her grandmother as a caretaker. Bringing my daughter is wonderful because it allows me to do my best work and then spend quality time with her before and after the work day. Not many of my colleagues arrive at a conference with a carseat or share their bed with a toddler. I don’t do this because it’s easy. I do it because it works for my family. Other women will have their own unique challenges. Perhaps they are caring for a sibling or dealing with an unexpected illness. Give them some emotional space to open up about what they need, and empathize so that they don't feel alone. It can be isolating to feel like no one understands your life. And it can feel energizing to realize that your differences are appreciated and celebrated, not simply tolerated.  

4. Set an example

I try to be transparent about life as a female executive. As a vice president, I'm in a position that is highly visible at ForgeRock. I purposefully talk about what it's like to be both an executive and a parent. There are many ways to be a professional woman, and I want to be an example of what's possible. I also want to debunk the stereotypes of what an executive “should” be. I've brought my daughter to conferences, dinners, and the office. I made the decision to remove my strict boundary between my personal and professional life when I realized that I had been waiting my whole career for a mentor to share their life, parenting, and career tips with me. I couldn't seem to find that person, so now I try to model that role for others by being more open and vulnerable myself. Once I opened up, I found a large and eager audience that felt the same way I do. In fact, I can spot those women a mile away, and we give each other a knowing glance and often a hug.  

Let's keep working on bringing more diversity, empathy, and inclusivity into these innovative and wonderful STEM companies!  Happy International Women's Day!


Cloud Series: Express Delivers Modern Identity in Minutes


Modernizing a native app can be difficult, especially if you are a developer with limited or no experience with identity or security. And given the skills gap in the security market today, finding someone with the right skill set is not always possible. ForgeRock Identity Cloud Express can help. 

Modern Mandate

Let’s say your organization has determined it could gain greater workplace adoption or higher customer retention if it introduces a more frictionless authentication method. Say you are the lead developer, so it’s your task to update all the native apps with secure passwordless logins instead of username and password. Oh, and can you implement this enhancement by the end of this month? 

If you are a developer already up to speed with the latest security and identity standards, this task is perhaps a stretch but otherwise doable. If you are just an experienced developer — but one without a security or an identity background — the task may be near impossible. You will need help.

ForgeRock Identity Cloud Express 

ForgeRock Identity Cloud Express is our solution as a service that provides developers with modern identity for their native web and mobile apps in minutes. Express is optimized to solve about 80% of the most common CIAM use cases — registration and authentication.

Enter a name for your app, choose from a preconfigured authentication journey — username and password, password plus WebAuthn, two-factor (2FA), and two-factor plus WebAuthn — then define its OIDC scopes and set a password policy (if one hasn’t already been set). The entire process takes as little as five minutes, from first-time account creation with Express to configuring and updating a native app with modern identity.

To further assist developers, ForgeRock includes free software development kits (SDKs) for JavaScript, Android, and iOS apps. With the ForgeRock SDK, any future changes to the authentication methods within the app can be performed without recompiling and updating the app. Changes such as the fine-grained definition of the OIDC scopes become check-box easy.

Modernize Legacy Systems 

All too often, organizations have on-premises legacy identity systems that cannot be easily updated. Maybe the original engineers who built the system have all left and it is based on SAML, with no forward-thinking OAuth or OIDC capabilities. Maybe the legacy provider is slow to innovate, or has moved on to other interests. And the few identity experts that your organization has in-house — or on contract — are needed to maintain the existing legacy identity infrastructure. They do not have the extra bandwidth for innovation on their own.

By adding ForgeRock Identity Cloud Express, your organization can keep its legacy system for now while modernizing its registration and authentication journeys in the cloud for its customers over the next few years. ForgeRock Identity Cloud Express can co-exist with your legacy solution. And later, you can easily upgrade to the full ForgeRock Identity Cloud platform. 

User Self Service 

ForgeRock Identity Cloud Express also includes hosted pages — everything from the initial registration page to user self-service pages for forgotten username or password. Express allows customization of these pages with your logo, and you can modify the color scheme to match your brand. No more clunky default widgets. You can also code the registration or login fields to match your horizontal or vertical web page design needs.

Express also includes several customizable email templates, covering everything from initial registration to user self service for forgot username and forgot password. If you need, you can use the ForgeRock email server. Or you can configure your own email server to work with Express.

Learn more here. Or contact your sales rep today.

Why ForgeRock Secure Sharing: Trust and Enforce

Most people are willing to share their things with other people they trust. That said, we also want to be assured that what we are sharing is used in the right way. That’s where "trust and enforce" comes into play.

If your neighbor borrows a screwdriver, you may not be too worried about how it's used. But if you loan your truck to the neighbor, you might be a little more concerned about how it's used. You want to be assured that the borrower doesn’t use your truck for a long-distance trip or take it off road. 

You may also choose to control how your daughter uses your car when she goes to the movies by not giving her permission to transport passengers. 

And when you need to file your taxes, you need to share financial statements with your accountant, but you want to control what data the accountant has access to and what they can do with it.   

Other things you may share in everyday life are your vacation cabin and medical records. These are just a few examples of things that you own and are willing to share but would like to manage in terms of how they are used.


Most people want the convenience of being able to control their own resources: financial reports, medical records, connected car, smart home, and other property or data. But in many instances, a way for us to manage these resources doesn’t exist or we have to use different proprietary systems for each item. In a world where there is "an app for everything,” we want to control our resources from our mobile devices or via a website. Most of us really don't want to have to contact someone like a customer service agent just to make changes to how we share our resources.

What is Secure Sharing?

The ForgeRock Secure Sharing capability is about enabling your users and your organization to have full control over their resources. Think about the resources you are allowing someone to access and what controls and restrictions you want to apply to those resources.

Organizations that are responsible for user resources can benefit from a sharing solution that helps reduce risk, cut costs and increase revenue. ForgeRock Secure Sharing can reduce risk by ensuring that user resources are only made available to specific people under certain conditions. This sharing solution is managed by the resource owner, which means that your organization doesn’t need agents or help desk staff to process access requests. Finally, by providing resource sharing capabilities, your organization can offer new or better services than the competition, which helps attract more new customers and deepen engagement with current customers.

Watch for Part 2 of this three-part blog series, where we discuss the who, what and how of ForgeRock Secure Sharing.

Remember: Trust and enforce!

Modernizing Passwordless Authentication: What Enterprises Can Learn From the U.S. Government

Passwordless authentication is a hot topic. Did you know that the U.S. federal government went passwordless more than 15 years ago? Well, kind of, as I’ll explain shortly. From 2010 to 2015, I worked for the Department of Homeland Security, and was part of driving this effort. We achieved a great deal and learned many valuable lessons along the way. These lessons can benefit any digital identity effort – especially one that includes passwordless authentication. 

The federal government efforts to eliminate passwords began in the late 1990s, and, by 2015, almost everyone’s computer login passwords had been replaced with a smart card that supported up to three factors of passwordless authentication. The problem? Behind each computer login lived thousands of password-protected applications that had no way to process smart cards. 

Since those early days, Uncle Sam has modernized and released an updated policy covering identity, credential, and access management. In a recent podcast with Scoop News Group, I spoke with FedScoop Senior Vice President Wyatt Kash about the policy’s impacts. Our discussion got me thinking about the similarities between the challenges the U.S. government has faced over the years and the challenges faced in the broader identity world today. 


I’ve summarized my observations into three lessons that will benefit any digital identity effort.

Lesson 1: Usability Is a Must

Passwordless authenticators are more complicated to implement. A separate enrollment process is typically required to associate an identity to a credential, whether the credential is a token or a biometric. The credential must also be linked to each application account. And don’t forget about alternate and recovery methods for times when the preferred authenticator can’t be used or fails. This will happen. The federal government had to solve all of these issues along the way. 

A modern identity platform abstracts the additional complexities of passwordless authentication from the user experience.  

Lesson 2: Secure Accordingly 

Not every resource requires “super-max” security. In the early days of government smart cards, the policy was to fully use this passwordless credential for access to all federal systems and facilities. But application integration was slow because the blanket policy approach proved ineffective and the ocean wouldn’t boil. 

A modern identity system adapts intelligently based on a broad spectrum of frequently changing data points. Depending on the application and real-time user data, the system can determine what type of credential is required and route the user journey accordingly. The same system also continuously evaluates risk and requires a stronger authentication when necessary. The federal government plans to leverage this capability to modernize its passwordless smart cards and not require a smart card for every authentication.

Lesson 3: No Legacy Left Behind 

Every organization has legacy systems – or will have them at some point. And legacy systems can’t deal with advanced authenticators. Some federal government agencies implemented single sign-on (SSO) by creating a secure chain of trust between the workstation smart card login and the target application. In the Scoop News podcast, I shared a fun story about a highly complex SSO integration we implemented while I worked in government – with all complexities abstracted from the user, of course. 

Because rip and replace is rarely a viable option, modern identity systems must be able to provide integration that allows legacy applications to coexist with modern applications during migration and sunset activities. With this strategy in place, users will never be aware of the difference between legacy and modern systems – at least not from an identity experience perspective. 

Whether your organization is part of the U.S. government, a large enterprise, or somewhere in between, security, privacy, and legacy app integration are now foundational digital transformation elements on top of which we must provide highly usable, efficient, and differentiated digital experiences.

Visit us here to learn more about how ForgeRock can accelerate your digital transformation.