Technology Trends

Augment Your Legacy IAM

Have you ever run into a situation where you know exactly what you have to do to solve the problem but can’t do it? No, I’m not talking about fixing the last season of Game of Thrones. For those running legacy identity and access management (IAM) systems, the decision to modernize isn't so much about whether there is a problem but rather how to go about solving it.

Legacy IAM

From time to time, I talk to customers who are running legacy IAM systems and want to modernize. They understand how easy it is to do so but cannot take that project on for other business reasons. 

I ran into one such situation with a customer recently. The customer spent most of last year and many costly consulting hours “upgrading” to the newer version of their IAM system. After the upgrade, the team realized that they lost some features. How an upgrade actually results in loss of functionality is beyond me but the deed was done and there was no way to downgrade to get those features back. They are now stuck.

The executive management team was now understandably wary and not ready to invest any more in the legacy system, especially when they had many other business priorities, such as improving security by adding Multi-Factor Authentication (MFA). They wanted to focus their IAM efforts on improving their overall security posture, along with improving the user experience during authentication. They did not want to move their IAM system from one vendor to another, even if that meant more features and stability in the long run.

They reached out to me and asked for help. I started by whiteboarding the below diagram to help the team understand the current architecture.

Figure 1. Legacy architecture for a simple app.

 

The users access the legacy applications through a proxy and get authenticated through the Legacy Access Management (AM) that then authenticates to their Legacy Directory Services.

To introduce new capabilities like MFA and many other Intelligent Authentication capabilities into the architecture, all we have to do is leverage the plug-in capabilities of the legacy AM with the powerful REST API of the ForgeRock Access Management platform. The new architecture will look something like below.

 

Figure 2. Augment legacy AM system with ForgeRock Intelligent Authentication.

 

With very little change to the legacy system, now you have introduced modern capabilities and also laid down the foundation for a modern IAM platform. Once you show the organization the power of a modern IAM platform that is stable, scalable, and secure, the future IAM conversations become easy. They will no longer talk to you about scalability issues or outages; the discussion turns to how your modern IAM platform can improve the user experience and play a critical role in digital transformation and other critical business growth initiatives.

You can simply say yes to all of those requirements because of the strong foundation of ForgeRock AM, which can be easily extended to start protecting new and old applications by plugging them directly into ForgeRock AM with our well-tested Seven Step Approach.

 

Figure 3. Co-exist legacy AM system with ForgeRock Intelligent Authentication during migration.

 

Let's Chat

Want to see a demo of the above approach working in a real environment? 

Want to know which legacy access management solutions we can help with? 

Want to learn more about our Intelligent Authentication capabilities? Contact Us.


 

Modernize IAM for Government: A Real World Example

I recently had the chance to do a podcast with my friend and colleague Tommy Cathey, ForgeRock RVP of Public Sector. Tommy and I have worked together for years, and I am thrilled that he is bringing his deep public sector knowledge to ForgeRock (and this podcast). In this podcast with Statescoop, we discussed how the State of Utah and other government agencies are cutting operating costs while improving citizen services & security through a consolidated IAM project.

This Utah case study is such a compelling story because it is all about serving citizens better. However, the State of Utah managed to do that while also reducing costs, something that just doesn't happen that often. In the podcast, we also talk about non-government examples of Identity consolidation, which drives home the fact that this opportunity isn't specific to Utah, or even state governments for that matter. When any organization starts to collapse identity silos, they reduce their attack surface, lower administrative burden, and improve the end-user experience... It is a win-win.

Another critical point is that the State of Utah chose an open platform in ForgeRock. That gives them near-infinite extensibility. Whether it is our APIs, support for the latest identity standards or access to over 75 Trust Network partners, by choosing ForgeRock, Utah has ensured that their platform will meet the needs of their agencies and citizens now and in the future.

Check out this podcast and tech brief to hear the benefits of a modern IAM platform, where to start implementing this solution and top tips for CIOs who are embarking on this journey. 

 

 

How do you choose the digital identity platform that is right for your government agency or public sector organization? Check out this workbook.

We want to hear from you. Let us know what you think on LinkedIn or Twitter.

 

How to Compare Digital Identity Providers for CIAM

Comparing and selecting digital identity providers for CIAM (customer identity and access management) is a daunting task. With the fast-paced nature of business and technology today, you need to ensure that you’re not only able to meet all your current requirements, but those to come. So, where to begin?

Select Digital Identity Providers for CIAM

As part of our Ultimate CIAM Buyer’s Guide, we’ve recently published a textbook-like paper called Evaluating Digital Identity Providers for Customer Identity and Access Management: Top Criteria, Differentiators, and Questions to Ask CIAM Providers. The paper starts with a review of what a CIAM solution needs to be capable of doing in order to address today’s demands and trends, as well as those to come. These include:

  • Personalizing customer experiences, building relationships and delivering omnichannel experiences
  • Securing and connecting billions of customer and IoT identities and data
  • Authenticating and authorizing billions of logins and transactions daily
  • Facilitating security, analytics, privacy, and control
  • Supporting and adhering to regulations (GDPR, HIPAA, Open Banking, PSD2)
  • Integrating with other systems, such as marketing automation systems
  • Easily scaling to meet demands and requirements
  • Identifying and protecting against fraudulent or malicious activities

As the paper discusses, in order to achieve all of the above, a CIAM solution needs components that are beyond the basics of federated SSO, social registration and authentication, multi-factor authentication (MFA), authorization, self-service, and so on. 

For example, in order to comply with regulations such as the General Data Protection Regulation (GDPR), you need a CIAM solution that can allow users to control how their personal data is used and even request that it be deleted altogether. From a CIAM perspective, this is accomplished through a strategic component called Privacy by Design and Consent Mechanisms. 

Of course, when comparing and selecting a CIAM solution, you have to go further than just knowing what something is called. You need to know (1) why each CIAM component is important, (2) what’s needed to make it work, and (3) what questions you should ask CIAM providers about each component to ensure you’re covering all of your bases within your RFPs. 

For example, when evaluating CIAM providers for Privacy by Design and Consent Mechanisms, you should know that in order for them to work most effectively, they should be based on the UMA 2.0 standard and integrate with other software that helps meet regulatory requirements. Privacy by Design and Consent Mechanisms should also give users fine-grained controls to share and audit data about themselves, their devices and IoT ‘things’. Importantly, a Consent Receipt feature to track user consent is also mandatory for a compliance-ready CIAM solution. Additionally and importantly, the privacy and control mechanism user interface (UI) should be intuitive and friendly.

Therefore, based on the information above, the RFP questions you should ask CIAM providers for Privacy by Design and Consent Mechanisms include:

  • Does the solution support a privacy and consent framework based on the UMA 2.0 standard? 
  • Can the solution provide users with fine-grained controls to share and audit data about themselves, their devices and ‘things’? 
  • Does the solution include a Consent Receipt feature?
  • Does the solution support “the right to be forgotten” that adheres to regulations such as GDPR?

The details of what needs to be understood about each CIAM component in order to ask the right questions in your RFPs and, in the end, make a good purchase decision circle us back to the fact that selecting a CIAM solution provider is a very daunting task. 

This is precisely why we wrote Evaluating Digital Identity Providers for Customer Identity and Access Management: Top Criteria, Differentiators, and Questions to Ask CIAM Providers. It includes in-depth descriptions (written in layman’s terms) of the basic and strategic components needed for CIAM and why. Further, this paper includes RFP questions for each component, so you can be sure you cover all your bases when evaluating CIAM solution providers.

At ForgeRock, we believe in being a true partner throughout the journey of selecting a CIAM solution. If you’re in the process of evaluating Digital Identity Providers for CIAM, read this paper and please let us know how we can further assist.

Four Key Customer Journeys for Virtual Banks

Virtual Banking is here. The recent issue of new Virtual Banking licenses in Hong Kong and the upcoming licenses in Singapore have spurred the need for building new age banking systems that leverage the latest technology stack. This is a great opportunity for some of the existing banks to re-imagine and rebuild their banking architecture, while for new entrants it’s an opportunity to define and build a modern banking solution; efficient and future proof. As a matter of fact, the HKMA guidelines for Virtual Banks promote the use of new technology for providing a better customer experience.  Based on the demands of today’s consumers, especially millennials, this will require Virtual Banks to provide mobile, frictionless and secure services. In this post, I will share the basis of four key customer journeys for Virtual Banks and touch points where Customer Identity and Access Management will play a significant role.

 

Virtual Bank: Frictionless Onboarding

One of the key challenges that banks face today is onboarding new customers. In fact, as per some of the reports, the abandonment rate is 70-90% if one has to visit a branch to complete the onboarding. The following example journey illustrates the steps required to easily and quickly onboard Amy digitally with a self-service option to enroll for multi-factor authentication using her smartphone.

Virtual Bank: e-Know Your Customer (eKYC) 

Once Amy is onboarded with a basic account and multi-factor authentication, one of the next steps for Virtual Banks is to perform the Know Your Customer (KYC) check. While this is a mandatory step before one can start transacting, sometimes it’s the most difficult one to accomplish. Why? Because it is replacing the physical check of end users, which was previously achieved by visiting the branch and sharing identity documents like a passport, driver's license, employment letter and national identity card. The good news is that this can be achieved with a high level of confidence thanks to technology advancements using Artificial Intelligence and Machine Learning in eKYC solutions provided by the likes of Daon, Jumio and Gemalto. An example of the steps involved for an eKYC consumer journey is depicted below.

Virtual Bank: Contextual Authentication & Authorization

Once Amy has signed up, been verified and completed her eKYC journey, she starts using the online and mobile banking facilities. Contextual Authentication and Authorization ensures that Amy gets a frictionless experience for low-risk transactions, where she is asked only for username and password-based authentication. If she wishes to conduct a high-risk transaction, such as adding a payee or transferring a large sum of money, her specific context is examined again and, if it is deemed risky, the bank asks for a step-up in authentication to reach a higher level of assurance before allowing the transaction. An example of the steps involved for this journey for Amy is illustrated below.

Virtual Bank: Consent Management 

Personalization without breaching consumer privacy can be the key differentiator for the new Virtual Banks. This brings us to the next journey to consider for Amy, that of managing her consent. For example, Amy wants to apply for a new auto loan to buy her dream car. While she has been searching online on various websites and aggregators to compare rates, what if she can get a personalized offer from Cool Bank? Understanding what your customer wants and positioning relevant offers is the key here. An example of the steps involved for this journey for Amy is shown below.

Customer adoption is one of the key variables every Virtual Bank is worried about. We believe that Customer Identity and Access Management will be the difference between adoption or lack of it, due to the significant touch points throughout the variety of journeys each customer makes in their everyday banking. Designing these journeys to avoid abandonment, increase satisfaction and drive deeper engagement, involves the kind of metrics and measures that Intelligent Authentication provides. Want to know how to orchestrate Identity for successful outcomes? We can show you live demos of these journeys. ForgeRock is here to help.

 

Disrupt or Be Disrupted: The Power of the Disruptive Economy

As one of the leading and most comprehensive digital identity providers on the market, we keep a finger on the pulse of the trends necessitating better identity. As part of this ongoing practice, we have identified six important trends that are actively and interdependently shaping business and society, adding complexity to the landscape that organizations must navigate. To survive and thrive, organizations must be equipped to address each trend. The first trend is the ever disruptive Disruptive Economy.

What is the Disruptive Economy? 

Disruption in business is nothing new. For example, the steam engine disrupted the horse-drawn carriage industry. However, what is new in ‘disruption’ is the intelligence and speed of technology, and the pace at which organizations need to adopt, adapt, and innovate in order to survive.

More than hyperbole, the power of today’s Disruptive Economy is tangibly real. Disrupters such as Amazon can take down market shares with a simple announcement. For example, when Amazon simply announced its intent to enter the prescription drug market, CVS’ and Walgreens’ stocks plummeted. The extent to which Disruptors ‘disrupt’ the market has even led CNBC to post an annual Top 50 Disruptor list.

While the tech industry is going at mach speeds developing platforms and tools to ‘transform’ and ‘disrupt’, traditional organizations are now taking an introspective look at their brands and products in order to position themselves for survival. To survive, organizations need to meet ever-growing consumer expectations. To thrive, organizations must go one (or many) steps further and create novel and memorable customer experiences. 

For example, as a frontrunner in the luxury automobile industry, BMW pays keen attention to how the industry is moving towards electric cars, self-driving vehicles, and customers’ latest expectations. To address this, they are focusing on providing technological and software-fueled experiences that can be updated as needed. These continuous, new experiences will provide a direct channel between the customer and BMW throughout the ownership cycle, allowing BMW to foster long-term, loyal relationships.

Another example is within the food and beverage market. Some iconic brands have been struggling to reinvent themselves successfully while other companies are growing at unprecedented rates, such as Talking Wines, which uses mobile technology and augmented reality to animate their wine labels. Reportedly, Talking Wines ‘flies off the shelves’ and has generated significant word-of-mouth buzz. 

These examples point to a business environment of ‘disrupt or be disrupted’. And, of never stopping. Because at some point animated labels will become old, requiring a new innovative idea to capture customers’ attention. Such is the fast-paced cycle of the Disruptive Economy.

The Disruptive Economy is a powerful force. Yet, it is just one of six, interconnected digital transformation trends shaping both business and society. Collectively, the six trends necessitate that organizations change how they interact with customers, devices, ‘things’, and data. They also require a new approach to delivering products and services as well as security, access, privacy, and control. Ultimately, this means leveraging an advanced digital identity management platform built for today’s trends, as well as tomorrow’s.

For an in-depth look at each of the six digital transformation trends and how leading, future-minded organizations are addressing them with digital identity management platforms like ForgeRock, download the first paper within our Ultimate CIAM Buyer’s Guide called The Top Six Digital Transformation Trends Shaping Business and Society: Why Digital Identity Platforms are the New Imperative for Customer Identity and Access Management.

We want to hear from you. How is the Disruptive Economy shaping the future of your business?

Prevent Data Breaches: Making Sure The Algorithms Work

An identity platform like ForgeRock is the backbone of an enterprise, with a view of all apps, identities, devices, and resources attempting to connect with each other. This is a very nice position from which to gather rich identity log data to use in preventing data breaches. In my previous blog, I discussed how we detect data breaches using identity logs. Now I am back to discuss how we test the accuracy of our breach prevention algorithms, because the last thing you want to do is introduce false positives that put friction into your identity flows.

Building Metrics To Test Algorithm Accuracy

In order to measure accuracy, we have to build our measuring stick, which comes in the form of a series of metrics against which we can evaluate the algorithms:

  1. Core Metrics: We use multi-stage Data and ML pipelines and embed different metrics into each stage to measure effectiveness of our models and pipelines. We introduce various weighted scores to measure the model accuracy, computation latency, and efficiency of our pipelines.

  2. Business Metrics: We put some context around our metrics because we know we are working with identity use cases.  Here our job is to build realistic correlation between core metrics and business metrics, without which we will not be able to gauge success/failure of the models. We track Anomalies Detected, Positive Action Rate, Negative Action Rate and False Anomalies Detection Rate, and many other relevant metrics. These metrics measure real world health of our ML models and help in making executive decisions. 

  3. Are more metrics better? Not always. Sometimes more metrics can lead to confusion. We constantly audit/modify our business and core metrics.  Our core metrics are used for tracking health of our models and pipelines and are also used in aggregating to provide insights into our business metrics.

Using A/B Testing To Reduce Risk and Learn More

Thanks to our metrics work, we now are in a place where we trust our algorithms but we constantly want to make them better, smarter, and faster.  A/B testing gives us a way to grow our capability safely.  

  1. A/B testing of Models: A/B testing helps us to release an upgraded model version to a controlled set of users. This makes it easier to target our customer base and collect qualitative metrics from the A/B testing effort.

  2. Truly Random or Controlled Random: We prefer a uniform weighted controlled random sampling for our A/B testing. This helps in controlling new model rollouts and also helps in making sure customer experience is not affected during a phased rollout of our models.

 

Going Back In Time Helps Build Trust

When we modify/refine/tweak anomaly algorithms, we can run the new version against historic data. This is data we know and trust and have metrics for, which gives us more confidence in accuracy.  This back testing involves random sampling of historic data with different cross-validation methods to test for divergence in our core metrics.  
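The controlled rollout and back test described above, as an added Python sketch (not ForgeRock code). The two models, the event fields, the experiment key and the metric definitions (false anomaly rate = flagged events labelled benign / all flagged events) are assumptions made for illustration, and the labelled history is constructed.

```python
import hashlib
import hmac
import random
from typing import Callable, Dict, List, NamedTuple


class Event(NamedTuple):
    failed_logins: int
    new_device: bool
    breach: bool  # ground-truth label from a past investigation (assumed available)


# Constructed, labelled "historic" identity-log events; not real data.
HISTORY: List[Event] = [
    Event(6, True, True), Event(8, True, True), Event(5, False, False),
    Event(7, False, False), Event(1, False, False), Event(0, True, False),
    Event(9, True, False), Event(2, True, True), Event(5, False, False),
    Event(0, False, False),
]

Model = Callable[[Event], bool]


def baseline(e: Event) -> bool:
    """Hypothetical current model: flag bursts of failed logins."""
    return e.failed_logins >= 5


def candidate(e: Event) -> bool:
    """Hypothetical refined model: same burst, but only from a new device."""
    return e.failed_logins >= 5 and e.new_device


def bucket(user_id: str, experiment: str, key: bytes) -> float:
    """Map a user to a stable, uniformly distributed value in [0, 1).

    A keyed hash keeps the assignment repeatable across logins while making
    it impractical for a user to predict or choose their own bucket.
    """
    digest = hmac.new(key, f"{experiment}:{user_id}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:6], "big") / 2**48


def assign_model(user_id: str, weight: float, experiment: str = "anomaly-v2",
                 key: bytes = b"constructed-demo-key") -> str:
    """Controlled random: `weight` is the share of users sent to the candidate.

    Raising the weight only ever moves users from baseline to candidate,
    so a phased rollout never flips a user back and forth.
    """
    return "candidate" if bucket(user_id, experiment, key) < weight else "baseline"


def metrics(model: Model, events: List[Event]) -> Dict[str, float]:
    """Business-style metrics for one model over labelled events."""
    flagged = [e for e in events if model(e)]
    false_flags = sum(not e.breach for e in flagged)
    missed = sum(e.breach and not model(e) for e in events)
    return {
        "anomalies_detected": len(flagged),
        "false_anomaly_rate": false_flags / len(flagged) if flagged else 0.0,
        "missed": missed,
    }


def safe_to_promote(old: Model, new: Model, events: List[Event],
                    rounds: int = 25, sample_size: int = 6, seed: int = 2019) -> bool:
    """Back test: on repeated random samples of history, the new model must
    never raise the false anomaly rate or miss more labelled breaches."""
    rng = random.Random(seed)  # seeded so the back test is reproducible
    for _ in range(rounds):
        sample = rng.sample(events, sample_size)
        m_old, m_new = metrics(old, sample), metrics(new, sample)
        if (m_new["false_anomaly_rate"] > m_old["false_anomaly_rate"]
                or m_new["missed"] > m_old["missed"]):
            return False
    return True


if __name__ == "__main__":
    print("baseline :", metrics(baseline, HISTORY))
    print("candidate:", metrics(candidate, HISTORY))
    print("promote? :", safe_to_promote(baseline, candidate, HISTORY))
    share = sum(assign_model(f"user{i}", 0.10) == "candidate" for i in range(10000))
    print("users on candidate at 10% weight:", share)
```
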

The Future Is Exciting; Let’s Collaborate

In this two-part series, we discussed how ForgeRock leverages Artificial Intelligence (AI) to prevent data breaches. We have been able to successfully leverage AI to detect anomalies and avert breaches. We continue to pioneer advanced features and techniques to make our platform and ML models faster and better in detecting and averting breaches. We love partnering with ForgeRock customers in building our algorithms. If you are a current customer with interest in anomaly detection on identity logs, we’d love to collaborate with you! Please reach out to your ForgeRock representative if you are interested. A special thanks to Mary Writz for helping in proofreading this post.

Prevent Data Breaches: Find Out More

To find out more about how to prevent data breaches, visit us here. If you prefer to speak to someone directly, contact us today.

 

Is Your IAM Vendor Keeping up with the Cloud?

The ForgeRock Identity and Access Management Platform can be deployed in many different cloud services like AWS, Google, Azure, and even in Alibaba Cloud very recently by a partner. Being able to support a cloud deployment model is one thing, but keeping up with the changes in the cloud at the pace they are happening is where ForgeRock excels. This is accomplished not only by testing and updating our cloud deployment model with best practices and recommendations with every release of our platform, but also testing and improving on it based on the changing security landscape or adding new capabilities based on customer requirements.

I had one such opportunity recently where a prospective customer in the financial services industry wanted to deploy the ForgeRock platform in AWS and test out its scalability for their stringent security requirements as well as business and development needs. The industry and nature of their end users is such that their applications would see heavy usage during tax season.

The main IAM platform requirements this company had include:

  • Deploying in Amazon Elastic Kubernetes Service (EKS) to enable their DevOps CI/CD pipeline

  • 10,000 transactions/second with less than 100ms response time for 95th percentile of calls

  • A replication delay of less than one second between token stores

  • 10 million users in the user store with 150,000 concurrent users

In addition to the requirements above, they also needed a custom pair of authentication trees with their own nodes built with assistance from the ForgeRock team and a mixed load of tests representative of their expected production environment. The authentication trees combined Intelligent Authentication with “step up” authorization, one generating an OTP for multifactor authentication and another simulating a call out to an external fraud engine. They were implemented as two separate trees to verify the performance of both functions independently.

Cloud Deployment in Action

To address these requirements, I started with the standard ForgeRock Cloud Deployment Model guide and picked the large cluster size for Amazon EKS because of the throughput requirements (even though we would consider 10,000,000 users a medium cluster deployment). After the 5 minute ForgeRock cloud deployment was done, off I went to make additional changes. This included changing ELB to ALB to meet the new security requirements and configuring the ALB appropriately. The resulting deployment looked something like this: 

Cloud Deployment Results

After that little bit of work, what did we actually get?

  • Over 60,000 transactions per second with a 53ms response time for 95th percentile of calls

  • Replication delay of 22-34 milliseconds between token stores

  • 150,000 concurrent users simulated successfully with 95th percentile of response times less than 100ms in all tests

We met and exceeded all our intended target performance metrics with a good margin to spare!

This meant that our prospective customer can now successfully go back to their business owners and tell them:

  • They can handle peak production loads during tax season without any issues

  • The ForgeRock Platform will scale to meet their future business growth projections

  • They can meet the strict security requirements even when running in AWS

  • They can leverage our Trust Network to add new capabilities quickly

  • They can add new capabilities that their business needs continuously with CI/CD

Lessons Learned
  • Performance results for ALB or ELB are very similar, so based on your security and business requirements, you can choose either

  • Using a “Large” sized cluster with 10M accounts rather than 100M produced better performance numbers than the "official" performance results because more memory to Directory Services allows for more caching

Now we have all the artifacts that any customer can use to run in AWS to support 60,000 transactions/second in under 5 minutes.

Interested in more? Read this detailed guide that goes through the steps. Install ForgeRock in the cloud of your choice in under 5 minutes and run! 

Need more help? Please feel free to reach out to our experts.

IoT Edge Controller: Trusted Identity at the Device Level

On Tuesday, ForgeRock announced the availability of its IoT Edge Controller, which provides consumer and industrial organizations with the ability to deliver trusted identity at the device level.

The ForgeRock IoT Edge Controller 

The ForgeRock IoT Edge Controller, now available as open source software under the Apache 2.0 License, enables customers and partners to build industry-specific solutions with additional functionality, and ultimately drive higher levels of interoperability. By delivering an open source edge controller, ForgeRock allows businesses to include digital identities as part of products and significantly accelerate time-to-market of new IoT solutions. ForgeRock supports integrations with the major IoT platforms to deliver employee, customer and device identity management as well as the complex relationships between them. 

Connected Devices - Opportunity or Risk?

The Internet of Things (IoT) already affects many industries, as connected devices streamline business processes and add entirely new revenue streams for global organizations. By connecting devices with systems, data, and people, organizations can introduce more personalized, automated, and enhanced experiences for their customers.

ForgeRock recognizes that “things” can have the same identity capabilities as traditional (customer or employee) identities, and can engage in their own complex identity relationships. A thing can be a service, system, application, data source -- any thing that interacts with a human operator or organization. These things communicate via cloud, mobile, social, and legacy platforms to request or provide information, send commands, and help manage complex automated processes. 

It is important for companies to have a trusted Identity in their connected devices. No organization wants to make a decision based upon information they cannot trust.  It is critical in lifecycle management of the device or product. And it is necessary to log these devices for audit reasons. 

The release of the IoT Edge specifically benefits companies in the following three ways:

  1. Different industries have different requirements. Being able to work with OSS allows adaptation to industry-specific needs prior to a purchasing decision. Among many others, this is important for health care, transportation, or even avionics.

  2. Devices, Gateways and Edge computers come in many flavors from many different vendors. Making the IEC available as OSS allows these vendors to pre-integrate a trusted Identity compatible with a market-leading Identity and access management system, making them literally plug-and-play compatible with the ForgeRock platform.

  3. Adaptation to different root credentials. Hardware-, certificate-, and file-based credentials are just a few. Any other type of highly differentiated/unique signature can serve as a root credential to generate the highest possible level of trust in existing installations.

 

The ForgeRock IoT Edge delivers identity-driven security by creating trusted identities and ensuring the ongoing authenticity and authorization of connected devices, their transactions, their data streams, as well as ecosystems at the edge. It runs on smart edge devices, and provides the privacy, integrity, and security required for devices to register as identities in the ForgeRock Identity Platform.

 

Find out more about ForgeRock’s commitment to IoT here.


Blog Contributor: Robert Vamosi

Who’s Robert?  He is an award-winning writer and author of two books on privacy and the identity of people and things.  As Senior Product Marketing Manager at ForgeRock he is extending our customer story into the cloud. Robert is a runner with thirteen marathons to his credit, and contemplating his next race.

Blockchain: A Distributed Ledger Technology (DLT)

My mother just called me, wondering why a week doesn't go by that she doesn’t read about yet another Fortune 100 company announcing some Blockchain initiative. She asked me "What is this chain thing, and why are some people so enamored with it?"

What is a DLT?

While I didn't (and still don't) have a clear answer for the latter, for the former I started by first trying to explain (and highlight the merits) of a system that has these “DLT" characteristics:

1. DISTRIBUTED: Because it's decentralized, there is no single point of failure; also, because there are so many copies of the database "distributed" across the internet, it's almost impossible to compromise since doing so would require one to compromise every single instance. 

2. LEDGER: A record of business transactions, or a decentralized database, where everyone can see these transactions and share if they so choose.

3. TECHNOLOGIES: It is built using the same state of the art cryptographic "technologies" and techniques that have been tried, true, and trusted over a decade (PKI or Public Key Infrastructure…but that’s another blog altogether).

Now that we more or less had covered the general gist of DLTs, I explained that Blockchain is just one type of a DLT. 

How is Blockchain Used? 

To drive home the point (and benefits) of the DLT, I told her about real-life Blockchain implementations where:

1. A manufacturer of jet engine parts can assure customers and partners of the provenance of their components 

2. A seller of perishable goods lets customers and partners track their items 

3. A retailer enables customers and partners to view their warehousing, inventory, and logistics 

Does ForgeRock Use DLTs?

"Ok... now I get why Honeywell, Walmart, and Target are using Blockchain, but why should ForgeRock?"

Each time that question comes up (usually from a customer or partner) I explain how we can, for audit purposes, transparently and unequivocally persist a timestamp in a DLT each time a person, thing, or service accesses the system. For example, suppose you work at a bank and for regulatory purposes, the bank needs to log every time you access one of their systems. By "storing on chain," this can now be done automatically using ForgeRock, alleviating risk and ensuring compliance.

We are already doing this, using Intelligent Authentication, in a number of ways by leveraging different DLTs (Ethereum, Hyperledger Fabric, CryptoWallet, JavaChain, etc). In my next blog I'll dive into details on how we configured a couple of these Authentication Journeys in the ForgeRock Identity Platform.
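The audit idea described above, as an added example that is not ForgeRock's code or configuration: each access is appended to a hash-chained ledger that is copied to several replicas, and an audit flags any replica whose chain is broken or whose head disagrees with the majority. The class and function names, the in-memory replicas and the sample events are assumptions; a real DLT adds signatures and a consensus protocol, which are omitted here.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def entry_hash(prev_hash, record):
    """Hash an access record together with the hash of the entry before it."""
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class AccessLedger:
    """One replica of an append-only, hash-chained access log (hypothetical)."""
    def __init__(self):
        self.entries = []  # list of (record, hash) pairs

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, subject, resource, timestamp):
        record = {"subject": subject, "resource": resource, "ts": timestamp}
        self.entries.append((record, entry_hash(self.head(), record)))

    def first_broken_index(self):
        """Recompute the chain; return the first index that fails, or None."""
        prev = GENESIS
        for i, (record, stored) in enumerate(self.entries):
            if entry_hash(prev, record) != stored:
                return i
            prev = stored
        return None

def replicate(events, n):
    """Write the same access events to n independent replicas."""
    replicas = [AccessLedger() for _ in range(n)]
    for ledger in replicas:
        for subject, resource, ts in events:
            ledger.append(subject, resource, ts)
    return replicas

def audit(replicas):
    """Return (majority head hash, indexes of replicas that are broken or disagree)."""
    majority, _ = Counter(r.head() for r in replicas).most_common(1)[0]
    suspect = [i for i, r in enumerate(replicas)
               if r.first_broken_index() is not None or r.head() != majority]
    return majority, suspect

def tamper(ledger, index, new_ts, rehash):
    """Test helper: edit one stored timestamp, optionally rebuilding later hashes."""
    record, stored = ledger.entries[index]
    ledger.entries[index] = (dict(record, ts=new_ts), stored)
    if rehash:
        prev = ledger.entries[index - 1][1] if index else GENESIS
        for i in range(index, len(ledger.entries)):
            rec = ledger.entries[i][0]
            prev = entry_hash(prev, rec)
            ledger.entries[i] = (rec, prev)

# Constructed sample access events (subject, resource, timestamp).
EVENTS = [
    ("alice", "core-banking", "2019-06-03T09:15:02Z"),
    ("svc-reporting", "ledger-db", "2019-06-03T09:15:40Z"),
    ("alice", "payments-admin", "2019-06-03T09:17:11Z"),
]

if __name__ == "__main__":
    replicas = replicate(EVENTS, 3)
    tamper(replicas[2], 1, "2019-06-03T23:59:59Z", rehash=True)
    print(audit(replicas))  # replica 2 verifies internally but disagrees with the majority
```

An edited record with its old hash fails the chain check on that replica alone; an edit with every later hash rebuilt passes the local check and is caught only by comparing heads across replicas, which is the practical value of the "distributed" property.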

 

If you have any questions about ForgeRock and DLTs, contact us here

Replacing Legacy Systems with Identity-Enabled Microservices

According to a recent Forrester report, The Future Of Identity And Access Management, identity-enabled microservices are fast-replacing complex and monolithic legacy solutions. Why? Microservices and API-based solutions show faster time-to-value, provide flexibility for changing requirements, and support mobile and IoT technologies. 

To create competitive advantage, organizations need to provide superior and engaging customer experiences which adapt to the ever-changing landscape of customer requirements, whether it be online, in store, or across the entire omni-channel customer journey. In short, adaptability is the single most important attribute for long-term success.  

Create Competitive Advantage with Identity-Enabled Microservices

As leading marketplaces like Amazon, Rakuten, and Alibaba have proven, developing commerce infrastructures offers flexibility and agility unmatched by the traditional platform providers. Although once thought to be the preserve of only the largest businesses, organizations with DevOps capabilities can create competitive advantage with the agility to innovate by building their own platforms.

While DevOps is an engineering practice which aims to unify software development and operations, the building blocks used in today’s technology-savvy businesses are identity-enabled microservices. Microservices are a variant of the service-oriented architecture (SOA) style that structures an application as a collection of loosely coupled services. They also parallelize development by enabling small autonomous teams to develop, deploy and scale their respective services independently. This makes building commerce applications faster and easier, and the resulting applications can operate at extremely high scale while services change or evolve in a much more agile way. In this way, retailers create a foundation from which to respond to customer needs more quickly and therefore innovate faster. DevOps provides the processes while microservices provide the building blocks. But the glue in any successful microservices build for customer facing applications is identity.

Today’s commerce applications are required to perform actions on behalf of customers across a variety of interactions in the customer journey --- be that on the website, the mobile app, through a call centre, in store through beacons or IoT enabled technologies, or even through other services provided by third parties all in the same environment and often in the same shopper journey.  For a consumer to experience frictionless interaction across these different channels, there must be one notion of identity passed through and authenticated across all of the associated microservices. Essentially at the back-end architecture, each microservice needs to know who the consumer is and what they are allowed to do.

Building a single back-end with microservices for all of the front-end applications to consume provides a clear advantage of reducing software complexity. Any reduction in software complexity in a retailer must equate to faster innovation and therefore the ability to respond to their consumers’ needs more quickly which simply translates into greater competitive advantage.

 

ForgeRock is designed to easily modernize your legacy identity. So, what do you need to consider when transforming monolithic environments with microservices? Learn more by reading our whitepaper, Implementing Microservices within a Monolithic Architecture.  

Microservices Enablers: DevOps and Identity

To create competitive advantage within today’s disruptive economy, organizations need to not only adapt to customer demands, but they also need the agility to turn on a dime in response to the ever-changing landscape of customer requirements and provide superior and engaging customer experiences --- whether it be online, in store, or across the entire omni-channel journey. In other words, within business, adaptability and agility are the most important attributes for long-term success. Further, due to the exponential increase in cyber-crime, leading organizations are embracing a zero trust model and therefore need to constantly adopt new security features and practices with agility. Of course, accomplishing all of this is easier said than done. Most organizations’ environments are built with monolithic legacy solutions that present significant challenges to adaptability and agility. Because of these challenges, leading organizations are moving to a microservices-based environment for their customer facing applications. 

What are microservices?

Microservices are based on an important development method that focuses on building and deploying applications as groups of modular, composable services within an application. Most are built within a development model called DevOps. DevOps enables software development and deployment to run in a continuous cycle, allowing organizations to roll out new capabilities faster by reducing time to production. Developing microservices infrastructures with DevOps offers agility, adaptability, and flexibility unmatched by the traditional platform providers. Any organization utilizing microservices and DevOps can increase their agility to innovate and gain competitive advantage.

The glue in any successful microservices build for customer facing applications is identity. Identity and access management (IAM) determines which service performs which function on behalf of which user within which business process. With identity-enabled microservices, not only does every transaction get protected, but each microservice, as an identity itself, is managed and secured.

For example, today’s commerce applications are required to perform actions on behalf of customers across a variety of interactions in the customer journey, such as on a website or mobile app, through a call centre, in the physical store through beacons or IoT enabled technologies, or even through other services provided by third parties, all within the same environment and often in the same buyer journey. For a consumer to experience frictionless interaction across these different channels, identities must be authenticated across all of the associated microservices. In other words, each microservice needs to know who the consumer is (authentication) and what they are allowed to do (authorization).

Because identity-enabled microservices increase agility, efficiency, resiliency, and revenue, they are fast-replacing large, complex legacy IAM solutions. They also lower project and operational risk, show faster time-to-value, provide flexibility for changing requirements, and more easily support mobile and IoT technologies. 

ForgeRock’s proven support for microservices architectures, and the new challenges they bring, accelerates and risk-mitigates investments. No other provider delivers the comprehensive capabilities to manage identity across this evolving landscape. And, no other provider offers an end-to-end solution that checks all the boxes when migrating existing legacy applications to a microservices architecture.

 

ForgeRock is designed to easily modernize your legacy identity. Read our latest whitepaper to learn how to transition from a monolithic, legacy environment to microservices.

Beyond Regulation: Open Banking Accelerators

Open Banking is a global movement. In some geographies it is driven by regulation; in others, it is driven by industry encouragement or organic business adoption. Beyond regulation, there is no doubt that the cost of screen scraping is significant, and secure Open APIs are a more cost-effective, safe, and enabling solution. With Open Banking, the innovation possibilities for financial organizations and developers are limitless. Not only can Accounts and Payments APIs be made available as per the regulation, but other for-profit APIs can be opened. Financial organizations can themselves become Trusted Third Parties (TPPs) and build new innovative solutions. Winners will have an ecosystem of TPPs building exciting new technologies that are dependent on the secure Open APIs provided. Enter Open Banking Accelerators.

Introducing Open Banking Accelerators

At ForgeRock, we are excited to help our partners and customers take advantage of opportunities in Open Data. To that end we have recently added to our existing Open Banking portfolio with a new solution called the Open Banking Accelerators. The Accelerators drastically increase the speed and reduce the complexity involved in producing secure Open APIs that conform to the UK Open Banking standard. The solution is focused on API security, security API endpoints, and strong customer authentication for Onboarding, Consent, and Access Authorization. Along with the code, configuration, and documentation provided as part of the solution, we have also developed a Deployment Support Services package to get customers up and running quickly. 

The Open Banking Accelerator solution adds to an existing product, the Open Banking Sandbox as a Service, which is a test environment for developers and includes a model bank and directory. We continue to develop the sandbox offering and have recently added a new analytics reporting feature, as well as support for eIDAS certificates. The analytics feature will make FCA reporting much easier with an auto export *.pdf feature, and provide business level KPI visibility.


The patterns used in Open Banking (allowing a user to authorize access directly with a bank prior to giving a developer access) extend well beyond the financial space and into other industries like Healthcare, Utilities, Transportation, and beyond. We are moving towards a more secure, sustainable, and innovative future based on secure Open APIs. We look forward to supporting the tremendous opportunity for all involved.


To learn more, we have developed an on-demand webinar. I’d encourage you to take a listen.

Modernize Your IAM Platform: Seven Simple Steps

Are you being asked to reduce your growing Identity & Access Management (IAM) costs? Are you being asked to support new business initiatives like Digital Transformation, Bring Your Own Device (BYOD), and other borderless workplace initiatives? Is your legacy IAM system becoming a bottleneck for regulatory and security compliance, or too fragile for the pace of changes needed by the business? It's time to modernize your IAM platform.

A modern identity platform expands on the traditional capabilities of a legacy IAM system to support today’s business initiatives while improving your overall security posture and simplifying deployment and maintenance overhead. Of course, this all sounds great in theory, but based on your past experience with the legacy systems, you might be thinking:

  • If patching and upgrading takes 6+ months, how long will replacing my IAM system take?
  • How will I justify the budget request to replace a legacy system I just spent millions of dollars and years building and deploying?
  • Now that my identity system is finally up and running, how can I modernize without breaking everything?

ForgeRock, with our years of experience in the identity and access management space, has built a proven methodology to get you off of legacy systems. This involves a seven step process to methodically migrate and eventually completely sunset the old systems. 

Here are the steps to modernize your IAM platform:
  1. Inventory Your Apps
  2. Prioritize Apps
  3. Understand the Use Cases
  4. Add Value
  5. Coexist
  6. Migrate
  7. Sunset

 

 

Let’s discuss each:

1. Inventory Your Apps

The first step to modernize is to understand the complete inventory of applications managed by the legacy system. If you already have this documented in a human-readable format, you are ahead of the curve! If you don't, not to worry: even legacy systems like CA SiteMinder, Oracle Access Manager and Identity Manager provide capabilities to export applications under management to help you get the complete inventory. If you already have a list of applications you want to move, jump to step two.

2. Prioritize Apps

The next step to modernize is to prioritize the apps that you want to migrate. ForgeRock recommends that you do this by starting with the apps that are ‘low hanging fruit’ and then moving to the most difficult ones. Apps considered ‘low hanging fruit’ can be determined in one of two ways:

  • The apps where the owners are really supportive and want to get off of legacy for various business reasons
  • The apps that have the least number of customizations 

This process is as much a business decision as a technical determination, so be sure to involve both stakeholder categories. Develop a set of repeatable prioritization criteria based on your organization’s priorities, then use it to iterate through your app inventory. In the first go around, we recommend that you pick an initial 2-3 applications based on the above criteria.

3. Understand the Use Cases

The third step along the modernize path is to document the use cases that are being supported by the IAM platform for these apps. For SSO, these use cases could be simple things like the authentication policies, attributes that need to be returned and any authorization policies, or more complex items like custom plugins. Similarly, for Identity Management, the use cases could be understanding what workflows are involved, what attributes are mapped from source to target and so on.

4. Add Value

Step four is the most crucial step to the entire modernize effort. After understanding the use cases that need migration, you’ll want to add a new layer of value by extending the use case to improve security, user experience, privacy, performance, etc. It’s best not to try to retrofit legacy architecture and customizations into the new system. This is the right time to see why you have made those customizations and if they are all still relevant. If a legacy app must be left as is, use ForgeRock’s Identity Gateway to modernize around the app until it can be migrated. For apps that can be migrated, adopt capabilities like Intelligent Authentication, Progressive Sign-up, Privacy Management, Fine-Grain Authorization, and others. This step is crucial not only to getting the necessary business buy-in, but also to gaining better user acceptance of the changes.

Reducing the amount of time spent deploying and maintaining an IAM system is another way to add business value by reducing costs, which also frees up precious identity resources to spend more time on value-added activities. ForgeRock offers deep DevOps integration, enabling your business to run our platform in any public cloud and many others in a highly automated fashion. 

Obviously having a modern platform with a host of capabilities to choose from will help in this effort.

5. Coexist

In this step you deploy the ForgeRock platform and, depending on which legacy system you are moving away from, you have multiple options for a coexistence strategy. Some of them are detailed in additional blogs or whitepapers here and here. With the right coexistence strategy, you have the choice to migrate applications at your own pace without any loss of functionality or impact to the end users’ experience.

6. Migrate

The next step is to migrate the applications from the legacy platform to the ForgeRock Identity Platform. There are tools for migrating some of the configurations and other artifacts, but depending on your customizations and legacy platform versions this step might involve a fair amount of elbow grease and support from the right IAM experts.

Next, repeat steps two through six until you have moved all of the applications to the ForgeRock platform and are completely ready to shut down the legacy platform.

7. Sunset

After all is said and done, this is the best part. This is when you turn off the old system completely. This means no more worries about scale, missing features, ungodly upgrade cycles, and most importantly, spending a fortune on licensing and support costs.

As you read this blog post, customers are shutting down legacy CA and Oracle components all over the world. They are already well on their way to cost reductions and innovation for a competitive edge in today’s digital business market space. What are you waiting for?

 

For more information on modernizing your IAM systems, visit us here. Prefer to speak to someone directly? Click here.

Prevent Data Breaches: Identity Logs and Machine Learning

An identity platform like ForgeRock sits right in the heart of an enterprise, with a view of all apps, identities, devices, and resources attempting to connect with each other. It turns out that this is a perfect position to gather rich log identity data to use to prevent data breaches.

Prevent Data Breaches? It's Hard.

An attacker has the luxury of finding the easiest way to break in, whereas a defense team has to secure every possible attack surface. There were 12,440 new breaches in 2018, which was an increase of 424% over the known breach count in 2017. A total of 14.9 billion identity records were found to have been exposed during the year, up from 8.7 billion available in 2017. Some of the hardest breaches to find are micro data breaches, which are spread over a long period of time. Data breaches through micro transactions are becoming more prevalent and are very hard to detect.

Identity Logs and Machine Learning: How To Approach the Problem
  1. We are in the right position: All authentication (AuthN) and authorization (AuthZ) requests and identity behavior events are tracked and logged by our IAM products.

  2. We stream raw logs into a big data store and store a few months of data.

  3. We analyze behavioral patterns in the logs generated by identities. When we represent these patterns in a latent space, we can use them to train models to detect anomalous behaviors.

Machine Learning Algorithms Showing Promise

  Log Embedding

We leveraged word embedding to learn temporal contextual information. This helped us to learn what events naturally occur with identities and group them into a latent space. After further experimentation using a customized version of Non Contrastive Loss, we converged to a 50-dimensional temporal representation of an identity's behavior in the latent space.

 

  Autoencoders

We use a stacked autoencoder to compress the log embeddings, with artificial Bayesian noise added to the input. The bottleneck layer compressed the higher-dimensional log embeddings into a principal lower-dimensional representation. The decoder learned to reconstruct the input from the lower-dimensional representation. We used simple reverse indexing methods to map and extract information from the log entries.
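A small version of the approach described above, as an added example that is not ForgeRock's model or code: a denoising autoencoder is trained on windows of normal identity events, a window is scored by its reconstruction error, and the worst-reconstructed dimension is mapped back to an event name. Event-frequency vectors stand in for the learned log embedding, Gaussian noise is assumed for the input corruption, and the event names, network size and sample windows are constructed.

```python
import math
import random

# Constructed event vocabulary; "export_records" never appears in normal windows.
EVENTS = ["login", "mfa", "read_account", "payment", "logout", "export_records"]

def vectorize(window):
    """Event frequencies for one window of log events (stand-in for an embedding)."""
    counts = [window.count(e) for e in EVENTS]
    total = sum(counts) or 1
    return [c / total for c in counts]

class DenoisingAutoencoder:
    def __init__(self, n_in, n_hidden, seed=7):
        self.rng = random.Random(seed)
        u = self.rng.uniform
        self.w1 = [[u(-0.1, 0.1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.w2 = [[u(-0.1, 0.1) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b1, self.b2 = [0.0] * n_hidden, [0.0] * n_in

    def forward(self, x):
        h = [math.tanh(sum(w * v for w, v in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]          # bottleneck layer
        y = [sum(w * v for w, v in zip(row, h)) + b
             for row, b in zip(self.w2, self.b2)]          # linear decoder
        return h, y

    def train(self, data, epochs=300, lr=0.1, noise=0.05):
        for _ in range(epochs):
            for x in data:
                noisy = [v + self.rng.gauss(0.0, noise) for v in x]  # corrupt input
                h, y = self.forward(noisy)
                err = [yi - xi for yi, xi in zip(y, x)]              # target is clean x
                dh = [(1 - h[j] ** 2) * sum(err[i] * self.w2[i][j] for i in range(len(x)))
                      for j in range(len(h))]
                for i in range(len(x)):
                    for j in range(len(h)):
                        self.w2[i][j] -= lr * err[i] * h[j]
                    self.b2[i] -= lr * err[i]
                for j in range(len(h)):
                    for k in range(len(x)):
                        self.w1[j][k] -= lr * dh[j] * noisy[k]
                    self.b1[j] -= lr * dh[j]

    def errors(self, x):
        """Squared reconstruction error per event dimension."""
        _, y = self.forward(x)
        return [(yi - xi) ** 2 for yi, xi in zip(y, x)]

def normal_windows(n, seed=1):
    """Constructed normal sessions: log in, read, maybe pay, log out."""
    rng = random.Random(seed)
    return [["login", "mfa"] + ["read_account"] * rng.randint(1, 4)
            + ["payment"] * rng.randint(0, 2) + ["logout"] for _ in range(n)]

def score(model, window):
    """Return (anomaly score, event that contributes most to it)."""
    errs = model.errors(vectorize(window))
    return sum(errs), EVENTS[errs.index(max(errs))]

def build_detector():
    """Train on normal windows; threshold is the worst error seen in training."""
    train = [vectorize(w) for w in normal_windows(40)]
    model = DenoisingAutoencoder(len(EVENTS), 3)
    model.train(train)
    return model, max(sum(model.errors(x)) for x in train)

if __name__ == "__main__":
    model, threshold = build_detector()
    window = ["login", "mfa", "read_account"] + ["export_records"] * 15 + ["logout"]
    print(threshold, score(model, window))
```

The threshold here is simply the largest training error; on real logs it would be tuned against labelled incidents and an accepted false-positive rate.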

 

  Initial Results

We have over 90% accuracy in predicting anomalies; the model is used through a GraphQL API to predict micro data breaches. Our t-SNE visualization corroborates these results.

In Part 2 of this blog series on how to prevent data breaches, which will appear next month, we will delve into metrics, derived metrics, A/B testing, back-testing, and how we improved on this model.

To learn more about ForgeRock Identity Platform, visit us here. If you prefer to speak to someone directly, contact us today.