While the accelerated digital transformation across enterprises has streamlined operations and introduced new revenue streams, it has also opened the floodgates to cyberthreats.
With remote/hybrid work becoming the norm, businesses are still grasping for solutions, now that the threat landscape has expanded beyond the four corners of the office building.
ForgeRock, a multinational identity and access management software company, is banking on digital identity as the cornerstone of enterprise security, in light of online threats that are only growing more sophisticated by the day.
Since its inception in 2010, the company has seen various changes in the digital identity space. According to ForgeRock CEO Fran Rosch, businesses previously looked at consumer identity and workforce identity as two separate problems to solve.
“We saw that come together, where companies want a single platform for all identities, instead of multiple ones, because when we think about it, what do we want for our employees? An easy way to log on in the morning to do your job, and get access to applications and services, right?” he said.
Rosch said they want the same thing for consumers: to have the ability to log on and easily register for new banking, shopping, healthcare, and government services, while still keeping their identity protected.
“The industry is starting to converge onto single-identity platforms,” he observed.
Area of opportunity
After more than a decade at Symantec, Rosch joined ForgeRock in 2018 when the organisation had just about 100 employees. Today, ForgeRock has a workforce of over 1,000 and has offices in the United States, the United Kingdom, France, Norway, and Singapore.
“We launched our first identity SaaS three years ago, and it’s really driving a lot of growth in the company,” Rosch said.
In September 2021, ForgeRock became a publicly traded company, raising US$300 million during its IPO. A year later, private equity firm Thoma Bravo announced ForgeRock’s acquisition for US$2.3 billion.
“After a successful start as a public company with strong initial earnings calls, we began to see some macroeconomic changes such as rising interest rates and fears of recession. During this time, Thoma Bravo and other private equity firms had been in talks with us for over a year and a half. Eventually, we decided that the time was right, given the uncertainty in the macroeconomic environment,” the CEO recalled.
Even before the COVID-19 pandemic occurred, several businesses already had some form of hybrid work arrangement in place, usually divided into 80% onsite, and 20% remote.
This phenomenon, said Rosch, has made decision makers optimistic about facilitating employees’ access to systems and applications.
“The COVID-19 pandemic has prompted a shift in workforce identity. Previously, it was based on security and protecting the workplace environment, but the ability to work from anywhere led to a focus on ease of experience. During the Great Resignation, companies are competing for talent, and making it easy for employees is a priority,” the Chief Executive remarked.
It eventually came down to productivity: businesses that invest significant resources in a security solution cannot afford to make their employees wait around to access an app or pass a firewall.
“We’ve been able to grow our workforce identity business because we’ve understood that before a lot of our competitors. Zero-trust security is critical, but it is really about that employee experience and productivity,” Rosch said.
The future is now
With the industrial internet of things (IIoT) and internet of medical things (IoMT) becoming increasingly prevalent, identity management could become an overwhelming task for IT teams.
According to the ForgeRock CEO, this complexity could be addressed by focusing on what he termed “relationship management.”
“We can do device recognition, we’ve done it for a long time; we can do user-based identity, but putting them together, relationships become a lot more interesting for me,” he said.
Rosch explained that people, things, and services are closely connected. Companies strive to succeed in their respective markets by providing better customer experiences, and to do that they need to understand these relationships.
“The way this works is we can do the identity authentication for people, physical things, and services, but we’ve also spent a lot more time with relationship management — to be able to have a directory infrastructure that can store all these identities and understand the relationship between them,” he said.
Meanwhile, the future of identity management, Rosch noted, rests on two areas: the user side, and the IT professional side.
“From the user perspective, the future is passwordless, and it’s already here today. Thanks to distributed identity, sometimes called self-sovereign identity, we can just set up different identity relationships with every person or organisation we deal with. That means no more re-enrolling or re-registering, saving organisations’ time and money on identity proofing and credential validation,” the CEO said.
Rosch sees a future in which a single digital identity can be used across platforms and services, eliminating the need for multiple login credentials. He describes this “single driver’s licence for the Internet” as the second big thing that will transform the industry from the user’s perspective, offering the benefits of portability and frictionless access.
From the IT professional perspective, it will be all cloud, and centre on faster time to value.
“It will be easy to create these identity experiences by dragging and dropping these low-code modules. It will be a lot more intuitive to the IT professional,” he said.
Banking on AI
At present, ForgeRock is working on bringing more intelligence to its identity system with the help of AI.
To Rosch, identity comes down to one word — trust.
“Do I know who you are? Do I trust you? Should you have access to this application or file at this exact second? Identity is about decision-making in that exact second. What we’re trying to do is help our customers make smarter decisions, to recognise a legitimate user and give them frictionless easy access, but also to recognise a potential malicious actor and block them from getting into the person’s account. The aim is to reduce that fraud, and reduce all those account takeovers,” he said.
Traditionally, the company has done this verification through usernames and passwords, but since these are not secure, it is now betting on AI.
“We’ve been investing in AI over the past several years, to be able to collect ongoing signals of user and device behaviour, to be able to identify a legitimate user, give them access, and block malicious actors. So, this is an opportunity to bring more intelligence to the identity journey,” Rosch said.
Although there are a lot of open-source algorithms to take advantage of, ForgeRock has built its own AI algorithm to better respond to its customers’ needs.
“Our customers expressed the need to go beyond mere intelligence and make it more actionable. This means when a decision gets recommended by the engine, we need to be able to automatically put that in the identity journey. Take, for example, the process of logging into a bank account. If the AI engine detects a higher risk, it should immediately prompt that user for an upgrade or more authentication steps, or even block access altogether. It can’t be an offline system,” the CEO explained.
The company’s AI engine was also built right into what they call identity trees or orchestration capability, so that real-time decision-making is right there along with the engines.
“For us, it’s really about fraud mitigation. That’s what customers want us to do. They don’t care how you do it. They want less fraud and less account takeovers, so we really focus on that customer value. AI is just a way to deliver,” he said.
Indeed, identity has evolved over the years from being just about security and technology, into a business enabler.
“Customers want fewer solutions, and more intelligence in those solutions. We’re not a typical security solution. We’re really a business transformation tool that has to have security along with it,” Rosch concluded.