Check out all the on-demand sessions from the Intelligent Security Summit here.
For enterprises that are looking to bring a zero trust approach as a way to better secure identities and permissions, leveraging advanced AI is now essential in order to achieve accuracy and scalability, ForgeRock CEO Fran Rosch told VentureBeat.
While traditionally, zero trust decision-making has relied mostly upon rules–for instance, rejecting a user request based on an impossible geographic location–ForgeRock adds in AI algorithms that enable far greater accuracy, Rosch said. This accuracy equates to dramatically enhanced security, he said–citing an example of a recent customer that increased its entitlement rejections by 300% after deploying ForgeRock.
“Because it was previously all done by these rules, and people were rubber-stamping these entitlement requests, they were letting these things go that they should never have approved,” Rosch said in a recent interview. “That was increasing the risk to the company. Because there were people who had no business accessing HR data, and no business accessing sales data, that were getting that information. So by leveraging the AI, a 300% increase in request rejections really tightened up the security of the organization.”
Crucially, ForgeRock’s AI-driven system also provides explainability about why rejections take place, he said.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
“Companies want to know why. They don’t just want to know that ‘the secret algorithm rejected this.’ Well, why? What was it about this user behavior?” Rosch said. “So having that explainability front and center is really important. Because a lot of times you have to explain that to the user. Why did we reject this? Well, because here’s what was going on with your behavior.”
Ultimately, when it comes to AI, ForgeRock is “farther ahead than most of the competition,” he said–and that’s a major factor behind the company’s surging growth. For the first nine months of 2021, San Francisco-based ForgeRock–which went public in September–generated $129 million in revenue, up 47% from the same period in the previous year.
“We feel it’s a way to actually get an introduction to the customer for ForgeRock,” Rosch said. “They might not know us, but they’re attracted by the differentiated capability in our AI tool.”
In the interview, Rosch also discussed ForgeRock’s other biggest differentiators versus competitors such as Okta, where the company’s capabilities are going next on AI, and his views on Microsoft’s expanded efforts in security.
What follows is an edited portion of the interview with Rosch.
How do you think about zero trust security, and how does your product enable it for customers?
We enable zero trust by giving our customers the ability to make ongoing decisions about who should see what in their enterprise. A lot of people think security is, “Hey, I get up in the morning, I log in, I get authenticated, and I go do my work.” And that’s not zero trust. That’s “single time” trust. I trust you once and you get everything you need. What ForgeRock does is enable our customers to do ongoing risk assessment of me as a user–throughout my journey, throughout my journey, throughout my day as I try to access new applications. We give our customers the ability to constantly assess my identity, and therefore assess risk and make these zero trust decisions.
So I log on in the morning, and I put in my username, password, MFA, whatever I do. The trust for me at that point is very high, because I’ve just authenticated. And what companies realize is that trust degrades every second that goes by after that initial authentication. Because there’s risk that it was not me–that my name has been hijacked in some way. So if an hour later I try to log on to Salesforce, we want to give our customers the ability to make another decision at that point–and say, “Look, I know Fran authenticated an hour ago, but it might not be him anymore. Let’s not trust him. Let’s have zero trust and let’s reassess Fran at that point.”
Then, reassessment can be done based on a stepped-up authentication. That’s where they say, “OK, Fran, I know you checked in an hour ago, we want you to check in again, can you go and re-establish–put in username and password again, maybe put in an OTP [one time password] again, and then re-establish trust again.” Identity is such a key element of zero trust. And that’s how ForgeRock does it, by giving our customers the power to constantly assess risk and make re-authentication decisions at any stage of the user’s session.
What do you feel ForgeRock does better than others in terms of zero trust identity security? How are you differentiated?
Traditionally, a lot of those zero trust decision makers are rules-based. One of the rules that most people commonly talk about is “impossible traveler.” So if I log on in California, and then an hour later in New York, I can’t be the same person. So let’s do a stepped-up authentication. That’s an impossible traveler rule. And there are lots of other rules if I’m on a different device at certain times a day, all of those types of things.
What we do is bring algorithms to that. Because we recognize that I, as an individual, develop patterns of behavior over time. And not only as an individual, but people with my same function develop patterns of behavior. The entire company has patterns of behavior. And we’ve brought algorithms to the point that every time I try to access some other new service or application with the company, we can use our algorithms to say, “Hey, does it still look like the same person?” If yes, let the individual keep going. But if we see some red flags, we can say, “Wait, let’s stop.”
The other thing we hear from our customers is, it’s not about black and white–”Let them in, don’t let them in.” It’s this concept of gray. We may want to let that user continue, but maybe we limit access to the most sensitive data. So the user can still access Salesforce, but maybe we disable the ability for them to export data out until we have a higher level of trust. So I think what’s unique about ForgeRock is we combine rules and AI in a more effective zero trust solution. [We accomplish this] through identity permissions. It’s basically changing the permissions for that user and how they use the app.
So because you’re not just using rules, and you’re using AI, does this bring significantly better accuracy on these permissions?
It does. For example, one of our customers is a large brokerage company, with about 15,000 employees. Those employees access about 2,000 applications. That creates a web of millions of entitlement requests–because they have to know what employee accesses what application. They were leveraging a rules process, where if somebody asked for access to an application–for instance, a new employee says they want to get access to the HR system–they would look at that person’s job and say, “Does it make sense based on a predetermined job description? Based on a rule?”
We came in with an algorithmic approach. We look at all the employees, what they do, and what they should really get access to. And we develop this graphical view, so you can really start seeing the outliers of, “Why does this person have access to this and to that?” When this company applied our algorithms they saw a 300% increase in the entitlement rejections that they processed. Because it was previously all done by these rules, and people were rubber-stamping these entitlement requests, they were letting these things go that they should never have approved. And that was increasing the risk to the company. Because there were people who had no business accessing HR data, and no business accessing sales data, that were getting that information. So by leveraging the AI, a 300% increase in request rejections really tightened up the security of the organization.
With this algorithm-based approach to permissions, do you feel like ForgeRock has figured out how to enable zero trust without creating a heavy lift for customers?
It is absolutely about automation. We believe that it’s got to be an automated operation, not a manual one–which means that’s how a company can scale and handle this. Access requests are no different. And as part of zero trust, that has to be automatic, and that’s what we do. These decisions are made in milliseconds, and they don’t slow down the productivity of the organization. I would also say zero trust is a term that’s gotten a lot of different meanings from a lot of different people. We think that zero trust is about combining an identity solution with a network solution and an endpoint solution–we’re part of a zero trust solution, not standalone. But for what we do around identity, it is absolutely automated, and it scales to the needs of the largest enterprises, which is where we focus.
So for the identity portion, then, you are able to automatically get this visibility into everything that a customer has?
That’s right. And it ends up with this very visual interface, where you can picture these tiny little dots, or requests. And you might see this sea of green dots and this big red one in the middle–and you’re like, why is that person in this ecosystem getting access to [certain resources] when they don’t have any of the underlying characteristics or need to get these. Some of these companies just have so many employees, they need the help of this visual tool to be able to do that.
We do have companies that are running in two different ways. They’ll run the rule base against their current entitlements, and identify any of these outstanding anomalies that they can go address. And then they will use it for that day-to-day decision making going forward. So they can really scale automatically.
What are your biggest differentiators in comparison to competitors such as Okta?
I think that ForgeRock is taking a different approach to the market than a lot of the other competitors in the identity space. First of all, our platform has the broadest coverage of functionality. When you think of the identity experience, it’s about identity management, identity lifecycle, onboarding new users, provisioning their access, setting up their accounts and their privacy settings. And then when those users come back, a minute, an hour, or a year later, you need to recognize them. [Then have] single sign-on for all the applications and services that they need, multi-factor authentication. And then all the zero trust, fine-grain authorization, all part of that access management category. And then it’s about that governance–managing all the entitlements. It’s onboarding the user, recognizing them, and then giving them access.
ForgeRock is different because we’re the only company that brings all of that into a single platform. That’s how we’re different. Most of those companies [in the space] are really identity and access management. They don’t have the governance component. We also have a single platform that works for both workforce and consumer, all in a single platform. [For many companies] having a single platform to manage all their identities is really important. And then it’s all about scale and integration into complex hybrid environments. So we’re different in the scope of the platform. And we’re different because we’re embedding AI throughout that entire identity journey, which is what I think our customers really like. Because they don’t want to cobble together multiple point solutions across that identity journey.
What were some of the advancements that ForgeRock made in 2021 in terms of AI?
The advancements are really in tuning the algorithms, and in the visual representation, and then in making it actionable. And ultimately, that’s what customers want. When we first got started in this, we focused on getting the algorithms right–being able to find and identify the legitimate user, with a high level of confidence, and identifying the potential malicious actor with a high level of confidence. It’s all about tuning those algorithms, which we’ve been doing for four years and now feel really good about.
Then the second step was making it visual–because it’s hard to see an algorithm. And when you start seeing the approvals, the rejections, everybody wants to know the “why”–which is called “explainability.” Do you have explainability behind the rejection? So you have to say, here’s what was anomalous, here’s why that user got flagged.
But then ultimately, they want it to be actionable. They want it to feed into making a decision–so one of their employees doesn’t have to look at the data and then go make a decision. So it has to plug into wherever the user is in their journey. Whether it’s an initial log-on and authentication, or an access management. We’ve been progressing in all three of those–tuning the algorithms, the visual representation and explainability of the results, and then most importantly, plugging it into systems actually make it actionable and automated.
In terms of the visual element, what you’re saying is that by having this, that enables customers to pinpoint the potential security issues quickly?
Absolutely. It’s like finding that needle in the haystack. And you can’t do that manually.
Then basically, what you can do is if you have that anomalous red dot in the sea of green, you can then hover your cursor over that, and then it gives the explainability. Why is this person requesting this authentication being rejected? And so it visually shows it. Companies want to know why. They don’t just want to know that “the secret algorithm rejected this.” Well, why? What was it about this user behavior? So having that explainability front and center is really important.
Because a lot of times, you have to explain that to the user. Why did we reject this? Well, because here’s what was going on with your behavior. We think about this for employees, but it’s also important for consumers. If you’re trying to do a wire transfer, or if you’re trying to buy a pair of shoes, and you get stopped from doing that–they need to be able to explain, “We’re just trying to protect you, and what we saw was this really weird behavior.” And then you go, “yeah, you’re right. I was using my brother’s computer, etc.” So that explainability is really important.
Looking ahead, where are you aiming to take the product next in terms of AI capabilities?
Where we’re going is to basically to bring AI at every step of that identity journey. We’ve launched it in a couple of different parts, starting around employee entitlements, and starting around consumer authentication. But we’re just bringing AI to every single step of that identity journey. And what we have in ForgeRock is a component we call our “identity trees.” These are no-code, preconfigured identity modules that you drag and drop and connect and hook, to build this identity journey. What we want is to be able to do signal collection and risk analysis at every single step along the journey, all automated and all equipped with explainability in decision-making. We’ve got the algorithms right, we’ve got the visual representation and explainability. We’ve got it now actionable in a couple of key moments of truth. We’re now working to bring it across the entire journey.
Then what really becomes exciting, beyond that, is that right now our AI capability works on a customer by customer basis. But algorithms get better and better trained and more and more accurate with more data. We’ve got some of the largest companies in the world [as customers], so we are working to be able to anonymize their data and then be able to pool it together and be able to look at it all at once with our algorithms that we build. And then, create smarter algorithms that we would then put back into those individual customers. Because we know that malicious actors are going to actually exploit multiple different customers, potentially at the same time. So No. 1 [in 2022] it’s about spreading the AI decision-making capability to every step along the journey. And then second, merging all that together to even train the algorithms–not just on a customer by customer basis, but across our entire ecosystem.
As you’re extending AI to every step of the journey, what benefit does that bring to the customer?
I think it’s power. It’s power to be successful in their businesses as they compete in their markets. [Think about] a bank today. When I would go to the bank in the ’80s and ’90s, a lot of the reason that you would choose your bank is customer service. What was it like to go into the branch, and how long did you have to wait, what was the service like? Today, banks are competing with each other a lot on their digital service–how easy is it to log on and get in when you’re on your mobile device or the web or the ATM machine? How easy is it to do business with that organization? And how frictionless is it? But at the same time, you want to make sure that your data is protected, your money is protected.
So the winning institutions in this market are going to be ones that create frictionless, easy experiences without compromising on security. And that’s what AI does at every step along the way. If we can continually monitor, and ensure that we know it’s you, and let you continue and do your business without any hassle or friction, you’re going to be happier with that institution. You’re going to stay, you’re going to become more loyal, and you’re going to do more business. And at the same time, if we can block bad guys from you, without having to bother you–so your data and your money stays safe–your loyalty will grow. So, we believe identity is that fundamental to the success [of companies]–whether that’s in banking, government, e-health and telemedicine, self-driving cars and automotive. Obviously we’re all doing Netflix and streaming–identity is the gateway to all of that. So AI empowers a better experience without compromising security.
So higher accuracy is really the big target here?
Identity is a lot about decision-making. Do I know who you are, do I trust you, should you get access to this application or this file at this exact second? We want a higher number of accurate yeses, and a fewer number of false positives, and a higher accuracy for the false negatives.
Do you consider AI a major differentiator for ForgeRock versus your competitors?
We do think that we’re farther ahead than most of the competition on this. And if you read some of the Gartner reports, they’ll definitely confirm that. We really have been leading in this space. And it comes down to those things we talked about–accuracy, visualization, explainability, and actionability. And we’ve got all four of those–and that took us a while. Most of the other [companies] are catching up in that area.
What would you want to say about how these efforts in AI have been enabling the expansion of your business?
AI is one of those real opportunities that we engage with our customers and say, “Great, you’ve got the core functionality up and running now. Here’s how we can make it smarter.” Whether that’s on the consumer side, and what we call intelligent access, or whether it’s on the workforce side, with this autonomous identity or self-driving identity around those automated approvals. So it’s an upsell to that core platform.
It’s still early days for us. We’re further along in that autonomous identity [area]. And that’s what we’ve set out to do. But what I would say is we’re seeing that the AI capability is so differentiated, we’re actually seeing customers saying, Wait, I’m not ready to move to the whole platform–I just want to start with your AI capability, on top of what I’m running today. So we feel it’s a way to actually get an introduction to the customer for ForgeRock. They might not know us, but they’re attracted by the differentiated capability in our AI tool.
And I would say some of this is driven by our great partnerships. We work closely with companies like Accenture, Deloitte, and PwC, who are involved with helping customers with their larger digital transformation initiatives. And they’re bringing ForgeRock into their customers because they know we are uniquely positioned to solve those problems. We’re seeing AI become a module that we sell after the product is deployed. And now we’re seeing it is actually a foot in the door, to demonstrate who we are and to introduce ourselves to the customer.
Microsoft has been focusing heavily on identity as part of its security push in recent years. Do you see Microsoft mainly as a partner, or are they a competitor in some sense as well?
We’re part of the MISA [Microsoft Intelligent Security Association] program. So we’re part of their security ecosystem, and we have a lot of great engineer to engineer relationships. A lot of our customers run ForgeRock in Azure. So we’re all certified to run in Azure. So there’s a good partnership there.
Microsoft is focusing on identity, as well. We don’t see them as a direct competitor so much. They’re more focused on that workforce, single sign-on space–just to cloud and SaaS apps, primarily in the Microsoft ecosystem. We typically work with larger enterprise customers that are really looking at identity as a key differentiator for their business. Companies like GEICO, where they’re like, how do we make this identity experience so easy, so we can sell more insurance? [For customers like that] we move pretty quickly beyond the capabilities of Microsoft identity. And that’s the companies where we’re working with. So more of a partner, occasionally competitor–but really, we’re going after a different part of the market.
Some companies, including some of your competitors, have criticized Microsoft’s security–saying that Microsoft is more a part of the problem in cybersecurity rather than the solution. What’s your perspective on that?
I have a rich history in this space. I was in the endpoint security business for a long time. And the reason there was an endpoint security business, to begin with, was because the Microsoft operating system, when it was first developed, did not think about security. So billion-dollar markets were created to provide security on top of that Microsoft system. And I think they would say, they did not take security seriously in the beginning parts of their company. They clearly have prioritized it dramatically over the past couple years, and they have made great improvements. But that product set is incredibly complicated–a lot of code from all over. There are going to be vulnerabilities in that system. So I think Microsoft needs partners like ForgeRock, like endpoint providers, to help their products stay secure and make their customers successful.
But it takes a long time. I remember when I was at Symantec, around 2002, we thought the Norton product was going to go away because Microsoft was just going to embed security for free for their consumers. Twenty years later, Microsoft’s done a lot better on their endpoint security product, but there’s still a market out there to make it even more secure. So I think it’s an ongoing challenge for them–one that they’ve done amazing progress on–but you need security around the whole Microsoft ecosystem, still today.
How would you summarize what you want people to know about ForgeRock’s product and opportunity?
Digital identity itself is just such a top priority for CISOs, CIOs, developers. That’s only increased with COVID–every worker has become a remote worker, and now our whole lives are online. You can’t find a customer who doesn’t want to talk about identity at this point. So it’s just an amazing opportunity. ForgeRock has very differentiated technology, built for the large enterprise, with the power of AI and a unique approach to the cloud. So we’re just really excited to continue to grow here as a company.
Besides identity, what do you see as the other essential components for zero trust security? In other words, what does ForgeRock work with as part of enabling zero trust?
There are network security providers, like Zscaler and Palo Alto Networks, that are doing some really great things in zero trust, in the network and the cloud perspective. There are companies like CrowdStrike and SentinelOne that are also doing great things with zero trust on the endpoint. I look at those three control points of network, endpoint, and identity, as being three vectors where you can apply a zero trust mentality. And you need to do all three. We partner with some of those other companies in different ways. Those are the companies I think are doing some really cool things.
So those other platforms are open enough that you’re able to work in tandem with them?
Absolutely. And the smartest enterprises are not only making zero trust on the identity decision, but they can factor in information they’re seeing from the network or seeing on the endpoint. There’s so much intelligence at all these different control points, that you really have to look at all of them. You can look at them individually, but you get even smarter and better when you look across all those control points.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.