Checking in with ForgeRock Co-Founder Jonathan Scudder

The KuppingerCole Access Management and Federation Leadership Compass is one of the identity industry’s most-awaited analyst publications of the year. It offers an in-depth review of the main players in the market, classifying each as Followers, Challengers or Leaders – similar to Gartner Magic Quadrant reports or the Forrester Wave. The 2016 edition was warmly received here at ForgeRock HQ because – for the first time – we were named as a Leader in all four categories: Product, Innovation, Market and Overall. In fact, ForgeRock took top honors in the Innovation category, ahead of Oracle, CA Technologies, Ping Identity and several other vendors.

We thought this would be a good occasion to check in with original ForgeRocker Jonathan Scudder. Jonathan heads up development of our Access Management offering (formerly OpenAM). A specialist in the field of identity management for much of his career, Jonathan was one of the five co-founders of ForgeRock, and he also serves on the board of directors. We caught up with him recently to discuss the KuppingerCole report, the origins of ForgeRock, the fast-changing identity space and the advantages of the open source model.

Congratulations on the recognition from KuppingerCole. You and your team have been involved in ForgeRock Access Management and the OpenAM project for many years, so being recognized for the most innovative product in the sector must be edifying.

Having OpenAM recognized in this way by analysts is great. We believe our products excel within their respective areas and our amazing customer base gives us confidence that this is correct. Broad market comparisons by KC and other analysts complete this picture. This is no excuse for complacence, however, and our focus on innovation grows only stronger. Going right back to the Sun days, it was always great to talk to a customer with the honest belief that our technology is best placed to solve their challenges, and I’m delighted that we can continue to do so. We’ve been around for a few years now, but the analyst reports have traditionally painted us as an up-and-comer or a bit of an underdog, competing with heavyweights like IBM, CA and Oracle. We’re here to stay, and I suspect the underdog label won’t last much longer!

Can you provide some background on how you got involved with the Sun OpenAM project?

I was working for a Sun partner back in 2005 when I got drawn into some exciting projects and started focusing exclusively on identity and access management. I was technical lead on the OpenAM-based identity implementation we did with the government of Norway – a massive government federation project involving millions of citizens that is still going strong a decade later. One thing led to another and I rapidly found myself working directly for Sun as identity architect in Central and Northern Europe, and OpenSSO (as it was then known) became my main occupation. Oracle’s acquisition of Sun in 2010 was the catalyst for ForgeRock because here was Sun, this business that had grown up around hardware, which was becoming less viable, but thriving on the software side.

So this takes us back to the origins of ForgeRock. The OpenAM project was somewhat unique – still is, really – in that it’s an open source solution in a sector where really big, slow-moving proprietary solutions were dominant.

Yeah, the whole turn to open source – it’s not about being open source as such. We all think that’s a good thing, but it’s also what that does with the products. In the identity sector 10-15 years ago, your main choices were these massive products that took months to install and configure before you could really use them for anything. With open source, you can’t have that model. You need to have something that you can download and play with, and be able to use it to get something up and working within a few hours. That’s the way it needs to work, and this is still the case. We still see these massive, heavy identity offerings on the market that are very slow to change and very difficult to implement. They’ve got a history, but there’s no agility there and little ability to meet changing market needs – which are in fact evolving faster than ever before. So we see ForgeRock’s ability to innovate on an open source model as a real business strength.

Which goes back to the KuppingerCole recognition, right? That agility and speed of innovation is evident in the latest iteration of the ForgeRock Identity Platform that came out earlier this year with multiple new capabilities.

Exactly. We believe we’re innovating faster than ever before. I’ll just bring up a few product highlights where we think we’re leading the way in the identity sector.

  • The first would be our concept of continuous security at scale. Conventional identity products provide protection “at the doorway.” What we can do now is offer continuous security through the life of a session, making it possible to assess the authenticity of users, devices and things, and mitigate risk whenever an anomaly is detected. We’re also now enabling identity professionals to simplify security and lower the total cost of deploying multi-factor authentication with a mobile authentication app.
  • The new mobile app provides strong multi-factor authentication, generates one-time passwords, and delivers easy and secure provisioning with quick response (QR) codes.
  • We’re also the first vendor to include a full implementation of the UMA standard, which means our customers can offer consumers the choice of who to share their personal data with, under what circumstances and for how long. These capabilities are in demand now and will become more so as greater numbers of Internet of Things devices and services come online.
  • I’d also add that the platform now makes it possible for developers to create and get new identity-powered capabilities to market faster than before. For instance, it’s now easier to connect data stores throughout the organization to get a complete view of the customer; build new services that provision, authenticate and authorize identities that are integrated with internal legacy platforms; and ensure services and data support BU engagement objectives while providing a readily available and flexible service platform.

How has the identity space changed in recent years?

The identity sector used to be very much organized around an internal security model – it was all about employees, internal users, internal access management. A large-scale deployment back then would have been in the tens of thousands or maybe hundreds of thousands of employees – there aren’t that many companies out there of that size. Today, it’s external. Pretty much every website or application today has a login and registration. That’s because everyone recognizes the value of knowing who your customers are. With identity, you have a secure channel of communications with that customer base. So identity has gone through a massive paradigm shift from a “bolt-the-doors” approach where it was all about protection – here’s our perimeter, you’re either in or out – to a world where identity becomes the perimeter, and you need to manage secure access for multiple customer identities and devices.

Which opens up all kinds of new challenges.

Yes, as soon as you go external, where you need to provide identity to all your customers, you quickly go two or three orders of magnitude beyond the legacy enterprise employee model. Citizens? The project we did with the government of Norway serves 5 million citizens and more than 500,000 businesses. We’re working on a project with a large European media company that aims to support 75 million customers. As the Internet of Things brings all kinds of new devices and services online, we’re definitely going to see more implementations into the hundreds of millions. The scale of identities we’re seeing is just way beyond what the legacy providers are designed for.

So you’re saying that scalability is a big differentiator for ForgeRock in the marketplace.

That’s definitely a key aspect, but on the other axis it’s flexibility. There are players in the identity space that can scale, but what we see is that these are relatively simple or limited offerings. You get scalability but the tradeoff is that you can handle identity management with only a handful of capabilities – you have to do it with this specific methodology. Our perception is that when you look at identity at this scale, and with the multitude of services and devices that need to be accounted for, it’s really difficult to lay down the law and say, “OK we can do identity management, but only this particular way.” And so flexibility and extensibility become critical. That’s what we’re seeing with our customers – high scale, broad requirements. Tying back to the product discussion, these diverse requirements are exactly why we provide virtually endless authentication possibilities – over 20 out-of-the-box authentication modules including device fingerprinting, one-time password and adaptive risk authentication and lots more. It’s all about giving the customer the capabilities to address whatever identity scenario they might encounter.

Does the open source approach feed into this strategy of providing the highest level of flexibility and extensibility?

Open source is important to us, but we’re a professional software vendor providing world-class products to highly demanding enterprise and public-sector organizations. Open source isn’t what we do, it’s the way we’re doing it. The impact of developing solutions through an active community of developers has advantages in terms of better visibility into the product if things aren’t performing as expected, getting new features and capabilities into the market faster, and the ultimate advantage in documentation which is, of course, to turn to the source code if you can’t find an answer in the comprehensive product documentation. These are real benefits.

Thanks for taking the time to chat, Jonathan!


For more information on the KuppingerCole Access Management and Federation Leadership Compass, read our press release.


For more information on ForgeRock Access Management, you'll find a wealth of material in the Platform section on our website.