Security as a Company Value

ForgeRock’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.

Three Guiding Principles for Security

ForgeRock has founded its security approach on the three core principles of information security:

  • Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
  • Integrity: The property of safeguarding the accuracy and completeness of information and the assets that hold or process it
  • Availability: The property that information is accessible and usable upon demand, and only by authorized entities

Together, these three principles deliver one thing to our customers — a product and service that allows people to simply and securely access the digital world and a company they can trust to help them do that.

Secure Personnel

ForgeRock takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to ForgeRock resources.

  • All ForgeRock contractors and employees undergo background checks prior to being engaged or employed by ForgeRock in accordance with local laws and industry best practices.
  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.

Secure Development

  • All development projects at ForgeRock, including on-premises software products, support services, and ForgeRock's own Digital Identity Cloud offerings follow secure development lifecycle principles.
  • All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
  • All team members regularly involved in system development undergo annual secure development training for the coding or scripting languages they work with, as well as any other relevant training.
  • Software development is conducted with the OWASP Top 10 web application security risks as a baseline.

Secure Testing

ForgeRock deploys automated vulnerability scanning of all production and Internet facing systems on a regular basis.

  • All new systems and services are scanned prior to being deployed to production.
  • We perform penetration testing, using both internal security engineers and external penetration testing companies, on new systems and products and on major changes to existing systems, services, and products. Combining internal and external testers gives a comprehensive, real-world view of our products and environment from multiple perspectives.
  • We perform static and dynamic application security testing (SAST and DAST) of all code, including open source libraries, as part of our software development process.

Cloud Security

ForgeRock Identity Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

ForgeRock Identity Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

  • All customer cloud environments and data are isolated using ForgeRock’s patented isolation approach. Each customer environment is held within a dedicated trust zone to prevent accidental or malicious co-mingling of data between customers.
  • All data is encrypted at rest and in transit to prevent unauthorized access and data breaches. The entire platform is continuously monitored by dedicated, highly trained ForgeRock experts.
  • ForgeRock has implemented a mature information security management system (ISMS), owned by our CISO, which defines the security policies that all ForgeRock employees must follow. These policies and practices are regularly reviewed and assessed by internal and external auditors.
  • We separate each customer's data from other customers' data and from our own, using unique encryption keys per customer so that data is both protected and isolated.
  • ForgeRock's data protection controls, including encryption of data in transit and at rest, are implemented and audited under our ISO 27001-certified ISMS, ensuring customer and company data and other sensitive information is protected at all times.
  • We implement role-based access control and the principle of least privilege, and review and revoke access as needed.

Compliance

ForgeRock is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of ForgeRock’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices ForgeRock has in place.

SOC 2 Type II

ForgeRock successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that ForgeRock’s information security practices, policies, procedures, and operations meet the SOC 2 Trust Services Criteria for security, availability, and confidentiality. Because a Type II report covers the operating effectiveness of controls over a period of time rather than at a single point, our adherence to these criteria is externally validated annually.

Customers and prospects can request access to the audit report here.

ISO 27001

ISO 27001 is an industry standard for information security. ForgeRock has been independently assessed and certified to the ISO 27001 standard for all major offices where development happens, for all of our product offerings as both stand-alone on-premises products and our Identity Cloud service, as well as all supporting infrastructure, systems, and internal processes.

UK Cyber Essentials Plus

The UK Cyber Essentials Plus certification demonstrates that ForgeRock has the controls in place to guard against the most common cyber threats, and includes hands-on technical verification by an independent assessor rather than self-assessment alone. This certification provides extra reassurance for our customers in the United Kingdom, which is where ForgeRock manages support for all of our major products.

CSA STAR Level 2

The Cloud Security Alliance (CSA) STAR program is the first of several cloud-specific certifications ForgeRock pursues, and it demonstrates our ongoing commitment to industry-accepted security controls and transparency for our cloud services. ForgeRock Identity Cloud has recently completed an external audit validating that it meets the criteria required for the CSA STAR Level 2 attestation, which involves third-party assessment rather than self-assessment. Both the CSA STAR Level 2 attestation and our completed CSA Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 can be viewed on the CSA STAR registry page.

HIPAA and HITECH

The Health Insurance Portability and Accountability Act (HIPAA) establishes the U.S. national standards for health information security and privacy that govern the use and disclosure of protected health information (PHI). ForgeRock Identity Cloud complies with the HIPAA Security Rule standards and with the breach notification requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Resources

Whitepaper: ForgeRock Security & Compliance Whitepaper

Whitepaper: ForgeRock Identity Cloud Security

Statement: ForgeRock Statement on Modern Slavery