Identity Cloud

Key features

Identity Cloud add-on capability

Contact your ForgeRock representative if you are interested in adding Autonomous Access to your Identity Cloud subscription. Refer to Add-on capabilities.

Autonomous Access features


Fully-native Identity Cloud deployment

ForgeRock’s Autonomous Access and its components are fully cloud-native, deployed into your new or existing development, staging, and production tenants. The data collected by Autonomous Access is stored for three months in the Risk dashboard and six months in the cloud to ensure optimal artificial intelligence/machine learning (AI/ML) analytics.

Machine learning-based anomaly detection

Autonomous Access uses AI/ML-based detection analytics centered around user behavior and geospatial contextual information at authentication. Anomaly detection includes location, time of day, operating system version, device model and type, browser type and version, and other data. Autonomous Access’s AI/ML decisions are designed to be explainable, providing clear reasoning for its scoring instead of generating black box results with limited transparency.

Fully GDPR compliant

The General Data Protection Regulation (GDPR) is a collection of European Union (EU) regulations designed to protect the privacy and personal data of users. GDPR grants an organization’s users greater control over their personal information and requires organizations to obtain explicit consent to access and remove their personal data. It also requires organizations to provide clear information about data processing and security measures to safeguard user data. Autonomous Access stores user data in the cloud for six months. Users can request to access or remove their personal data processed through Autonomous Access. Refer to Handling GDPR requests.

Real time threat detection

The Autonomous Access AI/ML analytics engine discovers the risk threats described in Real time threat detection.

Autonomous Access dashboards

Autonomous Access presents multiple UI dashboards providing insights into the online behavior of the tenant and of individual users.

  • Risk dashboard. Displays an intuitive risk activity page showing all suspected access threats occurring in the past three months across a worldwide company. Authorized users can click on an event to drill down to examine the details. The dashboards display the risky events specific to the realm that you are in.

  • Activity detail. Displays a summary page for a selected risk event on the Risk dashboard.

  • User access behavior. Displays a graphical summary page of the typical access behavior for a selected user. You can access this page from the Activity detail page.

  • Tenant access behavior. Displays a graphical summary page of the typical access behavior for all users in the tenant. You can access this page on the Identity Cloud admin UI.

Autonomous Access nodes

Three Autonomous Access nodes integrate within your journeys. No custom coding or connectors are required for these nodes. The following Autonomous Access nodes are available:

  • Signal node: The signal node determines the heuristics and anomaly detection to include in the risk score generation. The node begins making API calls to the Autonomous Access AI server to collect and extract data from a pre-defined data source. After you run an AI/ML training workflow to generate the risk scores and models, the Autonomous Access AI server returns the risk score and accompanying information for each event to the decision node.

  • Decision node: The decision node determines the actionable journey paths based on where a risk score lies within a predetermined range of scores.

  • Result node: The result node collects the risk predictions and results for successful and failed outcomes and writes them to the Autonomous Access AI server.

The nodes are all specific to the realm that you are in.

For further customizations, you can leverage the more than 100 ForgeRock nodes within your journeys to implement your use cases. For more information, refer to Learn about the Autonomous Access nodes.

Out-of-the-Box journey

Identity Cloud provides a preconfigured Autonomous Access journey with the Autonomous Access nodes. You can use this journey as a starting template for your specific use cases and requirements. The Identity Cloud Analytics dashboard also reports successful or failed Autonomous Access journeys. For more information, refer to Create journeys.

Custom features

Autonomous Access lets you add custom features using YAML-based risk configuration and scripted nodes. For example, you can configure Autonomous Access with the following custom features:

  • Multiple policies: Companies typically require multiple risk policies for their various use cases. Autonomous Access provides a single risk policy out-of-the-box, but you can configure multiple policies.

  • Custom logic: Autonomous Access uses the highest risk score of all triggered signals by default. For example, if you have a UEBA signal with a score of 30 and an impossible traveler score of 60, the resulting score of these events is 60. However, you can also change the logic to use the sum of all triggered signals for your applications. For example, a UEBA score of 30 and an impossible traveler score of 60 results in a sum score of 90, which triggers a high risk.
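The two combination modes above (highest score by default, sum as custom logic), followed by the allow/block IP overrides, as an added illustration that is not ForgeRock's own code. The low/medium/high bands, the precedence when an IP is on both lists, and the IP addresses are assumptions; the documented example only states that a sum of 90 counts as high risk.

```python
from typing import Dict, Iterable, Tuple

# Assumed decision-node boundaries for this illustration; the documented
# example only says that a combined score of 90 counts as high risk.
MEDIUM_RISK_FROM = 40
HIGH_RISK_FROM = 70


def combine_scores(signals: Dict[str, int], mode: str = "max") -> int:
    """Combine the scores of triggered signals.

    mode="max": the default, the highest triggered score wins.
    mode="sum": the custom logic, triggered scores add up (capped at 100).
    A signal with score 0 is treated as not triggered.
    """
    triggered = [score for score in signals.values() if score > 0]
    if not triggered:
        return 0
    if mode == "max":
        return max(triggered)
    if mode == "sum":
        return min(100, sum(triggered))
    raise ValueError(f"unknown combination mode: {mode}")


def apply_ip_lists(score: int, source_ip: str, allow_ips: Iterable[str],
                   block_ips: Iterable[str]) -> int:
    """Allow-listed IPs are forced to 0, block-listed IPs to 100.
    Precedence when an IP is on both lists is not documented; block wins here."""
    if source_ip in set(block_ips):
        return 100
    if source_ip in set(allow_ips):
        return 0
    return score


def risk_level(score: int) -> str:
    """Map a final score onto the assumed low/medium/high bands."""
    if score >= HIGH_RISK_FROM:
        return "high"
    if score >= MEDIUM_RISK_FROM:
        return "medium"
    return "low"


def evaluate(signals: Dict[str, int], source_ip: str, allow_ips: Iterable[str] = (),
             block_ips: Iterable[str] = (), mode: str = "max") -> Tuple[int, str]:
    """Full pipeline: combine signals, apply IP overrides, classify the result."""
    score = apply_ip_lists(combine_scores(signals, mode), source_ip, allow_ips, block_ips)
    return score, risk_level(score)
```

The allow-list case mirrors the VPN scenario described later on this page: a credential stuffing signal from an allow-listed address is forced to 0 rather than raising a false positive.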

Real time threat detection

The Autonomous Access AI/ML analytics engine discovers the following risk threats:

  • Anomaly detection. Autonomous Access’s User and entity behavior analytics (UEBA) signal effectively identifies online anomalies in a user’s behavioral profile. UEBA is a powerful security tool that utilizes machine learning to analyze network activity, detecting any deviations from a user’s typical online behavior. This complementary tool can be seamlessly integrated with other threat signals for enhanced security measures.

  • Prevent double jeopardy. Avoids flagging a user for the same reason or risk score if they already passed multifactor authentication. For example, if a user in France visits Singapore and gets flagged for an unusual location but successfully completes multifactor authentication, Autonomous Access will not flag the user again during their next login within a default time window (60 minutes) from the same city (Singapore).

  • Credential stuffing: Identifies instances where a single IP address attempts to access multiple user accounts over a period of time by counting the total number of users accessed by that IP.

  • Suspicious IP: Tracks the overall count of authentication attempts made by a single IP address across all users. An IP is flagged as suspicious if it exceeds a certain threshold of authentication attempts within a specified timeframe.

  • Automated user agent filter: Detects if automated bots exist in the user-agent string. An automated bot is a program that operates independently, performing tasks automatically without the need for human interaction. Hackers utilize automated bots to launch large-scale attacks, such as distributed denial-of-service (DDoS) attacks or credential stuffing, by leveraging the bots' ability to carry out malicious activities rapidly and at scale. Autonomous Access can detect such malicious activity using its automated user agent filter heuristic.

  • Impossible Travel: Detects when a user authenticates from two locations so far apart that travelling between them in the elapsed time would require an impossible speed.

  • Brute force: Detects the frequency of authentication attempts for a user over a period of time. If the frequency is high, then Autonomous Access flags the event as a possible brute force attack.

  • Distributed attack: Detects whether the number of unique IP addresses from which a single user makes authentication attempts exceeds a predefined threshold within a specified time period. For example, if the threshold is set to 7 and the window is set to 10 minutes, Autonomous Access raises a distributed attack flag if the same user makes authentication attempts from 8 or more distinct IP addresses within a span of 10 minutes. The only action is to display the risk score on the Risk dashboard, so that the administrator can adjust the login journey to block or challenge this activity.

  • Allow/block IP addresses: Autonomous Access provides two features to handle the cases where known IP addresses would otherwise trigger false positives, and where known malicious IP addresses are associated with harmful activity on the Internet: allow IP lists and block IP lists.

    • Allow IP Addresses. This feature allows you to override a risk score when dealing with specific IP addresses triggering high-risk scores. Instead of assigning a high-risk score, it sets the risk score to 0. For example, many users and organizations use VPNs to access online services. However, VPN usage can often trigger a false positive related to credential stuffing because multiple users are coming from the same IP address. To address this, you can add the VPN’s IP address to an allow list. When an IP address is on this list, Autonomous Access assigns it a risk score of 0, bypassing heuristic and machine learning processes.

    • Block IP Addresses. This feature allows you to override any calculated risk score and set it to 100 for IP addresses known to be malicious. For example, if you want to block access from known malicious IP addresses completely, you can add them to a block list. When an IP is on this list, Autonomous Access subjects it to all configured heuristics and machine learning processes, calculates a risk score, and then overrides the calculated risk score by assigning a score of 100, indicating a high-risk state.

      Autonomous Access is not a firewall. You must consume the output risk score in a succeeding node in the journey for actionable outcomes. Autonomous Access cannot allow or block any IP address by itself.
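Sliding-window versions of two of the count-based heuristics described above, the distributed attack check (distinct IPs per user, using the documented example of threshold 7 within 10 minutes) and the credential stuffing check (distinct accounts per IP), as an added illustration that is not ForgeRock's code. The event format, the sample events, and the credential stuffing threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, user, source IP)

BASE = datetime(2024, 1, 1, 9, 0, 0)
# Constructed sample events, not real traffic.
EVENTS: List[Event] = (
    # "bob": 8 distinct IPs within 7 minutes -> distributed attack at threshold 7
    [(BASE + timedelta(minutes=i), "bob", f"203.0.113.{i + 1}") for i in range(8)]
    # "alice": 3 IPs spread over 40 minutes -> never more than one IP per window
    + [(BASE + timedelta(minutes=20 * i), "alice", f"203.0.113.{50 + i}") for i in range(3)]
    # one IP reaching 6 different accounts within 5 minutes -> credential stuffing
    + [(BASE + timedelta(minutes=i), f"user{i}", "198.51.100.9") for i in range(6)]
)


def _exceeds_in_window(items: List[Tuple[datetime, str]], threshold: int,
                       window: timedelta) -> bool:
    """True if any span no longer than `window` holds more than `threshold`
    distinct values. Sliding window over time-sorted (timestamp, value) pairs."""
    items = sorted(items)
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if len({value for _, value in items[start:end + 1]}) > threshold:
            return True
    return False


def distributed_attack_users(events: List[Event], threshold: int = 7,
                             window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Users seen from more than `threshold` distinct IPs inside `window`
    (7 and 10 minutes are the values quoted in the description above)."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    return {u for u, items in by_user.items() if _exceeds_in_window(items, threshold, window)}


def credential_stuffing_ips(events: List[Event], threshold: int = 5,
                            window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Source IPs that reach more than `threshold` distinct accounts inside
    `window` (this threshold and window are assumptions, not documented values)."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    return {ip for ip, items in by_ip.items() if _exceeds_in_window(items, threshold, window)}
```

As the note above says, these flags only produce a score for the dashboard or a decision node; nothing here blocks traffic.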
Copyright © 2010-2024 ForgeRock, all rights reserved.