Product Q&As
ForgeRock Identity Platform
ForgeRock Identity Cloud

Does the ForgeRock CIAM solution provide Zero Trust Security and a CARTA model of risk?

Last updated May 3, 2022

This article provides answers to frequently asked questions on Zero Trust Security and Gartner's Continuous Adaptive Risk & Trust Assessment (CARTA) model of risk when evaluating the ForgeRock Identity Platform for Customer Identity and Access Management (CIAM).


Questions

Does the ForgeRock solution provide a Zero Trust Security and CARTA model of risk and/or value-based authentication (Adaptive Authentication)?

Yes. ForgeRock's standards-based solution uses Intelligent Access and a variety of policy enforcement options, allowing organizations to make continuous security decisions and support Zero Trust and Gartner's Continuous Adaptive Risk & Trust Assessment (CARTA). This enables people, devices, things, and applications to have different levels of credentials to authenticate against a common identity store.

With ForgeRock Intelligent Access, the nodes within a journey or tree can take account of context factors, and based on the outcome, nodes can be configured for risk calculations, modifications to authentication level, alteration of session properties, and more. For example, you can easily define a different authentication journey for access from inside or outside the company, for employees or partners, or any other contextual information (IP address, localization, device, and so on). You can also create policies that trigger additional authentication steps in some situations or for some transactions.

Technologies like biometrics and MFA, contextual signal collection, and AI-driven analytics are essential for reinventing the digital customer experience while enabling new functional capabilities and delivering Zero Trust, continuous risk-based authorization. To help meet this challenge, ForgeRock includes a pre-integrated ecosystem of nodes developed by our Trust Network Technology Partners and available on the ForgeRock Marketplace for use with our identity platform.

ForgeRock also leverages a modern token format called Macaroons, which allows for a distributed and decentralized approach to contextual and adaptive access, via the ability to add fine-grained "caveats" to previously issued tokens in order to reduce scope based on observed risk.

Note

Marketplace nodes are not currently available with Identity Cloud deployments.

How does a ForgeRock administrator configure risk assessment using high-risk device attributes (such as jailbreaking, malware, emulators, disabled JavaScript, and stolen cookies from another session)?

ForgeRock provides SDKs for web and mobile application developers that include methods for risk assessment, such as detecting jailbroken and rooted devices. A range of factors are evaluated, including the presence of certain applications, writable filesystem areas, and the presence of symbolic links.

ForgeRock recognizes that this is a continually evolving landscape, and therefore designed the SDKs to be pluggable so that customers can introduce additional checks. The SDKs also generate a risk score rather than an absolute true/false outcome, allowing authentication and authorization decisions to be designed around the level of acceptable risk.

In most cases, ForgeRock would suggest that jailbreak/root detection is provided as one factor among a wide range of other contextual information, which should be evaluated to determine a user's authentication or authorization patterns.

See ForgeRock SDKs for further information on the ForgeRock SDKs.

How does a ForgeRock administrator configure risk scores used to drive authentication policies (for example, customer logging in from a rogue country, customer logging in from a brand new device, customer logins show implausible travel)? 

With ForgeRock Intelligent Access, an authentication journey is broadly composed of information gathering nodes, intended to pick up a wide range of digital "signals", and decision nodes that act upon those signals. Nodes can gather information about the user's authentication environment, such as the device they are using, their IP address, geolocation, and time of day; static information about the user, such as information already gathered from their profile or information held in other systems of record (contract information, billing systems, contact center interaction); and data available from external services, such as identity proofing agencies, threat analysis services, and risk engines.

Smart login journeys can be configured to minimize friction and maximize security for legitimate users, while suspicious users could be denied access or redirected to a sandbox environment for further monitoring. The authentication level can be modified or decided on at any point in the authentication flow, therefore adapting the authentication flow depending on the accumulated risk score so far. Multiple paths, each evaluating a digital signal, can be connected to intelligently adjust login journeys, thereby providing a fast, secure login experience and minimizing the risk of data breaches and DDoS attacks.

Intelligent Access nodes can receive digital risk signals from any source which exposes applicable data via an API. Selected technology providers deliver tightly integrated joint solutions that are ready to plug into the ForgeRock platform, with emphasis on the following areas: Strong Authentication, Fraud and Risk Management, Behavioral Biometrics, and Know Your Customer (KYC)/Identity Proofing. It is also simple to introduce custom nodes supporting other risk sources. 

What kinds of threat feeds (bad IP addresses and so on) are available?

Our native SDKs allow you to capture various inputs such as location, device integrity, device registration, IP address, and network information. The detection capabilities include any data that can be derived from the incoming HTTP request (for example, IP address), geolocation, device information, CAPTCHA support, and biometrics (push, WebAuthn).

How does a ForgeRock solution administrator configure the protection of customers against credential stuffing and password spraying attacks?

Standard techniques such as the Google reCAPTCHA can be employed in the user authentication journey to prevent bots from spraying passwords. ForgeRock can also protect APIs using the Identity Gateway which will act as a reverse proxy, allowing for filtering against various attacks, such as password replay. 

See Also

Zero Trust and CARTA

Does the ForgeRock solution offer multi-factor authentication (MFA)?

Documentation:


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.