2. About me …
• 25 years of Product Dev
• Special interests in Systems, Embedded & Identity Management
• Moved to Maryland in 2005
• Wife, twin teenage daughters, cockatiel and chihuahua
• Love music!
6. The Destination
• Strategically: improve Identity Management and raise security profile
• Tactically: migrate off current technology by the end of 2018
• Practically: select a vendor, architect and implement the solution
7. FINRA Identity Platform (FIP) Features
A single Identity Management Platform which supports all internal and external users
• 24/7/365 Uptime
• Multiple usage models: Web Applications and APIs
• Flexible authentication: single factor, multi-factor, adaptive
• In the cloud
8. Current State
• Multiple Identity Stores, each with its own Authentication stack
• One-way federation
• On-Prem solution
In spite of all this complexity, the authentication infrastructure is very reliable!
9. More Enterprise Considerations …
• Must control and retain all identities and credentials
• Single Sign On (SSO): once authenticated, the user is not challenged again
• No big-bang migration of all 90 applications
• No code change to existing applications
11. Know What You Want
Put all functional requirements into one easy-to-read deck:
• Consolidate your thoughts
• Get signoff from key stakeholders
• Validate the requirements with vendors
12. Select Possible Vendors
Our 3 steps:
1. Review requirements with Gartner and select possible vendors
2. Analyze all vendors and choose three finalists
3. Finalists should confirm they can meet the requirements
13. Validate Key Features
We demonstrated all critical features in our environment.
All three vendors would have been able to demo all the functionality in their sandbox. Our complex legacy environment really tested the integration capabilities of the vendors.
14. Remote Identity Stores are Challenging
Out of the 3 selected vendors, one could not access our Identity Stores in an acceptable manner.
Vendors make assumptions about controlling the identity store, especially in the cloud. As a policy, FINRA will not let 3rd parties control the identity store.
15. Zero-downtime Deployments
• Zero downtime was a key goal
• Need to customize ForgeRock’s configuration stores for this goal
Zero downtime is very difficult to achieve. There are several ways to implement it, each with its own trade-offs.
16. Application Migration
• Staged migration requires interoperability between the legacy system and ForgeRock
• Build an "authentication bridge" between both systems
Have a well-thought-out rollout and focus on the customer experience. This is especially challenging when you need to integrate with legacy systems.
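The "authentication bridge" above is described only at the slide level, so here is an added illustration of the pattern in Python. It is not FINRA's or ForgeRock's code: the two token formats, the cookie names, the HMAC keys and the bridge TTL are all constructed for this example. The bridge sits in front of the applications and resolves a caller's identity from whichever system already authenticated it, minting an equivalent session in the other system so that neither the user is re-challenged (the SSO requirement) nor the existing applications are changed. It also handles the failure modes a staged rollout runs into: expired or tampered tokens are not bridged, a bridged session never outlives the session it was derived from, and two valid sessions naming different users are cleared rather than guessed at.

```python
"""
Hypothetical staged-migration "authentication bridge" (constructed example).
Token formats, cookie names and keys below are assumptions for illustration,
not FINRA's or ForgeRock's implementation.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed secrets and cookie names (assumptions, not real values).
LEGACY_KEY = b"legacy-sso-demo-key"
NEW_KEY = b"new-platform-demo-key"
LEGACY_COOKIE = "LEGACY_SSO"
NEW_COOKIE = "NEW_SSO"
BRIDGE_TTL = 8 * 3600  # upper bound on the lifetime of a bridged session (seconds)


def _sign(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_session(key: bytes, subject: str, exp: int) -> str:
    """Mint a signed session token: urlsafe-base64(JSON claims) + '.' + HMAC."""
    body = json.dumps({"sub": subject, "exp": int(exp)}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(key, body)


def validate_session(key: bytes, token: str, now: float) -> Optional[dict]:
    """Return the claims if the token is well-formed, authentic and unexpired."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(key, body), sig):  # reject tampering
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:  # reject expired sessions
        return None
    return claims


@dataclass
class BridgeResult:
    subject: Optional[str]  # None => caller must redirect to login
    source: str             # "new", "legacy", "conflict" or "none"
    set_cookies: Dict[str, str] = field(default_factory=dict)


def bridge_request(cookies: Dict[str, str], now: Optional[float] = None) -> BridgeResult:
    """
    Resolve the caller's identity from whichever system already authenticated it.

    - A valid new-platform session wins; a legacy session is minted alongside it
      so applications still on the legacy stack keep working unchanged.
    - Otherwise a valid legacy session is honoured and a new-platform session is
      minted from it, so migrated applications see the same SSO session.
    - A bridged session never outlives the session it was derived from.
    - Two valid sessions naming different subjects are a conflict: both are
      cleared instead of guessing which one to trust.
    """
    now = time.time() if now is None else now
    new = validate_session(NEW_KEY, cookies.get(NEW_COOKIE, ""), now)
    legacy = validate_session(LEGACY_KEY, cookies.get(LEGACY_COOKIE, ""), now)

    if new and legacy and new["sub"] != legacy["sub"]:
        return BridgeResult(None, "conflict", {NEW_COOKIE: "", LEGACY_COOKIE: ""})
    if new:
        result = BridgeResult(new["sub"], "new")
        if not legacy:
            exp = min(new["exp"], int(now) + BRIDGE_TTL)
            result.set_cookies[LEGACY_COOKIE] = issue_session(LEGACY_KEY, new["sub"], exp)
        return result
    if legacy:
        exp = min(legacy["exp"], int(now) + BRIDGE_TTL)
        return BridgeResult(legacy["sub"], "legacy",
                            {NEW_COOKIE: issue_session(NEW_KEY, legacy["sub"], exp)})
    return BridgeResult(None, "none")


if __name__ == "__main__":
    # Constructed walk-through: a user who logged in on the legacy stack
    # reaches a migrated application and is bridged without a second login.
    t0 = 1_700_000_000
    legacy_token = issue_session(LEGACY_KEY, "alice", t0 + 3600)
    outcome = bridge_request({LEGACY_COOKIE: legacy_token}, now=t0 + 10)
    print(outcome.source, outcome.subject, sorted(outcome.set_cookies))
```

In a real deployment the two `validate_session` calls would be replaced by the legacy system's and the new platform's own session-validation endpoints, and the bridge would run as a reverse proxy or gateway filter so that the applications behind it see only a resolved identity. The conflict branch is deliberately conservative: during a migration, a stale cookie from one system paired with a fresh login on the other is exactly the kind of edge case that otherwise turns into a silent account mix-up.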
17. Two Viable Vendors
All necessary features were demonstrated by ForgeRock and one other vendor.
Even though both vendors implemented key requirements, their implementations were quite different. Both solutions had strengths and weaknesses.
18. Why ForgeRock?
These were the key factors for FINRA:
1. Access to source code allows for customization
2. ForgeRock APIs are in line with FINRA’s micro-service vision
3. Better engagement with Product Management
Customizing ForgeRock is not for every organization!
19. Enterprise Considerations
• Keep all key stakeholders looped in
• Demo to application teams, INFOSEC and architects
• Create internal training around Identity Management
• Develop a strong partnership with ForgeRock
20. My Thoughts on the Future …
Onboarding and multi-factor authentication are making Identity Management more challenging.
There needs to be a trusted identity broker in the financial space.