kras99 - stock.adobe.com
Ping CEO on ForgeRock integration and future of identity
Ping Identity CEO Andre Durand discusses the company’s unified roadmap, commitment to customer stability and growth plans in the evolving identity landscape following the merger with ForgeRock
Just months after the merger between Ping Identity and ForgeRock was completed in August 2023, Ping CEO Andre Durand swiftly brought the two identity and access management (IAM) players together, focusing on providing clarity and predictability to enterprise customers.
Rather than forcing a disruptive migration, Durand prioritised maintaining existing customer investments in core technologies, opting instead to unify surrounding services and allowing customers to leverage the strengths of both platforms.
In an interview with Computer Weekly on the sidelines of the Ping YOUniverse Singapore conference, Durand revealed the strategy behind the integration, the synergies between Ping and ForgeRock offerings, as well as the company’s approach to pricing, competition and regional nuances in the Asia-Pacific market.
Editor’s note: This interview was edited for clarity and brevity.
I understand the integration between Ping and ForgeRock was done within 100 days. Talk to us about the experience and how it went.
Andre Durand: We had the option to go slow or go fast. We chose fast and we chose to move without ambiguity to reduce the potential confusion to customers. Our large enterprise customers like predictability and they wanted to know where they stood post-merger. So, it wasn’t just a matter of integrating the companies quickly, it was a matter of coming up with a unified or shared vision in the roadmap for both legacy customers.
Not only did we integrate the companies, but our go-to-market was also integrated between August 2023 and our company kick-off in January 2024. We went on a roadshow in March 2024 and shared our joint vision and where we were going to unify technologies.
We wanted to assure large enterprises that we weren’t going to pull a rug out from underneath them. People make large investments, and they don’t want to change that for a decade, maybe longer if they could. And so, reassuring the stability of the choices they had made was job number one, and then building a roadmap into the future where they could see additional benefit that they wouldn’t have seen from either company independently was job number two.
Can you share more about the roadmap and the product rationalisation choices you’ve made? How are you addressing concerns about certain products being deprecated in favour of others?
Durand: The core technologies that most companies have invested in for legacy Ping or legacy ForgeRock are very mature and profitable. Customers don’t benefit – nor do we benefit – by telling them to go from one to the other. If they were not profitable or less mature, I’d feel different. I’d choose the more mature or profitable product. But that wasn’t the case with core technologies. We can support the core choices that customers have chosen very profitably, going into the future.
Andre Durand, Ping Identity
Now, what we’ve chosen to do is for the core services to remain independent. Everything around them is being unified, so a lot of innovation is being put into our multi-tenant SaaS [software as a service], PingOne. You can consume PingOne services from any one of the prior platforms by just layering it on.
The universal services, including SDKs [software development kits], administration and marketplace – the things that surround core services – have all been unified. We have a single SDK that talks to both backends. We have a single gateway that talks to applications which talk to both backends. We have one MFA [multifactor authentication] client that you download for your phone, and it talks to both backends.
So, everything around the core services of the directory and authentication have been unified. That’s less disruptive for customers.
Identity orchestration is one of the selling points of both Ping and ForgeRock with PingOne DaVinci and ForgeRock Trees. What synergies do you see between the two orchestration offerings? How are you reassuring customers that their investments are being protected?
Durand: Well, Trees is on-premise and DaVinci is not, so there’s a difference there. Customers that have to run orchestration themselves and don’t want to consume orchestration from the cloud have an option with Trees. But, around the edges, we will look to unify. For example, DaVinci has 3,400 pre-integrations. We’re looking to carry those investments over to Trees.
In DaVinci, we’ve built solution templates for customer and workforce identities, but Trees didn’t have that. We’re looking to take the templates and port them over to Trees, so both have templates that accelerate orchestration use cases. That’s an example where the core engines are different, but the templates and integrations are shared.
The teams also talk regularly and share innovations. But fundamentally, one is SaaS-only, and the other is on-premise software. They have different delivery models, and I don’t want to lose that. I don’t want to lose the ability for customers like banks to run orchestration on-premise.
Should customers expect any changes in pricing or licensing?
Durand: We’ve both had an identity-based or user pricing model. We’ve both had monthly active users as well as the total number of users, so the fundamental economic unit was consistent between the two companies.
We’ve done some work to simplify areas that were a little different, so maybe the tiering is now similar between the two companies. The business model is not changing, and the pricing model is not changing for customers.
How are you positioning Ping against competitors in the CIAM (customer identity and access management) space that might take advantage of some of the uncertainty around your customers’ investments?
Durand: Ping runs the largest customer-facing deployments on the planet, including those at major banks, airlines, retailers and some of the biggest governments. None of our customers have to worry about their investments in Ping infrastructure. We’re undisputed in terms of our scale, performance and flexibility for customer identities.
A lot of our innovation around fraud, user experience, passwordless and authorisation to combat fraud is pretty uncontested.
Can you give us a regional flavour of what you’re seeing in Asia-Pacific? What are customers telling you and demanding from you?
Durand: We’re very committed to investing in the region and we have a lot of customers in the region. We also have a lot of employees in the region, and you will see that increase. This is my first time here doing a conference, but it’s not my last. We’ll be here every year.
As for regional differences, I’d say when you get outside the US and the farther you get, the more demands there are for control over software. There’s more awareness of data residency and sovereignty of critical infrastructure here, especially with today’s deglobalisation and geopolitical environment where more people are willing to give up some innovation to get some control.
It’s probably right for them to do that, so our deployment flexibility matters. People are asking more questions about which clouds we operate in, and in which regions, than they have in the past. Ping is undisputed in our flexibility. You can run it in your datacentre, Amazon Web Services, Microsoft Azure or Google Cloud.
Another thing I have heard here that I haven’t heard as much in the US is the distrust of mobile devices from a security perspective. Malware seems to be a bigger issue on mobile devices here than it is in the US, so we probably need to take that into account. What happens if we can’t trust the device at all? We have to look through a different lens for all the techniques we have on the mobile device to authenticate people and other things.
What are some of the growth opportunities in the region?
Durand: We tend to start with the largest enterprises in the region who find value in our solutions. Globally, we focus on the Fortune 5000, including the top banks, airlines, telcos, retailers and healthcare providers in every region. Those are the companies we serve the best. They’re the ones that are the most complicated and probably have the most legacy.
Many of them offer some of the worst customer experiences, so they have the most to gain by modernising what they do with identity and the technology we provide is deep, uniquely scalable and focused on security.
There are not a lot of providers with this level of scale, so when we come into a region, we look at the large companies with regulatory requirements that are not easy to meet. We look to solve their problems first.
Many of the largest companies, including those in financial services, tend to run identity systems on-premise for the reasons you mentioned. Some of these systems tend to be heavily customised as well. Is there any way for them to modernise those systems?
Durand: Customisation is a bit of a dirty word. Today’s customisation is tomorrow’s cement. Large companies do need to make the technology fit in their environment, but once you do enough customisation over a long period of time, your infrastructure becomes unstable and fragile. But because you don’t know if a change is going to break something, you don’t change anything – that’s what I meant by today’s customisation is tomorrow’s cement.
Andre Durand, Ping Identity
The way to address that – and because a certain level of customisation is unavoidable – is to make sure the customisations are visible, not invisible and buried in custom code. We should architect a way for companies to do the integrations or customisations they need but do them in a way in which they’re not invisible bombs for future generations managing the infrastructure.
Orchestration is a great example of that. When someone uses our orchestration engine in Trees or DaVinci to integrate our services into other services, you can see exactly what the engine is doing, what services it is calling and in what order. It’s very visible and self-documenting. W
ithout orchestration, that same configuration is in the heads of 10 different admins and five different developers. You don’t know which APIs [application programming interfaces] were called, in what order, and under what conditions. All the customisations were invisible and buried in the products.
Orchestration architecturally pulls it out so you can see what’s going on. It’s an investment in business agility. You have to architect your way out of the pitfalls of customisation.
There have been suggestions that the identity space is becoming commoditised. What do you think the next wave of innovation is going to be?
Durand: There are several areas that are evolving rapidly. We’re now starting to have serious conversations about centralising authorisation that’s important for identity. Everything related to digital credentials and decentralised identities is becoming very real, very quickly. The risk and fraud signals are also becoming pretty sophisticated. The improved security and user experience by incorporating risk and fraud signals into authentication and authorisation decisions will enable us to combat a lot of fraud, without the user ever knowing it.
Some of the biggest areas of innovation are related to the trust of the individual. Today, an individual cannot prove who they are digitally. Every company you interact with has to verify everything about you. You can’t show up pre-verified in a new relationship. That’s about to change.
As individuals, we’re about to be able to carry digital proof of our real identity, employment, insurance and other things about our identity. If I can carry that proof into a new relationship, the entire trust model begins to shift in a profound and meaningful way, enabling you to perform high value transactions, for example. It’s not just about combating fraud, it’s also about enabling digital business, because the trust model has become more trustworthy.
Can you give me a sense of the company’s growth? What are your expectations moving forward?
Durand: Our focus is on profitable growth. We are a fast-growing, highly profitable company, and we expect to reach $1bn in subscription revenue next year. One thing that being highly profitable has allowed us to do is to acquire several companies over the years – and we’re not done yet.
You don’t often talk about it, but being profitable gives you a lot of flexibility, and so achieving inorganic growth is also a big part of our strategy.
You mentioned that you’re not done with acquisitions yet. What are the gaps that need to be plugged?
Durand: There are not a lot of gaps right now. It’s not like back in the day when I didn’t have directory or orchestration capabilities before we merged with ForgeRock. Now, as I look forward, it’s the smaller gaps that play out in the bigger vision. There are probably a few decent-sized companies and two or three other smaller tuck-ins that we’re looking at in the next 12 to 18 months.
We’re looking to be nothing less than the most admired company in identity. Size and scale are part of the equation, but they are not the only parts of the equation. Doing right by customers is so important to our enterprise customers. If Ping doesn’t run, these companies don’t run. Planes don’t fly, you can’t check your bank account, and you can’t pay your bills.
That’s how critical we are. So, being a sustainably responsible company in the way we grow, especially globally, is really important – and it’s important that we take our time and do it right.
Read more about IAM in APAC
- BeyondTrust’s chief security strategist talks up the importance of identity and access management, and the role of cyber insurance in driving security improvements.
- Okta has been bolstering the security of its own infrastructure and building new tools to scan customer environments for vulnerable identities, among other efforts to fend off identity-based attacks.
- CyberArk is seeing exponential growth in the broader identity security market as the company expands its capabilities beyond privileged access management.
- The National University of Singapore’s Safe initiative has strengthened the security of IT systems and end-user devices while prioritising user experience through passwordless access.