Ludovic Poitou interview (ForgeRock, OpenAM talk)

Hello Ludovic! First, could you introduce yourself to the people who will come to RMLL: education, professional evolution, topics of interest?

Hello, I am Ludovic Poitou and I work for ForgeRock as a product manager. I have a university education: a Magistère in Computer Science and Engineering Sciences, obtained at the Université de Nice Sophia Antipolis (a program that still exists under the Polytech Sophia-Antipolis banner after having been called ESSI). I then started to work for a startup in the messaging and directory servers area, E3X, which was acquired by TéléSystèmes, then Sema (now Atos). In 1995, I was recruited by Sun as a software developer in its R&D center in Grenoble, where I mainly worked on LDAP directory servers: on the software (Sun Directory Server), on the standardization process at the IETF, or on the promotion of OSS like OpenDS. After 15 years, and after the acquisition of Sun by Oracle, I joined ForgeRock as product manager for the directories area and the OpenDJ product, and also as R&D center manager in Grenoble. From the beginning, I have enjoyed working on the development of network software and on languages like Java, which I discovered at Sun in 1995. I also work on identity management on the Internet: security, privacy and diversity.

Could you explain to us the birth of ForgeRock, the company you work for? What are its goals? How does it work across countries despite its small size? What is its business model?

ForgeRock has existed since the acquisition of Sun by Oracle, and is due to the strategic changes made by Oracle on the OSS and open technologies initiated by Sun. The original members came from people who previously worked for Sun and who deployed these technologies on customers' infrastructures, mainly OpenSSO. Its goal is to provide a complete set of identity management software, based on OSS, and to offer support for these technologies.

To develop technologies and projects in an open source manner, it is easier to find and use skills where they exist. So, from the first day, ForgeRock has been an international company: founded in Norway, with subsidiaries in England, the USA and France, and employees from Germany, Hungary, Spain, Sweden, New Zealand ... Our infrastructure is in the cloud, we communicate through email, Skype or SIP, and the only thing we need is Internet access. This flexibility and geographic distribution also allow us to provide 24h/day support to our customers. ForgeRock is currently self-funded. Since we work only on open source software, the value of the company comes from the value of the people who work for the company and their knowledge. For our customers, there is no entry cost (no license fees) and no exit cost. This means that our services have to be better than those of our competitors, and of better quality. Support subscriptions include a part dedicated to supporting the development of the projects, in order to sustain their evolution for our customers.

Two years after the acquisition of Sun by Oracle, could you explain your feelings about it and Oracle's attitude towards the OSS investments/projects made by Sun?

I think the philosophy and values of Oracle are quite far from those of Sun, and it had an immediate impact on Sun's OSS projects. But mainly, I think that Oracle discovered an unknown world and did not try to understand it at first. I was surprised by Oracle's lack of communication towards the OSS projects right after the acquisition, besides the fact that the acquisition process took so long to conclude. This led to clashes with different communities and to "forks" of projects: OpenSolaris and Illumos / OpenIndiana, OpenOffice and LibreOffice, Hudson and Jenkins ... On the other hand, some projects continue as before with the support of Oracle. Examples include GlassFish and NetBeans. Many projects have found a second life or a new community outside of Oracle. This is the case of OpenAM, which is a continuation of the OpenSSO project, and of OpenDJ, a fork of OpenDS, initiated by Sun to replace Sun Directory Server, two projects now supported by ForgeRock, but also of Jenkins or LibreOffice. Note that all these projects had a large community of users who had invested in these technologies and wanted to see them go on freely.

Let's talk about identity management. As a professional in the field, how do you judge the maturity of companies, particularly small to medium companies, on that kind of project?

There was a big wave of identity management projects in large multinational companies in recent years, mainly due to legislation on the liability of employers for the use of company resources. This covered access security with single sign-on, provisioning and deprovisioning features. Small to medium companies have not followed, because of the cost of the solutions and their implementation, the fragmentation of products, and the investment of time needed to plan rights management. This results in multiple and isolated security policies inside companies, and more specifically password policies. In which company does one not find post-its on keyboards, or notebooks filled with passwords in the top drawer of the desk? It should be noted that many companies that started identity management projects with first-generation products faced great difficulties, often trying to fit business operations into the software rather than the other way round. Fortunately, a new generation of identity management products is coming: more open, based on recognized standards that facilitate integration into the information system and interaction with the outside. Some companies have realized that they could use identity as a service by decoupling enterprise applications from authentication and authorization services, with products like OpenAM. This allows them to increase the flexibility of their information systems, to interact more easily with partners and suppliers, and thus to increase their competitiveness.

Identity and access management projects involve the IT department but also the Human Resources department, or even the CEO. What are, according to you, the pitfalls to avoid and the levers to play on to achieve success?

Identity is at the heart of all businesses, so there is interaction with all departments. It is the human resources department that masters the repository of employees, roles and security policy. The IT department makes the technological choices on both the network and application sides, and manages access permissions on a daily basis. For the success of an IAM project, there is no mystery: it requires above all a lot of planning, a lot of communication and the involvement of all company departments. And pitfalls are many. Many projects have failed, gone over budget, been scaled back or even abandoned because they started as technical projects, whereas it is a business strategy that must obtain the support of all. Lack of experience and technology is also a factor in failure. It is therefore important to have a strategic vision for identity management in the enterprise, but also to design the implementation phase as a series of steps pursuing this strategy. From a technical standpoint, the first step, often already done in companies, is implementing a global directory, which is the identity repository. Then there are the two main functions of single sign-on and provisioning, then the password self-management functions. Finally, there is opening to the outside with identity federation, that is to say the exchange of identity information with partners.

One particular question: what do you think about CIOs who decide to use their technical directory (often Active Directory) to store all the identity and rights information they have, and also use it for SSO? Is it a best practice, a choice among others, or an error? What are the benefits of using specific software such as OpenDJ/AM?

I think it's good practice to have a single repository for identity, access rights and SSO. And Microsoft is well positioned to offer all services on its own platform, with Active Directory as the integration point. That said, integration with AD is not always possible, for various reasons, both technical and political. First, because the technical solutions are highly focused on the Microsoft Windows environment and do not always interoperate with other operating systems, although this aspect has greatly improved in recent years. But also because AD is primarily a directory to manage the network and the OS, and is not extensible to integrate the data necessary for additional services. For the SSO part, Microsoft has chosen to develop its own standards (WS-*), but SAML2, defined by the Liberty Alliance and supported by many products including OpenAM, appears essential as the standard for the secure exchange of identity information. Political, too, because in companies it is not the same teams that manage the intranet and employee workstations on one hand, and the extranet and the interaction with customers or partners on the other. OpenDJ and OpenAM are both based on recognized and accepted standards: LDAP for OpenDJ, SAML and XACML for OpenAM. This allows them to interact with a large number of applications and infrastructure solutions. Written for the Java platform, they also fit the hardware choices made by companies rather than imposing them, and allow greater flexibility. Finally, these products have been designed to adapt more easily to growing needs and data, and are capable of handling tens of millions of users.

About OpenAM / DJ: what does their open source nature bring compared to their proprietary competitors?

OpenAM and OpenDJ, by their open source nature, can accommodate a wider variety of usage scenarios, the community of developers or users contributing to these scenarios, to facilitate the use or the scalability of the products. They are generally much easier to implement than their competitors and adapt to more platforms. Also, coming from projects supported by Sun, OpenAM and OpenDJ have been designed to meet the needs of scale beyond SMEs. These are technologies that were deployed at large telecom operators with tens of millions of users. But their architecture allows them to adapt to smaller-scale projects, with a cost reduced accordingly. And then there are the benefits of the open source nature of the projects: no (or very low) cost, the ability to evaluate the product and the code before you invest, the reduced exit cost: if you are not happy with your support provider, you can continue to use the software, choose another provider for support, or choose to invest in maintaining the product yourself. Finally, the release cycles of open source projects are faster and more frequent, and allow everyone at any time to evaluate the products, to test a version or a patch, or to suggest an improvement that will facilitate their immediate deployment and from which other users may also benefit. The code is public, the security mechanisms can be (and are) studied, and the technologies are more reliable in this area.

A question about Java, on which the ForgeRock OSS products run: according to you, can the current tensions around Java (Oracle vs. the Apache Foundation) lead companies to move away from Java as a platform for their information systems? With what impact, then, on ForgeRock products?

This question could have been asked a few months ago. But since then, we have seen that the rapprochement around Java between Oracle, IBM and Apple, more focused on OpenJDK, can reassure businesses and strengthen the choice of Java as a platform for their information systems. At the same time, we see a growing number of new languages based on the Java platform: Scala, Groovy, JRuby ... which, if they break up the dominance of Java as a programming language, confirm the choice of Java as a platform. For ForgeRock, our concern lies more in the risk of a two-tier Java: the JVM that we know, based on OpenJDK, and a commercial Java for business, with services and features available only to those who pay, such as the JRockit VM. I hope this does not happen.

A word about your talk about OpenAM at RMLL: what are your goals? Which audience do you want to reach at RMLL, which is not an event with a specialized audience?

It is true that the public of the RMLL is different from other conferences that I attend regularly. There are a lot of fans who are passionate about open source software, but also curious professionals with diverse backgrounds: academics, system administrators, part-time developers, project contributors ... My talk is intended primarily for system administrators, but also for architects and all those who support the information system of their companies. My goal is to raise awareness about ForgeRock and its products, and to explain how you can use identity management products such as OpenAM and OpenDJ in order to make the corporate infrastructure more flexible and scalable, allowing the information system to open outwards, exchanging identity data securely.

Ludovic, thank you for the time you spent on this interview, and see you soon at RMLL to share a ... free beer (sic) ;-)

This interview was done by email in early June 2010 by Christophe Brocas, co-chairman of the Security topic of the RMLL 2011.