The ForgeRock Identity and Access Management Platform can be deployed on many cloud services, including AWS, Google Cloud, Azure and, most recently, Alibaba Cloud (through a partner). Supporting a cloud deployment model is one thing; keeping up with the pace of change in the cloud is where ForgeRock excels. We do this not only by testing and updating our cloud deployment model against current best practices and recommendations with every release of the platform, but also by testing and improving it as the security landscape changes and by adding new capabilities based on customer requirements.
I had one such opportunity recently, when a prospective customer in the financial services industry wanted to deploy the ForgeRock platform on AWS and test its scalability against their stringent security requirements as well as their business and development needs. Given their industry and end-user base, their applications see heavy usage during tax season.
The company's main IAM platform requirements were:
Deploying in Amazon Elastic Kubernetes Service (EKS) to enable their DevOps CI/CD pipeline
10,000 transactions/second with less than 100ms response time for 95th percentile of calls
A replication delay of less than one second between token stores
10 million users in the user store with 150,000 concurrent users
In addition to the requirements above, they needed a custom pair of authentication trees with their own nodes, built with assistance from the ForgeRock team, and a mixed test load representative of their expected production environment. The authentication trees combined Intelligent Authentication with step-up authentication: one generated an OTP for multifactor authentication and the other simulated a call-out to an external fraud engine. They were implemented as two separate trees so that the performance of each function could be verified independently.
Cloud Deployment in Action
To address these requirements, I started with the standard ForgeRock Cloud Deployment Model guide and picked the large cluster size for Amazon EKS because of the throughput requirements (even though we would normally consider 10,000,000 users a medium cluster deployment). Once the 5-minute ForgeRock cloud deployment had finished, I made additional changes, including replacing the default ELB with an Application Load Balancer (ALB) to meet the customer's security requirements and configuring the ALB appropriately. The resulting deployment looked something like this:
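As an added example (not part of the original post and not ForgeRock's deployment artifacts), here is what the ALB side of that change typically looks like on EKS, expressed as a Kubernetes Ingress for the AWS Load Balancer Controller. The post does not list the customer's specific security requirements, so the hardening shown (HTTPS-only traffic via an HTTP-to-HTTPS redirect, a TLS 1.2+/1.3 policy, a WAF web ACL, access logging and dropping invalid header fields) is an assumption about common ones. The namespace, Ingress and Service names, hostname, health-check path and every ARN are placeholders.

```yaml
# Added example, not ForgeRock's deployment artifacts. Assumes the AWS Load
# Balancer Controller is installed in the EKS cluster. Names, namespace,
# health-check path and ARNs are placeholders; the hardening settings are an
# assumption about typical financial-services requirements, since the post
# does not list the customer's specific ones.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: forgerock-alb                # placeholder
  namespace: forgerock               # placeholder
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    # Route straight to pod IPs instead of NodePorts, so security groups can
    # restrict traffic to the ALB -> pod path.
    alb.ingress.kubernetes.io/target-type: ip
    # Listen on both ports, but redirect all HTTP to HTTPS (301).
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # TLS terminates on the ALB with an ACM certificate and a TLS 1.2+/1.3 policy.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    # Attach an AWS WAFv2 web ACL (an ALB feature; not available on a Classic ELB).
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-east-1:123456789012:regional/webacl/PLACEHOLDER/PLACEHOLDER
    # Access logs to S3 for forensics; drop invalid header fields at the edge.
    alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=placeholder-alb-logs,routing.http.drop_invalid_header_fields.enabled=true
    # Health check against the platform's liveness endpoint (placeholder path).
    alb.ingress.kubernetes.io/healthcheck-path: /am/json/health/live
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
spec:
  ingressClassName: alb
  rules:
    - host: login.example.com        # placeholder hostname
      http:
        paths:
          - path: /am
            pathType: Prefix
            backend:
              service:
                name: am             # placeholder Service for Access Management
                port:
                  number: 80
```

Apply it with `kubectl apply -f`, then confirm (in the console or with `aws elbv2 describe-listeners`) that the 443 listener carries the expected TLS policy and that port 80 returns only a redirect. If the ELB the post refers to was a Classic Load Balancer, the WAF attachment above is one capability that genuinely requires the move to an ALB; TLS policies and access logging are available on both types.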
Cloud Deployment Results
After that little bit of work, what did we actually get?
Over 60,000 transactions per second, with a 95th-percentile response time of 53ms
Replication delay of 22-34 milliseconds between token stores
150,000 concurrent users simulated successfully, with 95th-percentile response times under 100ms in all tests
We met and exceeded all our intended target performance metrics with a good margin to spare!
This meant our prospective customer could go back to their business owners and tell them:
They can handle peak production loads during tax season without any issues
The ForgeRock Platform will scale to meet their future business growth projections
They can meet the strict security requirements even when running in AWS
They can leverage our Trust Network to add new capabilities quickly
They can add new capabilities that their business needs continuously with CI/CD
Performance with ALB and ELB was very similar, so choose between them based on your security and business requirements
Using a "Large" cluster with 10M accounts rather than the 100M used for the "official" performance results produced better numbers, because Directory Services has more memory available for caching
We now have all the artifacts any customer needs to stand up an AWS deployment that supports 60,000 transactions/second in under 5 minutes.
Need more help? Please feel free to reach out to our experts.
*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by James Billinghamn. Read the original post at: https://www.forgerock.com/blog/your-iam-vendor-keeping-cloud