Tag Archives: Forrester

Consensual impersonation is delegation done very wrong

I’ve got a new post up on the Forrester blogs about “consensual impersonation”, which is what happens when you give your password to someone else so they can do something from your account. As Paul Madsen points out, it’s “another manifestation of the password anti-pattern”, and it’s a use case whose legitimacy — at least some of the time — we haven’t really thought about. Head over there to see if I manage to avoid mentioning UMA. (Hint…)

New post: Venn of access control for the API economy

Up on the Forrester blogs, I present a new Venn diagram that compares OAuth, OpenID Connect, and UMA. A number of people contributed to the final form of this one, which we presented in a Google Tech Talk a couple of weeks back. Thanks to all of the following folks (listed in no particular order) for their feedback!

By the way, we’ve got another UMA Twitter chat coming up this Wednesday morning at 9am Pacific. For details, visit http://tinyurl.com/umachat. Spread the word, join us, and get all your questions answered…

New: Report contemplating OAuth and “Zero Trust identity”

Is it possible for an enterprise to turn itself inside-out? Apparently so. I’ve got a new post up on the Forrester blogs that discusses the “Zero Trust” aspect of enterprise security that a number of companies are addressing with various clever uses of OAuth.

New: “Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?”

I’ve got a new post up on the Forrester blogs, discussing a “markets for portable identity” angle on my latest research report (which is full of Venn goodness!), and how SAML, OAuth, and OpenID are “hard currencies.”

You could take this theme pretty far. Does SAML-OAuth bridging have any elements of arbitrage about it? Is assurance leakage in protocol translation like the lousy currency exchange rates at those little van kiosks in airports? Maybe that’s far enough…

New: “Protecting Internal APIs – Is OAuth Ready For Its Closeup?”

Check out my new post on the Forrester blog, looking to hear about your experience and opinions on the use of OAuth to secure your internal app landscape. You know you have stories. I know you have stories. So why not share them??

I hosted a session at IIW last week to start collecting data around this topic, impishly/illicitly called Two Legs Good? (since the OAuth community keeps trying to quit the “legs” habit but can’t seem to manage it). Session notes are at the link. IIW totally rocked this time; thanks to the organizers and all who contributed to making it great!

In order to encourage you to comment over on the other site, I’ve turned off comments here (boy, does that feel weird…). If you prefer to weigh in with 140 characters’ worth of wisdom, just be sure to use the hashtag #Forr2Legs so I’ll see it.

New: “Identity Assurance Means Never Having To Say ‘Who Are You, Again?'”

Does having published my first Forrester research report and done my first quarterly teleconference mean I’ve made my analyst bones? Hmm. You can read about my identity assurance coverage here. (Regular readers may recall that I wrote about identity assurance on Pushing String last fall, batting around ideas with Paul Madsen and others.)

New: “OpenID, Successful Failures And New Federated Identity Options”

Though there’s still a creepy fuzzy anonymous head where my picture is supposed to be, I’ve got my first post up on the Forrester Research Security & Risk blog. It discusses the recent 37signals decision to stop using OpenID and the larger “button-based login” environment in which OpenID can be considered a positive influence. As a bonus, it provides a new Venn diagram comparing features of OpenID + attribute exchange, the SAML web browser SSO profile, and OAuth + “connect”-style login.

Later: Neat, it’s been cross-posted to the CSO Online blog as well.

Ch-ch-ch-ch-changes

I’ve just made a big change, joining Forrester Research as a Principal Analyst, and this new adventure is sure to be exciting. It’s an honor to join this stellar organization and work with so many talented folks. I’ll be serving security and risk professionals and will focus primarily on identity and access management, so this move feels like a natural outgrowth of work I’ve been involved in for more than ten years now.

My tenure at PayPal was a great learning experience; I’ll never forget my time there, nor the good friends I made. I also managed to learn a few things while “catching up on life” in the few weeks between gigs. Here are some questions folks have been asking me, with answers:

Q: Are you moving back to the east coast?

A: Nope, I’m still based in the Pacific Northwest, but I will likely be out Boston-way somewhat more often. As for other appearances, you’ll definitely be able to find me at Forrester’s IT Forum 2011 in May, and I’ll be figuring out the situation with other events shortly.

Q: Will you continue to blog here?

A: Yes, though the mix of topics will likely change, as I’ll be contributing industry-related posts to the Forrester blog. I’ll post pointers to those here, and my hope is to step up my writing activity on other topics of interest at Pushing String. And I hope you’ll continue to follow my doings at @xmlgrrl (where the #forrester tag will likely make lots of appearances).

Q: What about User-Managed Access and other innovation-oriented work?

A: The plan is for me to continue in my role as “chief UMAnitarian” and to participate in certain other tech leadership activities as time allows. In the last couple of months we’ve gotten a big influx of active UMA contributors, and we’ve had a burst of progress in the last few weeks on defining how to loosely couple “user-centric” policy enforcement points and policy decision points. So I think we’re well on our way to meeting the goals and timing stated in our charter.

Q: So what did you do on your winter vacation?

A: One of my goals was to “learn one big thing”, so I started learning how to play guitar, under the tutelage of my dear old friend Rich. My original use cases were around communicating better with my Mud Junket bandmates who are actual guitarists, but Rich doesn’t fool around: I have to learn good technique and not take any shortcuts. Luckily, the fret-hand callus crop has finally started to come in.

I also read a great book called The Talent Code, which describes what goes on neurologically in people who seem like once-in-a-lifetime geniuses, and discusses how any skill (like guitar-playing!) can be honed more rapidly through “deep practice” that stimulates myelin growth.

With all this plus a healthy dose of R&R, it feels like I’m learning how to learn all over again.

About Me

Welcome to XMLgrrl.com! I’m your host, Eve Maler. On my personal blog, Pushing String, you’ll find commentary on digital identity, data portability, meaningful privacy, online trust, and assorted other topics.

You can reach me at eve-at-xmlgrrl.com, emaler-at-forgerock.com, and @xmlgrrl. Additional online homes are linked from the Welcome section in the right sidebar.

One way to get to know me is through the nicknames I’ve collected. I’ve had the pleasure of working on a crazy quilt of technologies, protocols, policies, and methodologies over the years, and various monikers related to them have stuck. The first was XMLgrrl, reflecting my part in the creation of the Extensible Markup Language (XML). The next was the SAML Lady, bestowed by a colleague based in Japan on the occasion of a trip to Tokyo to teach the Security Assertion Markup Language, the federated identity standard. More recently I became chief UMAnitarian, working on the User-Managed Access protocol and associated adoption.

Yes, that’s a cartoon, though based on a real photo of my head from, oh, 1998 or so. In the pre-blog era, I wrote a Web column on XML — sort of “advice for the parse-lorn”.

On July 14, 2014, I joined ForgeRock. Following is an extended version of my work bio:

Eve Maler is a renowned strategist, innovator, and communicator on digital identity, access, security, and privacy, with particular focus on creating successful wide-scale ecosystems and fostering individual empowerment. As VP Innovation & Emerging Technology in ForgeRock’s office of the CTO, Eve drives Identity Relationship Management innovation for ForgeRock’s Open Identity Stack; she also directs ForgeRock involvement in related industry standards, particularly for access control and privacy, to which end she leads the User-Managed Access (UMA) standards effort.

Eve was formerly a principal analyst at Forrester Research, advising clients on emerging identity and security solutions, consumer-facing identity, distributed authorization, privacy enhancement, and API security. Previously Eve was an identity solutions architect with PayPal and earlier a technology director at Sun Microsystems, where she co-founded and made major contributions to the SAML federated identity standard. In a previous life she co-invented XML.

Eve co-authored Developing SGML DTDs: From Text to Model to Markup, a book that provided a unique methodology for information analysis and SGML schema design. Eve’s blog, Pushing String at xmlgrrl.com, touches on topics both technical and whimsical.

Some of Eve’s other interests are singing barbershop and bluesy-funky rock ‘n’ roll.

Some alter egos for portions of my blog are VennOfIdentity.org (corresponding to the “Venn” category) and carbgrrl.com (corresponding to the “carbgrrl” category).

Creative Commons License
This work is licensed under a Creative Commons License.