25 Mar Eve Maler: Come On Tell Me Who Are You, You, You, You
A cybersecurity troubadour shares her story
–Di Freeze, Managing Editor
Northport, N.Y. – Mar. 25, 2020
“Who are you? Who, who, who, who? I really want to know.”
As ZZAuth and the Love Tokens belt out the words, it’s from a different standpoint than most people who have done covers of The Who’s iconic song. Eve Maler, the interim CTO at ForgeRock, explains that like her, the rest of the band are people in the identity and access management industry.
ZZAuth got together four years ago with the idea of putting on a show at the Cloud Identity Summit, now known as Identiverse. Maler does a lot of the lead singing, some of the keyboards, and joins the Tokens to sing backup.
“I’m sort of the den mother,” she says.
Maler’s musical roots go back to when she was about 4 years old and thought she wanted to be an opera singer. The aspiring singer moved to Honolulu with her family when she was young. Her parents later found out about the Honolulu Children’s Opera Chorus, formed to provide young talent for opera productions, and got her involved in it.
“I ended up in some opera productions,” she recalls. “We’d do little shows in malls and things.”
By the time she was in high school, her music taste had changed. She liked performing so much that she deferred admission to Brandeis University for a year to stay with the band she was in and play fulltime. She recalls playing a lot of Pat Benatar, Kansas, Tom Petty, and The Pretenders.
She said she stayed open for as long as possible before deciding what her college goals were, but she eventually ended up studying linguistics.
“I didn’t really study computer science,” she said. “It was more like computational linguistics, detecting the structure underneath languages, and deriving the rules of languages. The grammatical rules and phonetics of languages. I had no idea what I was going to do with that. I ended up designing protocols.”
After her sophomore year, she had the opportunity to do an unpaid internship with Software Arts, which made VisiCalc, the first spreadsheet software. After college, she became a technical editor for Digital Equipment Corporation (DEC).
“I was at Digital at a pivotal time,” she said. “I helped with the documentation of compiler stuff. It was like Pascal and FORTRAN documentation. Eventually, I decided UNIX was the wave of the future and I moved to the ULTRIX Group.”
As she worked with technical documentation, Maler found herself becoming involved with defining terms.
“An example would be ‘internetworking’,” she said. “It had to be explained what internetworking was and where the term ‘Internet’ came from.”
While there, Maler began working with SGML (Standard Generalized Markup Language), including working laboriously on Document Type Definition (DTDs). She recalls that at the time, there were only four or five vendors of SGML software.
Maler was with Digital for almost a decade. Her next move was to Arbortext, one of a handful of SGML software vendors. During her time there, she co-wrote a book, Developing SGML DTDs: From Text to Model to Markup, with Jeanne El Andaloussi. It was published in 1995.
Part of her role for Arbortext was consulting, including helping customers create better DTDs. During her tenure there Maler and other SGML experts banded together, under the leadership of Jon Bozak, and the result was XML, Extensible Markup Language.
“We realized that SGML had too many options and it was too complicated,” she said.
Maler said that a big goal was making the web safe for SGML.
“We formed a group and he took us to the World Wide Web Consortium (W3C) and convinced them to host us working on cutting down SGML to make XML. We essentially carved away parts of SGML to create XML. That was perhaps an unusual way to make a new standard. We took an existing one and tried our hardest to make the new one be backwards compatible.”
Parametric ultimately acquired Arbortext.
“It was a great exit for Arbortext,” she said. “It was the first company to deliver XML-compliant software.”
Maler went on to work at Sun Microsystems, in 1999, as an XML standards architect, and later became a technical director. She was with Sun for almost ten years.
“I was attracted to Sun because they wanted to start an XML technology center. They were basically collecting people who were experts in that new field.”
While with Sun, she became the founding chair of the OASIS (Organization for the Advancement of Structured Information Standards) Security Services Technical Committee.
“The SSTC’s only output was SAML, the Security Assertion Markup Language for single sign-on (SSO) and identity federation,” she said. “It’s the greybeard of identity standards now, but it was a wild success and it’s still heavily used.”
Maler was also one of the editors of the SAML standard and helped write its technical overview.
While with Sun, Maler worked on the technical interoperability between Sun and Microsoft on web services of identity.
“I was in some pretty cool meetings,” she said. “We worked on one event where Steve Ballmer and Scott McNealy got together in Palo Alto and our technical folks did a single sign-on demo.”
Following Sun, she took a position as distinguished engineer, Identity Services, with PayPal, and then became principal analyst at Forrester Research, a role she held for three and a half years.
“I loved my time at Forrester, including some research I did around adaptive intelligence and customer-facing authentication,” she said.
Maler became aware of ForgeRock when she started following what they were doing while at Forrester. A multinational identity and access management company, ForgeRock was formed in Norway and is now headquartered in San Francisco. The company develops an IAM platform for the internet of things, customer, cloud, mobile, and enterprise environments.
“The founders of ForgeRock were all at Sun,” she said. “They took what would now be looked at as a consumer-scale, comprehensive platform and did a lot to it. Today, it’s a massively comprehensive, scalable, simple platform that’s going into the cloud. It’s a very attractive proposition in the modern era.”
Maler has been VP, Innovation and Emerging Technology since 2014. She became interim CTO in September 2019.
“Its mission is to ensure that users safely and simply access the connected world,” Maler said. “That mission really speaks to me.”
She said one thread that goes through her time at Sun, PayPal, and Forrester, and right through to her time at ForgeRock now is the UMA (User-Managed Access) standard. She founded the Kantara Initiative UMA Work Group in 2009 and continues to chair it. She notes, “ForgeRock and quite a few others have implemented it.”
“Kantara comes from a Kiswahili word for ‘bridge’,” she said. “We are trying to ensure that bridges can be built around identity-related technologies.”
She explains that Kantara, which enables groups to get together and work on standards, grew out of the Liberty Alliance, a consortium intent on figuring out how to federate identities so that anybody could issue them.
She said the common thread there is control of data.
“In the case of XML, instead of some vendor controlling your data format, how does the entity that’s creating the data control the data format? In the case of UMA, it’s the resource owner. How does the resource owner control grants of access to the resource?”
She believes that’s especially important these days.
“Let’s say you’re a patient, so it’s your health data, or you’re a consumer, and data is being generated by a smart device that you wear on your body or it’s implanted in your body. Or you’re driving a smart car. It’s getting ever more important for you to not just know about what data is being collected, but also to have a say. That’s why I work on implementing standards in this area.”
Maler said it’s exciting that there is always movement in the field.
“Federated identity is a way of having an identity issued by an identity provider, and then respected somewhere else. There’s also decentralized identity. It’s a species of ‘bring your own identity’ for individuals where, with something like a smart phone, you can have key pieces of your digital identity information packaged up in a kind of tamper-proof way. You keep them in an application, and you can bring them to this service provider or that service provider, and then they can use them, absorb them, and then do what they need to. It’s privacy enhanced and it’s secure. I think the jury is out though. There’s a lot more standards and adoption work to be done.”
Maler describes her and her team as all “living in the future.”
“We’re always working with customers on innovative POCs. That’s why I go around the world ensuring that we look around corners and keep our viewpoint fresh. ForgeRock is already doing a lot with autonomous identity and AI. We’re doing a lot with next-gen authorization. The identity platform of the future needs to respond to the needs of the future.”
Eve Maler is featured in “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.” Pick up a copy to learn about more women fighting cybercrime.