Tuesday Jan 26, 2010

The Reilly Minute

So I haven't started a personal blog apart from Big Corp. just yet but I invited my 8 year old daughter to participate by writing a bit in a feature she named "The Reilly Minute". The rules are that there are no stupid potty jokes but nothing else. (I must reserve \*some\* content to myself after all.)

Her first installment written in her journal & shared with her full permission explains exactly why I think she's such a cool little bird. Here it is-- with a few spelling corrections:

"What To Do For Haiti

We should donate food, water, toys, money and medicine. We should adopt children and treat them well. If they get teased, help them. Don't spoil them. But if you don't have any children, you have more opportunity to get one. The least you can do is donate a jacket to keep a grateful child warm."

Yes, Sun we delisted Sun today & I feel very sad about that. But, all in, I'd rather send a jacket to a grateful child than worry that the footprints of the past may fade. Full speed ahead & hurrah for The Reilly Minute!!

Friday Jan 22, 2010

And Away we O...

So, we've come to an end and back to a beginning once again.

I'll have more to say in the coming week but there is a path forward for me & I'm sooooo ready to continue on working with engineers, ops people, academics, journalists, human resources professionals, lawyers and even sociologists & teenagers to build a better, more secure information world for myself, my family and for you.

I respect the power of information to impact our culture, our commerce and our community with others. We must build in as many technical mechanisms, craft sustainable & living policies that reflect our desire to build and protect rather than block & hide, and preserve our ethical drive to respect IP and PII as the critical assets they should be.

In short, my logo & paycheck may change but my mission will not.

We will not falter & we cannot fail. This is just too big.

Just an obscure thought,

Signing off to visit hopefrhaitinow.org to do the Dennedy's bit to respect the people who would like to continue creating PII for many years to come.

Thursday Dec 31, 2009

A Whole New Decade

So, it's new year's eve & I picked up the paper to read all these articles about how thrilled everyone is to see the 'lost' 'horrible' etc. decade be gone.

I will admit that there were times when I really wasn't sure what to think about the vast evil or massive power of nature or just the foolishness and economic hardship these last years.

The Panty Bomber who tried to blow up the plane a few days ago is just one of these incidents. That evil jerk will be locked up tight thinking about his panties for a long long time in thanks for his attempted mass murder. If he thought he didn't like us before, he's in for a whole new wake up call.

But, Panty Bombers and horribles aside, the dawn of the new millennia has been remarkable.

We are all here.

We have the ability to get to know one another in various forms and contexts and media like never before in human history.

We can befriend others from around the world, breathe in their culture and learn from them.

I find this rather cool.

Our identities are becoming refined and redefined every day. This is an overwhelming issue philosophically and an irresistible challenge technologically. How, when and with whom we wish to actually and virtually congregate is ours to own-- if we so wish.

In this new decade, I hope that we can respect the magic of this possibility and, like the Silk Road, leverage identities and personas to carry forth new culture, commerce and understanding. Pollyanna? Perhaps.

For myself, I look back over the decade with nothing short of wonder.

I began as a newlywed in a career as a patent litigator that felt fine but uninspired for me. I was diagnosed with Multiple Sclerosis that year and was told by a quack with an Ivy medical degree that I would likely roll into 2010 in a wheelchair. I had been to Europe twice on the tourist circuit, Kenya on a safari trip and nowhere else. Sun was a building I passed on my way to work. Privacy was something you needed in the loo. Kids? Unimaginable.

Sure the road hasn't always been smooth, but wowee what a ride!

I am a fundamentally different person here on new years eve 2009 than I was in 1999. I have a vision and a purpose. I have touched miracles in my daughters and been bowed by devastating sadness in the passing of great humans. I learned first how to be a sick person with a chronic illness and then how to be a well person staring down MS and winning with every new day. I have looked at an impossible and unloved problem in the form of data protection and found pragmatic solutions that span the globe. I have grown and been enlightened and inspired and have loved more than I ever knew was possible; I have laughed and learned and traveled and grown and LIVED.

So poo-poo to the naysayers. I say Happy New Decade. My Identity story is just getting started and I'm ready for whatever's next. BRING IT ON!!!!!

I wish the same for you and yours-- let's turn every adversity into strength and innovation simply because we can and because it's more fun to do so.

Just a new decade's eve thought...

Tuesday Nov 03, 2009

Rest in Peace Don Bowen

My friend Don Bowen, great champion of ID management and all around creative innovator, has seen his battle with cancer come to a close. He died on Halloween. I can't say that he 'lost' his battle because he was strong, faithful and funny down to the last &, since we all have to go at some point, I'll call his a victory. I wish we could keep him here with us for many more decades.

Here is a link to our podcast, Pimp My Privacy: http://wcdata.sun.com/webcast/download/podcast/IDM/pod10.mp3 from back in 2007.

Wherever you are Don, I am a faithful fan. Rest in peace my friend.

Thursday Oct 29, 2009

An oldie but a goodie

I was clearing out my email box when I came across this little gem from the lovely Bruce Schneier. There's something about that guy that I just like and I think I amuse him so that makes me happy too.

Check out his musings on the old fashioned notion of Security v. Privacy rather than private data secured appropriately to type place & time:

Security vs. Privacy

If there's a debate that sums up post-9/11 politics, it's security versus
privacy. Which is more important? How much privacy are you willing to give
up for security? Can we even afford privacy in this age of insecurity?
Security versus privacy: It's the battle of the century, or at least its
first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael
McConnell discusses a proposed plan to monitor all -- that's right, all --
internet communications for security purposes, an idea so extreme that the
word "Orwellian" feels too mild.

The article (now online here) contains this passage:

In order for cyberspace to be policed, internet activity will have to be
closely monitored. Ed Giorgio, who is working with McConnell on the plan,
said that would mean giving the government the authority to examine the
content of any e-mail, file transfer or Web search. "Google has records
that could help in a cyber-investigation," he said. Giorgio warned me, "We
have a saying in this business: 'Privacy and security are a zero-sum

I'm sure they have that saying in their business. And it's precisely why,
when people in their business are in charge of government, it becomes a
police state. If privacy and security really were a zero-sum game, we
would have seen mass immigration into the former East Germany and
modern-day China. While it's true that police states like those have less
street crime, no one argues that their citizens are fundamentally more

We've been told we have to trade off security and privacy so often -- in
debates on security versus privacy, writing contests, polls, reasoned
essays and political rhetoric -- that most of us don't even question the
fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to
accept less of one to get more of the other. Think of a door lock, a
burglar alarm and a tall fence. Think of guns, anti-counterfeiting
measures on currency and that dumb liquid ban at airports. Security
affects privacy only when it's based on identity, and there are
limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline
security: reinforcing the cockpit doors, passengers realizing they have to
fight back and -- possibly -- sky marshals. Everything else -- all the
security measures that affect privacy -- is just security theater and a
waste of effort.

Spooky thoughts to all for a Happy Halloween. Ms. Thang is Nancy Drew & Sweet Cheeks (cheekier than ever) is a very very cute dragon this year. They both hate coconut so I'm hoping for lots of Almond Joy this year.

Wednesday Oct 07, 2009

What \*is\* the Cloud?

It's been a while & I've been very busy indeed. I hope to share a good bit of the concepts I have learned & the ideas that I have about governance in an extended computing context. Today is still not that day but I did get some great silliness from my buddy that I must share:


What is the cloud? Magic carpet with laptop in hand? Not really, although we did think technology would have advanced to the point where we \*could\* fly at this point. (Thank you Carrie's hubby: http://www.kqed.org/epArchive/R909080737)

Is it merely a buzzword for stuff we've already done for years? Ahem, some who may be richer than a few of the Pharaohs may say it's so but that rant itself may turn out to be buzz too... It's a strange new world so I'll just not go there today.

The thing is that a resource that \*may\* be capable of
- recapturing the 80%+ of wasted computing cycles,
- may actually trigger a meaningful federated ID strategy with meaningful RBAC,
- may force a discussion regarding ownership, retention and jurisdiction,
- and may just allow faster information rich businesses to escalate using technology rather than being limited by capital start up costs for servers & networking gear

certainly catches the imagination doesn't it?

Maybe it's not a new new innovation, but rather the culmination of the Network is the Computer. From where I sit as a governance geek, not entirely unheard of is good. Capable of well planned architecture to provide audit, accountability and authenticity is nice. Understood governance and security and privacy governance models applied in a slightly more innovative business environment is good too.

Maybe the Cloud is just a good idea we've all had for a long time that has had time to become real.

I still wish we could fly.

Just a thought...

Monday Aug 10, 2009

Update- Rita Matz, Silver Medalist

Mrs. Matz took Silver in both the shot put & discus for the 70- 74 women's category in the 2009 National Senior Games this past weekend!! That she was over 70 & there was incredible. That she was only surpassed by new National Record holders was impressive. That hundreds of fellow Olympians were also there COMPETING was inspirational.

The men's 80-84 age group 400 meter race was during the discus finals & I tell you what, these gentlemen not only could kick my sorry butt but one of them even gave me a victory wave & wink. Sassy!!

Now, what does this have to do with Cloud Computing? Well the whole experience got me thinking about identity management within Clouds. Grouped together were like kind time, place, activity, shared history, intentionality and proclivity to excellence. If you took a snapshot of National Games' data, you would learn a host of information about health, lifestyles, longevity and Olympic history amongst other things. (One of the track stars once competed against the great Wilma Rudolph. See http://www.myhero.com/myhero/hero.asp?hero=wilmaRudolph) In other words, you would have a good idea of context for a limited period of time and in a limited setting.

Here's where my -- stretched -- cloud thinking comes into play. Given the rather large data set based upon the Senior Games, many many valuable inferences can be made. Many personally identifiable details have been offered up by participants either because they are known to be excellent, as in the case of our medalist's name and status as a winner, or are a part of organizing the event itself, the athletes were all in California for their events & not at home, for example.

Stored in other, sometimes overlapping information clouds (small C as we're not really talking IaaS, PaaS, or SaaS here, just conceptual formations) are the elements of PII related to these specific humans but out of context regarding their significant sports' achievement-- religion, hobbies, professional lives, family designations, etc. These elements are lost in this contextual discussion UNLESS there is an identifier that interoperates across these various clouds to paint a very specific picture of a human for a very specific period of time. (Time is so often NOT mentioned in the talk of cloud governance & privacy management that I feel compelled to drag it back into the picture as often as needed.) It is this correlation cross cloud that poses, I think, one of the great governance challenges in the cloud world where information is virtualized across many data centers and the fiduciary is only capable of controlling his or her bit.

The challenge of triangulation of data has, of course existed for as long as we have had various entities knowing various details about us, but automation and decentralization make this particular governance challenge all the more urgent.

In any event, GO RITA & Coach SUZANNE!!! Just being near you inspires me to work on being a better person even if I never earn a silver medal.

Just a thought & a cheer for a Monday...

Monday Aug 03, 2009

Our Very Own Olympian!

This week is a particularly exciting one for Stanford University as it hosts the 2009 National Senior Games.  http://www.2009seniorgames.org/sports-track-field

You have to be 50+ to compete.  I am 40 something and sitting at my desk makes me sleepy.

If you happen to be in the 70-74 category in discus and shot put, and you happen to be my best friend from college's mom, Rita Matz, you just may be one of my heroes.

My family is particularly honored to be hosting Mrs. Matz & her daughter, (who also happens to be her coach and a champion in track & field in her own right back in the day) this week.  We will be cheering from the sidelines with all our might.  The ladies Matz will be staying in the very finest Pepto Pink suite in our home, as ceded by Miss. Thang for the occasion.

Wherever you may be and whatever your feelings on cloud, identity, privacy or respect for information about humans, stop for a moment and give a cheer for Rita Matz, my favorite Olympian. 

Tuesday Jul 28, 2009

Just makes sense to me

Just a quick blurb from an exchange I was having with a very smart privacy diva that was worth sharing:

Data is an asset.  You know.  I know.  CPO's know. Some CISO's know.  soooooome lawyers know.  Greed is an excellent motivator that is not antithetical to ethics & this notion may be the primary way forward in these challenging times.  The Cloud only serves to amplify this simple fact.

Fact is, Grace Hopper was right.  Data ultimately will be on the balance sheet as it generates predictable outcomes and can be associated with profit or failure.

How to measure it?  How to audit your Cloud provider to be sure they make a good accounting of it?  This is where the normative value of best practices & standards will help us.  This is where GRC measurement tools are critical.  (By the way, in my mind "Governance" inherently includes "Compliance" and "Risk" but the acronym does persist so there you have it.)

I am very interested in being a part of these threads coming together to create something so practical and irresistible that it will seem obvious to the naysayers.

Just a thought while I procrastinate some more...

Friday Jun 19, 2009

Proud Momma Keep on Rollin'

Not info. governance/ cloud/ privacy today.

A peer review from Miss Thang's classmates for the end of the school year:

You are funny... like the time you licked your glue.

It's fun to be your partner at P.E.

You are nice and make me laugh.

You have good sense of humor.

I like that you don't quit things.

I'm happy that you're in the tree with me and not destroying my room.  {Note from the editor-- huh??}

I like how you never give up.

You're nice, respectful, and a good friend.

I can always trust you.

I love your jokes.  They're hilarious.

You're always doing nice things.  In games you're a good sport and never cheat. 

I like your funny jokes.

I think it's really funny when you chase boys.  {Note from the editor-  gulp}

You are friendly.

You tell funny jokes that I laugh at.

You never argue with me.

I really like how you always help the situation.

Okay, so I would have liked to have seen "Miss Thang is the smartest person in the class & her mother is clearly the best ever" but all in, my little buttercup rocks.   She deserves a safe cloud to manage data in an extended information management environment.  So does Miss Sweet Cheeks.  I think I'll go help build it...

Thursday Jun 11, 2009

Obsession for the session & no more

I am in love.  No...I am obsessed.  I have been accused,
inaccurately, of loving this object because it was one of the few
tangible Sun branded "THINGs" sitting on my desk rather than the
trickier stuff going on back in the data center.  Sorry to disappoint,
but that ain't it.

Hello.  My name is Michelle Finneran Dennedy & I love thin client computing.  

I never have professed to be a technology savant-- far from it.  I have,
however learned a thing or three about the gear gathering & pumping
out data faster than we can produce oxygen.  Here's the thing, having a
data strategy and information asset plan is a beautiful thing.  A
breathtakingly beautiful thing (to float with the oxygen notion for a
moment more). 

But, like the rain forest, I've never personally
seen one up close & personal.  Sure I've seen drafts & pictures
& plans but the truth of the matter is that information integrity
is a bit like clean water.  Big oceans cover much of the planet but
potable water is a somewhat scarce resource.  Big fat data centers are
growing & growing & growing-- thank God because I rather like
being employed-- but information protected well & wielded as an
asset is an increasingly lower percentage of the total and I don't see
that problem slackening.

I love this problem & will likely continue to pursue the
resolution of this problem either for the rest of my days or as soon as
we architect integrity & humanity into every data transaction
throughout its life cycle-- whichever comes first.

In sneaks my obsession for the thin client.  Our version is called the Sun Ray.  We've partnered with others like CSC &
even IBM to bring these babies to market all around the world.  See

have never audited the data on the Sun Ray device itself.  40,000+ of
these babies all over the world just in our company alone and not a
drop of data resting on any of them.  No plans to delete stuff-- it's
not there;  No need to review cast off gear-- there's nothing on it; 
Move around all you like & reuse & reuse & reuse machines--
your identity stays with you & not on the gear;  The server based
compute utility providers (could be internal, could be a service
provider) secure the data and manage the data assets-- not every single
user using every single device with individual technology awareness
must protect the entire system.  You get the drift.  I'm a fan.

This type of technique becomes particularly interesting for the consumer of
information services who is simply doing that...consuming information
services.  It's awfully nice to be able to go to a device, get the
information nugget, move away from the device with the information in
head & not worry about any residual hackable non-managed data
residue. If I could have a thin client phone that actually was reliable
enough to NOT cart my data everywhere, I'd fall in love with that too. 
("Smart phone" inventors, here's your consumer sample size of 1 but I
don't think I'm alone.)

If you are thinking about a cloud strategy or consuming a cloud
service to deliver content, thin clients are a pretty cool little
number to add to your plan. 

Hello.  My name is Michelle Finneran Dennedy & I'm a data geek who loves thin client computing. 

Monday Jun 08, 2009

Center for Democracy & Technology & TrustE event June 3, 2009

Last week was a bit of a marathon of data control in the clouds.  One of the many events was a thought provoking panel held by CDT & TrustE.  If you are particularly dedicated-- it's an hour-- check out this web video regarding Cloud De-mystification with Jim Dempsey, CDT, Lindsey Finch, Salesforce & Steven Levy, Wired. 

You'll see that, although I really am trying to behave myself, the Larry Loves the Cloud quote did come up right off the bat.  If you hang in there for the whole thing, you'll hear that I've not given up on privacy...as long as we have people, we'll have some form of privacy.


Here's the link to the website where you can find the video if this embedded link thingy doesn't work:  http://www.ustream.tv/recorded/1602806

I also ran into the wonderful & talented Linda Skrocki last week (@ JavaOne) who has shown me how to embed videos & links many times.  One day I'll actually remember these things & make my blog a more beautiful & linked up place.  One day...

On a final note, Miss Thang's last day of school is this week.  Next week it's theater camp.  My money's on Ms. T for maximum drama & perhaps a bloggable story or two.

A thought AND a video tonight...

Friday May 29, 2009

Great Read for Fun for Cloud & Info Geeks

Please read "Snow Crash"  by Neal Stephenson.  See http://www.booksamillion.com/ncom/books?pid=0553380958

SO worth it even if you're not particularly a sci-fi fan.  I won't ruin it for you but the Cloud implications and data protection implications online and off are at once subtle and right up in your face.

It's becoming a bit Catcher in the Ryeish for me as I read it before I came to Sun when I mostly cared about medical device patents, again when I entered Privacy Nation, and I was thinking about picking it up again because the Cloud is so obviously implicated.


Remember the ACLU's Pizza Delivery guy call demonstrating data proliferation several years ago?  http://www.aclu.org/pizza/images/screen.swf

That the protagonist in Snow Crash is a pizza delivery dude makes it all the better.

 While we're all feeling nice & literary this fine Friday evening, I started in on Dan Geer's latest security as a business proposition book.  The "Info on the Balance Sheet" from Rear Admiral Hopper quote is on page 42...  Coincidence?  I think not.  I am love love loving it.

This is the book I imagined I could write one day, only I didn't imagine writing it this well.  (Funnier, perhaps.)  The title is Economics & Strategies of Data Security.  That I am reading it before digging back into Neal Stephenson's world again is probably telling.

 Note to self, get babysitter & go out from time to time...

 Nighty night Hackers!!! 

Thursday May 21, 2009

What's Standards got to do with it??

So, here's the thing.  There is no comprehensive Standard (read:  hugely politically debated adopted scoffed at embraced published THING) for The Cloud for information governance (read: slightly insane mixture of art and law and business technique and documentation and compliance and policy and pragmatic execution). 

There isn't.  I've looked.

Why???  Well, mostly because we can't seem to stop debating who has the bigger better faster definition for Cloud or the most internet based services that can be crammed into the latest buzz generating tech new kid on the block.  Once we settle on the what & the scope of the what, we can start to focus on the how.

While we wait for some of the Cloudness to come to earth, I believe that we \*can\* leverage frameworks in the various data governance categories to begin to define the scope of protection in the appropriate context-- if you've read my data musings for more than 10 seconds you know I'm a gal all about context and the decisions we make based thereon.

Security is one of those critical categories.  While a Cloud Standard does not yet exist, we must recognize that a statement, "I am secure"-- as if being secure were a static state or indeed possible in an empirical sense-- is simply not enough.  

I can say, "I am happy" because it is a statement I have chosen to make given a context I uniquely experience.  3d parties can make this state a challenge or temporarily impracticable, but the happy party is largely in control of this state.

"Security" in the enterprise context is a bit different.  An enterprise can be temporarily incident free or incident attempt free, but the fact remains that active or inadvertent mischief  is wildly out of the guards' zone of ultimate control.  Attackers have all the time in the world to find just one way in whilst the governance teams must think of every possible entre and plan and resource accordingly.  It's a noble calling but never a steady state and rarely one for which the enterprise servant is given thanks.

Sigh.  Was I just talking about happiness a few lines ago...?  

SO, you have choices.  (Ah, making choices & feeling some control is indeed a psychological factor in basic happiness and self efficacy studies, so I think we're getting somewhere on this rant.  I \*did\* study my Psych books between beers at OSU after all, Mom & Dad!!) 

One choice is to look at the myriad of security standards and Standards and pay to play standards, pick one best suited to purpose and context and audience and apply it to Cloud offerings as best fit as possible.  Once done, a good old fashioned gap analysis, risk assessment and mitigation plan can be set in motion.  It may not be text book because the text book isn't written yet, but it sure feels like progress.  It also feels a lot like deja vu.

Remember grabbing the Fair Processing Principles and applying them to personal data before all the specific regs and data breach laws were promulgated?  Worked then & a similar practice may work now to at least get this Cloud party into a more stable state and ready for bigger and more diverse work loads. 

More on this on another night.

Cute kid story for Miss Sweet Cheeks that's utterly unrelated to Clouds, security but intimately related to happiness.

SC had her check up at the doctor this week.  The good doc was asking my husband developmental questions (relating to the girl, not him) & then went over her measurements.  

Doctor: "Well, she's 84% for ..." 

Sweet Cheeks (interrupting):  "I am NOT 84, I'm THREE!"

Doc: "Nothing wrong with her development.  You can take her home."

Ah, the good old notions of immediate access to personal data and correction from an authenticated (though often unreliable) source.  Makes a Momma proud.

Sweet dreams Info Nation! 

Tuesday May 12, 2009

Team Sun Rides on!!

This is not an information governance entry but something that is important to this information governance geek.

So, I was riding along at 5:45 AM & these two little guys roll down the window of their Prius & shout, "GO SUN!!!  We love you!!!".  Granted, I nearly fell off my bike from shock, but, once recovered, I looked down at my bike jersey & finished the rest of my ride with a big happy grin.  It \*has\* been fun here.  Team Sun the Multiple Sclerosis fightin' biker warriors make me happy too.

Here's some info for you so that you can join Team Sun for at least one more ride:

Bike MS: Waves to Wine Ride 2009 - Sept. 12th and 13th

New in 2009: We’ll be starting from the UCSF Mission Bay Campus quad.

MS:  Waves to Wine Ride takes you on an unforgettable two-day journey
from San Francisco up Highway 1 to Healdsburg in Sonoma County. More
than 1,700 riders will cruise along scenic roads riding anywhere from
50 to 175 miles. Six full meals, generous amenities, stunning
landscapes, stocked rest stops every 12 to 15 miles at spectacular
sites, and spirited festivities that include music and a beer garden
are all included.

This is the link to my page (got my money & my cycle where my mouth


This is the link to the Team Sun page:


Thanks everyone!!!

Monday May 11, 2009

Operation Transparent Cloud

It's in the works.

Here's the problem statement I gleaned from RSA:

What is cloud?

How do I use/ leverage/ own cloud?

How can I trust cloud?

How we answer this problem statement is, in my opinion, critical to how this thing plays out over the next 10 years of development.  We can make meaningful improvements to the state of informational asset management if we don't give up because we are too frightened or too weak or just too darn cynical.  We are none of those things & I think it's time we invite users, hackers and builders onto the same page to start writing how we think this thing should go.

It's not too late to try.

Just a thought...

Wednesday Apr 15, 2009

A little love for Fordham Law School

The US News & World Report is soon to
issue its Law School
rankings.  This issue is always met with much discussion in my house as
my husband attended the country club Stanford Law School which
pitter-pats back & forth with Harvard for the #1 spot each year. 
(I still have to explain how the 4th amendment actually works when we
watch Law & Order.  He kicks my butt when it comes to leveraged
buyouts but outing him where I can is always good sport.)  ;-)

 I had much more humble beginnings as a
night school law student at Fordham Law School in the heart of New York
City where I was able to keep my job and attend night classes.  I was
also able to act as Summer Clerk to the Hon
M. McLaughlin (which is a clerk to the clerks kind of job where the pay
is zero, the experience is priceless and the clerks have remained great
friends and supporters.)

Fordham's night program is about to be ranked as #3 for
evening programs & I couldn't be more thrilled.  Fordham's
commitment to service and leadership through respect and service to
those led shaped and guided me as a young woman trying to make it in
the big city. The education I received there from fellow classmates
& faculty guides me today.

Great to see some good things coming to good people!!

Just a rah rah & a thought today...

Tuesday Apr 07, 2009

Governance-- A top 10 of sorts

Open?  Yes.

Interoperable/ data portable?  check.

Beyond the buzz I would like to start getting specific about the
elements of a rough cut on a Cloud Governance Framework.  All of
the elements have their private cloud (traditional IT systems or
outsourced IT) corollary but I will suggest that the mass scalability
and distributed nature of Cloud add nuance if not new to this list:

1.  Privacy – control or “get over it”?  (Guess which one we like???)

2.  Intellectual Property – what's mine, yours & theirs

3.  Security – which perimeter are we protecting anyway?

4.  Export control – no bad guys & bombs

5.  Social Engineering – who do you train not to be

6.  The Cops - investigation requirements and allowances

7.  Inappropriate Content – keeping naked & rude out

8.  Audit – what, how much & by whom?

9.  E-Discovery – how many docs does it take to make the

10.  Public policy -- how do we want external parties, users
and owners to interoperate & cause redress to happen in this

Harm, ownership and fiduciary obligation notions emerge and
diverge.  "The Framework" isn't ready for public
consumption beyond these skeletal issues at this point, but these are
some of the issues I'm starting to frame up.  Complex issues
such as ID management, entitlements, document ephemerazation and context
decision management live in the nooks & crannies of this top 10
in my mind.

Just a bit of a hmmmm for today... 

Thursday Apr 02, 2009


Was it Alice in Wonderland or Willie the Pooh who observed "curiouser & curiouser..."?

Wednesday Mar 25, 2009


Today's thought is not about governance in the Cloud.  Instead it is about Jake Desantis, formerly of AIG as of last night.  Take a look at his resignation letter in the New York Times.  I read it over Corn Flakes & read it again here: http://www.nytimes.com/2009/03/25/opinion/25desantis.html?_r=2&pagewanted=1&ref=opinion

Here's a guy who took a $1.00 pay check to keep the company going & then was vilified as one of "those people".  I must confess that I was as outraged as anyone that any of my taxes went to anyone's bonus while my daughter's public school loses every enrichment program like music, art, phys ed.  I was mad.  Really mad.  I don't do mad gracefully.

Mr. Desantis is mad too & I don't blame him either.

I guess what strikes me most and my take away here is that identity management is as hard on the macro business scale as it is in the technical implementation scale.  Some guys need to go to jail.  Some guys are just jerks who took 56 million when they, unlike Mr. Desantis if his claims are true, fundamentally sucked because they failed to lead.

We need our leaders to be smart.  Duh.  That's a prerequisite.  We need them to be breathing too but we don't make a point of telling everyone how much oxygen they  consume. 

We also need Leaders to be prepared to lead by example even when keeping a bonus would be "fair".  (The guy made only one dollar last year in a job category that pays a great deal more than mere mortals can comprehend.  I do think that's fair but that's my opinion with no facts to back it up.)  We need to know that when the chips are down, whether you take the money or not, our leaders stand with us and fight for us when our voices are not present in that room.  When we're asked to give our best and we do there may not always be cash compensation in this market, but there is acknowledgment and solidarity. 

So bravo to this fellow.  You reminded me that there is one unwavering truth-- there is only truth from a myriad of perspectives and each only gets his or her slice of that truth.  Better still, your team needed you & by going public with your own anger, frustration & a bit of pride, you gave them a voice too.  THAT's leadership.

Anyway, I was moved by this guy & wanted to share.  There are no winners in this story, but it blasted me in the side of the head to learn some lessons & to drop my absolute outrage.  Godspeed Jake Desantis & team and all the silent others grinding away to bring your best to the show today.  We can do this. 

Friday Mar 20, 2009

I'm 3 and...

Here's a very quick note about compliance and governance & a great kid story for a Friday after a pretty wild week.

Just a note of lexicography.  We're putting together a framework
for Governance for Cloud Computing.  Governance includes security,
privacy, audit etc.-- all the stuff that helps a customer understand
what to expect & how to make their choices so that they are not
surprised when the system doesn't act with perfection and zero error or,
alternatively, when the system bombs out because it's beta and clearly

should be distinguished from Governance.  They are not synonymous. 
Compliance is a subsection of governance where we adhere to existing
and known laws (including those private 'laws' called policy). 
Governance is the art of providing enough protection to meet customer
expectation and anticipate new models/ uses/ risks that may have yet to
be regulated. 

The non-secret to all of this is to allow for as much
transparency as possible.  This leads to the way you license stuff,
open technologies, stds, etc.  The who what why when & where.

Which leads me to my kid story du jour:

put Sweet Cheeks up on skis for the first time.  She was so darn cute in her ski suit & helmet that we had trouble actually walking
anywhere without someone stopping us to tell me how cute she is-- I
know, it's transparent for all to see.

We arrived at ski school
& the rules/ policies are that the child must be 3 & must be
potty trained.  We explained these rules to Sweet Cheeks as incentive
for training exercises that have been vigorously applied over the last
several months.  (When one uses the expression to "take S\*\*\* from
someone", I know from whence they speak, but that's another story...)

Sweet Cheeks wastes no time, marches up to the registration desk and announces, "I'm 3 and I am wearing panties."

All I could add was, "I'm 40 & I am too."  Policy requirements met, skiing ensued.

Transparency.  It's a good thing.

Happy weekend & happy March Madness all. 

Wednesday Mar 18, 2009

Community East-- Welcome to Sun's Public Cloud!!

It's public.  Sun's building a public cloud.  We're also throwing in access to the tools to help everyone else play in this space.  It's a bit like Alice Waters publishing cookbooks-- the recipes were all lovingly created & tested over time but you can take them home & riff off of them to feed your family & friends well. 

That said, if you want the best meal you're likely to ever eat, come to Chez Panisse.

It's all about choice and creativity and ingredients that are world class.  There will be & should be many in this space.  Everyone who wants to play should consider well the ingredients.

As for the data, there is more to come in this space-- People, Process AND Technology.  We can protect it.  We can operate with the highest ethical standards.  We can shape our information environment today and we must for it will most certainly shape us. 

An unrelated vid sent to me by my friend Wini that's worth a watch is attached here.  It will make you want to work harder and play harder & try to love both along the way.  Enjoy the wind in your hair today!

Just a thought... 


http://www.youtube.com/v/VJMbk9dtpdY

Monday Feb 09, 2009

Shut up & build it.

I've got a new job. 

In all these years as Sun's Chief Information Strategy & Privacy Officer, I have set up privacy impact assessments, done training, reviewed product offerings, managed incidents and questions and generally spurred on an emerging culture of respect for data.  Looking back, I feel very good.  We fought hard when no one supported us until they did.  We leveraged every opportunity to practice what we preach about fair information practices.  We created privacy governance frameworks wherever there was a need across the business on nearly every continent and in organizations outside of Sun-- for vendor support, mergers & acquisitions, outsourcing deals, complex customer engagements & so on.   We've been tirelessly bringing the message to the world in whatever forum would have us.  My team has been busy, effective and, with great emphasis, fun and I couldn't be more proud of each and every one of them.

In short, moving on from this role was not an easy choice. 

Where I'm going is a very easy choice.  My new role at Sun is as Sun's first Chief Governance Officer for Cloud Computing.  Although "Cloud" is the new buzz word, John Gage coined the phrase "The Network is the Computer" back in 1985 to describe Sun's long term strategy & The Cloud is simply that vision technically and culturally coming to its natural fruition.  Extended networks are here to stay.  Some of these networks will be multi-tenant, while some will mimic our current private IT systems as solo tenant models.

What is certainly needed here is a common framework that will help the organizations, employees, customers and customers' customer understand the who what why how when and where of their data and ultimately to provide certainty in the information derived from all of this data.  The move from privately maintained IT infrastructures & kluged together governance structures  to distributed, often virtual and sometimes 3d party owned compute resources represents a massive cultural shift and exponential innovation on the technical side. Our governments won't know what to make of this Cloud any more than they did the early internet & it's up to us to help teach them.  Our users and developers have never had the opportunity to be as self empowered over their own resources as they will be in this evolution of computing & it's up to us to help them understand what's possible.

Hence, a Governance Officer will leave her comfy post as corporate policy wonk and advisor to roll up sleeves and build a framework that will mold the people, process & responsibility aspects of The Cloud.  I'm putting my career where my mouth is & I'm gonna start helping the build out.

It's a monster challenge & I'm scared as hell which makes me happier than I've been in a long time-- and I'm a pretty happy kinda gal! 

Monday Dec 08, 2008

Don't Give Up On Your Everything

Economic duress can lead to stupid, but duress can also lead to innovation.

Data protection & information assets are not only a nice to have when times are easy.  Having a firm grasp on one's information assets is fundamental to the success of every organization. 

Every connected customer who has a need fulfilled well & on time is a beneficiary of solid information practices. 

Every employee recognized and rewarded for his or her objective contribution has been led by a leader who understands this fundamental fact:  Information is at least as valuable as currency & we must protect it, govern it & provide leadership to every organization that aspires to be great.

As my 7 year old Miss Thang says, "Momma, don't ever give up on your everything."

Come what may in the months to come, I won't & neither should you.   Thank you for reading & sharing the Privacy & Information Strategy ride with me.

Tuesday Nov 25, 2008

Your assets DO look fat in that data center!

Privacy Enhancing Launch-o-mania.  Your Turkey may not be safe, but your data stands a chance.

Apparently while the US is getting fat on Thanksgiving feasting, the whole world can fulfill its data strategy appetite with two very exciting things of note from Sun.  Neither is particular to data protection, but both can make all the difference as part of a good governance strategy.

The first is a thing (more precisely a family of things) called the Sun Storage 7000 Unified Storage System. http://www.sun.com/launch/2008-1110/index.jsp You can go to the link & hear about cost savings and speed and eco stuff because you have a lowered physical footprint. 

HOWEVER the way \*I\* read it, this Sun Storage 7000 Unified Systems  thing
is just another way of saying,

"Sun has stuff that can turn piles of
crap data that may be sitting around stuck in systems or on storage
devices doing nothing but creating risk into actual information
assets that you can govern, create compliance to data sensitive
regulatory schema while leveraging audit & control features that
give the ability to provide proof that you are actually governing data
to your employee, customer or regulator."

It's the Big Friggin'
Information Control Switch!!!  To do this, we use open technologies
like Solaris & ZFS-- both of which have specific data controls and,
most important to governance & government folks, audit capabilities.

We also contemplate using heterogeneous systems & provide for the
inevitable push to virtualization using container technology in the OS
and our  virtualization software coupled with nice control features in
Solaris like DTrace.

Its flexibility is also a benefit to governance.  Where regulatory
schema differ, appropriate data silos can be created, tracked &

I'm pretty excited.

All of these features must be configured & governed appropriately
within any environment-- which is never a given-- but it's an
open platform that \*can\* do what we \*want\* to do which is turn an
overwhelming avalanche of data into something of value for our
customers & our communities. 

That's why the message of 'fast',
'efficient' 'easy to configure' & all that may be thrilling to the
technical community but doesn't actually mean much to me as a
governance officer with head in noose when things go wrong in the
information assets department. 

High quality, verifiable, stable,
visible, auditable, reliable & known are words that make me break
down & cry.  Many \*say\* these words, but this combination of
innovations in the storage arena where the data resides actually makes it POSSIBLE. 

The CIOs might be happy but, if we can make them understand what this
means, the CFOs, Risk, Privacy Officers & information governance
folks should be peeing themselves.  I think I may have done.

SO after all that could there be MORE????? 

Another privacy enhancing technology brought to you by S U N.

We've heard what our customers have been telling us regarding getting data centers under control and eliminating old data or hot new data stored on equipment being relocated from one location to another.  The data erasure service recognizes the need to erase data from storage arrays and
other equipment before they are serviced, physically
relocated, end of lifed or redeployed.  Sending millions of
data records containing IP, confidential data, and personally
identifiable data stashed on the back of a truck or in the hands of a
repair person who has no awareness of the sensitivity of the data
stored within is unconscionable.  It's an economic imperative for every
one of us to lower our risk of loss.  Here's some more chat & actual information about this stuff.


\*Sun Product Intro\*

\*Blog talk radio\*


Privacy, intellectual property and other data assets are NOT dead.  We
still must breathe life into this system & get it in place &
govern it well, but, dammit, we have POSSIBILITY.  Check this stuff out
& see if you can resist how big this is.  Betcha can't.

Thursday Nov 06, 2008


I can't say anything yet.  Next week Sun's bringing on more information asset/ privacy enhancing capable cool stuff.

Change has come to the data center.

also a new service that I can't talk about 'till next week.  If you
have data anywhere in your enterprise, you need this service.  It will
sound not huge, but it is. 

So is deodorant.  

Tuesday Nov 04, 2008


Nothing at all to do with privacy today.

I am \*almost\* tempted to break my own rule about not publishing pictures of my girls online to post a picture of Miss Thang, placing my absentee ballot in the ballot box this morning.  She woke up at 5 am all excited & said "IS IT TIME TO VOTE FOR  xxx?!"

At 7am, we cast our vote for the future. I wore my red Cole Haans (my only tip to luxury items) & she wore silver sparkle shoes, a Red white & blue star covered T-shirt & US flag design baseball cap with her beautiful pony tail hanging out the back & a smile that I'll never forget.

Whomever they may be.  Let's hope the new team in the US gets it together to lead us out of this mess.  We have a fresh chance. 

Saturday Nov 01, 2008

November, Numbers & Thanksgiving on its way

So,  every year I torture my work teams with a gooey, but sincere
public airing of thankfulness.  I always copy my entire virtual team,
supporters & the big bosses including Scott McNealy & Jonathan
Schwartz who, after all, give me the freedom & the finances to do
what we do.

I have to admit that I am a person typically so filled with
hope and idealism that it has, in the past, become something of an
Achilles heel for me.  I want to believe that motives are pure-- if
misguided-- and that good will prevail despite the sometimes obvious

 Anyway, if you know anything about Sun, you know that
this was a really dark week for us.  The folks who love Sun are the
folks who care about secure data.  Banks & governments are our
bread.  The dot com boom for Sun was largely driven by investors'
recommendation that start ups move with scale, reliability & data

So, this week, the formula wasn't hard to read.  No financial institution spend in IT =  rotten quarter for Sun. 

What's an optimist to do?  Be thankful.

haven't written this year's message, but I shall post here, my internal
to Sun message of thanks (with just a few confidential program cut
outs) from last November.  It still holds true today & this
thinking keeps me focused. 

Stay hopeful & strong out there.  If you can, please buy something large from Sun. Thanks for reading.

Here it is:

Dear Privacy Nation & Big Bosses who support us,
Annual Warning: The following is a heartfelt thank you in the spirit of Thanksgiving.
If you are too cranky to read admittedly gooey sentiment, extirpate this message, read
your other email & move on. A grateful Privacy Nation loves you anyway.

This is my 7th year at Sun. To say that I have learned a great deal during my years at Sun
would be an understatement. To say that I am thankful for the opportunities I have enjoyed
would be an even greater understatement. To say that I have partnered with, learned from
and observed some of the finest human beings on the planet doing great things would be the truth.

So, of the many many things for which I am deeply Thankful this year here are but a few
(in no particular order):

-Our partners in Public Policy. I had a little out of body experience in XXXXXXX this past
summer. [My partner in public policy] & I were drinking tea, discussing authentication, data
transfer & data driven economic development with one of the senior party officials who will
have a hand in determining the course of privacy legislation & enforcement [in his country].
It was an incredible discussion that I will remember for a very long time. Many many lives
will be impacted by our work.

-Partners & public help for the privacy cause. WOW. What a year it was for connections with
a vibrant & growing data asset management & privacy community! Internal & external
supporters have started to view data privacy as a place for leveraging information as well
as managing risk. Let the \*real\* discussion begin.  Can't wait.

-The Privacy Crisis Management team. Although I was sorry we had to kick it into turbo
drive a few times this year -- thankfully all false but credible alarms! -- we did & this team
delivered better than we imagined. We learned a lot & are stronger than ever. I am so very
grateful for this horizontal team, the pace at which you all came together and the absolute
politic & BS free zone. I hope I don't have to talk shop with you, but I sleep better knowing
you're out there.

-The Customer Data Protection Team. XXXXXXXXXXXXXXX The push from the field
itself to get this done to help them do business better was a pure treat. This was a big win
for Sun & we've only just gotten started!!

There is so much more, but it's late & I haven't even scratched the surface.

This was a very difficult & painful year for many members of our team. We had deaths in
our families, illness, war casualties, accidents and other life cropping up everywhere. We
never have enough time or resources to do the things we want to do on our wish list.

Nonetheless, in good times & in bad, the many folks who care about privacy & security at
Sun deliver with grace & style, humor & wisdom, passion & relentlessness. I am so very
grateful to know you & to work side by side with you.

If you're still hanging in for the rest of my holiday ramble, I'll end with a personal story.

My family was not passed over by challenging times this year. We lost both of my remaining
grandparents in rapid succession. At my grandfather's burial, my grandmother smiled at me
& then reached out to hold my 6 year old daughter's face gently in her hands. She said, "I've
seen so many wondrous things. Keep your eyes open."

She died 5 days later peacefully in her bed to be with her husband of 65 years. She was 94 years old.

My eyes are wide open & I can indeed see many wondrous things. Thank you all for being part
of those things.

Have a happy, healthy & peaceful Thanksgiving!

I feel better now.  I'll work on pithiness this year but I felt the need to expel some bad mojo.

Buy from Sun because our products are actually fantastic.  They can enhance and protect your
information strategy & privacy program.

Be optimistic.


Just a few more thoughts...

Wednesday Oct 08, 2008

Data Classification & Thick Ankles

So, one of the best things about my Data Asset Management job (love that DAM job) is that I get to talk to really really really smart, creative & brave people.  I lunched with one of those today.  Sun acquired the company that he founded & where he worked as its CEO.  Now he works with me & boy are we going to have some fun!

We were discussing various issues in the data world, including Data Classification.

Here's what I think about this little beauty that I like to call the enterprise version of the "Why don't I have Cindy Crawford's booty?" problem.


I would love love love if every bit of data was metatagged at its collection & further tagged with an expiration date.  How I wish I had a backside that looks like a fashion model after \*she's\* had a couple of kids.  (Hey, I'm not \*that\* mean to myself!)

 Here's the thing.  I love donuts.  I ride my bike all the time but I travel all the time and, well, I love donuts.  I'm also genetically only 5'6" with legs that only comprise about 2" of that.

 You have legacy data.  We all do.  We love to acquire companies, their customer expectations, policies, IT systems and their strange data & data habits along with their people & technology.  (That's how we acquired this very very cool new company and, my new buddy.)

You also are not stopping to take the time to classify your data comprehensively all the time.  You're not.  If you \*think\* you are, we're having a rather large sale on free downloads for a billion dollars per download-- just kidding legal people. ;-)

Data classification is a bit like cutting down on donuts or taking up exercise.  It will always help you build awareness and increase the probability that you are spending the right money on the right data protection problem.  BUT...data classification applied today is an investment in going forward over time.  It will take some hard work & discipline to make it a habit & eventually a healthy addiction.

Data Classification will not make you taller or prettier.  You need the rest of the people, process and technology all married to the appropriate culture to work that kind of DNA magic.  You can and should & may soon be legally required to do the best you possibly can to protect your data assets.  Your ultimate ability to compete will likely turn on your ability to leverage your unique information assets & classification is a part of that story.

Hmmm.  Wonder what will happen if I have a donut \*on\* my bike ride tomorrow...  I still won't have Cindy's booty, but I'm willing to take the risk.

Just a thought.... 

Friday Sep 12, 2008

We shall not fail nor falter

We shall neither fail nor falter; we shall not weaken or tire ... Give us the tools and we will finish the job.

~ Winston Churchill

Here's a little note from two of the many voices in my head:

Clean up your data centers & get rid of your excess data baggage. Invest in identity systems but think and keep thinking about why you deploy them in the first place. Embrace a cryptographer. Buy a Black Box. There is much to be done in the world of data asset management. We shall neither fail nor falter. We will continue to invent the tools and deploy the tools to finish the job.

In the interim, I am spending the weekend with over 1,000 of my pals cycling in the National MS Society's Waves to Wine bike tour to raise cash & awareness about multiple sclerosis. This disease stinks. We shall not weaken nor tire. We don't have the tools to finish the job. The meds we do have not only make you feel like a truck ran over you pretty much all the time but are expensive and a pure luxury for even those with great insurance. You can help. Kick start your weekend by donating to Team Sun.

Finish the job. www.wavestowine.org



