Thursday Dec 31, 2009

A Whole New Decade

So, it's new year's eve & I picked up the paper to read all these articles about how thrilled everyone is to see the 'lost' 'horrible' etc. decade be gone.

I will admit that there were times when I really wasn't sure what to think about the vast evil or massive power of nature or just the foolishness and economic hardship these last years.

The Panty Bomber who tried to blow up the plane a few days ago is just one of these incidents. That evil jerk will be locked up tight thinking about his panties for a long long time in thanks for his attempted mass murder. If he thought he didn't like us before, he's in for a whole new wake up call.

But, Panty Bombers and horribles aside, the dawn of the new millennia has been remarkable.

We are all here.

We have the ability to get to know one another in various forms and contexts and media like never before in human history.

We can befriend others from around the world, breathe in their culture and learn from them.

I find this rather cool.

Our identities are becoming refined and redefined every day. This is an overwhelming issue philosophically and an irresistible challenge technologically. How, when and with whom we wish to actually and virtually congregate is ours to own-- if we so wish.

In this new decade, I hope that we can respect the magic of this possibility and, like the Silk Road, leverage identities and personas to carry forth new culture, commerce and understanding. Pollyanna? Perhaps.

For myself, I look back over the decade with nothing short of wonder.

I began as a newlywed in a career as a patent litigator that felt fine but uninspired for me. I was diagnosed with Multiple Sclerosis that year and was told by a quack with an Ivy medical degree that I would likely roll into 2010 in a wheelchair. I had been to Europe twice on the tourist circuit, Kenya on a safari trip and nowhere else. Sun was a building I passed on my way to work. Privacy was something you needed in the loo. Kids? Unimaginable.

Sure the road hasn't always been smooth, but wowee what a ride!

I am a fundamentally different person here on New Year's Eve 2009 than I was in 1999. I have a vision and a purpose. I have touched miracles in my daughters and been bowed by devastating sadness in the passing of great humans. I learned first how to be a sick person with a chronic illness and then how to be a well person staring down MS and winning with every new day. I have looked at an impossible and unloved problem in the form of data protection and found pragmatic solutions that span the globe. I have grown and been enlightened and inspired and have loved more than I ever knew was possible; I have laughed and learned and traveled and grown and LIVED.

So poo-poo to the naysayers. I say Happy New Decade. My Identity story is just getting started and I'm ready for whatever's next. BRING IT ON!!!!!

I wish the same for you and yours-- let's turn every adversity into strength and innovation simply because we can and because it's more fun to do so.

Just a new decade's eve thought...

Tuesday Nov 03, 2009

Rest in Peace Don Bowen

My friend Don Bowen, great champion of ID management and all around creative innovator, has seen his battle with cancer come to a close. He died on Halloween. I can't say that he 'lost' his battle because he was strong, faithful and funny down to the last &, since we all have to go at some point, I'll call his a victory. I wish we could keep him here with us for many more decades.

Here is a link to our podcast, Pimp My Privacy: from back in 2007.

Wherever you are Don, I am a faithful fan. Rest in peace my friend.

Thursday Oct 29, 2009

An oldie but a goodie

I was clearing out my email box when I came across this little gem from the lovely Bruce Schneier. There's something about that guy that I just like, and I think I amuse him, so that makes me happy too.

Check out his musings on the old-fashioned notion of Security v. Privacy rather than private data secured appropriately to type, place & time:
Security vs. Privacy

If there's a debate that sums up post-9/11 politics, it's security versus
privacy. Which is more important? How much privacy are you willing to give
up for security? Can we even afford privacy in this age of insecurity?
Security versus privacy: It's the battle of the century, or at least its
first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael
McConnell discusses a proposed plan to monitor all -- that's right, all --
internet communications for security purposes, an idea so extreme that the
word "Orwellian" feels too mild.

The article (now online here) contains this passage:

In order for cyberspace to be policed, internet activity will have to be
closely monitored. Ed Giorgio, who is working with McConnell on the plan,
said that would mean giving the government the authority to examine the
content of any e-mail, file transfer or Web search. "Google has records
that could help in a cyber-investigation," he said. Giorgio warned me, "We
have a saying in this business: 'Privacy and security are a zero-sum

I'm sure they have that saying in their business. And it's precisely why,
when people in their business are in charge of government, it becomes a
police state. If privacy and security really were a zero-sum game, we
would have seen mass immigration into the former East Germany and
modern-day China. While it's true that police states like those have less
street crime, no one argues that their citizens are fundamentally more

We've been told we have to trade off security and privacy so often -- in
debates on security versus privacy, writing contests, polls, reasoned
essays and political rhetoric -- that most of us don't even question the
fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to
accept less of one to get more of the other. Think of a door lock, a
burglar alarm and a tall fence. Think of guns, anti-counterfeiting
measures on currency and that dumb liquid ban at airports. Security
affects privacy only when it's based on identity, and there are
limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline
security: reinforcing the cockpit doors, passengers realizing they have to
fight back and -- possibly -- sky marshals. Everything else -- all the
security measures that affect privacy -- is just security theater and a
waste of effort.

Spooky thoughts to all for a Happy Halloween. Ms. Thang is Nancy Drew & Sweet Cheeks (cheekier than ever) is a very very cute dragon this year. They both hate coconut so I'm hoping for lots of Almond Joy this year.

Monday Aug 10, 2009

Update- Rita Matz, Silver Medalist

Mrs. Matz took Silver in both the shot put & discus for the 70-74 women's category in the 2009 National Senior Games this past weekend!! That she was over 70 & there was incredible. That she was only surpassed by new National Record holders was impressive. That hundreds of fellow Olympians were also there COMPETING was inspirational.

The men's 80-84 age group 400 meter race was during the discus finals & I tell you what, these gentlemen not only could kick my sorry butt but one of them even gave me a victory wave & wink. Sassy!!

Now, what does this have to do with Cloud Computing? Well, the whole experience got me thinking about identity management within Clouds. Grouped together were like-kind time, place, activity, shared history, intentionality and proclivity to excellence. If you took a snapshot of National Games' data, you would learn a host of information about health, lifestyles, longevity and Olympic history amongst other things. (One of the track stars once competed against the great Wilma Rudolph. See In other words, you would have a good idea of context for a limited period of time and in a limited setting.

Here's where my -- stretched -- cloud thinking comes into play. Given the rather large data set based upon the Senior Games, many, many valuable inferences can be made. Many personally identifiable details have been offered up by participants either because they are known to be excellent, as in the case of our medalist's name and status as a winner, or because they are a part of organizing the event itself (the athletes were all in California for their events & not at home, for example).

Stored in other, sometimes overlapping information clouds (small c, as we're not really talking IaaS, PaaS, or SaaS here, just conceptual formations) are the elements of PII related to these specific humans but out of context regarding their significant sports achievement-- religion, hobbies, professional lives, family designations, etc. These elements are lost in this contextual discussion UNLESS there is an identifier that interoperates across these various clouds to paint a very specific picture of a human for a very specific period of time. (Time is so often NOT mentioned in the talk of cloud governance & privacy management that I feel compelled to drag it back into the picture as often as needed.) It is this correlation across clouds that poses, I think, one of the great governance challenges in the cloud world, where information is virtualized across many data centers and the fiduciary is only capable of controlling his or her bit.

The challenge of triangulation of data has, of course, existed for as long as we have had various entities knowing various details about us, but automation and decentralization make this particular governance challenge all the more urgent.
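To make the cross-cloud correlation and the time point concrete, here is an added example (my own illustration, not code from this blog or from Sun): three conceptual "clouds", each holding a different slice of PII about the same people under one interoperable identifier. The names, identifiers, validity windows and the "event"/"club"/"employer" labels are all constructed. A join on the shared identifier, restricted to records whose validity period overlaps the period of interest, produces exactly the "very specific picture for a very specific period" described above. The mitigation shown, replacing the shared identifier with a per-cloud keyed hash (a context-specific pseudonym, with a different secret key per cloud), is my suggested control and is not something the post itself proposes; the same function also shows that reusing one key across clouds leaves the linkage intact.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

# Constructed sample data: three clouds, one interoperable identifier ("id").
# Each record carries the period for which the fact was true (valid_from/valid_to).
EVENT_CLOUD = [
    {"id": "P-1001", "name": "A. Smith", "event": "discus", "venue": "Palo Alto, CA",
     "valid_from": date(2009, 8, 1), "valid_to": date(2009, 8, 15)},
    {"id": "P-1002", "name": "B. Jones", "event": "400m", "venue": "Palo Alto, CA",
     "valid_from": date(2009, 8, 1), "valid_to": date(2009, 8, 15)},
]
CLUB_CLOUD = [
    {"id": "P-1001", "hobby": "garden club", "home_city": "Columbus, OH",
     "valid_from": date(2005, 1, 1), "valid_to": date(2011, 12, 31)},
    {"id": "P-1003", "hobby": "chess", "home_city": "Austin, TX",
     "valid_from": date(2008, 1, 1), "valid_to": date(2010, 12, 31)},
]
EMPLOYER_CLOUD = [
    # Constructed: this employment record ended before the games, so it must not
    # be folded into a profile of that fortnight.
    {"id": "P-1001", "employer": "Acme Corp",
     "valid_from": date(2000, 1, 1), "valid_to": date(2009, 6, 30)},
    {"id": "P-1002", "employer": "Globex Inc",
     "valid_from": date(2009, 1, 1), "valid_to": date(2010, 12, 31)},
]
CLOUDS = {"event": EVENT_CLOUD, "club": CLUB_CLOUD, "employer": EMPLOYER_CLOUD}

# The period of interest: the (constructed) games fortnight.
GAMES_WINDOW = (date(2009, 8, 1), date(2009, 8, 15))
META = ("id", "valid_from", "valid_to")


def overlaps(rec, window):
    """True if the record's validity period intersects the window of interest."""
    start, end = window
    return rec["valid_from"] <= end and rec["valid_to"] >= start


def correlate(clouds, window):
    """Join records from all clouds on the shared identifier, keeping only
    records valid during the window. Returns the identifiers for which more
    than one cloud contributed, i.e. the cross-cloud composite profiles."""
    profiles = defaultdict(lambda: {"sources": set()})
    for cloud_name, records in clouds.items():
        for rec in records:
            if not overlaps(rec, window):
                continue
            profiles[rec["id"]]["sources"].add(cloud_name)
            profiles[rec["id"]].update({k: v for k, v in rec.items() if k not in META})
    return {pid: p for pid, p in profiles.items() if len(p["sources"]) > 1}


def pseudonymize_clouds(clouds, keys):
    """Mitigation (my suggestion, not from the post): each cloud replaces the
    shared id with an HMAC-SHA256 of it under that cloud's own secret key, so
    the same person carries a different, unlinkable pseudonym in each cloud."""
    out = {}
    for cloud_name, records in clouds.items():
        key = keys[cloud_name]
        out[cloud_name] = [
            dict(rec, id=hmac.new(key, rec["id"].encode(), hashlib.sha256).hexdigest()[:16])
            for rec in records
        ]
    return out


if __name__ == "__main__":
    # With the shared identifier, the join paints the composite picture.
    for pid, profile in correlate(CLOUDS, GAMES_WINDOW).items():
        print(pid, profile)
    # With a distinct key per cloud, nothing links: no composite profiles.
    per_cloud_keys = {"event": b"event-secret", "club": b"club-secret", "employer": b"hr-secret"}
    print(correlate(pseudonymize_clouds(CLOUDS, per_cloud_keys), GAMES_WINDOW))
    # Reusing one key everywhere merely renames the identifier; linkage survives.
    one_key = {name: b"shared-secret" for name in CLOUDS}
    print(len(correlate(pseudonymize_clouds(CLOUDS, one_key), GAMES_WINDOW)))
```

Two things the run shows that the paragraph only states: the time filter drops the expired employer record from the first profile even though the identifier matches, and the pseudonym only helps when the key is genuinely per context, which is the governance decision each fiduciary controlling "his or her bit" has to make.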

In any event, GO RITA & Coach SUZANNE!!! Just being near you inspires me to work on being a better person even if I never earn a silver medal.

Just a thought & a cheer for a Monday...

Thursday Jun 11, 2009

Obsession for the session & no more

I am in love.  No...I am obsessed.  I have been accused, inaccurately, of loving this object because it was one of the few tangible Sun branded "THINGs" sitting on my desk rather than the trickier stuff going on back in the data center.  Sorry to disappoint, but that ain't it.

Hello.  My name is Michelle Finneran Dennedy & I love thin client computing.  

I never have professed to be a technology savant-- far from it.  I have, however, learned a thing or three about the gear gathering & pumping out data faster than we can produce oxygen.  Here's the thing: having a data strategy and information asset plan is a beautiful thing.  A breathtakingly beautiful thing (to float with the oxygen notion for a moment more).

But, like the rain forest, I've never personally seen one up close & personal.  Sure, I've seen drafts & pictures & plans, but the truth of the matter is that information integrity is a bit like clean water.  Big oceans cover much of the planet but potable water is a somewhat scarce resource.  Big fat data centers are growing & growing & growing-- thank God, because I rather like being employed-- but information protected well & wielded as an asset is an increasingly lower percentage of the total and I don't see that problem slackening.

I love this problem & will likely continue to pursue the resolution of this problem either for the rest of my days or as soon as we architect integrity & humanity into every data transaction throughout its life cycle-- whichever comes first.

In sneaks my obsession for the thin client.  Our version is called the Sun Ray.  We've partnered with others like CSC &
even IBM to bring these babies to market all around the world.  See

We have never audited the data on the Sun Ray device itself.  40,000+ of these babies all over the world just in our company alone and not a drop of data resting on any of them.  No plans to delete stuff-- it's not there;  No need to review cast-off gear-- there's nothing on it;  Move around all you like & reuse & reuse & reuse machines-- your identity stays with you & not on the gear;  The server-based compute utility providers (could be internal, could be a service provider) secure the data and manage the data assets-- not every single user using every single device with individual technology awareness must protect the entire system.  You get the drift.  I'm a fan.

This type of technique becomes particularly interesting for the consumer of information services who is simply doing that...consuming information services.  It's awfully nice to be able to go to a device, get the information nugget, move away from the device with the information in head & not worry about any residual hackable non-managed data residue. If I could have a thin client phone that actually was reliable enough to NOT cart my data everywhere, I'd fall in love with that too.  ("Smart phone" inventors, here's your consumer sample size of 1, but I don't think I'm alone.)

If you are thinking about a cloud strategy or consuming a cloud service to deliver content, thin clients are a pretty cool little number to add to your plan.

Hello.  My name is Michelle Finneran Dennedy & I'm a data geek who loves thin client computing. 

Monday Jun 08, 2009

Center for Democracy & Technology & TrustE event June 3, 2009

Last week was a bit of a marathon of data control in the clouds.  One of the many events was a thought provoking panel held by CDT & TrustE.  If you are particularly dedicated-- it's an hour-- check out this web video regarding Cloud De-mystification with Jim Dempsey, CDT, Lindsey Finch, Salesforce & Steven Levy, Wired. 

You'll see that, although I really am trying to behave myself, the Larry Loves the Cloud quote did come up right off the bat.  If you hang in there for the whole thing, you'll hear that I've not given up on privacy: as long as we have people, we'll have some form of privacy.


Here's the link to the website where you can find the video if this embedded link thingy doesn't work:

I also ran into the wonderful & talented Linda Skrocki last week (@ JavaOne), who has shown me how to embed videos & links many times.  One day I'll actually remember these things & make my blog a more beautiful & linked-up place.  One day...

On a final note, Miss Thang's last day of school is this week.  Next week it's theater camp.  My money's on Ms. T for maximum drama & perhaps a bloggable story or two.

A thought AND a video tonight...

Thursday May 21, 2009

What's Standards got to do with it??

So, here's the thing.  There is no comprehensive Standard (read:  hugely politically debated adopted scoffed at embraced published THING) for The Cloud for information governance (read: slightly insane mixture of art and law and business technique and documentation and compliance and policy and pragmatic execution). 

There isn't.  I've looked.

Why???  Well, mostly because we can't seem to stop debating who has the bigger better faster definition for Cloud or the most internet based services that can be crammed into the latest buzz generating tech new kid on the block.  Once we settle on the what & the scope of the what, we can start to focus on the how.

While we wait for some of the Cloudness to come to earth, I believe that we *can* leverage frameworks in the various data governance categories to begin to define the scope of protection in the appropriate context-- if you've read my data musings for more than 10 seconds you know I'm a gal all about context and the decisions we make based thereon.

Security is one of those critical categories.  While a Cloud Standard does not yet exist, we must recognize that a statement, "I am secure"-- as if being secure were a static state or indeed possible in an empirical sense-- is simply not enough.  

I can say, "I am happy" because it is a statement I have chosen to make given a context I uniquely experience.  Third parties can make this state a challenge or temporarily impracticable, but the happy party is largely in control of this state.

"Security" in the enterprise context is a bit different.  An enterprise can be temporarily incident free or incident-attempt free, but the fact remains that active or inadvertent mischief is wildly out of the guards' zone of ultimate control.  Attackers have all the time in the world to find just one way in whilst the governance teams must think of every possible entrée and plan and resource accordingly.  It's a noble calling but never a steady state and rarely one for which the enterprise servant is given thanks.

Sigh.  Was I just talking about happiness a few lines ago...?  

SO, you have choices.  (Ah, making choices & feeling some control is indeed a psychological factor in basic happiness and self-efficacy studies, so I think we're getting somewhere on this rant.  I *did* study my Psych books between beers at OSU after all, Mom & Dad!!)

One choice is to look at the myriad of security standards and Standards and pay to play standards, pick one best suited to purpose and context and audience and apply it to Cloud offerings as best fit as possible.  Once done, a good old fashioned gap analysis, risk assessment and mitigation plan can be set in motion.  It may not be text book because the text book isn't written yet, but it sure feels like progress.  It also feels a lot like deja vu.

Remember grabbing the Fair Processing Principles and applying them to personal data before all the specific regs and data breach laws were promulgated?  Worked then & a similar practice may work now to at least get this Cloud party into a more stable state and ready for bigger and more diverse workloads.

More on this on another night.

Cute kid story for Miss Sweet Cheeks that's utterly unrelated to Clouds or security but intimately related to happiness.

SC had her check up at the doctor this week.  The good doc was asking my husband developmental questions (relating to the girl, not him) & then went over her measurements.  

Doctor: "Well, she's 84% for ..." 

Sweet Cheeks (interrupting):  "I am NOT 84, I'm THREE!"

Doc: "Nothing wrong with her development.  You can take her home."

Ah, the good old notions of immediate access to personal data and correction from an authenticated (though often unreliable) source.  Makes a Momma proud.

Sweet dreams Info Nation! 

Monday May 11, 2009

Operation Transparent Cloud

It's in the works.

Here's the problem statement I gleaned from RSA:

What is cloud?

How do I use/ leverage/ own cloud?

How can I trust cloud?

How we answer this problem statement is, in my opinion, critical to how this thing plays out over the next 10 years of development.  We can make meaningful improvements to the state of informational asset management if we don't give up because we are too frightened or too weak or just too darn cynical.  We are none of those things & I think it's time we invite users, hackers and builders onto the same page to start writing how we think this thing should go.

It's not too late to try.

Just a thought...

Tuesday Apr 07, 2009

Governance-- A top 10 of sorts

Open?  Yes.

Interoperable/ data portable?  check.

Beyond the buzz I would like to start getting specific about the elements of a rough cut on a Cloud Governance Framework.  All of the elements have their private cloud (traditional IT systems or outsourced IT) corollary, but I will suggest that the mass scalability and distributed nature of Cloud add nuance, if not entirely new elements, to this list:

1.  Privacy – control or “get over it”?  (Guess which one we like???)

2.  Intellectual Property – what's mine, yours & theirs

3.  Security – which perimeter are we protecting anyway?

4.  Export control – no bad guys & bombs

5.  Social Engineering – who do you train not to be

6.  The Cops - investigation requirements and allowances

7.  Inappropriate Content – keeping naked & rude out

8.  Audit – what, how much & by whom?

9.  E-Discovery – how many docs does it take to make the

10.  Public policy -- how do we want external parties, users
and owners to interoperate & cause redress to happen in this

Harm, ownership and fiduciary obligation notions emerge and diverge.  "The Framework" isn't ready for public consumption beyond these skeletal issues at this point, but these are some of the issues I'm starting to frame up.  Complex issues such as ID management, entitlements, document ephemerization and context decision management live in the nooks & crannies of this top 10 in my mind.

Just a bit of a hmmmm for today... 

Wednesday Mar 25, 2009


Today's thought is not about governance in the Cloud.  Instead it is about Jake DeSantis, formerly of AIG as of last night.  Take a look at his resignation letter in the New York Times.  I read it over Corn Flakes & read it again here:

Here's a guy who took a $1.00 pay check to keep the company going & then was vilified as one of "those people".  I must confess that I was as outraged as anyone that any of my taxes went to anyone's bonus while my daughter's public school loses every enrichment program like music, art, phys ed.  I was mad.  Really mad.  I don't do mad gracefully.

Mr. DeSantis is mad too & I don't blame him either.

I guess what strikes me most, and my take-away here, is that identity management is as hard on the macro business scale as it is in the technical implementation scale.  Some guys need to go to jail.  Some guys are just jerks who took 56 million when they, unlike Mr. DeSantis if his claims are true, fundamentally sucked because they failed to lead.

We need our leaders to be smart.  Duh.  That's a prerequisite.  We need them to be breathing too but we don't make a point of telling everyone how much oxygen they consume.

We also need Leaders to be prepared to lead by example even when keeping a bonus would be "fair".  (The guy made only one dollar last year in a job category that pays a great deal more than mere mortals can comprehend.  I do think that's fair but that's my opinion with no facts to back it up.)  We need to know that when the chips are down, whether you take the money or not, our leaders stand with us and fight for us when our voices are not present in that room.  When we're asked to give our best and we do there may not always be cash compensation in this market, but there is acknowledgment and solidarity. 

So bravo to this fellow.  You reminded me that there is one unwavering truth-- there is only truth from a myriad of perspectives and each only gets his or her slice of that truth.  Better still, your team needed you & by going public with your own anger, frustration & a bit of pride, you gave them a voice too.  THAT's leadership.

Anyway, I was moved by this guy & wanted to share.  There are no winners in this story, but it blasted me in the side of the head to learn some lessons & to drop my absolute outrage.  Godspeed Jake DeSantis & team and all the silent others grinding away to bring your best to the show today.  We can do this.

Friday Mar 20, 2009

I'm 3 and...

Here's a very quick note about compliance and governance & a great kid story for a Friday after a pretty wild week.

Just a note of lexicography.  We're putting together a framework for Governance for Cloud Computing.  Governance includes security, privacy, audit etc.-- all the stuff that helps a customer understand what to expect & how to make their choices so that they are not surprised when the system doesn't act with perfection and zero error or, alternatively, when the system bombs out because it's beta and clearly

Compliance should be distinguished from Governance.  They are not synonymous.  Compliance is a subsection of governance where we adhere to existing and known laws (including those private 'laws' called policy).  Governance is the art of providing enough protection to meet customer expectation and anticipate new models/ uses/ risks that may have yet to be regulated.

The non-secret to all of this is to allow for as much transparency as possible.  This leads to the way you license stuff, open technologies, standards, etc.  The who, what, why, when & where.

Which leads me to my kid story du jour:

We put Sweet Cheeks up on skis for the first time.  She was so darn cute in her ski suit & helmet that we had trouble actually walking anywhere without someone stopping us to tell me how cute she is-- I know, it's transparent for all to see.

We arrived at ski school & the rules/ policies are that the child must be 3 & must be potty trained.  We explained these rules to Sweet Cheeks as incentive for training exercises that have been vigorously applied over the last several months.  (When one uses the expression to "take S*** from someone", I know from whence they speak, but that's another story...)

Sweet Cheeks wastes no time, marches up to the registration desk and announces, "I'm 3 and I am wearing panties."

All I could add was, "I'm 40 & I am too."  Policy requirements met, skiing ensued.

Transparency.  It's a good thing.

Happy weekend & happy March Madness all. 

Wednesday Mar 18, 2009

Community East-- Welcome to Sun's Public Cloud!!

It's public.  Sun's building a public cloud.  We're also throwing in access to the tools to help everyone else play in this space.  It's a bit like Alice Waters publishing cookbooks-- the recipes were all lovingly created & tested over time but you can take them home & riff off of them to feed your family & friends well. 

That said, if you want the best meal you're likely to ever eat, come to Chez Panisse.

It's all about choice and creativity and ingredients that are world class.  There will be & should be many in this space.  Everyone who wants to play should consider well the ingredients.

As for the data, there is more to come in this space-- People, Process AND Technology.  We can protect it.  We can operate with the highest ethical standards.  We can shape our information environment today and we must for it will most certainly shape us. 

An unrelated vid sent to me by my friend Wini that's worth a watch is attached here.  It will make you want to work harder and play harder & try to love both along the way.  Enjoy the wind in your hair today!

Just a thought... 


Monday Feb 09, 2009

Shut up & build it.

I've got a new job. 

In all these years as Sun's Chief Information Strategy & Privacy Officer, I have set up privacy impact assessments, done training, reviewed product offerings, managed incidents and questions and generally spurred on an emerging culture of respect for data.  Looking back, I feel very good.  We fought hard when no one supported us until they did.  We leveraged every opportunity to practice what we preach about fair information practices.  We created privacy governance frameworks wherever there was a need across the business on nearly every continent and in organizations outside of Sun-- for vendor support, mergers & acquisitions, outsourcing deals, complex customer engagements & so on.  We've been tirelessly bringing the message to the world in whatever forum would have us.  My team has been busy, effective and, with great emphasis, fun, and I couldn't be more proud of each and every one of them.

In short, moving on from this role was not an easy choice. 

Where I'm going is a very easy choice.  My new role at Sun is as Sun's first Chief Governance Officer for Cloud Computing.  Although "Cloud" is the new buzz word, John Gage coined the phrase "The Network is the Computer" back in 1985 to describe Sun's long term strategy & The Cloud is simply that vision technically and culturally coming to its natural fruition.  Extended networks are here to stay.  Some of these networks will be multi-tenant, while some will mimic our current private IT systems as solo tenant models.

What is certainly needed here is a common framework that will help the organizations, employees, customers and customers' customers understand the who, what, why, how, when and where of their data and ultimately to provide certainty in the information derived from all of this data.  The move from privately maintained IT infrastructures & kluged-together governance structures to distributed, often virtual and sometimes third-party owned compute resources represents a massive cultural shift and exponential innovation on the technical side. Our governments won't know what to make of this Cloud any more than they did the early internet & it's up to us to help teach them.  Our users and developers have never had the opportunity to be as self-empowered over their own resources as they will be in this evolution of computing & it's up to us to help them understand what's possible.

Hence, a Governance Officer will leave her comfy post as corporate policy wonk and advisor to roll up sleeves and build a framework that will mold the people, process & responsibility aspects of The Cloud.  I'm putting my career where my mouth is & I'm gonna start helping the build out.

It's a monster challenge & I'm scared as hell which makes me happier than I've been in a long time-- and I'm a pretty happy kinda gal! 

Monday Dec 08, 2008

Don't Give Up On Your Everything

Economic duress can lead to stupid, but duress can also lead to innovation.

Data protection & information assets are not only a nice to have when times are easy.  Having a firm grasp on one's information assets is fundamental to the success of every organization. 

Every connected customer who has a need fulfilled well & on time is a beneficiary of solid information practices. 

Every employee recognized and rewarded for his or her objective contribution has been led by a leader who understands this fundamental fact:  Information is at least as valuable as currency & we must protect it, govern it & provide leadership to every organization that aspires to be great.

As my 7 year old Miss Thang says, "Momma, don't ever give up on your everything."

Come what may in the months to come, I won't & neither should you.   Thank you for reading & sharing the Privacy & Information Strategy ride with me.

Tuesday Nov 25, 2008

Your assets DO look fat in that data center!

Privacy Enhancing Launch-o-mania.  Your Turkey may not be safe, but your data stands a chance.

Apparently while the US is getting fat on Thanksgiving feasting, the whole world can fulfill its data strategy appetite with two very exciting things of note from Sun.  Neither is particular to data protection, but both can make all the difference as part of a good governance strategy.

The first is a thing (more precisely a family of things) called the Sun Storage 7000 Unified Storage System. You can go to the link & hear about cost savings and speed and eco stuff because you have a lowered physical footprint. 

HOWEVER, the way *I* read it, this Sun Storage 7000 Unified Storage System thing is just another way of saying,

"Sun has stuff that can turn piles of crap data that may be sitting around stuck in systems or on storage devices doing nothing but creating risk into actual information assets that you can govern, create compliance to data-sensitive regulatory schema while leveraging audit & control features that give the ability to provide proof that you are actually governing data to your employee, customer or regulator."

It's the Big Friggin' Information Control Switch!!!  To do this, we use open technologies like Solaris & ZFS-- both of which have specific data controls and, most important to governance & government folks, audit capabilities.

We also contemplate using heterogeneous systems & provide for the inevitable push to virtualization using container technology in the OS and our virtualization software coupled with nice control features in Solaris like DTrace.

Its flexibility is also a benefit to governance.  Where regulatory schema differ, appropriate data silos can be created, tracked &

I'm pretty excited.

All of these features must be configured & governed appropriately within any environment-- which is never a given-- but it's an open platform that \*can\* do what we \*want\* to do, which is turn an overwhelming avalanche of data into something of value for our customers & our communities. 

That's why the message of 'fast', 'efficient', 'easy to configure' & all that may be thrilling to the technical community but doesn't actually mean much to me as a governance officer with head in noose when things go wrong in the information assets department. 

High quality, verifiable, stable, visible, auditable, reliable & known are words that make me break down & cry.  Many \*say\* these words, but this combination of innovations in the storage arena where the data resides actually makes it POSSIBLE. 

The CIOs might be happy but, if we can make them understand what this means, the CFOs, Risk, Privacy Officers & information governance folks should be peeing themselves.  I think I may have done.

SO after all that could there be MORE????? 

Another privacy enhancing technology brought to you by S U N.

We've heard what our customers have been telling us regarding getting data centers under control and eliminating old data or hot new data stored on equipment being relocated from one location to another.  The data erasure service recognizes the need to erase data from storage arrays and other equipment before they are serviced, physically relocated, end-of-lifed or redeployed.  Sending millions of data records containing IP, confidential data, and personally identifiable data stashed on the back of a truck or in the hands of a repair person who has no awareness of the sensitivity of the data stored within is unconscionable.  It's an economic imperative for every one of us to lower our risk of loss.  Here's some more chat & actual information about this stuff.
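The check a practitioner wants behind any erasure service is proof that the overwrite actually landed before the hardware rolls out the door. The example below is added here and is not Sun's data erasure service or any code from this blog: it seeds a file-backed image with constructed fake records, overwrites the whole image (random bytes, then zeros), forces it to stable storage, and then reads every byte back to confirm nothing but zeros remains and the sample record cannot be found. The image path, record contents and image size are assumptions chosen for the example.

```python
"""Wipe-and-verify for a file-backed storage image (added example, not Sun's service)."""
import os
import tempfile

CHUNK = 64 * 1024
# Constructed fake PII record used only to prove the wipe removed it.
RECORD = b"SSN=123-45-6789;NAME=Jane Doe;CC=4111111111111111"


def build_sample_image(path, size=1024 * 1024):
    """Constructed input: random filler with the fake record at three offsets."""
    buf = bytearray(os.urandom(size))
    for off in (0, size // 3, size - len(RECORD)):
        buf[off:off + len(RECORD)] = RECORD
    with open(path, "wb") as f:
        f.write(buf)
    return size


def _overwrite(path, size, pattern_fn):
    """Write pattern_fn(n) over the whole image in chunks and fsync it."""
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            f.write(pattern_fn(n))
            written += n
        f.flush()
        os.fsync(f.fileno())


def wipe_image(path):
    """Two passes: random bytes, then zeros, so verification is an all-zero check."""
    size = os.path.getsize(path)
    _overwrite(path, size, os.urandom)
    _overwrite(path, size, lambda n: b"\x00" * n)
    return size


def verify_wiped(path):
    """Read the whole image back.

    Returns (all_zero, nonzero_byte_count, record_found). The trailing window
    carries len(RECORD)-1 bytes across chunk boundaries so a record split
    between two reads is still detected.
    """
    nonzero = 0
    found = False
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            nonzero += len(chunk) - chunk.count(0)
            if RECORD in tail + chunk:
                found = True
            tail = chunk[-(len(RECORD) - 1):]
    return nonzero == 0, nonzero, found


def sanitize_and_check(path):
    """Wipe the image and return the verification result for the caller to log."""
    size = wipe_image(path)
    all_zero, nonzero, found = verify_wiped(path)
    return {"bytes": size, "all_zero": all_zero, "nonzero": nonzero, "record_found": found}


if __name__ == "__main__":
    img = os.path.join(tempfile.mkdtemp(), "disk.img")
    build_sample_image(img)
    print("before wipe:", verify_wiped(img))
    print("after wipe: ", sanitize_and_check(img))
```

Overwriting through the filesystem is only a demonstration of the verify step. Flash media with wear-levelling and drives with remapped sectors can keep copies an overwrite never touches, so on real hardware the erase should use the drive's own sanitize mechanism (ATA Secure Erase, NVMe Sanitize, or cryptographic erase on self-encrypting drives) and the read-back verification should be run against the raw device.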


\*Sun Product Intro\*

\*Blog talk radio\*


Privacy, intellectual property and other data assets are NOT dead.  We still must breathe life into this system & get it in place & govern it well, but, dammit, we have POSSIBILITY.  Check this stuff out & see if you can resist how big this is.  Betcha can't.

Saturday Nov 01, 2008

November, Numbers & Thanksgiving on its way

So, every year I torture my work teams with a gooey, but sincere public airing of thankfulness.  I always copy my entire virtual team, supporters & the big bosses including Scott McNealy & Jonathan Schwartz who, after all, give me the freedom & the finances to do what we do.

I have to admit that I am a person typically so filled with hope and idealism that it has, in the past, become something of an Achilles heel for me.  I want to believe that motives are pure-- if misguided-- and that good will prevail despite the sometimes obvious

Anyway, if you know anything about Sun, you know that this was a really dark week for us.  The folks who love Sun are the folks who care about secure data.  Banks & governments are our bread.  The dot com boom for Sun was largely driven by investors' recommendation that start ups move with scale, reliability & data
So, this week, the formula wasn't hard to read.  No financial institution spend in IT =  rotten quarter for Sun. 

What's an optimist to do?  Be thankful.

I haven't written this year's message, but I shall post here my internal to Sun message of thanks (with just a few confidential program cut outs) from last November.  It still holds true today & this thinking keeps me focused. 

Stay hopeful & strong out there.  If you can, please buy something large from Sun. Thanks for reading.

Here it is:

Dear Privacy Nation & Big Bosses who support us,
Annual Warning: The following is a heartfelt thank you in the spirit of Thanksgiving.
If you are too cranky to read admittedly gooey sentiment, extirpate this message, read
your other email & move on. A grateful Privacy Nation loves you anyway.

This is my 7th year at Sun. To say that I have learned a great deal during my years at Sun
would be an understatement. To say that I am thankful for the opportunities I have enjoyed
would be an even greater understatement. To say that I have partnered with, learned from
and observed some of the finest human beings on the planet doing great things would be the truth.

So, of the many many things for which I am deeply Thankful this year here are but a few
(in no particular order):

-Our partners in Public Policy. I had a little out of body experience in XXXXXXX this past
summer. [My partner in public policy] & I were drinking tea, discussing authentication, data
transfer & data driven economic development with one of the senior party officials who will
have a hand in determining the course of privacy legislation & enforcement [in his country].
It was an incredible discussion that I will remember for a very long time. Many many lives
will be impacted by our work.

-Partners & public help for the privacy cause. WOW. What a year it was for connections with
a vibrant & growing data asset management & privacy community! Internal & external
supporters have started to view data privacy as a place for leveraging information as well
as managing risk. Let the \*real\* discussion begin.  Can't wait.

-The Privacy Crisis Management team. Although I was sorry we had to kick it into turbo
drive a few times this year -- thankfully all false but credible alarms! -- we did & this team
delivered better than we imagined. We learned a lot & are stronger than ever. I am so very
grateful for this horizontal team, the pace at which you all came together and the absolute
politic & BS free zone. I hope I don't have to talk shop with you, but I sleep better knowing
you're out there.

-The Customer Data Protection Team. XXXXXXXXXXXXXXX The push from the field
itself to get this done to help them do business better was a pure treat. This was a big win
for Sun & we've only just gotten started!!

There is so much more, but it's late & I haven't even scratched the surface.

This was a very difficult & painful year for many members of our team. We had deaths in
our families, illness, war casualties, accidents and other life cropping up everywhere. We
never have enough time or resources to do the things we want to do on our wish list.

Nonetheless, in good times & in bad, the many folks who care about privacy & security at
Sun deliver with grace & style, humor & wisdom, passion & relentlessness. I am so very
grateful to know you & to work side by side with you.

If you're still hanging in for the rest of my holiday ramble, I'll end with a personal story.

My family was not passed over by challenging times this year. We lost both of my remaining
grandparents in rapid succession. At my grandfather's burial, my grandmother smiled at me
& then reached out to hold my 6 year old daughter's face gently in her hands. She said, "I've
seen so many wondrous things. Keep your eyes open."

She died 5 days later peacefully in her bed to be with her husband of 65 years. She was 94 years old.

My eyes are wide open & I can indeed see many wondrous things. Thank you all for being part
of those things.

Have a happy, healthy & peaceful Thanksgiving!

I feel better now.  I'll work on pithiness this year but I felt the need to expel some bad mojo.

Buy from Sun because our products are actually fantastic.  They can enhance and protect your information strategy & privacy program.

Be optimistic.


Just a few more thoughts...

Friday Jul 25, 2008

Inspiration, Randy Pausch &

Randy Pausch died today. If you haven't heard The Last Lecture, do. It's a love story from Dr. Pausch to his wife Jai, to his three little kids and to life.

One of Dr. Pausch's virtual children (through some very smart doctoral types) is The proposition was to create something to get certain kids-- particularly young girl kids who are being culturized away from technology studies-- to become excited about programming. In Dr. Pausch's words "the head fake" was while the kids were learning to play games, they were also learning to sling code.

Here's one of my favorite quotes from the Lecture, "The brick walls are there to stop the people who don't want it badly enough. They are there to stop the other people."

I'm working on a wall that looks like this:

Data = Risk
Data = Value

DV > DR = Success

We will take this thorn-covered wall down brick by brick in the coming months. Its inception and what this means for the future of data control has left my blog a bit silent in the last little while here, but more is on its way.

Thank you Dr. Randy Pausch. My thoughts & prayers are with your family & friends tonight. I hope we all can live up to your legacy & that we can all have as much fun as you did along the way!

Wednesday May 28, 2008

The missing chair in your boardroom

Hi all,

The attached is an article we did for Sun's Inner Circle newsletter. The lovely Robin Wilton-- IdM guru extraordinaire-- liked it well enough to blog about it. (Very cool!)

So, I am reproducing it here & would love to hear your thoughts.

Here's the link:

& the article:

The Missing Chair Around Your Boardroom Table

Protecting privacy is an inevitable challenge in a free society. With more and more personal information moving onto the Internet, what role must companies assume to protect employee and customer privacy? And globally, what are the implications for privacy with regard to cultural differences and harmonization of identity and data protection standards?

Sun Chief Privacy Officer Michelle Dennedy calls this participatory Web era the "Network of You." Below she shares her views on how companies can protect their assets and stakeholders by expanding the way they think about data privacy and personal information management.

Q: What is the "Network of You?"

A: The "Network of You" is a concept that links traditional business practices to evolving Web 2.0 practices in the new environment of data-enriched enablement. The Network of You recognizes that for the first time in human history, we can individually participate in a global web of information flow. There is obviously a strong economic benefit, but there is also a strong risk factor if we're not careful.

Q: What are the most worrisome threats to online users' privacy?

A: The most worrisome threats are the unplanned, unexpected uses of information that violate individual cultural or legal mores. Organizations can fail to notify users about why they're collecting information — or that they're collecting information at all. They can fall into the trap of abusing collected information for which they are a fiduciary, but not an owner. Information about individuals is the currency flowing through the enterprise and that enterprise becomes, in a sense, its banker. One of the biggest threats is failing to recognize the power of information as a leverageable asset. When you collect too much, not enough, or the wrong information, you store risk that doesn't drive value back into the organization.

To quantify the risk involved, we can look at the case study of breach notification legal requirements. In the U.S., it's becoming typical for organizations that have been forced to notify customers about a data loss to provide two years of credit protection per record lost. So if you lose a laptop that contained 100,000 records with a standard credit protection cost of roughly $40 per record, per year, for two years, you're looking at a potential liability hit of $8 million. That figure doesn't account for brand loss, sales opportunities lost, lawyer fees, or the paper exercise of sending out letters. And that's just a ballpark — I've heard figures from banks up to $500 million, or $250 per record for a major breach.

Treating data as an asset up front and giving it the respect it deserves frees precious organizational time for communicating with customers about the stuff that drives revenue.

Q: Data control is said to now be a boardroom issue as well as an IT issue. Thoughts?

A: It's absolutely a boardroom issue due to the ascendancy of information as the most valuable asset. I think there is an empty chair at the CEO's table that is unique in charter from the chief financial officer, general counsel, chief information officer or chief privacy officer. If the trend to use, collect, and manage data and to connect with customers and workers on a global scale continues, there will be a significant role for new types of executive leadership in the boardroom.

There needs to be an information control officer who looks at information the same way you look at cash, with the nuance that information about human beings is non-replaceable. Once you have disenfranchised your customers or employees because you failed to protect their information, you can't get them back as readily as you can recover cash if you have executed poorly in your capital investments. One of the ongoing tasks for this new executive will be to partner with the CFO, CIO, HR, and R&D leaders to help drive in economic value and drive out risk by only collecting information that has value and doesn't cause harm.

In the short term, existing business unit leaders share in these new data asset and liability-driven duties, and each must become his or her own data advocate, legal advisor, and accountant.

The expanding universe of stakeholders and government regulations like the U.S. state data breach notification laws, the Gramm-Leach-Bliley Act, HIPAA, EU Directives, member state regulations, and the Canadian PIPEDA and other international regulatory frameworks will continue to complicate the business landscape. At the same time, a global community of users and creative entrepreneurial opportunities will continue to press for more data, more control, more transparency, and more respect than ever before.

Q: Is technology the problem or the solution? What technologies can be employed to protect privacy in the online world?

A: Technology can be both. If technology is used in the absence of people or processes, it can be a huge risk. Technology can gobble up more information than any human can possibly consume. Technology can share information faster than human minds can think it, so it can be harmful if you don't have that boardroom-level care of information as well as a system that sets up how information flows, where it is shared, who has access to it, what role those people play in the organization, and assurance that the information is audited.

Identity management technology is critical to understanding "who" is participating on your network. "Who" is your customer and "who" will serve that customer's various needs? Sun has deep identity management leadership and experience in helping with auditing and identity compliance. Sun's capabilities include user provisioning, role management, access management, federation, and directory services. These are examples of technology that can make a big positive impact when deployed with a clear strategy to get in front of the business challenge of "who."

You can centralize and better secure data by using ultra-thin clients like the Sun Ray, which greatly minimizes your data footprint and reduces risk. The only way to use a Sun Ray is by logging in, therefore every action is auditable. Instead of spreading data by duplicating and multiplying it across desktops, a greater proportion of the data stays centrally managed at the server level. Users authenticate and access information that is stored in a guarded place. Then security, privacy, and audit professionals can outreach, manage, and train the person who's allowed to use that interface.

Where data really "sticks" is in your storage strategy. That's where technology, management, and training help you figure out how to utilize your information as an asset. Sun's open data archive solutions enable organizations to change the economic equation for their IT departments because they are 10 times more scalable, use 50 percent less physical space, and can reduce energy costs by a factor of 10 over competing products.

It's critical to understand where you're storing stuff. Your CIO may not be looking at the risk and potential rewards implied by stored data. Which gets back to my "empty seat at the boardroom table" notion. Where it's appropriate, cut down your data footprint to keep the good investments of data that drive value, and systematically get rid of data that only serves to create unmanageable risk.

Q: What role should governments have in helping companies or individuals protect their privacy?

A: Hopefully not a heavy-handed one. My personal responsibility is to cover the globe, and we have business interests in almost every country. We must understand how to harmonize information flows with other governments and protect information through its lifecycle when that lifecycle goes from very restricted civil law countries, to common law jurisdictions, to socialist republics and beyond into emerging economies that are only now selecting a governance strategy for people and data.

We have to agree on the functional definition of how information is protected, despite differences in culture and legal strategies. We can look at how identity management strategies can be deployed to ensure that only the right people at the right time in the right place view authorized information.

Let's say Person A is fulfilling Function B and Strategy C is protecting it. Once you realize that the information pipe is secure, you can rationalize that protection in a common law society like the U.S. where we enforce by regulatory agencies and private litigation. In civil law societies like Europe, where the whip is felt from various agencies, protecting the data pipeline with rigor can satisfy those data protection authorities. When you get to other parts of the world with different notions of individual privacy, you can do that same calculus of role-based access — Person A, Function B, Strategy C — and if that protection is robust and transparent enough, it can satisfy all of these governments with differing enforcement strategies.

Q: What do executives need to be thinking about and planning for over the next five years?

A: People, process, and technology. Your people have to know what to do when. You need a leader who understands and cares about data protection and that person must scream from the mountaintops in the language of employees, vendors, and partners to let them know what is expected of them and that data governance is a valuable investment.

Process has a lot to do with your identity management strategy — who is going to be allowed to look at what when? How long is that information available to those individuals? How do you de-provision those people when they move on? It also has to do with how you determine data value, track it across your enterprise, and protect its integrity throughout its lifecycle.

You have to constantly look at your technology resources, whether you own them or whether you leverage Web 2.0 tools and communities, to determine what brings value. Sun leverages an open, interoperable architecture. The reason people come to Sun and the reason that we are the fiduciary for so much confidential, highly sensitive data is because this architecture allows you to think about the future and where information is going to be stored. All of the information that is housed on those storage media comes at a cost if you lose it, and can bring value if you leverage it well.
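The "Person A fulfilling Function B, protected by Strategy C" calculus and the process questions in the answer above (who may look at what, for how long, and how people are de-provisioned) are easiest to reason about as a small policy engine. The following is an added example written for this page; it is not Sun's identity management software or code from the article. A person holds a role only for a bounded time, a role carries grants on a data classification rather than on individual records, every decision is written to an audit trail, and de-provisioning removes all of a person's roles in one step. The people, roles and classification names are constructed for the example.

```python
"""Time-bounded role-based access with an audit trail (added example, not Sun's product)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """Strategy C: what a role (Function B) may do to a data classification."""
    role: str
    classification: str   # e.g. "customer_pii", constructed label
    action: str           # e.g. "read"


@dataclass(frozen=True)
class Assignment:
    """Person A holds a role until 'expires'; access is never open-ended."""
    person: str
    role: str
    expires: datetime


class AccessPolicy:
    def __init__(self):
        self._grants: set[Grant] = set()
        self._assignments: list[Assignment] = []
        self.audit: list[dict] = []   # every assignment, decision and removal

    def grant(self, role: str, classification: str, action: str) -> None:
        self._grants.add(Grant(role, classification, action))

    def assign(self, person: str, role: str, now: datetime, ttl: timedelta) -> None:
        """Give a person a role for a fixed period; re-assignment is an explicit act."""
        expires = now + ttl
        self._assignments.append(Assignment(person, role, expires))
        self._log(now, "assign", person, role=role, expires=expires.isoformat())

    def deprovision(self, person: str, now: datetime) -> int:
        """Remove every role a person holds (leaver process); returns count removed."""
        before = len(self._assignments)
        self._assignments = [a for a in self._assignments if a.person != person]
        removed = before - len(self._assignments)
        self._log(now, "deprovision", person, removed=removed)
        return removed

    def active_roles(self, person: str, now: datetime) -> set[str]:
        """Roles whose assignment has not yet expired at 'now'."""
        return {a.role for a in self._assignments
                if a.person == person and a.expires > now}

    def check(self, person: str, classification: str, action: str, now: datetime) -> bool:
        """Allow only if an unexpired role carries a matching grant; log either way."""
        roles = self.active_roles(person, now)
        allowed = any(Grant(r, classification, action) in self._grants for r in roles)
        self._log(now, "allow" if allowed else "deny", person,
                  classification=classification, action=action, roles=sorted(roles))
        return allowed

    def _log(self, now: datetime, event: str, person: str, **details) -> None:
        self.audit.append({"ts": now.isoformat(), "event": event,
                           "person": person, **details})


if __name__ == "__main__":
    t0 = datetime(2008, 5, 28, tzinfo=timezone.utc)
    policy = AccessPolicy()
    policy.grant("support_agent", "customer_pii", "read")
    policy.assign("alice", "support_agent", t0, timedelta(days=90))
    print(policy.check("alice", "customer_pii", "read", t0 + timedelta(days=1)))
    print(policy.check("alice", "customer_pii", "read", t0 + timedelta(days=91)))
    policy.deprovision("alice", t0 + timedelta(days=2))
    for entry in policy.audit:
        print(entry)
```

The point of keeping grants on classifications rather than on systems is that the same three-part check can be shown to a regulator in any jurisdiction: the audit trail records who held which function, for how long, and what each decision was, without the reviewer needing to understand the underlying storage.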

Thursday May 08, 2008

Data = Value

Smart thoughts from an inspirational lady:

"Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it." -- Rear Admiral Grace Murray Hopper

What a wonderful Privacy geek she was.

Monday Apr 28, 2008

A New Day

Hello world.

I felt it important to put out a better piece of karma so I'm blogging in uncharacteristic succession to my last posting.

It's a sunny Monday following a glorious weekend where I (in no particular order) painted the girls' bathroom a lovely sky blue to match their sassy personalities rather than a rather depressing pale peachy thing; hung out with my girlies & hubby to attend ballet, a fun math contest (we're geeks) & take the lovelies for a paddle in our local pool; ate fantastic Mediterranean food at a local joint called Dish Dash; drank fantastic wine & a strange waiter-driven choice of beer & 7-UP (sounds disgusting but was rather good) & went bowling (& did NOT drink horrid "wine" served at said bowling alley) with my neighbors who also have 2.5 kids all of the same ages. All is well & good.

The point for Friday was really that while this stuff may sound obvious: Data = Value. Data = Currency. No privacy = No value, increased unplanned risk and no new currency sources. It's the Getting It Done bit that sometimes takes screwing up one's courage & never backing down in the face of power struggles and those that love sticking to status quo.

It's a bit messy & it's important to me to communicate that fact along with the other stuff that moves & inspires.

All said, I sincerely thank those of you who reached out a hand of support. I am thankful for your strength & appreciative of your ideas to keep data protection & management on the track of governance & added value.

I will end on a kiddo story as is becoming a bit of a theme for me. This one is from over a year ago, but I keep it close whenever I feel like giving up & giving in.

Data protection is global. Even if we didn't do business around the world (we do), users of data, customers and customers' customers live on every conceivable patch of habitable earth. Given this reality, I have to be on the road more than I would like. (To all you analysts tapping out reports in First Class, I'm the schlump typically crammed in the middle of the largest & often the smelliest people in the back of the plane. Send me a cookie or a drink some time! ;-) )

My daughter, the infamous Miss Thang is old enough to discuss her feelings about everything, & Mom's travel schedule is no exception. One day when she was particularly upset about my not picking her up after school each day, I asked her if she wanted me to quit my job & if that would make her happy. "I don't know. Can I get back to you?" She actually gave it some thought & then said with a bit of an exasperated sigh, "I do want you to be around when I want you, but I don't want you to quit."

"Why?" I said to her. (I was prepared to do her bidding if she really needed it but was greatly relieved to hear that she was okay.)

Miss Thang said, "Well, I \*do\* like the presents from the airports (busted), but most of all, when you talk to your privacy people it makes your face shine."

I hope she didn't look at my face Friday night, but I couldn't put why I do this crazy & sometimes thankless job better than she did. (Note to self, 5 year olds make excellent business coaches if you let them.)

This stuff is important to me because Data = Currency = Value = Social Responsibility. My kids & yours will buy, sell & save data currency & their lives will be either enriched or damaged thereby. If that's not worthy of putting up with a little occasional crud in the workplace, I don't know what is.

In short, I'M BAAAAAACK & I'm not backing down.

Friday Apr 25, 2008

Is That a Shiv in Your Pocket or Are You Just Happy to See Me?

So, for the most part, I try to keep it upbeat here in my bloggaphoric state. I reminisce about privacy glories past & future & chatter on about influences in my life that translate into how privacy strategy is inspired in my head. As I look back over the last several years of postings, I realize that the positive inspirations are pretty accurate.

What I cannot do is discuss actual governance issues that are live or specific to Sun or any of our Customers. What I have not done is talk very much about the day to day how to deal with the Darwinian slug fest of relevance & resources in a multinational corporation. Mostly because I find internal politics bewildering.

Today, I am polishing the newest item in my "shiv in the back" collection. It happens to everyone in the course of a career & from time to time you find that the supposed initial pat on the back or pretended collaboration has a sharp point. I am currently trying to figure out how gracefully to extract my latest shiv without allowing too much political blood letting.

I won't give anything away to shame the guilty party, but the learning process has certainly been instructive and 'character building' for me. In the spirit of transparency, I shall share a glimpse into the life of what is actually a fairly functional Big Corp. All in all, I want to be very clear that I would never have sacrificed time spent with my kids if I didn't believe that Sun is a company with a very high standard of integrity overall. It is. Most days I love working here for that reason.

Privacy is one of those things that is ill defined in most organizations-- every business unit depends upon it to hire employees, deal with internal & external vendors and manage customer relationships. Every organization & business unit has some notion of ownership not only to the data but to the ways & means by which it travels, who gets to decide how to manage it & there is a sense of 'need to know' that is often hierarchical rather than functional.

I am certain that this is office folly rather than anything to do with any subject matter area but an underdefined space seems to invite these types of confrontations. Rather than meetings where people who know how to do things meet to exchange plans and ideas for solving problems, folks who don't understand the subject matter area but either want to block initiatives (sometimes I suspect for sport or a sad type of fun) or "own" the positive outcomes whilst keeping others close to offload any potential downside come late to the party & spend a great deal of time barking orders or undoing productive work. Ego massaging and empire building both are pretty ugly when viewed from the inside.

Such has been my day. We have a small but very experienced team of folks within my direct & virtual team. My job today was to stand in front of bluster & blow hards who would very much like to sound important or would like to seem like leaders because they are loud.

The folks doing the work were somewhat intimidated but, I hope, undaunted. Data privacy, to anyone who has been exposed to it & has been willing to learn, is a complex conversation that must by its very nature span many organizations.

Winning systemic data privacy control within an organization & spreading that control into products & services, marketing, IT, human resources, legal and other groups is a long term vision. The short term actions that lead to the vision require variant amounts of time, money, expertise, political wherewithal and an ability to compromise to do the best you can with the context and resources available.

I am really really really proud of my guys & feel very Momma Bearish when we are attacked to build up someone's ego. That said, this particular momma bear has learned to remember well the attacker but not to bite.

Shivs in the back are irritating, but they won't stop us. Bluster that things are not perfect misses the point & loses you potential allies. (Things, of course, will never be retrospectively "perfect" in the search for respectful relationships to personal data cross-culturally over time.) The office nasties can whine & moan all they like-- the work doesn't get any easier & it still needs to get done.

The cool thing, of course, is that a certain level of time & experience has shown that a nice Friday afternoon and leaving the office with an empty briefcase for a rare change makes all the difference to me.

Snicker-snack Jabberwocky. THIS privacy junkie's left the building for the day. I'll be ready & nearly willing to take some of your nastiness on Monday but not before.

So, thank you. You have made me a little bit stronger. You made me hate a job that I adore & one that I do well for only a moment. You have forced me to test my resolve to stay & fight for what is right & what is achievable in data protection. You have made my team rally around each other. I shall shine your shiv with pride & laugh quietly to myself when I make you my ally.

Monday Apr 21, 2008

Context & Poetry that any Mother Could Love

A short poem for you:

In the winter the trees sway.
The cold, icy ground is hard and crunchy.
We play in the snow.
When we walk foot prints appear.
But when we see the snow melting we know it's Spring!

This is how it was actually drafted by Miss Thang (my little lady):

In the winter the trees swae.
The cold icy grawnd is herd and crunchy.
We play in the snoe.
Wen we wock foot prins apeer.
But wen we see the snoo melting we no it is Spring!

This lovely ode to Winter & Spring was accompanied by a picture split in half with a snowman waving from one side of the page under a gray sky to a barefoot girl walking on a flower strewn lawn under a blue sky & red sun.

The final contextual piece here is that Miss T wrote the poem & drew the picture in her bed late at night using her flashlight for her sister, Miss Sweet Cheeks' birthday.

The challenge and the allure of data protection is illustrated by this small information transaction. After first making a rather large assumption that one is communicating in English, obtaining access to the poem given the original searchable words can be a challenge-- not an insurmountable challenge as most of the decent search engines give alternative spelling choices.

Identifying the age and background of its author helps to further determine its credibility or at least how stringent or serious any judgment should be on its literary relevance.

Deciding to share the \*clear\* beginnings of artistic genius to the perhaps later in life chagrin of my Miss Thang was an easy choice.

Understanding the context of its creation and to whom it was written makes the retention schedule and security measures much higher for the original document... but only if you're me.

How we protect, what we protect, how long we protect & with whom we share are important lifecycle questions worthy of constant vigilance. I had this discussion with an IT architect this morning about a large multinational organization. Though significantly larger & more complex than my daughter's poetry, the steps we took to analyze his problem were not much different in theory than these.

Wednesday Apr 16, 2008

RSA Palooza 2008

So last week was the gigantor RSA Security conference in San Francisco. Does that sentence sound tired? It should.

The great thing about the SF venue is that it allows me to sleep in my own bed & to hold my girls each day-- after they have fallen asleep & before they awake. In between, I race up & down the Peninsula in madcap traffic & think & breathe security...and this year PRIVACY.

I expected the usual acronyms & tech talks about perimeter controls & bigger & better technology that would solve all ills if only "they" would buy more. This year was different in a very important way.

First, the Executive Security Action Forum (ESAF) meeting. This is the Monday pre-game meeting of ~200 security professionals (and one or two privacy geeks). I moderated a session with BEA, Yahoo & Google regarding social networking and web 2.0 in the enterprise. I attended a very interesting session regarding the psychological profile of an insider likely to act to harm the enterprise. The discussions were confidential, but the feeling that something was changing started this day. The final session included rock star politicians and industry experts who discussed what we would say to the new US president about the cyber & information asset challenge.

RSA began with 4,000 of my security buddies & me listening to John Thompson, CEO of Symantec, talking about evaluating information, business priorities and what we need to communicate first BEFORE we add 0's & 1's...uh, who gave that cutie the privacy script? What was happening?? Is this a Security gig???

Fast forward through a long week-- I met with Secretary Chertoff, Asst Secretary Greg Garcia (of DHS) (interesting!), participated in a privacy specific panel on emerging topics with CDT, BITS, Google & moderated by a USA Today reporter; a panel and working session on crisis management and communicating with the Board regarding information protection issues; I did my version of party like a rock star until 10pm at the Executive Women's Forum cocktail party; & capped off the week with a CNBC panel in a series entitled Bigger Thinking.

My fellow panelists for the CNBC bit were Mike Lynch, CEO Autonomy, James Powell, CTO Reuters & Bruce Schneier, BT Counterpane (& crypto mega star). Intimidated anyone? I don't get nervous about these things because I really care about the topic, but this one had me thinking I would really really like a seat hidden in the corner of some coffee shop instead of playing the role of the whipping girl. I actually think it went off okay. I found the conversation quite fun & the moderator Simon Hobbs very gifted at keeping things moving and lively.

I shall post the URL here as soon as the session goes live on the Bigger Thinking website.

Bottom line, I was not the only person talking about pragmatic privacy at RSA this year. I was not laughed offstage nor did it seem that I was putting anyone to sleep. Not a single soul told me that I simply don't "get it" because I don't happen to believe that gear will do anything without sound practice, business correlation and the right people at the switches.

Something important is happening & I LIKE it...

Friday Mar 28, 2008

Nasal Networks

A brief thought for a Friday

So, I was recently at a business meeting when the man next to me leaned over & confidentially whispered, "You smell really good." Now I'm a girl who does not mind a nice cake of soap, but I have to say this was a new one for me.

Naturally, it got me thinking about privacy, authentication and the very individualized Network of You's that comprise the information web. (I mean come on, what \*would\* a gal think?)

Let's think about a mythical nasal network. I decide to bathe today. I decide the various "lotions & potions" to apply. Perfumes & other specific nasal sensitive additives applied according to mood & circumstance. Now we add the genetic factor. Biometric markers in a whole new category. Mix well with whatever I've decided to eat or drink during the day & my general degree of health. Voila-- a nasal network of authentication is born-- or airborne as it were.

Original, unique, driven by circumstance and user choice...

Authentication at first sniff & very difficult to over preserve, reuse or fail to delete after an appropriate time passes...

Could be a little out there but, before spring pollen season gets into full swing, think about the Nasal Network. My, your credit smells lovely. MMM, you smell like someone who should have HR data. I can just smell it all now.

Just a wacky Friday thought

Saturday Mar 08, 2008

The Ephemeral ID

I just looked this over briefly & understand that it reads a little rambling & quite longish. If I had more time, this would be short & pithy. It's not. It's a blog. If it makes any sense to you, I'd still love to hear your thoughts:


Ms. Thang is reading Little House on the Prairie with her dad & I can hear the rumble of a deep voice and the lilt of a giggle here & there. I took advantage of this moment of quiet to peek in on Miss Sweet Cheeks where she is sleeping peacefully, clutching a knitted sock dolly, her lovely eyelashes resting lightly on rosy apple blossom cheeks.

Have you ever loved someone so much you were sometimes in physical pain? My ribs feel like they must be broken & my head feels a little weird-- only way I can describe it.


Which leads me, naturally, to thoughts of protection & identity management. Of course.

Both of my girls' identities are changing so rapidly. Each day their needs, desires, interests and abilities morph in & out, forward, backward & sideways. Imagine if you will, looking over the identity of just one \*system\* user over the course of time.

Would the 'mature' customer or employee ever bear resemblance again to the 'infant'? Would data collected in the early years of the relationship be relevant in the decision making of today or the strategy planning for tomorrow?

Furthermore, is this human data ever \*that\* great a long term predictor for that one user or is it the trend data for many similarly situated individuals that helps us make our plans?

Why then do we insist upon retaining account data associated with one person for any great length of time in an enterprise setting? Anonymous data for many purposes seems to be the more expedient vector.

Granted, there are some details either so static or so stark that they must be retained, but only as they continue to color the present & predict the future.

I, for example, am a human of the XX variety. Like it or no, for certain characteristics, that fact, collected if you will at my birth, continues to be a decent predictor of certain things.

The fact that I am a mom & have freely disclosed that fact is also significant & an okay predictor for some things and a fantastic predictor for others. Threaten a mommy's kids with serious harm, for example, and there's a pretty good chance she will crush your larynx with her pinkie & be more than able to sip a fat free latte guilt free 30 seconds thereafter.

(More ladies should be in senior management for the same reason, but that's a different topic for a different day.)

The point here is that identity management schemes and data collected that is associated with one's ID should contemplate the temporal who I am now, the role I intend to play in this interaction, the role you wish me to play and the roles into which we will both evolve over time.

Take for example, a key fob strategy-- tons of these have been proposed, with some louder than others but not all that different. I suppose one could choose a "role" based on any number of data elements, but that role would only work to gain access to goods or services or more data where the transaction partner has enough flexibility in authentication and alternative goods, services or more data to match the self selected role.

Here's what I mean: Am I an employee or a customer when I eat at the company canteen? Is it relevant to know any of my work details to be sure I may enter? Should I bring a "Sun employee" data element key fob, or "Sun employee, badge Number XXXXXXXXXXXXXXX, Chief Privacy Officer, digital access level XXX, etc..."? Should we have to mess with a dual system or that much over collection just to authenticate into the building that houses the cafe just to get a salad? The system gets to dictate my role, not me.

Question is, in later years, the same user could return as a completely different role by virtue of time or circumstance & now the user would essentially change the role rather than evolving the relationship. Alternatively, the enterprise can assume that the role holder has changed & can start changing permissions and management of that user's data accordingly based on information that enterprise holds on other similarly situated users. Obviously it makes a difference if I am no longer employed at Sun but no one in the lunch room needs to know or cares if my rank is up or down. (I purposely picked a silly example to make a point, but a similar analysis applies where I am a manager v. when I am acting as an employee; when I need HR data to figure out my benefits v. when I inspect that system for compliance.)
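A toy model of the minimal-disclosure key fob described above, added here as an example and not code from the original post or from Sun: each relying party (canteen, HR benefits, HR compliance inspection) states only the attributes it needs, and every attribute carries a time-to-live so a lapsed role is not reused. The purposes, attribute names, TTL values and the badge placeholder are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Attribute:
    """One fact on the fob: its value, when it was collected, and how long it stays a fair predictor."""
    name: str
    value: object
    collected: date
    ttl: timedelta

    def fresh(self, today: date) -> bool:
        return today <= self.collected + self.ttl


# Assumed policies: what each relying party needs to make its decision, and nothing more.
POLICIES = {
    "canteen": {"employee"},                  # the lunch room only asks "do you work here?"
    "hr_benefits": {"employee", "badge_id"},  # HR must locate my own record
    "hr_audit": {"employee", "role"},         # the inspector needs a current role, not my benefits
}


def present(fob: list, purpose: str, today: date) -> dict:
    """Disclose only what the purpose's policy asks for, dropping attributes that have gone stale.

    Raises PermissionError when a required attribute is absent or expired, so an old role
    cannot be reused after its time has passed; anything the policy never asks for (e.g. a
    job title) is never sent at all.
    """
    wanted = POLICIES[purpose]
    shown = {a.name: a.value for a in fob if a.name in wanted and a.fresh(today)}
    missing = wanted - set(shown)
    if missing:
        raise PermissionError(f"{purpose}: missing or stale {sorted(missing)}")
    return shown


def sample_fob(issued: date) -> list:
    """Constructed fob for illustration; the badge id is a placeholder, not a real value."""
    return [
        Attribute("employee", True, issued, timedelta(days=365)),
        Attribute("badge_id", "BADGE-PLACEHOLDER", issued, timedelta(days=365)),
        Attribute("role", "compliance_inspector", issued, timedelta(days=90)),   # roles drift faster
        Attribute("title", "Chief Privacy Officer", issued, timedelta(days=365)),  # no policy asks for it
    ]


if __name__ == "__main__":
    fob = sample_fob(date(2008, 3, 8))
    print(present(fob, "canteen", date(2008, 3, 9)))      # {'employee': True}
    print(present(fob, "hr_benefits", date(2008, 3, 9)))  # employee + badge placeholder, no title
    try:
        present(fob, "hr_audit", date(2008, 7, 1))        # the 90-day role has lapsed
    except PermissionError as err:
        print(err)
```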

It's not a bad thought from a management perspective to add and add and add or whittle away notice because the predictive trust that the user gains may, in that case, outweigh the need for fresh 'clear & conspicuous' legal notice. Here, the old timer customer gets a "Hi Michelle!" v. the dreaded "Hello Ma'am," or the frequent customer starts to get discounts and nice extras without clicking on an email offer.

But, you see, it is the individual data that often describes her role. It is the individual mom's right to dream that she will not grow old, that she will still be able to make her girls giggle with a kiss on the tummy or call them 'baby' long after she knows they are not. The role of goofy sentimental clown may beat in the chest of tough competitor and senior executive. No role based ID scheme can always easily discern which part of that human is presenting herself for system authentication or inspection. AND it is that individual's prerogative-- and often her legal right-- to change her mind.

Where the hell did that come from & why is it relevant, you may ask??

It is the data from our customers and employees that they hold most dear, that is most personal, that allows us to serve them...personally. We cannot and should not always predict that each year of service will equal a greater degree of skill for our employee nor will a new customer always purchase less than the tried & true account. Therein lies the rub of roles, role based management and Identities with a capital I.

I'm not saying that really really good IDm or RBAC is impossible or even that it's not valuable. I am, however, saying that it's tricky and that our developers must look to their software/ hardware platforms, their lawyers, their geography & culture lessons...and perhaps into their hearts just a little bit.

Personal data is, after all, personal.

A little bit of a crazy thought before I head in to read a little Harry Potter to Miss Thang...

Tuesday Mar 04, 2008

Farewell to a friend

This is not a privacy related blog today.

The world is short one more lovely young mother who was also a fellow Sun employee. I wish I had slowed my pace to know her better. I wish that various data traces that remain could describe her life & the impact of her untimely & sudden death.

To the blog o sphere, I send my warm regards. Let us all take time to care about the fellow humans pinging back & forth on the network.

One of my favorite & one of the saddest poems in modern literature. Rest in peace my friend:

A. E. Housman. 1859–

To An Athlete Dying Young

THE time you won your town the race
We chaired you through the market-place;
Man and boy stood cheering by,
And home we brought you shoulder-high.

To-day, the road all runners come,
Shoulder-high we bring you home,
And set you at your threshold down,
Townsman of a stiller town.

Smart lad, to slip betimes away
From fields where glory does not stay,
And early though the laurel grows
It withers quicker than the rose.

Eyes the shady night has shut
Cannot see the record cut,
And silence sounds no worse than cheers
After earth has stopped the ears:

Now you will not swell the rout
Of lads that wore their honours out,
Runners whom renown outran
And the name died before the man.

So set, before its echoes fade,
The fleet foot on the sill of shade,
And hold to the low lintel up
The still-defended challenge-cup.

And round that early-laurelled head
Will flock to gaze the strengthless dead,
And find unwithered on its curls
The garland briefer than a girl's.

Our data may be available for slicing & dicing forever, but our humanity makes all that data actually mean something at the end of the day.

Thursday Feb 14, 2008

Love that Uberpulse!!!

Happy Valentines Day everyone!! My little beasties are sleeping & my sweetie has a nice bottle of wine to go with our take away pizza so this will be a short post.

We had a really fun public facing do at the Sun headquarters over the last two days & the lovely story teller from uberpulse put together this great piece that tells my perspective on the CPO role as it exists today.

We also had some conversation regarding the ethical and organizational dilemmas that face every organization that manages data about other humans.

Check it out:

Privacy, my babies, sweetie & Valentines Day-- doesn't get much better than that for me! What a geek.

Tuesday Jan 22, 2008

Showing too much skin is never attractive.

A quick thought relating to an interesting discussion thread on one of the data policy affinity groups.

The debate began as one of ethics & I pose that question to you out there in the web wilderness:

Is it \*ethical\* to include a search of a potential student/ politician/ employee social networking activities & to include the results of that search in a decision making matrix?

What if the individual never intended the information to be public but shared it intentionally anyway?

What if the data is about legal activities clearly outside of the realm of the academic/ public duties/ employment context?

The answers to these questions are emerging & deserve a longer discussion than I'm in the mood for at the minute, but I thought I would share this interesting perspective from one of the group members (& I quote the idea, not the exact quote):

"The content and context of the disclosure almost don't matter. What matters to me is that this person has made a judgment call that this kind and sensitivity of disclosure is okay. That it is okay for that individual in a personal capacity still makes me question their judgment. This is not someone I would hire if I had other options."

Bottom line, over disclosure may imply bad judgment whether that assumption is true or false.

Trouble is, of course, that your definition of over exposure may be wildly, generationally or culturally different from mine.

To finish this light thought for tonight, I have a silly story exposing a bit of my past life working at a patent litigation firm.

There were almost no women at our firm and thus was I selected to be the lucky person to inform one of the staff that her clothes were a bit (okay outrageously) too revealing. (None of the guys were asked to have this little chat & may, in truth, have been hoping that my little heart to heart with this gal would be unsuccessful.) Since I billed out by the hour & was judged thereby I decided to cut to the chase & just put it to her like this:

"Here's the deal. You have a lovely figure and we have all seen enough of it to be in full agreement on this point. You have seen the written dress code. (We \*had\* one which was a bit weird considering that we were all well out of grammar school.) Here's the bottom line-- so to speak. When you are getting dressed to come to work, if you can't fit underwear \*under\* your clothing, the clothing is too small. If we can see any part that should be covered by said underwear, your bad judgment \*and\* your booty will be hanging out."

Now, \*I\* thought these guidelines were relatively straightforward, but I think she just went out & bought smaller undies. Go figure. Social networking policies, like corporate dress codes, may be the subject of interpretation for some time to come!

A light thought...

Wednesday Dec 12, 2007

SuperWeb? Web 2.0? The Network of YOU? It's got me thinkin'

So, today was one of those days that seemed like it lasted about 30 minutes but was jam packed full of activities. My thought for the day is a peek into one of my typically untypical days...

Before the crack of dawn, our US based team was on a call with our EU team, discussing our own internal systems' virtualization work and the project plan to build in governance to that new way of global business.

At 10am, I sat down for the pre-show warm up with my fellow privacy tribal members, Joanne McNabb from the CA State Office of Privacy Protection, Deirdre Mulligan, Law Professor extraordinaire from Berkeley Law School, Jim Allen, CPO of Agilent, Barb Lawler, CPO of Intuit &, Dr. Moira Gunn of NPR's Tech Nation (she was our moderator).

(This event was also graciously and generously attended by some of the very best of the local industry & government policy makers and practitioners who were not otherwise engaged in Globe trotting.)

WOW. Now, if you're not a full fledged privacy geek like me, you may not realize how very cool that particular group of brains is. You'll have to trust me here. This is Woo-eee time.

Check out for the full video & some other stuff relating to the open door panel discussion of The Network of YOU & how empowered data is changing the people, process and technology equation. To cut to the end of the story-- there is a lot of data flowing all around us. It's up to us to decide as a planet where & how we wish to maintain some control or fall victim. You do have privacy for as long as we have anything to say about it. Join The Movement!

After the media palooza, I crunched my head back into the Sun governance world again to participate in the latest internal Mash Up to discuss the Web2.0 expanded view of where the boundaries of the greater Sun Microsystems communities have yet to be explored, much less governed or measured. To cut to the end of this particular tale-- we're only at the beginning. (Ironic, no?). The expanding enterprise is something to discuss in much greater detail on another day.

5pm & time for an even more intimate meeting with team, budget & vendor. Interesting how much good help is worth & costs in this Network of YOU. Sometimes I feel like it's the world wide purchase order.

7pm & time for books, jammies, diaper change, bath, diaper change, more books and about 1,000 sloppy kisses from my beautiful little ladies & even a few from my sweetie who was kind enough to bring himself and even a few of his data sensitive portfolio company CEOs to our public event today.

It's 9:30 now & the perfect time to reach out to the good folks in Asia before passing out to do something totally different, yet equally exciting tomorrow.

A good day.

Wednesday Dec 05, 2007

Privacy is Possible, but maybe not secrecy in the Network Of YOU

Here's a little vid that someone shot during a discussion we were having about emerging markets and emerging technologies.

The weird head movements I may have to disown, but I endorse the message even when perhaps captured on video for perpetuity:

Check it out! Thanks to!!
