A Blog dedicated to exploring privacy and technology

Posts Tagged ‘cloud’

Part 2 – Choosing the Assessments

Posted by Wayne on March 2, 2012

Once I had detailed the research questions I next needed to decide what privacy assessments I was going to use. First I looked to the security instruments out there to see what they had and found that several of the common security instruments did have a few questions that pertained to information privacy they were by no means comprehensive. For example the ISO/IEC 27002:2005 instrument has sections on privacy policy management and data classification but is missing specifics on notice, use, or retention as examples. The next place to look was for books on privacy assessments. Again though I found books that contained sections on privacy such as Debra Hermann’s book “Complete Guide to Security and Privacy Metrics” only about 10% of all the metrics listed were US-centric privacy metrics. US-centricity was a self-imposed requirement to managed the scope of this research.

Next approach was to try something that I figured this would be an easy step – run a few searches on the Internet and I’d probably have too many privacy assessments to choose from. Instead what I got was a lot of commercial consulting companies that have all developed their own assessments. Now what? More searches – only directed and emails to friends and friends of friends! I found three that seemed to be pretty good choices and also finding them detailed in an article written by Roger Clarke on Privacy Impact Assessments helped support the use of them.

DHS/DOJ Privacy Impact Assessment – The first one is the only mandated privacy assessment in the US which is mandated by the DHS/DOJ when deploying a new government system (also someone government specific as well). Since it is a privacy impact assessment it is designed to be used as a ‘pre-assessment’ before a system is implemented. I couldn’t determine the provenance of the DHS/DOJ PIA but I had to assume that it is a ‘best practice’ and is reviewed by the office of the CPO. Also the DHS/DOJ PIA only has 40 questions in it making it the briefest of assessments.

ISO/IEC 22307:2008 Financial Services Privacy Impact Assessment – This is an international standard and is financial services biased. It is also a pre-assessment instrument and has a total of 102 questions. I had to purchase this assessment for my research from ANSI who manages ISO standards here in the US.

SharedAssessments Privacy Assessment – Shared Assessments is a not-for-profit group that was created by leading financial institutions and accounting firms. The instrument I used was an earlier version and was freely available. However if you wish to access the tools today you have to become a member.The SharedAssessments tool that I used has 127 questions.

So these the three assessments I used. In my next post I’ll talk about the cloud providers I choose and why.



p.s. There is a bit of irony that I want to mention – a complete book on privacy impact assessments was published just recently that may be useful if you are interested in knowing more about this topic: Privacy Impact Assessment (Law, Governance, and Technology Series).

Posted in cloud, privacy, risk, Uncategorized | Tagged: , , , | Leave a Comment »

Part 1- An Introduction to my Dissertation Research

Posted by Wayne on February 11, 2012

Over the next few months I’ll finally be able to come out of hiding … not that I’ve been doing anything stealthy or that exciting even. I’ve been working on completing the hardest thing I’ve ever under taken in my life – a PhD. Four and a half calendar years and literally well over a thousand hours of time. For some I guess this is something they know they are going to do when they are young and full of energy and strong of heart and mind but for me this was my mid-life-crises.

Anyway – the coolest outcomes are: I definitely think a little different about things and the research that I got to do has some interesting and (I think) valuable results.

My initial goal was to do something epic, far reaching, and somehow alter the way we think about things. Did I accomplish that? Yes for me I did. I had some outstanding help from some great minds on my dissertation committee that helped me to explore a few things that will add to the science regarding privacy. I learned a lot from the body of knowledge already out there, from and about myself, and from those who supported me through the process.

The topic of study was “An Empirical Study of Privacy Risk Assessment Methodologies in Cloud Computing Environments” the initial abstract was published here and it has changed to look more like this. The abstract is not the only thing to change – the hypothesis changed, the research questions changed, and even the methodology changed. Fortunately what didn’t change was the data.

For this post I’m just going to share the research questions:

Q1.Do existing privacy assessment methods adequately assess privacy risk exposures of cloud computing for the enterprise?

Q2.By using the scoring system (outlined in the methodology section) are the new characteristics in cloud computing such as on-demand/self-service, broad network access, measured services, shared resources, and elasticity adequately evaluated or accommodated in existing privacy assessment methods?

The drivers for these questions were based on some basic phenomena that I had observed 4 years ago when I started looking for problems to explore. First and foremost I was (and still am) so excited about cloud computing. In my opinion Cloud is the most interesting technical thing to happen since the 80’s and Vax/VMS clusters ruled the computing world. The second thing that I realized was that privacy was also a domain that seemed to be important and was so incredibly polarizing with my peers in school and colleagues at work. The last thing that I noticed was that we seem to have this blind belief system and trust in assessment methods. Security folk call it checklist compliance – find a good checklist, check things off, and everything will be fine.

In the privacy domain risk assessments are very immature compared to the security world. Also what got me thinking about all this was – who says we’re asking the right questions? When we’re done why can’t we have a risk score like with our credit card score? I found some work done by Dr. George Yee (Estimating the Privacy Protection Capability of a Web Service Provider) that became the basis for my inquiry – how do we get assurances of privacy when we connect with web service providers?

More to come soon …


Posted in cloud, privacy, risk, security, Uncategorized | Tagged: , , , , | Leave a Comment »

Being Mentored

Posted by Wayne on December 2, 2011


Over the decades (yeah – decades) – I’ve had the opportunity to be mentored by many great people all through my career. 25+ years later I still seek out people who can guide and teach me new things and new ways to think. When I first started in the IT business I was a typical wet-behind the ears kid with an extremely curious side to me. I worked as a machinist for a company that made X-Ray equipment. I’d managed to get some college under my belt but wasn’t consistently going to school. I think one reason was I was making enough money to survive and part of it was I really didn’t find the domain I was studying (mechanical engineering) particularly interesting.

At the time the first “home” computers were coming out and I managed to acquire one and became completely infatuated with it. In no time I got pretty good at making it do stuff including things it wasn’t even really designed for (6502 assembly rocks!). One day my companies TRS80 that kept the warehouse inventory on it decided to eat a floppy disk with the inventory. Losing the inventory meant we all had to go home for the day while they tried to figure out what to do. Since I had time on my hands I decieded to go see what was up and offered to try to repair the disk. I ended up writing something that read all the blocks off the disk that were good – which was 99.9% of the inventory. Needless to say – things changed after that – I got offered a job as the system admin of our “mini-computer” almost immediately which was going to run a “real” MRP2 system. I didn’t know anything about mini-computers – but hey! I was now working in the field I really seemed to have a knack for and really was having a lot of fun too.

The manager of the IT department had a PhD and also did real-time microprocessor programming R&D for the companies X-ray systems. Once I got my sea-legs in the new job I started troubleshooting problems. I’d go to his office, ask for help, and he would ask what’s up? I’d explain the problem and he would always asked if I looked the error up in the manuals? and those first few times I’d always say no and he’d give me the look over his glasses that sent me on my way. I’d look the error up, chase the possible solutions through the manuals, narrow them down to the 1-2 most likely and go back to his office. He’d ask me what I learned and I’d tell him what I read and what I thought the problem was.

He’d ask how would I prove it was the right solution and he’d listen to me explain the approach and sometimes he would have to make a small adjustment or two so that I didn’t take the systems down or break something.  This went of for a good number of weeks until I realized that I might as well look stuff up, prioritize the solution, and then go tell him what I planned to do. Years later he confessed that he didn’t know any of the answers to my questions – what he did know was how he would go about seeking the answers. At the time I hadn’t realized all he did was mentor and teach me how to solve problems on my own.
My advise is if you are going to spend the time looking for a mentor – find someone who is not close to your skill and capabilit. Find someone who will stretch your abilities the most. Once you hit your stride with their help – you can achieve things beyond what you thought was possible.
I’ve had the benefit of a plethora of mentors I’ve also been able to shape my career from what I learned from them. I am, and always will be,  incredibly grateful and indebted to all of them. Just four years ago I started work on a PhD and decided I wanted to find a sponsor at work who would provide some guidance and oversight for my research. After knocking on more than twenty doors, and dozens of  meetings/calls, I found someone who was willing to shepherd my research and take on the added responsibility of being on my dissertation committee. He is one of the giants in the security industry, Dr.  Burton Kaliski, founding scientist at RSA. For over two years he mentored me as a budding researcher and scientist. Most recently I’ve been working on several patents in privacy and once again I reached out to someone who knows a lot the innovation process – Steve Todd EMC Distinquished Engineer. Steve has written two books on the topic and has over 15o patents filed, making him one of the most prolific inventors I’ve ever met. Both of these people are giants in the areas I wanted to learn more about.
In grad school I took a leadership course that taught us that to be a good leader you also had to be a good follower. In my next post I’ll share my thoughts on taking on the roll of mentoring and why I believe that if your are going to have a mentor find a way to give back and mentor someone yourself.


Posted in Mentor | Tagged: , , , | Leave a Comment »

Why Privately Exposed?

Posted by Wayne on October 3, 2009

Seems to me like privacy issues come up every day in the news whether it is good news, bad news, or just new regulations and laws about privacy – it is becoming harder to hide or be off the grid. I just googled the word privacy and got over 1 billion hits! The UK has installed over 10,000 cameras in 32 boroughs (dated 2007) and Washington DC has a penchant for the same type of privacy invasion with CCTV cameras appearing on every corner, at all public transport sites, all government buildings, etc

Add to this the fact that our lives are becoming a mere shadow of our digital existence and it quickly becomes an area that I think we should be paying close attention to. Security provides the instruments needed to protect our privacy – and privacy is information about us that we choose to share, we understand where that information is going to be seen and used, how it will be combined with other information, where it will be stored, how long it will be kept around, and have choices/consent when all this will happen with OUR information.

Add to that the “cloud computing” phenomena and now you have some really smart people scratching their heads about privacy in this new computing paradigm. What happens when information that used to be inside the chinese wall of the enterprise are now sitting in a 3rd party providers data center? Does the Patriot Act come into play in a different way than it did when the data was inside the enterprise? What about the use of 3rd parties that use 3rd parties? Do the protections flow with an “inheritance clause” or is each sub-level of agreement treated with a new service level and privacy protection level?

Like I said – the good news is some really smart people are spending a lot of time discussing  and working towards solving these issues – from government to academia to the enterprise. My hope is to help expose some of the good and bad of what is going on in the privacy domain (especially as it relates to cloud and the enterprise), put my opinion out there, show what I find in the research, and together we can come away with a new consensus on how to proceed.

Also – be warned – I’m here to learn and use what I learn in my research for my doctorate and beyond so I may want to contact you directly if you comment to find out more from you!


Posted in Uncategorized | Tagged: , , , , | Leave a Comment »

%d bloggers like this: