The news of the password breach at LinkedIn connects to my pursuit of cloud and security topics this week at HP Discover.

If your password was compromised at LinkedIn, that's bad news. It's worse news if you use that same password for lots of stuff. Your other accounts could be compromised too.

Some would argue that a password manager solves the problem, because it lets you have different passwords everywhere. If your LinkedIn password is compromised, a password manager contains the impact to LinkedIn. All you have to remember is a single master password. One password that grants access to all your accounts? Hmmm. Sure, the actual login password varies from site to site, but if your master password is compromised, they're all compromised. One Password to rule them all, One Password to find them, One Password to bring them all and in the darkness bind them.

Of course, you can make that one master password as long and complex as you can remember. Oops, there's that memory thing again. A fundamental problem with any password is that password crackers ride the Moore's Law wave (doubling in power every couple of years), but as a species we're not getting any better at remembering passwords. As individuals we get worse over time, thanks to age-related memory impairment (if I remember correctly). A weak master password is easier to break, and a strong master password is easier to forget.

There's also the question of where your password manager stores its data. You're paralyzed if it's not available. If the app and its data are on your laptop or your smartphone, you're out of luck if you don't have your device with you or the battery has died. You're in worse shape if your device is toast or lost and you don't have a backup.

Is there a cloud answer? A cloud-based password manager is certainly tempting. But what does the provider do to protect and preserve your data? Are you paralyzed if the cloud provider is not currently available? What if the provider goes out of business? Does it really work with the full range of devices you might find yourself using? These are the kinds of questions that sessions here at HP Discover encourage people to ask about their cloud providers.

My current answer to the password dilemma is a secure password manager that lets you work safely from any device you might use, and that also lets you keep both local and cloud copies. I made myself memorize a long, hairy master password, randomly generated at passwordcard.org. But I'm still officially nervous at having one master password that grants access to lots of stuff.

The keynote speaker for HP Discover 2012 today was Chris Anderson, editor-in-chief of Wired Magazine. His theme was the IT expectations of those he calls "the new creative class” – those who grew up with technology. Frankly, when topics like this arise, I've seen lots of fluff and pabulum about millennials and boomers. But not this time. This was a good talk.

Chris observed that until the last several years, the IT capabilities at work generally exceeded the IT capabilities most people had at home. The workplace had better networks, better printers, better computers. Now, the roles are reversed and the trend lines have crossed. People coming into the workforce often have cooler toys and fewer limitations compared to what they find at work. Going to work feels like a technology downgrade to more and more people. Innovation in consumer IT has outpaced innovation in business IT.

Chris's challenge to this IT audience was to get that trend line for business IT to start catching up with consumer IT. He stressed that if the gap gets too big between what people think they can accomplish on their own and what they get at work, and if they see IT as merely "the enforcement arm of the legal department,” they'll stop trusting you and they'll go to other resources to get their work done.

It brought to mind what I've said for years about IT: Does your target audience mostly see your IT services as A) an important contributor to their success, B) a necessary evil, or C) a hindrance on getting their work done. Essentially, Chris's challenge was to work toward the A answer by innovating, and his warning was that you could wind up with the C answer if you don't.

As Chris said, "If there are good reasons for the corporate technology, it has to be competitive.”

One of Chris's injunctions was that if you provide technology that people would take out in public, don't make it something they'd be embarrassed to have. Personal technology has become a "personal statement” for many people, and there's no one solution that will suit everyone's personal statement. See also my recent posting on BYOD.

He described the expectation that you'll have access to your resources wherever you go, which argues for cloud-based services and connective personal devices. He quoted Buckaroo Banzai (and called it a favorite movie, which shows he's a fine human being). Actually, I must be picky: he misquoted Buckaroo Banzai. He said, "Wherever you go, there you are.” The actual quote is "No matter where you go, there you are.” But we'll let this one slide. :-) (Yes, I've seen the movie. Several times.)

Chris also talked about the unstructured, adaptive nature of current consumer technologies. A smartphone app doesn't try to solve lots of problems. It tries to do one thing well. Google doesn't try to pre-categorize everything; it adapts to what it finds. This can run counter to older IT practices of taking a more one-size-fits-all, more rigid approach to IT solutions.

Chris's talk resonated with me, but I'll also note that after many years in federal contractor environments, I know many senior executives who lose sleep at night over the prospect of highly sensitive data inadvertently becoming accessible anywhere anytime. Cloud security is a main theme I'll be pursuing in sessions this week.

After Chris Spoke, Rich Geraffo (Senior Vice President and Managing Director, HP Enterprise Business, Americas) wrapped up with "Rich's Top 5 Must-Do List” for the conference: 5) Content. Content. Content. 4) Discover. Discover. Discover. 3) Learn. Learn. Learn. 2) Fun. Fun. Fun. His #1 to-do item for the week tied in with my focus for the week : 1) Network. Network. Network.

Will do.

A main theme for me this week at HP Discover (June 4-8 in Las Vegas) is networking. I'm referring to the people kind of networking in particular, not just the TCP/IP kind. Or, to borrow a distinction I liked from Mark Minasi, I'm referring to "carbon-based” networking instead of "silicon-based” networking.

I've been involved in user groups, conferences, and other IT professional activities for 30 years. My first computer conference, DECUS, was 30 years ago in Atlanta, in 1982.

As I've been saying for years, networking is a key benefit of these activities. You get to swap insights and perspective with other people who are facing problems you've already faced, or who have already faced problems you're just encountering. Sometimes, you meet people who'll become trusted colleagues for years to come. For me this year, a problem I'm facing is that my job was eliminated, so I'm making sure I stay in touch with my network. But as I mentioned in an earlier post (Networking at HP Discover), networking is networking, whether it's in support of a job search or your current job.

I thought I'd share a few ways that I'm using my iPhone in particular to support my networking activities.

Contacts Journal

The iPhone app that has become the centerpiece of my networking efforts is Contacts Journal by Zaal LLC. I'm using the full, paid version, currently $7.99 at the Apple App Store, but for the record I have no financial interest in Zaal or Apple.

I consider Contacts Journal "CRM Lite,” meaning it's great for individual use. I wouldn't use it for a corporate CRM solution.

What do I like about Contacts Journal? It gives me a way to track my interactions with my contacts. For each contact I create or import, I can keep a log of my interactions, I can set up to-do items, and I can attach documents. From within the app, I can call, text, or email a contact.

Logs

The log feature is nice. I can make notes on any interaction. I can make the entries after the fact and assign the correct date and time to them. There's a customizable menu of interaction types (meeting, call, lunch, email, etc.) to help me see at a glance how the interactions have taken place. When I open up a given contact, I can quickly skim that person's log. I can add, modify, and delete entries.

I can also view my log entries across all contacts. I'll do this when I want to review my recent networking activities.

A small downside of the log feature is that it's all manual. Incoming and outgoing calls, texts, and emails aren't automatically logged. You have to enter them manually. You can pick and choose what to log, which isn't a bad thing, but you have to remember to do it.

To-Do Items

The to-do list is another nice feature. If I get an email asking for follow-up, I create a to-do item tied to that contact. Like the log feature, I can skim the to-do items per contact, or I can get an overall view of all my to-do items. I can mark them completed when I'm done. A to-do item can have a due date and time, and a location. It can be a recurring item, and you can have the app alert you before or when the item is due. You can link an item into the iPhone Calendar. The recurring and alerting options are comparable to what you find in the iPhone Calendar. That's not as flexible as what you find in Week Calendar, a very useful calendar app, but it's still helpful.

Unlike a full-bore CRM system, Contacts Journal doesn't send you automatic ticklers like "You haven't contacted Ed in 4 weeks.” It's up to you to add your own to-do items and to review your logs.

Document Attachments

The document attachments are helpful in a few ways. The obvious use is to keep certain documents with certain people. There's no group document feature, though. You tie a particular document to a particular contact. One of my use cases is that is that I keep my resume and related documents attached to myself in the contact list, so I have them at my fingertips when I need them.

That leads me to another nice feature in Contacts Journal. You can create an email with the document attached. It does only one document at a time (one document, one email), but that's more than you can do with the iPhone email tool. Disappointingly, Dropbox doesn't give you an option for emailing a document, either. Contacts Journal fills that gap.

Reliability

Speaking of Dropbox… Contacts Journal uses Dropbox for backups and restores. It tells you clearly when you've got stuff to back up.

If you don't, won't, or can't use Dropbox, you can also back up Contacts Journal in an email attachment.

You can back up and restore across devices: back up on one, restore to another, and you've got manually synched data. That wouldn't scale well if lots of people want to use the same data, but it's handy if you've got an iPhone and an iPad.

Another thing I like about Contacts Journal is that it's very reliable. It has never crashed on me and it has never lost data. (Hey, what's that noise my iPhone just made???)

Integration With Contacts

Contacts Journal integrates with the iPhone Contacts tool. You can import from Contacts into Contacts Journal, en masse or selectively. In the other direction, any contact you create in Contacts Journal is created in Contacts. That's helpful if you want other apps to recognize contacts you're managing in Contacts Journal.

It's a Handy Tool

Those are my highlights of how I use Contacts Journal. It's my main networking tool on my iPhone. It doesn't scale into a corporate solution, but it's been very useful for me on an individual level.

I've got other iPhone apps in my networking toolbox, but I'll comment on those some other time (especially if there's interest).

Go for it, but proceed wisely. Be your own driver, and make it happen, and make it happen sensibly. Go for a device-neutral solution. Three recent articles help illustrate my point.

The UK government has approved the BlackBerry 7 OS at the Restricted level. That's Impact Level 3 (out of 6) in the UK, but there's still some rather sensitive stuff at that level. In a couple of ways, this news is pretty cool. It means the version 7 OS is taking security seriously enough to handle sensitive data. It shows that smart devices won't necessarily bring an end to civilization as we know it.

The problem, though, is that if you go nuts rolling out BlackBerry devices because of the extra security, you've locked yourself into one vendor's solution – when BlackBerry's future is often questioned. And then the audience you serve is going to look at you funny and ask, "You thought BYOD meant I wanted a BlackBerry???” The smart device market is still too wild and woolly to let you single out one device that'll be the One Best Choice for the next few years.

These other two recent items raise legitimately scary aspects of BYOD policies. They can lead you to suspect that BYOD = BOYD (Bring Your Own Device = Bring Out Your Dead).

CIO Magazine warns, quite rightly, that BYOD Stirs Up Legal Problems. You've got someone who needs assistance, and you wind up in physical possession of their device. Or you've confiscated someone's personal device because you're doing an e-discovery. Not only do you have access to your company's stuff, you have access to the owner's personal stuff on the device, including any accounts they use from their device. Where's their privacy? What if you find something you have no business seeing? What if you find evidence of wrong-doing unrelated to your reason for having the device? What if an impish person on your support staff posts something inappropriate using the owner's Facebook account? What if you lose the device? You can wind up with some dicey legal problems.

That's a minefield. I don't want my staff to be in routine possession of someone else's personal information. If a privacy matter blows up, I sure wouldn't want to be the one who was responsible for the device.

The minefield, however, comes from a fundamentally risky and unnecessary assumption: that the only way to get access to the company's data is to get full access to the entire device. That doesn't have to be the case. Use a "sandbox” app that isolates itself from the rest of the device with its own authentication and its own encryption. You don't know or care what else might be on the device. You manage the app, not the whole device. You do a remote wipe (when needed) on the sandbox, not the whole device.

The third item of interest is a column from Network World: Smartphone security is heading for 'apocalypse'. As the column points out, the drive to roll out new end-user features means that some fundamental security problems remain unfixed.

Here, too, the answer is to get an app that handles its own authentication and encryption, without worrying about what else is going on with the device. It may well take an apocalyptic event to get everyone's attention, but in the meantime, tighten up your focus so you're protecting only your company's data instead of waiting for the smart device industry to do a major security overhaul.

Go for it, and work up a sensible BYOD policy and a sensible BYOD solution. Be your own driver for BYOD. Get ready for the cheering crowd.

Among IT people I know through Connect and other organizations, opinions on "the cloud” range from "If you're not already doing it or exploring it, there's something wrong with you” to "What? Let some stranger look after my data?” and various points in between.

By the way, one of the big advantages of groups like Connect is that you get a sense of context. You get to find out what your peers are running into – what's easy and what's hard, the benefits and the gotchas. Their experiences can be illuminating even if it's just to highlight how your situation differs from theirs. That sense of context is helpful to me in executing my job, and it also gives me credibility within my organization if I know what other organizations are doing.

So let me share our context at CNA.

The Appeal

At CNA, the appeal of cloud-based solutions doesn't come from calling them cloud-based solutions.

Most of our senior management would have no idea what you're talking about if you offered up "cloud computing” or "cloud services.” To me, this is not a sign of cluelessness on their part. It's a sign that the label covers so much territory that it doesn't clearly mean one particular thing to the world at large. When we talk to upper management about cloud services, we have to be clear about particular offerings without relying on buzzwords.

What does appeal to them? Sometimes it's the infrastructure we won't have to maintain. Sometimes it's the availability of services, because we're not fully staffed 24x7 for all services. Sometimes it's the capabilities we're not staffed to offer.

Some articles claim cloud solutions are cheaper, more scalable, more flexible, more mobile, or quicker to implement. From what I've seen, those aren't universally true. The usual "Your mileage may vary” disclaimer applies. Certain solutions will have some or all of those attributes, but to assume they're a given for anything that invokes the "cloud” label is a mistake. Note to providers: Don't come in telling us it'll be all those things before you know anything about us and our requirements.

The Worries

Cloud solutions create instant worries for our senior management.

A big worry is "What if there's a spill?” That is, what if one of our employees puts data where it shouldn't be? For sensitive data spills, we're under strict requirements about how to do the clean-up, and how to show outside agencies that a proper clean-up occurred. If it happens on our equipment, we know where it's been, and chances are that everyone who had physical access to it was sufficiently cleared anyway. If it happens on some service provider's equipment, we might not know where it's been, the provider might not be able to vouch for the clean-up operation sufficiently, and chances are that those who have physical access to the equipment aren't cleared to the appropriate level. The provider's staff may well be cleared sufficiently for what's supposed to be there, but not for the stuff that's not supposed to be there. It's not their fault if our employees mess up like that, but it's our necks on the line.

On security overall, a worry is whether the controls described by the presales team match reality. We've seen it before, when the intended security policy and the actual security policy are only distant cousins.

Another worry is integration with our other solutions. How do we identify access levels? Would we have to manage a whole new set of user IDs and permissions? Will we be able to do data exchange between the cloud service and other apps we're using? So far, the cloud solutions that have the best shot here are the ones that are largely self-contained, requiring little integration with anything else we're doing.

Another worry is the likely stability and longevity of the service and the provider. What happens to our data if relations sour with the provider? What happens to our data if the provider goes out of business? What's the impact on us if the provider decides to stop offering this service?

The worries don't mean we won't do it, but they're the things people lose sleep over.

The Reality

We do indeed use some cloud-based services. So far, they tend to be self-contained and they carry relatively low risk for the organization. We also have some services that absolutely won't be sent out to the cloud.

At CNA, prospective offerings neither automatically win nor automatically lose by being cloud-based. Like anyone who wants win our business, prospective cloud solutions need to cover the "ibbles” appropriately: affordable, securable, flexible, reliable, scalable, usable, and manageable.