It's that time of the year again. No, I am not writing about the best time in a quarter (which is approaching very fast). It's time for the annual PCI Security Standards Council community meeting. Two years ago the meeting took place in Toronto. Last year in Miami and now in Las Vegas. It is very encouraging to see how the community evolved into a large, influential group. The number of active members and other participants that are passionate about PCI and data protection in general is growing very nicely. As one can imagine, there is a direct correlation between the number of data breaches and compromised credit card records and the number of PCI professionals :-( 

Christopher Novak from Verizon Business provided the (black) color background when he presented the 2009 Data Breach Investigation Report (DBIR), a document that was discussed in detail in different places, including this blog, yet there are some points that should be highlighted as it seems that as PCI gains more momentum we need to continue to educate people about data security challenges:

1. Most breaches and nearly all records stolen are a result of “external sources” activity.
2. 90%+ of breached records attributed to organized crime activity. 
3. Of the 284 million records that were compromised last year, most damages from external sources

(It should be noted however that stats are a funny thing indeed. Conversations I've had with Brian Contos - Imperva's Chief Security Strategist - suggest that a greater number of breaches are actually internally sourced. And if you combine partners along with employees, contractors, etc as  the group considered "insiders" - as they all have elevated levels of trust and access, then the great majority of successful breaches occur from insiders - at least the ones we know about. Brian further suggests that these breaches are a combination of malicious, careless or negligent activity; they aren't all "bad guys."  Finally, Brian sites some stats from InfoSecurityAnalysis.com that show that in many cases - even when the number of attacks from outsiders might be higher, the number of records stolen, and the dollar amounts are much greater when the attack or mistake is from someone within. 

To quote Brian, "When it comes to insiders and outsiders the terms are losing meaning; it's about data security regardless of the source. If we agree that data is valuable and data mostly resides in databases, and we also agree that most users interact with that data via Web applications, then prudence dictates that safeguards be applied at the Web application and database layer."

Okay - so let's get back to Mr. Novack's findings.)

Next month, Oracle will host its annual conference in San Francisco. We will be there of course:

As a person (partially) responsible for Apples iPhone success I now pay close attention to the company. (I traded my BlackBerry for an iPhone about two months ago when they fixed the issues I had, helping Cupertino's gem to sell 5.2 million iPhones last quarter…a 626 percent over a year-ago!) 

Riva Richmond of the Wall Street Journal tells small companies how to to protect themselves against hackers. It's the same story again, but now the Nation's respectable paper adds some protection advises as the attacks are growing. 

Attackers are increasingly infiltrating small businesses' Web sites and using them to quietly drop malicious programs, typically designed to steal personal financial information, onto the computers of visitors, security experts say. Some are also digging around in databases for valuable information or trying to capture e-commerce customers' credit-card numbers.

So Microsoft SQL Services is now Microsoft SQL Azure. 

Effective immediately, SQL Services will be called Microsoft SQL Azure, and SQL Data Services will be Microsoft SQL Azure Database.  

Is there anything behind the name change? Apparently the answer is "no".

This name change doesn’t reflect a change in the products themselves; we will still be providing a powerful relational database foundation to the Azure Services Platform.  

By standardizing our naming conventions, we’re demonstrating the tight integration between the components of the services platform.  More intuitive names also help to reinforce the relationships between our on-premises and cloud solutions. Ultimately, the goal is to drive simplicity and clarity for customers as they consider on-premises and cloud computing approaches for solving their IT needs.

I guess that I'm old school. I'd like to see name changes tied to new releases, additional functionality or any other type of substantial content change that justify a name change.

If you insist on using names as the integration tool, please think about all of those that do not automatically use the word for sky-blue color ("Azure") as "clouds". If simplicity is important to you, use a simple word. At any rate, I would argue that years from now, long after Azure will be renamed,  people will still remember and use the name MSSQL and the delivery method to describe the solution they are using. 

In the previous episode of YFC (the Yummy Food challenge) I won big time. It wasn't difficult to resist chocolate cake (with tons of butter). But this time I was facing a tough opponent. A scientifically engineered steak designed to be perfect. 

Steak won. Big time. It was so good that I asked for dessert. 

Reuters tells us about an upcoming newly developed "easy-to-use, automated software tool that can remotely break into Oracle databases over the Internet to simulate attacks on computer systems" that will be released next week during the Black Hat conference in Las Vegas.

Earlier I wrote about the Accenture 2009 global risk management study. Even though it focused on business risk the ideas, concepts and findings are relevant to Data Risk Management.

Effective risk management is also a matter of using the information derived from risk assessment and analysis to make better and more timely decisions. In this way risk management becomes more than just a matter of mitigation, compliance and control, as important as those processes may be. 

Risk management can become a proactive, continuous initiative focused on creating value and driving growth, not simply a reactive exercise in protecting value or guarding against failure. By optimizing both risks and rewards, companies with an effective and integrated risk management capability link risk and profitability objectives, improve strategic capital decisions and increase shareholder returns. They better coordinate risk measurement, capital allocation, performance assessment and management across the enterprise.  

Not surprising, SecureSphere Data Security Suite and specifically the DAS product were designed with that approach in mind to provide Risk Management capabilities based on data discovery and classification and vulnerability assessment scoring. 

Interesting Accenture survey: The 2009 Global Risk Management Survey results shows that 85% of corporate executives believe their companies need to overhaul their approaches to managing risk. 40% of managers said their organizations had already increased their investments in risk management or planned to do so in the next 6 months; another 31% said their companies were considering future increases in investment. 

Accenture conducted a survey of 260 chief financial officers, chief risk officers and other executives involved with risk management at large companies in 21 countries in Africa, the Asia Pacific region, Europe and North and South America.  The purpose of the survey, which was conducted via the Internet between November 2008 and February 2009, was to understand the challenges companies face with regard to their enterprise risk management capability as well as the approaches, tools and structures that help some companies manage risk more successfully than others.