Database security products: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
The purpose of database security tools is to provide more complete protection of relational database management system offerings, beyond the security features that are integrated into those products. Some of these add-ons deliver high-end data, analysis and auditing tools as well. The appeal of database security tools is that they don't alter the database or application, and they result in only minimal performance impacts.
This article compares the strengths and weaknesses of several database security tools: database activity monitoring (DAM), database assessment and transparent database encryption products. The companies and products addressed in this article (shown in the following table) are all highly rated and leaders in the database security sector.
Fortinet FortiDB, IBM Guardium, Imperva SecureSphere and Vormetric Inc. are primarily appliance-driven products. The McAfee products (Database Activity Monitoring and Vulnerability Manager for Databases), HP Security Voltage, Protegrity USA Inc. and Trustwave DbProtect are primarily software-based products, and Oracle Advanced Security is an option with Oracle Database Enterprise Edition.
The database activity monitoring products have similar feature sets: audit policy compliance (Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act and so on), transaction blocking, separation of duties, centrally managed security, advanced reporting and more.
One differentiating factor is the underlying monitoring technology -- how the DAM gathers information -- which is typically via network monitoring, remote monitoring or local agents. Depending on its own technology, one vendor might caution that SQL sniffing performed by network appliances or local agents offers limited visibility and can therefore miss some critical activity. Another may say that server input/output, network load and database performance are affected by agents needing to cache traffic to the local disk or send traffic over the network for analysis. In reality, today's agents are lightweight and typically impact performance by less than 5%, which is acceptable by industry standards. But there's no reliable way to compare the performance of various DAMs other than to test them in your own environment.
The range of supported databases is another factor to consider. Most DAM products can monitor Oracle, Microsoft SQL Server, IBM DB2, MySQL and Sybase, but some provide support for many more databases. Imperva SecureSphere adds IBM IMS, IBM Informix, IBM Netezza, MongoDB, PostgreSQL, Progress OpenEdge and Teradata to its list. However, vendors continually upgrade their products to be more inclusive and don't always have the most current information on their websites. So be sure to ask each vendor for a current list of supported databases.
Database assessment add-on tools check database configuration settings and patch levels to uncover vulnerabilities, and some integrate with DAM products for alerting and activity blocking. Assessment add-ons can be critical to database security because of the depth of inspection and reporting they offer, which is often lacking in database applications. Fortinet FortiDB, Trustwave DbProtect and Imperva SecureSphere include vulnerability management for databases, whereas IBM Guardium and McAfee sell it as a separate product.
For transparent database encryption, end-to-end protection, centralized policy management, scalability and minimal performance impact are important criteria. In this respect, Vormetric and HP Security Voltage shine. Both products are highly scalable and provide strong data encryption. Vormetric provides file system and volume encryption as well as access control. Voltage's data-centric security encrypts any kind of data element (payment card numbers, personally identifiable information), which includes variable-length strings, numbers, dates, and more. Vormetric edges out Voltage regarding the variety of supported databases and platforms -- Vormetric can encrypt nearly any type of database on Windows, Linux and Unix platforms.
Oracle offers table- and column-level protection, and Protegrity secures data at the application, file, database and column levels.
Ease of deployment and use
Appliance-based products, by design, tend to be fairly easy to install. That said, the more complex products, such as IBM Guardium and Imperva SecureSphere, can take weeks to deploy and properly configure.
Fortinet FortiDB appliances, on the other hand, get high ratings for simple deployment and setup -- organizations can begin monitoring a database within an hour of unpacking the box. The main configuration steps involve specifying an IP address range, selecting the type of database server to monitor, choosing a port range, and entering a username and password. Auto discovery takes it from there.
Among the software-based database activity monitoring and assessment products, the McAfee products' setup is wizard-driven and very easy to configure. The Trustwave DbProtect dashboard, meanwhile, is crisp and well-organized, and the product provides great performance charts as well as operational and compliance reports.
Setting up transparent database encryption is a complex process. Vormetric, Voltage and Protegrity require installation and configuration of a management console and agents. Because Oracle Advanced Security is an option in Oracle Database Enterprise Edition, installation is minimal. However, transparent database encryption requires significant policy configuration and keystore setup. In this respect, Vormetric, Voltage and Protegrity make use of graphical user interfaces (GUIs), whereas Oracle configuration is performed at the command-line interface or through a GUI.
As for demo and evaluation units, all of the vendors let potential customers try an evaluation unit in their own environment. Fortinet and Vormetric also offer online demos. Regarding HP Security Voltage, organizations have to get in touch with a sales rep to request a demo -- unlike the other vendors, the option to request a demo isn't readily available from the HP website. Organizations can download a trial of McAfee Database Activity Monitoring and McAfee Vulnerability Manager for Databases for free.
Database security tools pricing varies greatly, in both dollar amount and how the product is sold or licensed.
Regarding database monitoring and assessment products, Fortinet offers the most straightforward pricing. For example, Fortinet FortiDB appliances cost $15,000 to $37,000, and annual upgrade subscriptions and enhanced support add $3,700 to over $9,000 to the cost.
By contrast, Imperva SecureSphere Database Activity Monitoring is licensed by database transaction volume, so price varies based on the environment. With this model, a customer purchases only what's needed and can scale up or down as database activity monitoring needs change. The platform requires a virtual or hardware appliance and management server; the cost of a low-end hardware appliance alone starts around $30,000 and scales up to over $85,000 for higher-end units.
Some of the products, like McAfee Database Activity Monitoring and IBM Guardium, base pricing on the number of processor cores. In those cases, the companies prefer potential customers to contact the vendor or a reseller for specific pricing.
Pricing for transparent encryption is equally diverse. For example, Protegrity Database Protector is one of the highest priced products but is fairly clear-cut. Protegrity licenses its product for several different types of databases. The Protegrity Oracle Database Protector, for example, costs approximately $17,000 annually for a two-year license, or $45,000 for a perpetual license. And the management console -- Enterprise Security Administrator -- costs about $32,000 (two-year term) to $84,500 (perpetual) for a single environment.
In comparison, Oracle Advanced Security pricing is much more complex. The company sells Named User Plus agreements for smaller environments or Enterprise Edition per-core licenses for larger environments. Under a Named User Plus agreement, customers must purchase 25 licenses per processor, which cost $300 total, plus $66 for software updates, licensing and support. Enterprise Edition per-core licensing runs $15,000, plus $3,300 for software updates, licensing and support. Surprisingly, you can order Oracle Advanced Security licenses directly from the Oracle website.
All of the companies offer standard support via phone, email or a customer portal, as well as free access to Web knowledge bases. Standard support is typically Monday through Friday during business hours with a four-hour response time. Premium support with 24x7x365 access and various levels of response time is available, typically at thousands of dollars per package.
Budget is often the primary criterion in any security product purchase, but database security tools' purchasing metrics vary significantly. Deciding factors are whether an add-on product has all required features, how it performs in an organization's environment, and how much effort is required to set up and maintain the product.
Begin the vendor vetting process with a detailed list of features that your organization requires, then talk to vendor reps, get evaluation units or trial software, test the products in-house, and request accurate pricing for your particular environment. Then weigh the costs against completeness of feature set, ease of use and performance.
Fortinet and McAfee rank high on ease of use and cost for database monitoring and assessment, but they might not meet all of an organization's requirements. For transparent database encryption, Vormetric, HP Security Voltage and Protegrity edge out Oracle Advanced Security on ease of use and/or pricing simplicity.
Once you have a short list of products, evaluate each vendor's longevity in the market. The database security sector has experienced a lot of churn over the last two to three years, with some companies making several strategic purchases and forming partnerships with cloud service providers, while others have been scooped up by the competition. It may be best to avoid vendors that are being acquired or are struggling to grow.
Be sure to check out the other features in this series: Part one is an introduction to database security tools for the enterprise. Part two defines four scenarios for deploying database security tools in the enterprise. Part three outlines nine steps you should take before purchasing database security products.