Database security products: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
IBM acquired Guardium in 2009, rebranding its database security tools as IBM InfoSphere Guardium. IBM InfoSphere Guardium Data Activity Monitor continuously monitors databases and access in the enterprise; IBM InfoSphere Guardium Vulnerability Assessment scans databases and their infrastructures for vulnerabilities.
IBM Guardium products are available as hardware appliances or as software. Appliances contain all necessary software out of the box. The software version comes as an image that an administrator can deploy as a VMware virtual appliance or on customer-owned hardware. Guardium supports a wide range of databases, including IBM DB products, Oracle, Microsoft SQL Server, Microsoft SharePoint, PostgreSQL, Sybase, Teradata, Cloudera, MongoDB and more.
IBM InfoSphere Guardium Data Activity Monitor product features
IBM Guardium Data Activity Monitor offers continuous, real-time, policy-based monitoring of database activities, including privileged user actions. Operating system-based agents discover databases and collect data transactions and activity across the network for in-house personnel and contractors. Predefined security policies let administrators trigger alerts when sensitive data is accessed, and block access if necessary.
Guardium Database Activity Monitor comes with many different preconfigured reports for Sarbanes-Oxley, PCI DSS and data privacy. Compliance audit trails cannot be changed and enable separation of duties. A feature called Integrated Compliance Workflow Automation lets administrators automatically distribute reports to an auditing team and get sign-offs.
The product also includes database traffic filtering, data classification, change control and group management with whitelists and blacklists.
IBM Guardium Database Activity Monitor also extends to big data environments and data warehouses, as well as file shares.
IBM InfoSphere Guardium Vulnerability product features
IBM InfoSphere Guardium Vulnerability Assessment (VA) comes with hundreds of vulnerability scans (or tests) that are preconfigured to work with the Center for Internet Security (CIS), the Defense Information Systems Agency's Security Technical Implementation Guide (STIG) and Common Vulnerabilities and Exposures standards. IBM claims that a VA test wraps up within minutes without impacting the performance of production databases. The product also includes built-in support for best practices such as those for CIS, STIG and Security Content Automation Protocol (SCAP). The Compliance Workflow Automation feature enables scans to be scheduled and run automatically.
Administrators can run either platform-specific static tests or dynamic tests. Static tests are run on a specific database and find insecure configurations; dynamic tests look for "behavioral" vulnerabilities like account sharing and excessive administrative logins.
Note: You can download a 30-day demo of Guardium Vulnerability Assessment to run in your own environment.
Pricing and licensing
IBM bases Guardium pricing on the number of processor cores (called capacity-based licensing), which can be complicated to sort through. IBM uses the term processor value unit (PVU) as a unit of measure for licensing purposes; the number of required PVU "entitlements" depends on the type of processor technology in use and the number of processors to be licensed. Per IBM, a processor refers to each processor core on a chip, so a dual-core processor has two processor cores.
Prospective customers must contact an IBM sales representative for pricing information specific to their environments.
IBM offers a well-developed online knowledge base and forums, but documentation for Guardium products can be difficult, if not impossible, to find without purchasing the product. Software subscriptions and support are included in the product price for the first year.
Part one of this series examines the basics of database security in the enterprise
Part two of this series looks at enterprise deployment scenarios for database security tools
Part three of this series offers nine steps for purchasing database security software
Part four of this series compares the top database security tools in the industry