Feature

Database security, software appliances review: Readers Choice Awards


This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."


In the trenches


The heart of the business

Databases contain the lifeblood of your business; preventing data breaches and satisfying demanding auditors can be a resource-draining exercise in frustration without the right tools.


Security is at the core of all operations when you're in the business of producing enriched uranium for commercial power plants, but as a publicly traded company, USEC faces the same challenges as other corporations satisfying SOX requirements for strong controls over its financial databases.

"We had to monitor access to privileged accounts, primarily for financial systems," says David Vordick, USEC's CIO. "We had to be sure of our internal controls for privileged users, primarily DBAs, to be sure they weren't misusing that right.

"Our SOX audit has gone well," says Vordick, who has been using Guardium's SQL Guard database monitoring and auditing tools for about 18 months. "The technology was a key part. The solution is identified in our internal controls, and we had no problems."

Regulatory pressure is driving many corporations to deploy database security tools, and they are keenly aware that an embarrassing breach of sensitive non-public information can severely damage their business.

"We have key databases with phone records, personal information and credit card numbers used by call centers," says Christopher Knauer, vice president of information security for Vonage, which recently deployed RippleTech's Informant database monitoring product. Notably, information security falls under the legal department at the VoIP phone service provider. "At lower levels, access is very restricted, but we have concern at higher levels of access--we want to know exactly what they are doing."

Database security is not for the faint of heart. Even with the best processes and policies in place, organizations are hard-pressed to wade through mountains of logs or crawl through databases without the right tools to verify security controls and expose vulnerabilities, access violations and fraud.

"Our system has 35 schools, large and small. At small schools, the DBA may also be the programmer and the Web master," says Scott Woodison, IT audit manager for the board of regents for the University System of Georgia. Using Application Security's AppDetective database vulnerability assessment tool helps Woodison to act as a roving pen tester throughout the system.

"We had a huge logging problem, devoting an FTE to manually review gigabytes of daily logs and produce reports," says the security manager for a mid-market financial institution. "Auditors were not impressed with manual auditing of 20 to 30 databases and less than thrilled with the accuracy of the human brain to parse through millions of lines from logs."

The financial institution bought Imperva's SecureSphere tools to help bring the process under control.


This was first published in April 2007
