This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2008."
DLP, Database Security and Risk and Policy Management
Though they lacked sufficient responses to merit awards, these important security tools are making their presence felt.
Data Loss Prevention
After coming down a bit from the top of the hype curve, data loss prevention (DLP) is showing signs of maturing as a market.
There has been a flurry of consolidation. Some of the biggest security companies--particularly among endpoint security vendors--validated this market through major acquisitions in the last year or so. The list is striking: Symantec (Vontu), Trend Micro (Provilla), EMC/RSA (Tablus), Raytheon (Oakley Networks) and Websense (PortAuthority). McAfee started the buying stampede by acquiring Israeli company Onigma.
The presence of Symantec, McAfee and Trend Micro in the market underscores the growing focus on the point of data creation, as well as the early attention on monitoring outbound traffic at network egress points. Some vendors, such as Verdasys, base their core technology on monitoring endpoints. They are among the independent companies in the DLP market space, including Vericept, Reconnex, Code Green, Fidelis Security Systems, Workshare, Orchestria, GTB Technologies and Palisade Systems.
Compliance is the primary driver behind companies' interest in buying DLP products, particularly with laws governing the disclosure of breaches involving customer information--at its most basic, flagging suspicious outbound lists of Social Security and/or credit card numbers. In a survey of security professionals by Enterprise Strategy Group, 72 percent of respondents cited government regulations as the key reason for protecting their data, while 62 percent expressed concern for intellectual property. In addition, 53 percent cited industry regulations and better corporate governance.
Database Security
Databases were once secure simply because they were locked away in data centers, pretty much beyond the reach of hackers. No more. Porous Web-based apps expose customer information and sensitive corporate data, leaving them continuously open to attack via the Internet and extranets.
Nonetheless, the prime drivers for the database security market have been regulatory compliance first, security second. For the most part, we're talking about database monitoring/auditing tools from companies like Guardium, Imperva, Tizor Systems, Lumigent, IPLocks, Sentrigo, Embarcadero Technologies and RippleTech. More recently, Symantec has helped validate the market, introducing its own product about 18 months ago.
To a lesser extent, this space includes database encryption, from Protegrity, Voltage, Decru (EMC), nCipher, Vormetric and BitArmor (Ingrian was recently acquired by SafeNet), and vulnerability assessment from the likes of Application Security, Inc. and Next Generation Security Software.
Native database security from Oracle, Microsoft and others has improved, especially in role-based access controls, but lacks the auditing capabilities and cross-platform reach of these third-party tools.
This was first published in April 2008