Article

Compliance, data breaches heighten database security needs

Neil Roiter

Not that long ago, "database security" was almost an oxymoron, but today, demanding auditors and the drumbeat of customer information breaches are forcing corporations to pay serious attention to who has access to sensitive data and what their doing with it.

    Requires Free Membership to View

The database itself is not intelligent enough to see suspicious activity over the wire or if authorized user is executing a command a million times.
Noel Yuhanna,
principal analystForrester Research

That's good news for security managers, who are now getting boardroom attention, and database security vendors, who are seeing increasing interest in this still small (generally estimated at less than $100 million for third-party products), but growing market.

"Many of the companies in this space have been growing 100 percent a year for a couple of years," said Andrew Jaquith, a senior analyst at Boston-based Yankee Group. "They'll probably double again in 2007. It's a big area in funding priorities."

This market includes three product categories:

  • Database monitoring/auditing: Companies use these to watch for unauthorized or unusual access activity, and produce comprehensive audit reports without hundreds or thousands of man hours poring through logs. Vendors include Application Security, Inc., Embarcadero, Guardium, Imperva, IPLocks. Lumigent technologies, RippleTech, Sentrigo, Symantec and Tizor Systems. "The database itself is not intelligent enough to see suspicious activity over the wire or if authorized user is executing a command a million times," said Noel Yuhanna, a principal analyst at Cambridge, Mass.-based Forrester Research. "That's why you have to have these tools."
  • Vulnerability assessment: Specialized VA scanners, from companies like Application Security and Next Generation Software, that assess the security strength of databases, detecting security holes and misconfigurations.
  • Encryption: Highly granular encryption with centralized administration and policy creation and strong key management. Vendors include Protegrity, Ingrian Networks and Application Security.

The market growth is fueled by heightened security sensitivity, as one spectacular breach disclosure after another undermines customer confidence, and demanding, albeit somewhat vague, regulatory compliance pressures.

"The single biggest driver has been SOX; it's changed the audit requirements for companies, and we're seeing a little bit of PCI," said Rich Mogull, a research vice president at Stamford, Conn.-based Gartner Inc. "Although the regulations don't specifically call out the things we're talking about, they definitively nudge you in that direction."

The fundamental driver isn't auditors per se," Jaquith said. "It's embarrassment and reputation risk."

Database platforms lack the robust native encryption, monitoring, assessment and management tools to meet these demanding new security requirements. Further, large, heterogeneous organizations often have multiple database platforms. Oracle and Microsoft SQL Server are getting better, but still have a long way to go.

Database security:
Database security undermined by protocol loopholes, lax defenses: A security expert warns database administrators about a continued loophole in database communication protocols.

Black Hat 2007: Forensics software security holes revealed: Researchers from iSEC Partners tell the Black Hat 2007 audience that the industry's leading forensics software is susceptible to attack.

Black Hat 2007: New database forensics tool could aid data breach cases: Database security researcher, David Litchfield of UK-based NGS Software will release a free Forensic Examiners Database Scalpel, he says could aid data breach investigations.

Database authentication, encryption getting priority in some businesses: While more organizations are seeking database authentication and encryption technologies, others are turning to database monitoring to secure data.

"There is a lot of space in the next year to see much more activity from database vendors, either by partnering or own their own," said Charles Kolodgy, a research director at Framingham, Mass.-based IDC.

Yuhanna sees clear signs that the monitoring and auditing market is stepping up to the next level, now that companies are convinced of their value. He expects to see large companies investing in deployments of 50 to 100 appliances.

On the other hand, database encryption is still relatively low on the list of solutions, despite concerns about data theft and the exemption of encrypted data under most state breach disclosure laws. Despite improved tools, it's still difficult to deploy and manage. Analysts caution that database encryption is a two-three-year project. Legacy systems are particularly tough.

"Database encryption was third on people's list to buy," though the market will continue to grow, Kolodgy said. "No one does encryption on a whim. There has to be a clear understanding of need; a clear delineation."

"I would say only 5% are doing encryption at the database level," Yuhanna said. "It's too difficult."

An important part of implementing encryption is selectivity, knowing what needs to be protected. For example, you can encrypt customer credit card and Social Security numbers, but leave names and addresses in plain text.

Analysts differ a bit in their recommendations, but generally suggest activity monitoring, which could give the most return on investment. Selective field level encryption is also recommended.

"Determine what kind of sensitive information you have, what kind of databases and how many," Jaquith said. "Simply walking around and querying databases is helpful, but you need empirical evidence. Use scanning tool to survey your data and figure what's sensitive."

"Sensitive customer information is like asbestos," he said. "We've been building housing with it for years and only recently discovered its toxic when airborne."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: