The IBM acquisition of Guardium Inc., a privately-held database activity monitoring (DAM) vendor, is far from a validation statement of DAM as a viable security market segment.
Vendors including Embarcadero Technologies Inc., IPLocks (acquired by Fortinet Inc.), Lumigent Technologies Inc., Symantec Corp. and Tizor Systems Inc. (acquired by Netezza Corp.), have already given up on the DAM space, leaving companies such as Application Security Inc., Imperva Inc., Secerno Inc. and Sentrigo Inc. fighting to divvy up a total annual market of well less than $100 million. The IBM acquisition of Guardium helps the company gain information management technology and a capability to drive professional service revenues in the data center.
While the database activity monitoring segment has been hyped, it is a functionality that has only a marginal impact on data security and ultimately should be supplied by the database vendors to make it easy for IT to audit activity. Imperva Inc., a Guardium competitor, commissioned a research survey asking respondents to select technologies that enable PCI DSS compliance and then to rate the relative cost effectiveness with respect to achieving PCI DSS compliance.
According to the report, only 18% considered database scanning and monitoring highly cost effective for PCI DSS compliance -- ranking 15 out of 18 security technologies surveyed. In fact, almost half (49%) gave DAM a low rating for cost effectiveness in enabling PCI DSS compliance. Database activity monitoring had its roots in inspection of SQL traffic for indications of data loss. However, most database access is through an application path which has its own security mechanisms. There are other ways of looking at this acquisition other than an endorsement of DAM features.
IBM security acquisitions drive service revenues. IBM's most recent security acquisitions, Consul Risk Management Inc., Datapower, Internet Security Systems, Ounce Labs Inc. and Watchfire Corp., generate data that can be used by IBM consultants in business context and eventually can be integrated into core IBM products. Guardium helps discover databases and profiles, identify troublesome connection requests and anomalous usage patterns that can add technical controls that enhance IBM's information management business.
Sometimes industry analysts and the trade press get it wrong. The DAM market was hyped well ahead of actual customer requirements and well beyond the track record of early entrants to the space. The requirements shifted from appliances augmenting IBM DB2, Microsoft SQL Server and Oracle auditing to software agents enforcing tight controls over privileged operators. While there are useful security features, for the most part the market definition and expectations set by analysts did not match the reality of the enterprise IT.
Security technology needs to evolve into the infrastructure to be effective and efficient. New security concepts are often necessarily layered on existing infrastructures to lessen side-effects on applications while the security technology and administration procedures mature. However, over time selective capabilities such as database activity monitoring should be assimilated into database systems and application designs to improve performance and reduce overhead costs.
The acquisition of Guardium by the information management practice at IBM is a good move for both companies. The timing is right as Guardium would be challenged to grow to the next level and IBM can solve customer problems within an IBM-based data center. This move by IBM and the recent Fortinet IPO are terrific news for security entrepreneurs looking forward to a profitable exit. Imperva has an interesting and comprehensive approach to application and information security, but it now has to wonder if it is the last vendor standing when the DAM music ends.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.