Compliance, data breaches heighten database security needs

By Neil Roiter, Senior Technology Editor, Information Security magazine 16 Aug 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Not that long ago, "database security" was almost an oxymoron, but today, demanding auditors and the drumbeat of customer information breaches are forcing corporations to pay serious attention to who has access to sensitive data and what their doing with it.

The database itself is not intelligent enough to see suspicious activity over the wire or if authorized user is executing a command a million times. Noel Yuhanna, principal analyst, Forrester Research

That's good news for security managers, who are now getting boardroom attention, and database security vendors, who are seeing increasing interest in this still small (generally estimated at less than $100 million for third-party products), but growing market.

"Many of the companies in this space have been growing 100 percent a year for a couple of years," said Andrew Jaquith, a senior analyst at Boston-based Yankee Group. "They'll probably double again in 2007. It's a big area in funding priorities."

This market includes three product categories:

• Database monitoring/auditing: Companies use these to watch for unauthorized or unusual access activity, and produce comprehensive audit reports without hundreds or thousands of man hours poring through logs. Vendors include Application Security, Inc., Embarcadero, Guardium, Imperva, IPLocks. Lumigent technologies, RippleTech, Sentrigo, Symantec and Tizor Systems. "The database itself is not intelligent enough to see suspicious activity over the wire or if authorized user is executing a command a million times," said Noel Yuhanna, a principal analyst at Cambridge, Mass.-based Forrester Research. "That's why you have to have these tools."
• Vulnerability assessment: Specialized VA scanners, from companies like Application Security and Next Generation Software, that assess the security strength of databases, detecting security holes and misconfigurations.
• Encryption: Highly granular encryption with centralized administration and policy creation and strong key management. Vendors include Protegrity, Ingrian Networks and Application Security.

The market growth is fueled by heightened security sensitivity, as one spectacular breach disclosure after another undermines customer confidence, and demanding, albeit somewhat vague, regulatory compliance pressures.

"The single biggest driver has been SOX; it's changed the audit requirements for companies, and we're seeing a little bit of PCI," said Rich Mogull, a research vice president at Stamford, Conn.-based Gartner Inc. "Although the regulations don't specifically call out the things we're talking about, they definitively nudge you in that direction."

The fundamental driver isn't auditors per se," Jaquith said. "It's embarrassment and reputation risk."

Database platforms lack the robust native encryption, monitoring, assessment and management tools to meet these demanding new security requirements. Further, large, heterogeneous organizations often have multiple database platforms. Oracle and Microsoft SQL Server are getting better, but still have a long way to go.

Database security: Database security undermined by protocol loopholes, lax defenses: A security expert warns database administrators about a continued loophole in database communication protocols. Black Hat 2007: Forensics software security holes revealed: Researchers from iSEC Partners tell the Black Hat 2007 audience that the industry's leading forensics software is susceptible to attack. Black Hat 2007: New database forensics tool could aid data breach cases: Database security researcher, David Litchfield of UK-based NGS Software will release a free Forensic Examiners Database Scalpel, he says could aid data breach investigations. Database authentication, encryption getting priority in some businesses: While more organizations are seeking database authentication and encryption technologies, others are turning to database monitoring to secure data.

"There is a lot of space in the next year to see much more activity from database vendors, either by partnering or own their own," said Charles Kolodgy, a research director at Framingham, Mass.-based IDC.

Yuhanna sees clear signs that the monitoring and auditing market is stepping up to the next level, now that companies are convinced of their value. He expects to see large companies investing in deployments of 50 to 100 appliances.

On the other hand, database encryption is still relatively low on the list of solutions, despite concerns about data theft and the exemption of encrypted data under most state breach disclosure laws. Despite improved tools, it's still difficult to deploy and manage. Analysts caution that database encryption is a two-three-year project. Legacy systems are particularly tough.

"Database encryption was third on people's list to buy," though the market will continue to grow, Kolodgy said. "No one does encryption on a whim. There has to be a clear understanding of need; a clear delineation."

"I would say only 5% are doing encryption at the database level," Yuhanna said. "It's too difficult."

An important part of implementing encryption is selectivity, knowing what needs to be protected. For example, you can encrypt customer credit card and Social Security numbers, but leave names and addresses in plain text.

Analysts differ a bit in their recommendations, but generally suggest activity monitoring, which could give the most return on investment. Selective field level encryption is also recommended.

"Determine what kind of sensitive information you have, what kind of databases and how many," Jaquith said. "Simply walking around and querying databases is helpful, but you need empirical evidence. Use scanning tool to survey your data and figure what's sensitive."

"Sensitive customer information is like asbestos," he said. "We've been building housing with it for years and only recently discovered its toxic when airborne."

Tags: Database Security Management,  Enterprise Data Governance,  Disk Encryption and File Encryption,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Information security book excerpts and reviews Kaspersky website hacked multiple times, expert says Kaspersky website hacked, customer activation codes exposed SQL injection attacks targeting Flash, JavaScript errors Fuzzing tool helps Oracle DBAs defend against SQL injection Oracle extends Audit Vault third-party database compatibility When should a database application be placed in a DMZ? Oracle patches dangerous WebLogic, Secure Backup vulnerabilities Database Security Management Research Enterprise Data Governance Risk management must include physical-logical security convergence Simple information security mistakes can cause data loss, says expert Organizations struggle with data leakage prevention, rights management Encryption in data management should never be ignored, expert says Attackers cash in on fundamental data handling mistakes, Verizon finds Data loss prevention benefits in the real world Mass., Nev. data protection laws wrong, ineffective Cybersecurity hearing highlights inadequacy of PCI DSS Enforcing a vendor risk assessment to avoid outsourcing security risks How to Secure Cloud Computing Disk Encryption and File Encryption Database monitoring, encryption vital in tight economy, Forrester says Sophos integrates encryption into endpoint security Cryptography for the rest of us Encryption in data management should never be ignored, expert says The difference between AES encryption and DES encryption Security budget issues to resonate at RSA Conference Portable security storage device could replace OTP devices Mass. officials explain new data protection regulations A simple substitution cipher vs. one-time pad software Are encrypted, self-deleting USB storage drives worth the investment?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary