Compliance, data breaches heighten database security needs

By Neil Roiter, Senior Technology Editor, Information Security magazine 16 Aug 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Not that long ago, "database security" was almost an oxymoron, but today, demanding auditors and the drumbeat of customer information breaches are forcing corporations to pay serious attention to who has access to sensitive data and what their doing with it.

The database itself is not intelligent enough to see suspicious activity over the wire or if authorized user is executing a command a million times. Noel Yuhanna, principal analyst, Forrester Research

That's good news for security managers, who are now getting boardroom attention, and database security vendors, who are seeing increasing interest in this still small (generally estimated at less than $100 million for third-party products), but growing market.

"Many of the companies in this space have been growing 100 percent a year for a couple of years," said Andrew Jaquith, a senior analyst at Boston-based Yankee Group. "They'll probably double again in 2007. It's a big area in funding priorities."

This market includes three product categories:

• Database monitoring/auditing: Companies use these to watch for unauthorized or unusual access activity, and produce comprehensive audit reports without hundreds or thousands of man hours poring through logs. Vendors include Application Security, Inc., Embarcadero, Guardium, Imperva, IPLocks. Lumigent technologies, RippleTech, Sentrigo, Symantec and Tizor Systems. "The database itself is not intelligent enough to see suspicious activity over the wire or if authorized user is executing a command a million times," said Noel Yuhanna, a principal analyst at Cambridge, Mass.-based Forrester Research. "That's why you have to have these tools."
• Vulnerability assessment: Specialized VA scanners, from companies like Application Security and Next Generation Software, that assess the security strength of databases, detecting security holes and misconfigurations.
• Encryption: Highly granular encryption with centralized administration and policy creation and strong key management. Vendors include Protegrity, Ingrian Networks and Application Security.

The market growth is fueled by heightened security sensitivity, as one spectacular breach disclosure after another undermines customer confidence, and demanding, albeit somewhat vague, regulatory compliance pressures.

"The single biggest driver has been SOX; it's changed the audit requirements for companies, and we're seeing a little bit of PCI," said Rich Mogull, a research vice president at Stamford, Conn.-based Gartner Inc. "Although the regulations don't specifically call out the things we're talking about, they definitively nudge you in that direction."

The fundamental driver isn't auditors per se," Jaquith said. "It's embarrassment and reputation risk."

Database platforms lack the robust native encryption, monitoring, assessment and management tools to meet these demanding new security requirements. Further, large, heterogeneous organizations often have multiple database platforms. Oracle and Microsoft SQL Server are getting better, but still have a long way to go.

Database security: Database security undermined by protocol loopholes, lax defenses: A security expert warns database administrators about a continued loophole in database communication protocols. Black Hat 2007: Forensics software security holes revealed: Researchers from iSEC Partners tell the Black Hat 2007 audience that the industry's leading forensics software is susceptible to attack. Black Hat 2007: New database forensics tool could aid data breach cases: Database security researcher, David Litchfield of UK-based NGS Software will release a free Forensic Examiners Database Scalpel, he says could aid data breach investigations. Database authentication, encryption getting priority in some businesses: While more organizations are seeking database authentication and encryption technologies, others are turning to database monitoring to secure data.

"There is a lot of space in the next year to see much more activity from database vendors, either by partnering or own their own," said Charles Kolodgy, a research director at Framingham, Mass.-based IDC.

Yuhanna sees clear signs that the monitoring and auditing market is stepping up to the next level, now that companies are convinced of their value. He expects to see large companies investing in deployments of 50 to 100 appliances.

On the other hand, database encryption is still relatively low on the list of solutions, despite concerns about data theft and the exemption of encrypted data under most state breach disclosure laws. Despite improved tools, it's still difficult to deploy and manage. Analysts caution that database encryption is a two-three-year project. Legacy systems are particularly tough.

"Database encryption was third on people's list to buy," though the market will continue to grow, Kolodgy said. "No one does encryption on a whim. There has to be a clear understanding of need; a clear delineation."

"I would say only 5% are doing encryption at the database level," Yuhanna said. "It's too difficult."

An important part of implementing encryption is selectivity, knowing what needs to be protected. For example, you can encrypt customer credit card and Social Security numbers, but leave names and addresses in plain text.

Analysts differ a bit in their recommendations, but generally suggest activity monitoring, which could give the most return on investment. Selective field level encryption is also recommended.

"Determine what kind of sensitive information you have, what kind of databases and how many," Jaquith said. "Simply walking around and querying databases is helpful, but you need empirical evidence. Use scanning tool to survey your data and figure what's sensitive."

"Sensitive customer information is like asbestos," he said. "We've been building housing with it for years and only recently discovered its toxic when airborne."

Tags: Database Security Management,  Enterprise Data Governance,  Disk Encryption and File Encryption,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Enterprise Data Governance Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private Compliance in the cloud How to write technology outsourcing contracts Disk Encryption and File Encryption Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision? Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection Voltage, RSA spar over tokenization, data protection Truth, lies and fiction about encryption What are new and commonly used public-key cryptography algorithms? What are the export limitations for AES data encryption?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary