Companies are finally paying more attention to the security infrastructure surrounding their databases, and for security vendors and solution providers, this is creating a tidy, predictable revenue stream.
Given the large number of legacy databases out there in the corporate IT netherworld that need securing, this trend looks likely to continue for some time.
"There's an enormous movement under way for securing databases in light of regulatory requirements," said Gretchen Hellman, vice president of marketing and product management at Vormetric, a US-based database security vendor.
"Database security is particularly problematic for older, legacy systems that were not designed with security mechanisms," said Andrew Plato, president of Anitian Enterprise Security, a US-based security solution provider. "Newer products have a lot of built-in security mechanisms that do not require special third-party adapters and such. But older Oracle or mainframe systems often require complex middleware to manage security controls and/or encryption."
The good news for VARs is that when it comes to storing data and acting as a repository for information, database systems don't phase out very quickly. In the enterprise, a system could be 25 years old and still be perfectly functional, according to solution providers.
Ed Moyle, analyst and co-founder of SecurityCurve, said there are plenty of opportunities for solution providers to add encryption to legacy database platforms.
"Vendors are building security into their new products in response to customer demand, which is a logical step," said Moyle. "But for folks that bring that to legacy platforms, encryption is a big trend."
Good Guys Vs. Bad Guys
Hackers have successfully employed a variety of methods to penetrate databases. Last December's hack of social networking startup RockYou yielded the passwords of 32 million users. Later, it was discovered that the company had been storing users' log-in credentials in plain text, making the data susceptible to the classic SQL injection attack, a well-worn method hackers have been using for years.
The TJX hackers who absconded with credit card data on 45 million customers in 2007 found their way into the company's database through a poorly secured wireless network. Brute force password attacks have also proven effective at separating a company from its customer data.
Although blame usually lies with the companies, the reality is that securing databases requires multifaceted expertise encompassing the skills of developers, security experts and network administrators. And this combined pool of expertise is just the baseline of what's needed for keeping up with the accelerating evolution of database threats.
"Threats will continue to change. Particular to the database threat vector, we have seen many variants of SQL injection," said Greg Hanchin, principal of security integrator DirSec.
To detect malfeasance, "You need to be able to check the Web application for HTTP behavior and how it interacts with the browser. And at the application to the Web browser and back, you need to do a database check to make sure the data hasn't been tampered with," Hanchin said.
Adrian Lane, analyst and CTO at Securosis, a US-based security research firm, says data theft is the principal worry with databases, but manipulation is also a growing problem.
"Attackers aren't just intruding into databases like the script kiddies of the past. Now they're dropping in backdoors and using very subtle ways to collect and manipulate data that avoid detection," Lane said. "That's why database security has become inherently detective as well as preventative."
Of the vendors that focus specifically on database security, Guardium and Imperva are two that occupy prominent spots on the radar of both security VARs and vendors. IBM (NYSE:IBM) in November bought Guardium, a pure-play vendor with deep experience in pure database security, picking up technology that identifies patterns and anomalies in data access and usage to detect fraud and maintain data integrity.
Security VARs say this deal could be the first of many to come as other vendors shift their attention to database security. IBM plans to use Guardium's technology to automate IT governance processes and comply with both PCI and HIPAA and will weave the company into its Information Management software group.
Imperva, a US-based vendor headquartered in Redwood Shores, has a product portfolio that includes database security as well as a Web application firewall. In terms of database security technology, Imperva and Guardium are virtually indistinguishable, according to FishNet Security's Puetz.
"They really do go head-to-head, especially on the database side. We haven't seen anyone say that one is blowing the other out of the water from an engineering standpoint," Puetz said. "They're both high-quality products, so it really comes down to the relationship the vendor has within the account."
It may have taken government involvement, but database security has finally become a top priority for companies that house customer data. Perhaps this is the result of endless negative headlines about companies losing hard drives or having laptops stolen from their mobile employees. No matter why, security VARs are pleased to see this trend--and not just for financial reasons. It's because in many ways, database security reflects the core principle of IT security itself: keeping valuable assets as protected as possible.