Not that long ago, "database security" was almost an oxymoron, but
today, demanding auditors and the drumbeat of customer
information breaches are forcing corporations to pay serious
attention to who has access to sensitive data and what they are
doing with it.
That is good news for security
managers, who are now getting boardroom attention, and database
security suppliers, who are seeing increasing interest in this
still small (generally estimated at less than $100 million for
third-party products), but growing market.
"Many of the companies in this space
have been growing 100% a year for a couple of years," said Andrew Jaquith, a
senior analyst at Boston-based Yankee Group. "They'll probably
double again in 2007. It's a big area in funding
priorities."
This market includes three product
categories:
- Database monitoring/auditing: Companies
use these to watch for unauthorised or unusual access activity, and
produce comprehensive audit reports without hundreds or thousands
of man hours poring through logs. Suppliers include Application
Security, Embarcadero, Guardium, Imperva, IPLocks, Lumigent
Technologies, RippleTech, Sentrigo, Symantec and Tizor Systems.
"The database itself is not intelligent enough to see suspicious
activity over the wire or if an authorised user is executing a command
a million times," said Noel Yuhanna, a principal analyst at
Cambridge, Mass.-based Forrester Research. "That's why you have to
have these tools."
- Vulnerability assessment: Specialised
VA scanners, from companies like Application Security and Next
Generation Software, that assess the security strength of
databases, detecting security holes and
misconfigurations.
- Encryption: Highly granular encryption
with centralised administration and policy creation and strong key
management. Suppliers include Protegrity, Ingrian Networks and
Application Security.
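To make concrete what the monitoring category above is watching for (Yuhanna's "authorised user executing a command a million times", and credentials used from somewhere they should not be), here is an added example of rate-based and source-host detection run over audit log lines. It is not code from the article or from any of the suppliers named; the audit-line layout, the sample lines, the per-user host allow-list and the threshold of 20 identical query shapes per 60-second window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-line layout for this example (constructed; no vendor's format):
#   2007-03-01T09:00:00 user=app host=10.0.0.5 stmt=SELECT ... FROM customers WHERE id = 7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) stmt=(?P<stmt>.+)$"
)


def constructed_log():
    """Build sample audit lines: steady traffic, then a bulk read, then a foreign host."""
    base = datetime(2007, 3, 1, 9, 0, 0)
    lines = []
    for i in range(10):                       # one lookup every 10 s: normal app behaviour
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} user=app host=10.0.0.5 "
                     f"stmt=SELECT name, ssn FROM customers WHERE id = {100 + i}")
    for i in range(30):                       # 30 lookups in 30 s: same account walking the table
        t = base + timedelta(seconds=120 + i)
        lines.append(f"{t.isoformat()} user=app host=10.0.0.5 "
                     f"stmt=SELECT name, ssn FROM customers WHERE id = {200 + i}")
    t = base + timedelta(seconds=200)         # app credentials used from an outside address
    lines.append(f"{t.isoformat()} user=app host=203.0.113.7 "
                 f"stmt=SELECT COUNT(*) FROM customers")
    t = base + timedelta(seconds=210)         # DBA from the admin host: allowed, no alert
    lines.append(f"{t.isoformat()} user=dba host=10.0.0.9 stmt=ANALYZE TABLE customers")
    return lines


def parse(lines):
    """Yield one event dict per well-formed line; lines that do not fit the layout are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def shape(stmt):
    """Collapse literals so 'WHERE id = 101' and 'WHERE id = 102' share one key."""
    s = re.sub(r"'[^']*'", "?", stmt)         # quoted string literals
    s = re.sub(r"\b\d+\b", "?", s)            # bare numeric literals
    return " ".join(s.split())


def detect(events, window=timedelta(seconds=60), max_per_window=20, allowed_hosts=None):
    """Return (kind, user, detail) alerts: 'rate' for a query shape repeated too often
    by one user inside the sliding window, 'host' for a user seen from a host not in
    that user's allow-list. Each (user, shape) or (user, host) alerts at most once."""
    allowed_hosts = allowed_hosts or {}
    recent = defaultdict(deque)               # (user, shape) -> timestamps inside the window
    alerts, seen = [], set()
    for ev in events:                         # events are assumed to arrive in time order
        key = (ev["user"], shape(ev["stmt"]))
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_per_window and ("rate", key) not in seen:
            seen.add(("rate", key))
            alerts.append(("rate", ev["user"], f"{len(q)} x '{key[1]}' within {window}"))
        host = ev["host"]
        if ev["user"] in allowed_hosts and host not in allowed_hosts[ev["user"]]:
            if ("host", ev["user"], host) not in seen:
                seen.add(("host", ev["user"], host))
                alerts.append(("host", ev["user"], f"connection from unexpected host {host}"))
    return alerts


def run_example():
    # Hypothetical policy: which hosts each database account may connect from.
    policy = {"app": {"10.0.0.5"}, "dba": {"10.0.0.9"}}
    return detect(parse(constructed_log()), allowed_hosts=policy)


if __name__ == "__main__":
    for kind, user, detail in run_example():
        print(f"[{kind}] {user}: {detail}")
```

The point of normalising the statement to a shape is that a table walk issues thousands of queries that differ only in their literals; counting raw statements would never trip a threshold. The host check is the cheap complement: the database accepted the login, so only an observer that records the source address can notice that a valid credential was used from the wrong place.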
The market growth is fueled by
heightened security sensitivity, as one spectacular breach disclosure after another undermines customer confidence, and
demanding, albeit somewhat vague,
regulatory compliance pressures.
"The single biggest driver has been
SOX; it has changed the audit requirements for companies, and we
are seeing a little bit of PCI," said Rich Mogull, a research vice
president at Gartner. "Although the regulations don't specifically
call out the things we're talking about, they definitively nudge
you in that direction."
"The fundamental driver is not auditors
per se," Jaquith said. "It is embarrassment and reputation
risk."
Database platforms lack the robust
native encryption, monitoring, assessment and management tools to
meet these demanding new security requirements. Further, large,
heterogeneous organisations often have multiple database platforms.
Oracle and Microsoft SQL Server are getting better, but still have
a long way to go.
"There is a lot of space in the next
year to see much more activity from database suppliers, either by
partnering or on their own," said Charles Kolodgy, a research
director at IDC.
Yuhanna sees clear signs that the
monitoring and auditing market is stepping up to the next level,
now that companies are convinced of their value. He expects to see
large companies investing in deployments of 50 to 100
appliances.
On the other hand, database encryption
is still relatively low on the list of solutions, despite concerns
about data theft and the exemption of encrypted data under most
state breach disclosure laws. Despite improved tools, it's still
difficult to deploy and manage. Analysts caution that database
encryption is a two- to three-year project. Legacy systems are
particularly tough.
"Database encryption was third on
people's list to buy," though the market will continue to grow,
Kolodgy said. "No one does encryption on a whim. There has to be a
clear understanding of need; a clear delineation."