Not that long ago, "database security" was almost an oxymoron, but today, demanding auditors and the drumbeat of customer information breaches are forcing corporations to pay serious attention to who has access to sensitive data and what they are doing with it.
That is good news for security managers, who are now getting boardroom attention, and database security suppliers, who are seeing increasing interest in this still small (generally estimated at less than $100 million for third-party products), but growing market.
"Many of the companies in this space have been growing 100% a year for a couple of years," said Andrew Jaquith, a senior analyst at Boston-based Yankee Group. "They'll probably double again in 2007. It's a big area in funding priorities."
This market includes three product categories:
- Database monitoring/auditing: Companies use these to watch for unauthorised or unusual access activity, and produce comprehensive audit reports without hundreds or thousands of man hours poring through logs. Suppliers include Application Security, , Embarcadero, Guardium, Imperva, IPLocks. Lumigent technologies, RippleTech, Sentrigo, Symantec and Tizor Systems. "The database itself is not intelligent enough to see suspicious activity over the wire or if authorised user is executing a command a million times," said Noel Yuhanna, a principal analyst at Cambridge, Mass.-based Forrester Research. "That's why you have to have these tools."
- Vulnerability assessment: Specialised VA scanners, from companies like Application Security and Next Generation Software, that assess the security strength of databases, detecting security holes and misconfigurations.
- Encryption: Highly granular encryption with centralised administration and policy creation and strong key management. Suppliers include Protegrity, Ingrian Networks and Application Security.
The market growth is fueled by heightened security sensitivity, as one spectacular breach disclosure after another undermines customer confidence, and demanding, albeit somewhat vague, regulatory compliance pressures.
"The single biggest driver has been SOX; it has changed the audit requirements for companies, and we are seeing a little bit of PCI," said Rich Mogull, a research vice president at Gartner "Although the regulations don't specifically call out the things we're talking about, they definitively nudge you in that direction."
The fundamental driver is not auditors per se," Jaquith said. "It is embarrassment and reputation risk."
Database platforms lack the robust native encryption, monitoring, assessment and management tools to meet these demanding new security requirements. Further, large, heterogeneous organisations often have multiple database platforms. Oracle and Microsoft SQL Server are getting better, but still have a long way to go.
"There is a lot of space in the next year to see much more activity from database suppliers, either by partnering or own their own," said Charles Kolodgy, a research director at IDC.
Yuhanna sees clear signs that the monitoring and auditing market is stepping up to the next level, now that companies are convinced of their value. He expects to see large companies investing in deployments of 50 to 100 appliances.
On the other hand, database encryption is still relatively low on the list of solutions, despite concerns about data theft and the exemption of encrypted data under most state breach disclosure laws. Despite improved tools, it's still difficult to deploy and manage. Analysts caution that database encryption is a two-three-year project. Legacy systems are particularly tough.
"Database encryption was third on people's list to buy," though the market will continue to grow, Kolodgy said. "No one does encryption on a whim. There has to be a clear understanding of need; a clear delineation."
"I would say only 5% are doing encryption at the database level," Yuhanna said. "It is too difficult."
An important part of implementing encryption is selectivity, knowing what needs to be protected. For example, you can encrypt customer credit card and Social Security numbers, but leave names and addresses in plain text.
Analysts differ a bit in their recommendations, but generally suggest activity monitoring, which could give the most return on investment. Selective field level encryption is also recommended.
"Determine what kind of sensitive information you have, what kind of databases and how many," Jaquith said. "Simply walking around and querying databases is helpful, but you need empirical evidence. Use scanning tool to survey your data and figure what's sensitive."
"Sensitive customer information is like asbestos," he said. "We have been building housing with it for years and only recently discovered it is toxic when airborne."