
Building Up Database Defenses

By Robert L. Scheier
August 28, 2006 12:00 PM ET

Harvey Ewing, senior director of IT security at Carrollton, Texas-based Accor North America, which owns and operates about 1,200 hotel properties in the U.S., Canada and Mexico, chose RSA Key Management from RSA Security. He says it provides a single key management system across the company's various applications.

Application programming interfaces from RSA allow Accor developers to easily adapt applications to access decryption keys as they need them, says Ewing. Without such keys, legacy systems wouldn't be able to perform any functions requiring that data, or would be unable to display that data correctly.

Another shortcoming of native database encryption is that it can't hide sensitive data from database administrators, says Burton Group's Henry. That's changing, he says, with products such as Oracle Corp.'s Oracle Database Vault, an option for Oracle databases that allows customers to "substantially limit what the DBA can do."

No Silver Bullet

Customers, analysts and vendors agree that a mix of technologies is required to meet the needs of each unique environment. In addition to encryption, Ewing uses SecureSphere application layer firewalls from Imperva Inc. to protect his Web and database servers, as well as vulnerability and penetration testing tools.

Customers rely largely on access control and database access monitoring tools to comply with the Sarbanes-Oxley Act, says Prat Moghe, founder and CEO of Tizor Systems Inc. in Maynard, Mass., but they are using encryption more often to comply with PCI.

Even with products that allow users to encrypt only specific database columns (such as those holding credit card numbers), administrators may still need to restructure some databases to make encryption feasible. If a customer's Social Security number is used as the "index" field that helps locate all other information about that customer, encrypting Social Security numbers could require decryption of that column for every query and thus cripple database performance. Another approach, says Jeff Montgomery, director of product marketing at Cambridge, England-based nCipher, is to encrypt all but the last four digits of the sensitive number.
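The index-column problem described above can be made concrete with a small simulation. The script below is an added example and not code from the article or from any vendor it names: it stores customer rows keyed by a nine-digit number, encrypts the first five digits with a randomised cipher (so equal values produce different ciphertexts and the database cannot compare or index the column directly), keeps the last four digits in the clear as the passage describes, and counts how many decryptions a single lookup needs under each strategy. The cipher is a stand-in HMAC-SHA256 keystream so the script runs with the standard library only; the column key, table layout, and sample numbers are all constructed for the demonstration.

```python
"""Added example (not from the article): why encrypting a lookup column forces
per-row decryption, and how keeping the last four digits in the clear narrows
the search.  The cipher is a stand-in HMAC-SHA256 keystream (CTR-style,
unauthenticated) chosen so the script needs only the standard library; a real
deployment would use an authenticated cipher and obtain the column key from a
key manager rather than generating it in process."""
import hashlib
import hmac
import os

COLUMN_KEY = os.urandom(32)  # hypothetical per-column key; normally supplied by a key manager


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as successive HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Randomised encryption: a fresh 12-byte nonce is prepended to the ciphertext.
    Equal plaintexts therefore give different ciphertexts, which is exactly what
    stops the database from indexing or comparing the encrypted column."""
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class CustomerTable:
    """In-memory stand-in for a customer table keyed by a nine-digit number.
    Each row stores the first five digits encrypted and the last four in the clear."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.rows: list[tuple[bytes, str, str]] = []  # (encrypted first five, clear last four, name)
        self.decrypt_calls = 0  # work counter reset by each lookup

    def insert(self, ssn: str, name: str) -> None:
        self.rows.append((encrypt(self.key, ssn[:-4].encode()), ssn[-4:], name))

    def _decrypt_first5(self, enc: bytes) -> str:
        self.decrypt_calls += 1
        return decrypt(self.key, enc).decode()

    def find_full_scan(self, ssn: str) -> list[str]:
        """WHERE ssn = ? against a fully encrypted column: every row must be
        decrypted before the predicate can be evaluated."""
        self.decrypt_calls = 0
        return [name for enc, last4, name in self.rows
                if self._decrypt_first5(enc) + last4 == ssn]

    def find_by_last4(self, ssn: str) -> list[str]:
        """Use the clear-text last four digits as a coarse index, then decrypt only
        the candidate rows to confirm the full match."""
        self.decrypt_calls = 0
        candidates = [row for row in self.rows if row[1] == ssn[-4:]]
        return [name for enc, last4, name in candidates
                if self._decrypt_first5(enc) + last4 == ssn]


def build_sample_table(n: int = 1000) -> CustomerTable:
    """Constructed sample data: n customers whose last four digits cycle every 50
    rows, so each last-four value is shared by n/50 rows (not real numbers)."""
    table = CustomerTable(COLUMN_KEY)
    for i in range(n):
        table.insert(f"{i:05d}{i % 50:04d}", f"customer-{i}")
    return table


def compare_lookup_cost(ssn: str = "001230023") -> dict[str, int]:
    """Return the number of decryptions each strategy needs to resolve one lookup."""
    table = build_sample_table()
    assert table.find_full_scan(ssn) == ["customer-123"]
    full = table.decrypt_calls
    assert table.find_by_last4(ssn) == ["customer-123"]
    narrowed = table.decrypt_calls
    return {"full_scan_decryptions": full, "last4_decryptions": narrowed}


if __name__ == "__main__":
    print(compare_lookup_cost())
```

With 1,000 rows the full scan decrypts all 1,000 before it can answer, while the clear last-four digits cut that to the 20 rows sharing that suffix. The same digits that make the lookup cheap are also the part of the number left readable to anyone with table access, which is the trade-off behind the partial-encryption approach the passage describes.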

Rather than modifying applications so they can decrypt data, says Mogull, companies can also merely encrypt the file or hard drive where the data is stored (to deflect attacks on the database) and use data access monitoring tools to watch for suspicious activity from within the applications.

Making the wrong choice about where, for example, to use encryption can waste a lot of money, risk a lot of data and make a lot of users unhappy. That's why it's so crucial to first understand the threats facing your data and only then begin building your defense.

Database Protection Vendors
Here's a sampling of vendors with tools designed to protect corporate databases. Although some vendors offer more than one product, most organizations will need to work with more than one vendor to create an in-depth defense that includes access control and authentication, vulnerability scanning, data access monitoring and encryption.

| Vendor | Product Name(s) | Product Types | Capabilities |
| --- | --- | --- | --- |
| Application Security Inc. | AppDetective, AppRadar, dbEncrypt | Vulnerability scanning, database access monitoring, encryption | Scans databases for misconfigurations or security vulnerabilities; monitors real-time access to databases; provides software-based, column-level database encryption and key management. |
| Consul Risk Management Inc. | Insight Suite | Database access monitoring | Captures and normalizes log information from applications, operating systems and databases to provide reports on access by various user types. |
| EMC Corp. | To be announced | Encryption | Plans to add encryption to many products using technologies from its planned acquisition of RSA Security. Already offers protection for unstructured data. |
| Guardium Inc. | SQL HealthGuard, SQL Audit Guard, SQL PolicyGuard | Vulnerability scanning, access control and auditing | Also offers PCI Accelerator for Database Compliance, which has predefined templates for PCI compliance. |
| Imperva Inc. | SecureSphere Database Monitoring Gateway; Database Security Gateway; Web Application Firewall and MX Management Server | Database monitoring, auditing and reporting; Web application firewall; security management server | Offers automated database audit appliances for MS-SQL, Oracle, DB2 and Sybase environments, deployed as non-inline network monitors. |
| Ingrian Networks Inc. | DataSecure | Encryption | Offers hardware-based cryptography and field-level encryption at the Web server, application server or database layer, as well as centralized key management. |
| IPLocks Inc. | Database Security and Compliance Solution | Software-based vulnerability scanning, access monitoring, auditing/analysis and reporting | Compares database settings to industry best practices to help ensure compliance. |
| Lumigent Technologies Inc. | Audit DB | Database vulnerability scanning, access monitoring | Audits databases for users' access activity; identifies changes to structure and permission levels and violations of access policies. |
| nCipher Corp. | KeepSecure: SecureApp, Secure DB, Secure FS | Encryption and key management | Software- and hardware-based encryption. Protects data in structured databases and identity management tools. |
| Protegrity Corp. | Defiance Security Software Suite | Access monitoring, encryption | Provides policy-driven, software-based encryption, key management and access audits, and DBA separation of duties. |
| Tizor Systems Inc. | Mantra | Access monitoring for databases and file servers | Audits multiple databases, file servers and application servers from a network-based appliance; has templates for compliance with various regulations. |
| Valyd Inc. | KeepSecure | Software-based data access monitoring, audits and encryption of both structured and unstructured data | Centralized management console controls policies, separation of duties, reporting and auditing. Adapters integrate with databases, file systems and business applications. |

Scheier is a freelance writer in Boylston, Mass. He can be reached at
