Feb 23, 2007 (12:02 PM EST)
How a Smarter Database Can Protect Your Data

Read the Original Article at InformationWeek


Firewalls, intrusion detection systems, authorization and authentication all have their place in securing the enterprise, but these technologies rarely plug a hole that has leaked millions of records with sensitive information since the well-publicized ChoicePoint breach about two years ago, according to the Privacy Rights Clearinghouse. Data inside a database that is protected by all of the above is still easy plunder for a legitimate user or a hacker successfully masquerading as one.

"The database isn’t smart enough to care that you execute the same type of SQL query over one thousand times in a matter of seconds and walk away with a list of social security numbers," explains Noel Yuhanna, analyst with Forrester Research. "And the network doesn’t care either; it just looks at packets, which may or may not contain the personal information of all your customers." What is lacking, according to Yuhanna, is an end-to-end security solution. Such a solution would be impressive, as it would have to address security concerns from the network stack layer all the way up to the application layer. Nothing like that exists currently, and IT managers would be ill advised to wait for it to materialize.

Choose Hardware or Software

In the meantime, there are point solutions in particular products that can build enough intelligence into your database to let you know when things don’t look right. They fall into two categories: appliances that consist of hardware and software, and software-only solutions. The latter have a cost advantage, starting at around five thousand dollars, and they tend to be simple to install. Both let you monitor behavior and trigger an alert on the execution of suspicious queries. The appliances, though more expensive, claim to be less intrusive since they watch network traffic in real time outside the database, adding no CPU cycles to transactional hardware. Tizor’s Mantra product is one example of this type. "You can configure monitoring around several dimensions: time, content, location, volume, operation, user, session ..." says Tizor CEO Joel Rosen. "This takes you way beyond the binary, ‘Do you have authorization to query the database or not?’"

These appliances are rightly classified as network sniffers, but Ron Ben-Natan, CTO of Guardium, another appliance vendor, is quick to point out that these boxes are not ordinary sniffers. "Generic sniffers don’t have to be all that intelligent since HTTP traffic has only nine or so commands," he explains. "We understand the complexities of databases; for example, a SQL ‘Select *’ statement that pulls Social Security numbers without a ‘where’ condition is something Guardium can easily flag."
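As an added example, not code from the article or from any of the vendors quoted, the two behaviors singled out above (Yuhanna's burst of one thousand look-alike queries in seconds, and Ben-Natan's unfiltered "Select *" against a table holding Social Security numbers) expressed as detection logic over a constructed audit stream; the log format, the sensitive-table list and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed audit-stream sample: (timestamp in seconds, db user, SQL text).
# Values are illustrative and not from any vendor product.
SAMPLE_LOG = (
    [(1000.0 + i * 0.005, "app_svc", f"SELECT ssn FROM customers WHERE id = {i}")
     for i in range(1200)]                      # 1200 look-alike queries in ~6 s
    + [(1010.0, "analyst", "SELECT * FROM customers")]   # unfiltered read of PII table
    + [(1011.0, "analyst", "SELECT name FROM customers WHERE id = 7")]
)

SENSITIVE_TABLES = {"customers"}   # tables holding PII (assumed for the example)
RATE_THRESHOLD = 1000              # identical query shapes from one user ...
RATE_WINDOW = 5.0                  # ... within this many seconds

def normalize(sql: str) -> str:
    """Collapse literals so queries differing only in bound values share one shape."""
    shape = re.sub(r"'[^']*'", "?", sql)      # string literals
    shape = re.sub(r"\b\d+\b", "?", shape)    # numeric literals
    return re.sub(r"\s+", " ", shape).strip().lower()

def missing_where_on_sensitive(sql: str) -> bool:
    """True for a SELECT that reads a sensitive table with no WHERE clause."""
    m = re.match(r"\s*select\s+.+?\s+from\s+([a-z_][\w.]*)", sql, re.I | re.S)
    if not m:
        return False
    table = m.group(1).split(".")[-1].lower()
    return table in SENSITIVE_TABLES and not re.search(r"\bwhere\b", sql, re.I)

def scan(log):
    """Return alerts: one per (user, query shape) that exceeds RATE_THRESHOLD
    inside RATE_WINDOW, plus one per unfiltered read of a sensitive table."""
    alerts = []
    recent = defaultdict(deque)   # (user, shape) -> timestamps still in the window
    rate_flagged = set()
    for ts, user, sql in log:
        if missing_where_on_sensitive(sql):
            alerts.append(("unfiltered_sensitive_read", user, sql))
        key = (user, normalize(sql))
        window = recent[key]
        window.append(ts)
        while ts - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_THRESHOLD and key not in rate_flagged:
            rate_flagged.add(key)
            alerts.append(("query_rate", user, key[1]))
    return alerts
```

Running `scan(SAMPLE_LOG)` yields one rate alert for the application account and one unfiltered-read alert for the analyst; the filtered single-row query raises nothing.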

Another reason the appliance vendors are wary of the sniffer label is that a sniffer will miss anything that doesn’t go over the wire, such as an insider who has direct access to the machine. The appliance vendors solve this problem by putting additional software agents on the database server, but this comes at the price of a small performance hit, on the order of two to five percent, according to Yuhanna. The software-only solutions can see everything because they more closely watch all transactions on the server, but this adds a five-percent to twenty-percent performance drag, Yuhanna says.

IPLocks, a software-only solution provider, contends the performance hit is minimal, especially on newer databases. "We have a satisfied South American telco customer who monitors hundreds of millions of transactions per day," says IPLocks CTO Adrian Lane.