How a Smarter Database Can Protect Your Data

Feb 23, 2007 (12:02 PM EST)


Firewalls, intrusion detection systems, authorization and authentication all have their place in securing the enterprise, but these technologies rarely plug a hole that has leaked millions of records with sensitive information since the well-publicized ChoicePoint breach about two years ago, according to the Privacy Rights Clearinghouse. Data inside a database that is protected by all of the above is still easy plunder for a legitimate user or a hacker successfully masquerading as one.

"The database isn’t smart enough to care that you execute the same type of SQL query over one thousand times in a matter of seconds and walk away with a list of social security numbers," explains Noel Yuhanna, analyst with Forrester Re-search. "And the network doesn’t care either; it just looks at packets, which may or may not contain the personal information of all your customers." What is lacking, according to Yuhanna, is an end-to-end security solution. Such a solution would be impressive as it would have to address security concerns from the network stack layer all the way up to the application layer. Nothing like that exists, currently, and IT managers would be ill advised to wait for it to materialize.

Choose Hardware or Software

In the meantime, there are point solutions in particular products that can build enough intelligence into your database to let you know when things don’t look right. They fall into two categories: appliances that consist of hardware and software, and software-only solutions. The latter have a cost advantage, starting at around five thousand dollars, and they tend to be simple to install. Both let you monitor behavior and trigger an alert on the execution of suspicious queries. The appliances, though more expensive, claim to be less intrusive since they watch network traffic in real time outside the database, adding no CPU cycles to transactional hardware. Tizor’s Mantra product is one example of this type. "You can configure monitoring around several dimensions: time, content, location, volume, operation, user, session ..." says Tizor CEO Joel Rosen. "This takes you way beyond the binary, ‘Do you have authorization to query the database or not?’"

These appliances are rightly classified as network sniffers, but Ron Ben-Natan, CTO of Guardium, another appliance vendor, is quick to point out that these boxes are not ordinary sniffers. "Generic sniffers don’t have to be all that intelligent since HTTP traffic has only nine or so commands," he explains. "We understand the complexities of databases; for example, a SQL 'Select *' statement that pulls Social Security numbers without a 'where' condition is something Guardium can easily flag."
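The two behaviors quoted above, Yuhanna's same-shaped query repeated over a thousand times in seconds and Ben-Natan's "Select *" on Social Security numbers with no "where" condition, can be expressed as monitoring rules. The following Python sketch is an added example, not code from any vendor named in the article; the column name, table layout, five-second window and sample events are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed for this example: which column names count as sensitive, and the
# volume rule ("over one thousand times in a matter of seconds").
SENSITIVE = {"ssn"}
MAX_REPEATS, WINDOW_SECONDS = 1000, 5.0

def fingerprint(sql):
    """Normalize a statement so queries that differ only in literals match."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)         # string literals
    sql = re.sub(r"\b\d+(?:\.\d+)?\b", "?", sql)      # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()

def unbounded_sensitive_select(sql, table_columns):
    """Heuristic: a single-table SELECT with no WHERE that returns a sensitive column."""
    fp = fingerprint(sql)
    m = re.match(r"select (.+?) from (\w+)", fp)
    if not m or re.search(r"\bwhere\b", fp):
        return False
    cols, table = m.groups()
    # "*" expands to the table's known columns (lowercase names expected).
    names = table_columns.get(table, ()) if cols.strip() == "*" else cols.split(",")
    selected = {n.split()[0].split(".")[-1] for n in names if n.strip()}
    return bool(selected & SENSITIVE)

class Monitor:
    def __init__(self, table_columns):
        self.table_columns = table_columns
        self.recent = defaultdict(deque)   # (user, fingerprint) -> timestamps

    def observe(self, ts, user, sql):
        """Return the alerts raised by one observed statement."""
        alerts = []
        if unbounded_sensitive_select(sql, self.table_columns):
            alerts.append(("UNBOUNDED_SENSITIVE_SELECT", user))
        window = self.recent[(user, fingerprint(sql))]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:   # drop entries older than the window
            window.popleft()
        if len(window) > MAX_REPEATS:
            alerts.append(("HIGH_VOLUME_REPEAT", user))
        return alerts

def demo():
    # Constructed events: 1,001 single-row lookups in two seconds, then one full dump.
    mon = Monitor({"customers": ["id", "name", "ssn"]})
    events = [(i * 0.002, "app_user", f"SELECT ssn FROM customers WHERE id = {i}") for i in range(1001)]
    events.append((3.0, "jdoe", "SELECT * FROM customers"))
    return [a for e in events for a in mon.observe(*e)]
```

Each of the 1,001 lookups is individually authorized and unremarkable; only the fingerprint-and-rate view across them raises the alert, which is the gap the article says authorization alone leaves open.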

Another reason the appliance vendors are wary of the sniffer label is that a sniffer will miss anything that doesn’t go over the wire, such as an insider who has direct access to the machine. The appliance vendors solve this problem by putting additional software agents on the database server, but this comes at the price of a small performance hit, on the order of two to five percent, according to Yuhanna. The software-only solutions can see everything because they more closely watch all transactions on the server, but this adds a five-percent to twenty-percent performance drag, Yuhanna says.

IPLocks, a software-only solution provider, contends the performance hit is minimal, especially on newer databases. "We have a satisfied South American telco customer who monitors hundreds of millions of transactions per day," says IPLocks CTO Adrian Lane.

Who's Watching the Hen House?

Both classes of products will trigger alerts if, in the example of the telco customer cited above, there is a sudden spike in phone recharges from cards with a specific sequence of numbers. That could indicate that a street vendor selling the cards had just been robbed, but just who gets the alert can be a sensitive subject.

The appliance solutions, since they are network devices, naturally tend to alert network security folks, while the software-only solutions are more often under the jurisdiction of the DBA, who will likely get the alert. "It's the DBA's job to keep the database open and accessible," says Ben-Natan, "and this does not foster the right state of mind for security."

The appliance/nonappliance choice often involves a decision about role separation. This may be fine, but it does get to a fundamental issue concerning database security. A good database is supposed to facilitate fast and easy accessibility of massive volumes of data, and so there may be some natural contradictions built into a dual role of data security leader and DBA. (See related case study, "Nuclear Fuel Supplier Tightens Database Security.")