Database software makers have continued to refine built-in security features and automatic controls to facilitate regulatory compliance. Today’s databases ship with far better out-of-the-box security features than the software releases of just two or three years ago.
One of the hotter security trends in databases is the new breed of software commonly known as a database firewall. The database firewall can be a part of a layered approach to data security by proactively checking for anomalous and suspicious SQL statements before they are executed in the database.
IBM (with its Guardium unit) and Oracle (following its acquisition of Secerno) are the leading database firewall providers; Imperva and Application Security are the other two makers of leading database firewall products. Database firewalls will increasingly become part of a perimeter protection strategy to thwart unauthorized database access and threats to data. Adding a database firewall to the DBA’s arsenal of security tools helps minimize the exposure of production data to unauthorized SQL code. Database firewalls monitor live traffic for anomalous activity and unauthorized connections and are considered helpful in preventing well-known SQL-based attacks such as SQL injection. Database firewalls also fit in nicely with several regulatory requirements.
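As an added illustration of the inspection step described above (this is example code written for this page, not code from Guardium, Secerno, Imperva, Application Security or any other product), the following Python sketch does what a database firewall does at its simplest: it learns the "shapes" of statements the application normally issues, then evaluates each new statement before it would reach the database. Literals are replaced by placeholders so that `WHERE id = 42` and `WHERE id = 17` share one fingerprint; statements that match a known shape pass, unknown shapes raise an alert, and a few structural patterns that an application tier never legitimately produces (stacked statements, UNION tampering, tautologies, comment sequences) are blocked outright. The baseline statements, the function names `fingerprint`, `learn_baseline` and `inspect`, and the blocked patterns are all assumptions made for the example.

```python
import re
from typing import Iterable, Set, Tuple

# Constructed sample: statements observed while the application ran normally.
# A real firewall learns this from captured traffic; here it is hard-coded.
BASELINE = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT id, name FROM customers WHERE id = 17",
    "SELECT id, name FROM customers WHERE id IN (5)",
    "UPDATE orders SET status = 'shipped' WHERE order_id = 1001",
    "INSERT INTO audit_log (actor, action) VALUES ('alice', 'login')",
]

# String literals (with '' escapes) and numeric literals.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
# Parenthesised lists of placeholders: IN (?, ?, ?) or VALUES (?, ?).
_PLACEHOLDER_LIST = re.compile(r"\(\s*\?(?:\s*,\s*\?)*\s*\)")
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', lists of
    placeholders collapse to '(?)', whitespace is normalised, case folded."""
    shape = _LITERAL.sub("?", sql)
    shape = _PLACEHOLDER_LIST.sub("(?)", shape)
    return _WS.sub(" ", shape).strip().lower()


def learn_baseline(statements: Iterable[str]) -> Set[str]:
    """Build the allowlist of statement shapes from a traffic baseline."""
    return {fingerprint(s) for s in statements}


# Structural patterns checked against the *fingerprint*, so that text inside
# string literals (already replaced by '?') cannot trigger a false positive.
# Order matters: the first match supplies the reason.
_SUSPICIOUS = [
    (re.compile(r";\s*\S"), "stacked statements"),
    (re.compile(r"\bunion\b\s+(?:all\s+)?select\b"), "UNION-based query tampering"),
    (re.compile(r"\bor\b\s+\?\s*=\s*\?"), "always-true comparison"),
    (re.compile(r"--|/\*"), "comment sequence inside statement"),
]


def inspect(sql: str, allowed: Set[str]) -> Tuple[str, str]:
    """Decide what to do with a statement before it is executed.

    Returns one of ("block", reason), ("alert", reason) or ("allow", reason).
    """
    shape = fingerprint(sql)
    for pattern, reason in _SUSPICIOUS:
        if pattern.search(shape):
            return ("block", reason)
    if shape not in allowed:
        return ("alert", "statement shape not seen in baseline")
    return ("allow", "matches baseline")


if __name__ == "__main__":
    allowed = learn_baseline(BASELINE)
    # Constructed sample traffic: three benign statements and two that a
    # firewall should stop (stacked statement, tautology in the WHERE clause).
    samples = [
        "SELECT id, name FROM customers WHERE id = 99",
        "SELECT id, name FROM customers WHERE id IN (7, 8, 9, 10)",
        "SELECT * FROM customers",
        "SELECT id, name FROM customers WHERE id = 1; DROP TABLE customers",
        "SELECT id, name FROM customers WHERE name = '' OR '1'='1'",
    ]
    for stmt in samples:
        verdict, why = inspect(stmt, allowed)
        print(f"{verdict:5s}  {why:40s}  {stmt}")
```

The design choice worth noting is that the structural checks run on the fingerprint rather than the raw text: a customer name containing `--` or `OR` is harmless once it has been folded into a `?`, which is how a firewall avoids alerting on legitimate data. The "alert" verdict for unseen shapes is deliberately softer than "block", because a newly deployed application feature will produce new shapes until the baseline is refreshed.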
Over the past few years, database encryption, both encryption of network data traffic and encryption of data “at rest,” has attracted much interest from database vendors, with Oracle offering its Transparent Data Encryption solution to encrypt data at both the column and the tablespace level. Microsoft, IBM and others offer strong data encryption capabilities as well.
Identity management continues to grow in importance as a central component of database security. Identity management, with its centralized control of database access and authorization, is a must for any decent-sized company that wants to enforce strong access controls. Most regulations and standards that form the regulatory landscape require strong centralized access and authentication controls, so there’s a natural push toward implementation of identity management products.
Identity management services, which offer immediate and visible gains such as fast user provisioning, are only the initial entry point in this area. Access management and fraud prevention systems are quickly becoming integral parts of an overall identity management framework.
Governance, Risk and Compliance
Regulatory compliance is going to drive even more innovation by all database vendors. IBM Rational AppScan (for Web application assessments) and Oracle Audit Vault and Database Vault are newer products (or acquisitions) geared toward the compliance and security arena. We can expect more developments in this area.
An increasingly common development in database software is the addition of built-in compliance features. Microsoft’s SQL Server 2008 introduced several new auditing and compliance features. Of the three components of GRC, compliance is still the leading player. Numerous security and privacy mandates have made compliance a big part of a CIO’s or CISO’s responsibilities. Several companies, both large and small, have come up with tools that help simplify and automate the compliance and auditing processes. Tools that consolidate disparate audit data in a centralized location and help you create useful reports are fairly common, and you can look forward to more innovative solutions in the GRC area due to the unrelenting pressure of audits and compliance requirements.
Cloud-Based Data Environment
Probably the biggest database trend that we’re going to see in the coming years will be the increasing move toward cloud-based database environments. Cloud computing offers a faster way to do things such as creating what-if scenarios, without the time delays inherent in provisioning extra server and storage capacity. Virtualization is already a major trend in databases and that’s going to speed up even more in the coming years. Securing databases both on the cloud and in virtual environments is going to receive increased attention in the coming months.
Increasingly, firms are realizing that while network security measures such as sophisticated firewalls, advanced routers and intrusion prevention systems have made system penetration by intruders increasingly difficult, Web applications and databases still expose them to several cyber dangers. Since critical data lives in the databases, firms must protect themselves not only from external but also from internal attacks, which are far more common than most of us assume.
Several companies, such as Imperva, Application Security and Sentrigo, offer good database security products, including database firewalls. While some of these products claim to search for thousands of known vulnerabilities, you must understand that the vast majority of these vulnerabilities have been fixed over time by newer releases of database software. While a good vulnerability assessment tool, or even a more expensive tool such as a database firewall, can certainly help, remember that there’s no better starting point for securing your databases than following best practices in the configuration and implementation of the databases themselves and of the rest of the technology stack: operating systems, Web applications and Web servers.
All Information Management content is archived after seven days.