Eric Ogren

Security Impact

Database security heating up

Database security is a promising segment, driven by compliance and the mandate to protect confidential data. While it is too early to feel comfortable with how database security will evolve and whether it will become a market, it is not too early to start sorting out vendor approaches. There are a few more companies and products coming on the scene soon - here is how I see the differentiation between host-based and network-based approaches.


+ Every approach needs to express its security policy and analysis of activity data in terms that the business managers can understand. Database security is critical to the business, so the interfaces need to support a business context.
+ Solutions should support at least activity auditing (including privileged users), vulnerability scanning, configuration change control, application security for Web front-ends, patch management or virtual patching, data leakage detection, and segregation of log file and administrative duties.
- I view products that act strictly off of log file data as rather poor. The security mechanisms lose all timeliness when relying on log data. Also, enabling database logging is a sure way to degrade application performance while producing reams of data that no one can use.


Host-based solutions have certain advantages, including the ability to secure local access, better insight into the workings of the database (e.g. security on the host can see what stored procedure calls are doing), and cost-effective protection of remote databases (compared with deploying boxes all over the planet). DBAs generally prefer host-based solutions as they don't have to coordinate with network infrastructure groups for installation and support.


Network-based solutions also have their advantages, including the ability to protect multiple databases in the datacenter from a single appliance, visibility of the entire transaction from front-end through to the database, the ability to discover newly deployed databases as soon as they appear on the network, and a clear segregation between the application and security. Network-based approaches fare well with active network and security teams, or in support of virtualized datacenters.


Most large shops will have a mix of host-based and network-based. There is just no way to watch local access from the network, and no way for the host to discover what is happening with its application servers. I believe the network is the best place to deploy independent auditing solutions, while the host is the best place to deploy integrated access control and configuration integrity.


There are new database security companies launching this summer. It will be interesting to watch the space heat up!

What People Are Saying

Another issue with deploying

Another issue with deploying network-based appliances is that if you have encryption on data-in-motion, you are either unable to monitor it, or you need to place the appliance in-line and provide them with the decryption/encryption keys - which is problematic for both latency and security reasons.