In-Depth

IPLocks Tackles Database Security

IPLocks takes a double play on securing databases. One analyst advises you look at your needs or you’ll strike out.

• By Chris DeVoney
• 08/21/2007

Application security has cropped up often in recent discussions with industry users and analysts. The reasons for such emphasis vary: clients demand more, networks have more sensors and do additional checking, and operating systems are better.

Relative to most of the IT chain, you can argue that applications have more exploitable vulnerabilities. The bottom-line answer, however, is that application security is important because the payoff at the end of the IT criminal’s rainbow is where the money is. The target is no longer just the applications—it's the database.

Every entity I know has valuable data. From an IT prospective, there is structured data (as in a database) and unstructured data (most everything else, including spreadsheets, word processing lists, graphics, and anything that fits into a flat file). Given the large amount of unstructured data versus the smaller amount of structured, but concentrated, data, I have no clue which has greater value—it will vary by company. I do know that databases represent a high-yield, high-value target when that structured data contains financial transactions in a single, harvestable collection point.

Given the effort required and the possible value of the outcome, do you break into a garage (a network) or a jewelry store’s vault (the databases)? More cyberthefts are concentrating on the latter.

With this in mind, I spoke with Adrian Lane of IPLocks, Inc. which makes security tools that work with databases, including IBM’s DB2, Oracle, Sybase, Microsoft’s SQL Server, and Hitachi's HiRDB. The product line has three prongs: vulnerability scanner, database monitoring, and compliance auditing.

Much of the initial interest by companies has been toward vulnerability scanning. After corporate acquisitions and disparate home-grown application efforts thrown together haphazardly, many consolidated IT departments flail about trying to patch up the database software and tighten security settings. Just discovering all of a company's databases can be an enlightening experience. Scanners offered by IPLocks do justice to both needs.

Like other companies in the database security market, IPLocks tries to emphasize the fine differences between database monitoring and auditing. Although both are post-event tasks, database monitoring watches activity for specific behaviors, usually in the context of security; compliance is a close second to real-time reaction. Auditing, on the other hand, is a comprehensive recording and analysis of database activity and is usually report-based. However, the analysis for spotting anomalies or assuring compliance usually lags by twelve or more hours. Monitoring is normally configured to trigger e-mails and control-console alerts, allowing closer to real-time remediation.

Security professionals and analysts with whom I’ve discussed this issue are split about which should take priority—monitoring or auditing. For compliance reasons, auditing is essential. For some companies, overnight runs of compliance-checking software are good enough. Some analysts and professionals, nevertheless, are keen on near-real-time response in order to either quicken the remediation response or prevent compliance violations and fraud.

IPLocks has large and small customers. Their biggest may be Softbank of Japan, whose Yahoo! Japan service can generate over 90 million user-account transactions a day that are filtered through their products.

Interestingly, U.S. companies have used compliance monitoring as the major motivator for purchasing the monitoring/auditing tools. Lane thinks PCI will be the major motivator in the immediate future for more sales. Overseas, and particularly in South America, fraud and theft prevention have been the driving force,.whether attributable to government or societal impetus is unclear, though I suspect both..

Scott Crawford, Enterprise Management Associate’s security and risk management research director, also sees compliance regulations driving the market; and Web and other attacks at the database level are increasing. He also says, "Information security risk is a huge problem because content is everywhere, but structured content [the databases] are the value or some of the most valuable content of corporations."

He also sees that IPLocks’ products map themselves well to enterprises; they scale and work well in distributed environments.

Crawford also sees the transition in IT organizations, from delivery of iron and operating systems to pushing more application layers and security/compliance reaching into the "platform." The emphasis on application infrastructure optimization is reflected not just in companies such as F5 and Citrix; others (such as Cisco) have entered the market.

Crawford’s has three recommendations for companies considering applications security:

• Application security is not optional.
• Attackers recognize that application security isn’t yet well practiced by companies and these variations represent opportunity.
• Content security is very challenging, but this doesn’t mean all problems must be solved at once. Use a stepwise approach with tangible, achievable goals, and make advancements accordingly.

That attackers are focusing on the money is obvious—and a lot of that money is structured data located in databases. Companies such as IPLocks offer tools that drill security deeper into the IT infrastructure where attackers are focusing. If your goal is to not appear as the next TJX, scrutinizing your needs and examining these tools are prudent steps.