Sitting Target - Database Security Goes To The Top Of The List
"There's an enormous movement under way for securing databases in light of regulatory requirements," said Gretchen Hellman, vice president of marketing and product management at Vormetric, a Santa Clara, Calif.-based database security vendor.
Of course, compliance as a security driver is hardly a new phenomenon: The Payment Card Industry (PCI) Data Security Standard, a set of requirements for securing cardholder data enacted in 2004, has been stimulating security deals for the past few years, and it continues to do so.
"PCI is still driving a lot of business," said Nick Puetz, director of security assessments at FishNet Security, Kansas City, Mo. "It contains a lot of requirements for application security and making sure things are being coded properly and being protected from the application layer."
Now there's a new driver, as the Health Insurance Portability and Accountability Act (HIPAA), long derided as toothless and ineffectual, has finally gained the enforcement measures it needed. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the 2009 American Recovery and Reinvestment Act (ARRA), took effect in November and augments HIPAA with stricter security and privacy measures governing electronic transmission of health-care data. More importantly, HITECH also calls for the nationwide disclosure of health-care data breaches and gives state attorneys general the power to sue companies on behalf of the state.
Health insurance firm Health Net is the first company to feel the impact of this particular aspect of HITECH. After a hard drive with personal data on 1.5 million customers went missing in May 2009, Health Net took six months to notify the Connecticut state attorney general's office. That's a big no-no under HITECH, and Connecticut Attorney General Richard Blumenthal sued Health Net in January for failing to disclose the breach--which affected 446,000 of his state's citizens--in a timely manner.
The stiff penalties ushered in by HITECH mean that security industry denizens who used to laugh at HIPAA aren't laughing anymore.
"The HITECH Act is helping HIPAA to grow teeth," Vormetric's Hellman said.
PCI, HIPAA, HITECH and state-enacted data protection laws such as the ones in Massachusetts and Nevada all require the encryption of data at rest, and that's where security VARs are seeing the most business right now. Many older databases don't have built-in encryption and, in the past, highly regulated verticals such as financial services would solve the problem by building encryption into the application layer, which is the layer attackers usually target.
"Database security is particularly problematic for older, legacy systems that were not designed with security mechanisms," said Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security solution provider. "Newer products have a lot of built-in security mechanisms that do not require special third-party adapters and such. But older Oracle or mainframe systems often require complex middleware to manage security controls and/or encryption."
The good news for VARs is that when it comes to storing data and acting as a repository for information, database systems don't phase out very quickly. In the enterprise, a system could be 25 years old and still be perfectly functional, according to solution providers.
Ed Moyle, analyst and co-founder of SecurityCurve, Amherst, N.H., says there are plenty of opportunities for solution providers to add encryption to legacy database platforms.
"Vendors are building security into their new products in response to customer demand, which is a logical step," said Moyle. "But for folks that bring that to legacy platforms, encryption is a big trend."
Good Guys Vs. Bad Guys
Hackers have successfully employed a variety of methods to penetrate databases. Last December's hack of social networking startup RockYou yielded the passwords of 32 million users. Later, it was discovered that the company had been storing users' login credentials in plain text, making the data susceptible to the classic SQL injection attack, a well-worn method hackers have been using for years.
The TJX hackers who absconded with credit card data on 45 million customers in 2007 found their way into the company's database through a poorly secured wireless network. Brute force password attacks have also proven effective at separating a company from its customer data.
Although blame usually lies with the companies, the reality is that securing databases requires multifaceted expertise encompassing the skills of developers, security experts and network administrators. And this combined pool of expertise is just the baseline of what's needed for keeping up with the accelerating evolution of database threats.
"Threats will continue to change. Particular to the database threat vector, we have seen many variants of SQL injection," said Greg Hanchin, principal of security integrator DirSec, Centennial, Colo.
To detect malfeasance, "You need to be able to check the Web application for HTTP behavior and how it interacts with the browser. And at the application to the Web browser and back, you need to do a database check to make sure the data hasn't been tampered with," Hanchin said.
Adrian Lane, analyst and CTO at Securosis, a Phoenix-based security research firm, says data theft is the principal worry with databases, but manipulation is also a growing problem.
"Attackers aren't just intruding into databases like the script kiddies of the past. Now they're dropping in backdoors and using very subtle ways to collect and manipulate data that avoid detection," Lane said. "That's why database security has become inherently detective as well as preventative."
Of the vendors that focus specifically on database security, Guardium and Imperva are two that occupy prominent spots on the radar of both security VARs and vendors. IBM in November bought Guardium, a pure-play vendor with deep experience in database security, picking up technology that identifies patterns and anomalies in data access and usage to detect fraud and maintain data integrity.
Security VARs say this deal could be the first of many to come as other vendors shift their attention to database security. IBM plans to use Guardium's technology to automate IT governance processes and comply with both PCI and HIPAA and will weave the company into its Information Management software group.
Redwood Shores, Calif.-based Imperva has a product portfolio that includes database security as well as a Web application firewall. In terms of database security technology, Imperva and Guardium are virtually indistinguishable, according to FishNet Security's Puetz.
"They really do go head-to-head, especially on the database side. We haven't seen anyone say that one is blowing the other out of the water from an engineering standpoint," Puetz said. "They're both high-quality products, so it really comes down to the relationship the vendor has within the account."
It may have taken government involvement, but database security has finally become a top priority for companies that house customer data. Perhaps this is the result of endless negative headlines about companies losing hard drives or having laptops stolen from their mobile employees. No matter why, security VARs are pleased to see this trend--and not just for financial reasons. It's because in many ways, database security reflects the core principle of IT security itself: keeping valuable assets as protected as possible.