In November 2009, IBM announced its acquisition of Guardium, a privately held company based in Waltham, Mass., and the planned integration of Guardium’s Database Activity Monitoring (DAM) technology into IBM’s Information Management and Business Analytics and Optimization initiatives. Financial terms were not disclosed.
Aberdeen’s research shows not only that DAM represents the most widely used non-native database security technology, but also that DAM users actually experienced fewer audit deficiencies and fewer incidents of data loss or data exposure than non-DAM users over the last 24 months. Guardium’s real-time database monitoring and protection solution is designed to help its enterprise customers:
- continuously monitor database access and activity, safeguarding critical data in production, test, development, training and even archival environments against threats from both external and internal sources;
- automate and streamline regulatory compliance tasks, reducing the ongoing cost of sustaining compliance with ever-changing industry and government mandates such as HIPAA, the European Data Protection Directive, the U.S. federal government’s NIST 800-53 standard, and the PCI Data Security Standard; and
- support the most widely used databases and application frameworks (both IBM and non-IBM) running on all major computing platforms, enabling the detection of unauthorized access and fraud from enterprise applications such as ERP, CRM or data warehousing.
The acquisition of Guardium extends IBM’s business analytics strategy, which has been backed by an overall investment of more than US$12 billion in acquisitions and organic growth. IBM’s recently announced Business Analytics and Optimization Consulting organization, for example, incorporates 4,000 consultants across a network of business analytics solution centers.
Guardium also marks the 28th acquisition in support of IBM’s Information Management initiative, which has more than 35,000 experts dedicated to helping IBM customers use information as a strategic asset to transform their business. The combination of IBM and Guardium technology is intended to help organizations safely realize the promise of business analytics and use information which is trusted throughout its lifecycle to drive smarter business outcomes.
Attention on the Market
Companies give high priority to protecting their databases because databases are the repositories for a significant percentage (nearly two-thirds, based on Aberdeen’s benchmark research) of the sensitive information that must be protected as part of any organization’s overall approach to security, risk management and compliance. For many companies, “protecting the database” actually means protecting multiple databases, supported by multiple database management systems (DBMSs), running on multiple computing platforms, supporting multiple enterprise applications, located in multiple physical locations, and managed by multiple database administrators (DBAs). The fact that a wide range of database security technologies are currently available in the market confirms two points:
- First, that database security is a high priority for buyers, as solution providers are naturally motivated to invest and innovate to address the market’s most important problems.
- Second, it speaks to the complexity and diversity of the typical enterprise database environment, where a single technical approach cannot address the unique mix of requirements for every organization.
Solutions that address security and compliance requirements with minimal impact on performance, minimal changes to existing applications, and low cost of ownership will gain their fair share of a growing market. Based on the findings from previous Aberdeen research, the real payoff is that Best-in-Class organizations are successfully supporting their security, risk management and compliance requirements for protecting the database — for more complex database environments — while minimizing operational impact and total cost.
Aberdeen’s research has shown that in absolute terms, native security capabilities provided within the DBMS itself and database activity monitoring (DAM) were highest in terms of current use. In relative terms, however, the broadest gap between the leading performers and lagging performers in the use of enabling technologies was in some form of encryption or obfuscation of critical data (e.g., database encryption, specialized data vaults, format-preserving encryption, data masking, and data tokenization). In general, Aberdeen’s research indicates that the strongest market interest is in non-native database security capabilities — once again, a nod to the complexity and heterogeneity of typical environments.
What About Results?
An analysis of 23 users of IBM database solutions (DB2 or Informix) from Aberdeen’s “Protecting the Database” study shows that current IBM customers are already using DAM technologies to a higher degree than all respondents by a factor of 1.67. IBM’s move to enhance its database security capabilities by incorporating DAM into its Information Management Software portfolio therefore seems well-aligned with market demand from its own customer base. In addition, Guardium’s heterogeneous support for the most popular databases, application frameworks and computing platforms paves the way for new opportunities for IBM’s armies of information management and business analytics consultants in the broader database security market.
DAM was found to represent the most widely used non-native database security solution … but does it actually correlate with achieving better results? In the context of protecting payment card information, an analysis of 46 DAM users and 47 non-DAM users from a recent Aberdeen study shows that over the last 24 months, users of DAM solutions did in fact experience fewer audit deficiencies and fewer incidents of data loss or data exposure in the most relevant of the 12 high-level security requirements defined by the PCI DSS.
In one of these requirement areas, protecting stored cardholder data, 15 percent of DAM users in Aberdeen’s PCI DSS study experienced an audit deficiency or a data loss/data exposure incident within the last 24 months, compared to 27 percent of non-DAM users. DAM users experienced similar advantages over non-DAM users in the requirement areas of developing and maintaining secure systems and applications and tracking and monitoring all access to network resources and cardholder data.
In a separate Aberdeen report on log, information and event management, the top performers were 1.7 times more likely to have begun integrating data from DAM solutions, and twice as likely to have deployed network behavior analysis solutions as part of their efforts to monitor network activity, bandwidth and protocol usage to flag new, unknown or abnormal patterns that might indicate the presence of a threat. Looking ahead, the most valuable IT security professionals will be those who can successfully interpret the implications of security-related logs, activities, information and events, and more importantly who can successfully drive actions that positively impact the business.
The Proactive Approach
IBM’s acquisition of Guardium brings to light the role of database activity monitoring solutions in aggregating, normalizing and correlating data from heterogeneous systems and generating real-time alerts on violations of policy. Aberdeen’s research shows not only that DAM represents the most widely used non-native database security technology, but also that DAM users actually experienced fewer audit deficiencies and fewer incidents of data loss or data exposure over the last 24 months.
Beyond the mere use of enabling technologies, however, Aberdeen’s research has made it very clear that the companies with top performance in protecting the database have a proactive, committed approach with respect to the policy, planning, process, and organizational elements of implementation.
The more laissez-faire approach taken by lagging performers just does not get the job done. This is by no means a new concept; setting aside the events and circumstances we cannot control, we get the database security we deserve, based on our investments and our actions.
Derek E. Brink is vice president and research fellow for IT security at Aberdeen Group. Nathaniel Rowe is a research associate for IT security at Aberdeen.