Database activity monitoring helps them know who's accessing data.
The need to secure databases isn't new, but with the rapid growth of multivendor, multi-instance database environments, it's becoming increasingly difficult for companies to tell whether queries are coming from authorized applications and users, or from unauthorized snoops or even malicious attackers.
Companies also are owning up to long-standing security blind spots, such as database administrators who play multiple roles, viewed as one part system administrator, one part developer. These privileged super-users work with sensitive data frequently, and with that freedom comes the potential for accidental or intentional abuse.
One of the most promising technologies for staying on top of this state of affairs is database activity monitoring, or DAM. These systems let companies monitor database events, in real time if they want, in hopes of responding to unauthorized activity. Some DAM products provide features for privileged-user monitoring and basic database auditing, two areas that have been underserved.
These products are still expensive; appliances run $25,000 to $50,000 each, while agent-based offerings cost $5,000 to $25,000 per database. There are tough architectural decisions to be made, especially for distributed enterprises. Expect some turf warfare among database, network, and security teams. But seeing as our databases are increasingly attack targets, a DAM system might be worth the investment.
DAM products monitor SQL activity in real time across multiple database platforms and generate alerts based on policy violations. The systems can aggregate and to some degree correlate activity from multiple database products, including Microsoft SQL Server and Oracle. Some products also provide the additional benefit of monitoring and storing records of activity outside the target databases, which can come in handy if the systems housing those databases are compromised.
Three Categories Of DAM
Systems can be grouped into three categories: Network monitoring, local agent monitoring, and remote monitoring.
Network monitoring products are typically appliances. With them, you need to consider if you want to do active or passive network monitoring.
In an active or inline setup, the appliance sits between the target database and the network infrastructure, and all SQL activity passes through the appliance before it reaches the database server. The DAM appliance looks for policy violations using pre-set rules, very similar to how intrusion-prevention systems work, with similar trade-offs. An active model lets IT go beyond just auditing and monitoring to proactively putting a halt to questionable activities. The downside is that it can hurt database performance, limit database scalability, and potentially disrupt service with false positives.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.