Companies are also owning up to long-standing security blind spots, such as database administrators who play multiple roles: part system administrator, part developer. These privileged superusers work with sensitive data constantly, and with that freedom comes the potential for accidental or intentional abuse.
One of the most promising technologies for staying on top of this state of affairs is database activity monitoring, or DAM. These systems let companies monitor database events, in real time if they choose, so that unauthorized activity can be spotted and responded to. Some DAM products also provide privileged-user monitoring and basic database auditing, two areas that have been underserved.
These products are still expensive; appliances run $25,000 to $50,000 each, while agent-based offerings cost $5,000 to $25,000 per database. There are tough architectural decisions to be made, especially for distributed enterprises. Expect some turf warfare among database, network, and security teams. But seeing as our databases are increasingly attack targets, a DAM system might be worth the investment.
DAM products monitor SQL activity in real time across multiple database platforms and generate alerts on policy violations. The systems can aggregate, and to some degree correlate, activity from multiple database products, including Microsoft SQL Server and Oracle. Some products also keep their records of activity outside the target databases, which preserves the audit trail if the systems housing those databases are compromised: an attacker who owns the database server cannot quietly edit or delete logs that were never stored there.
Three Categories Of DAM
Systems can be grouped into three categories: network monitoring, local agent monitoring, and remote monitoring.
Network monitoring products are typically appliances. With them, you need to decide whether you want active or passive network monitoring.
In an active, or inline, setup the appliance sits between the target database and the network infrastructure, and all SQL activity passes through the appliance before it reaches the database server. The appliance checks each statement against preset rules for policy violations, much as an intrusion-prevention system does, with similar trade-offs. An active model lets IT go beyond auditing and monitoring to actually blocking questionable activity. The downside is that it can hurt database performance, limit database scalability, and disrupt service when a false positive blocks a legitimate query.
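To make the policy-based monitoring described above concrete, here is an added example that is not code from the article or from any DAM vendor. It is a small Python monitor that classifies SQL statements with a heuristic regex, applies four policy rules (privileged-user access to sensitive tables, privilege or schema changes, bulk reads without a WHERE clause, and off-hours access), and runs in either passive mode (alert, let the statement through) or inline mode (block the statement before it reaches the database). The event records, user names, hosts, table names and the business-hours window are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of what a DAM sensor would see: who ran what, from where, and when.
# Every value here is made up for the example; none comes from the article.
SAMPLE_EVENTS = [
    {"ts": "2024-05-06T10:15:00", "db": "payroll", "user": "app_svc", "host": "10.0.5.20",
     "sql": "SELECT name, amount FROM salaries WHERE emp_id = 4417"},
    {"ts": "2024-05-06T23:40:00", "db": "payroll", "user": "dba_jsmith", "host": "10.0.9.3",
     "sql": "SELECT * FROM salaries"},
    {"ts": "2024-05-06T11:02:00", "db": "payroll", "user": "dba_jsmith", "host": "10.0.9.3",
     "sql": "GRANT ALL PRIVILEGES ON salaries TO intern_bob"},
    {"ts": "2024-05-06T11:05:00", "db": "crm", "user": "app_svc", "host": "10.0.5.21",
     "sql": "UPDATE customers SET email = 'x@y.example' WHERE id = 9"},
    {"ts": "2024-05-06T02:10:00", "db": "crm", "user": "report_ro", "host": "10.0.7.8",
     "sql": "SELECT * FROM customers"},
]

# Assumed policy inputs: which accounts are privileged, which tables hold sensitive data,
# and what counts as business hours (08:00 to 18:59).
PRIVILEGED_USERS = {"dba_jsmith"}
SENSITIVE_TABLES = {"salaries", "customers"}
BUSINESS_HOURS = range(8, 19)

# Heuristic SQL classification: enough for policy rules, not a real SQL parser.
# A JOIN ... ON a.id = b.id would wrongly pick up "a.id" as a table; a production
# DAM uses a proper parser per database dialect.
_VERB_RE = re.compile(
    r"^\s*(SELECT|INSERT|UPDATE|DELETE|GRANT|REVOKE|DROP|ALTER|CREATE|TRUNCATE)\b", re.I)
_TABLE_RE = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE|ON|TABLE)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.I)


def classify(sql):
    """Return (statement verb, set of referenced table names) for one statement."""
    m = _VERB_RE.match(sql)
    verb = m.group(1).upper() if m else "UNKNOWN"
    tables = {t.lower() for t in _TABLE_RE.findall(sql)}
    return verb, tables


def has_where(sql):
    return re.search(r"\bWHERE\b", sql, re.I) is not None


def evaluate(event):
    """Apply the policy rules to one event; return the names of the rules it violates."""
    verb, tables = classify(event["sql"])
    hour = datetime.fromisoformat(event["ts"]).hour
    sensitive = tables & SENSITIVE_TABLES
    hits = []
    # Rule 1: privileged-user monitoring. Any DBA touch on sensitive data gets an audit record.
    if event["user"] in PRIVILEGED_USERS and sensitive:
        hits.append("privileged-user-sensitive-access")
    # Rule 2: privilege or schema change on a sensitive table.
    if verb in {"GRANT", "REVOKE", "DROP", "ALTER", "TRUNCATE"} and sensitive:
        hits.append("privilege-or-schema-change")
    # Rule 3: bulk read of a sensitive table (no WHERE clause), the shape of a data dump.
    if verb == "SELECT" and sensitive and not has_where(event["sql"]):
        hits.append("bulk-sensitive-read")
    # Rule 4: sensitive-table access outside business hours.
    if sensitive and hour not in BUSINESS_HOURS:
        hits.append("off-hours-sensitive-access")
    return hits


def monitor(events, mode="passive"):
    """Passive mode mirrors an out-of-band tap: every statement is allowed, violations alert.
    Inline mode sits in the path: a violating statement is blocked before it reaches the database.
    Returns a list of (user, action, violated_rules) tuples."""
    decisions = []
    for ev in events:
        hits = evaluate(ev)
        if hits and mode == "inline":
            action = "BLOCK"
        elif hits:
            action = "ALERT"
        else:
            action = "ALLOW"
        decisions.append((ev["user"], action, hits))
    return decisions


if __name__ == "__main__":
    for mode in ("passive", "inline"):
        print(f"--- {mode} ---")
        for user, action, hits in monitor(SAMPLE_EVENTS, mode):
            print(f"{action:5} {user:12} {', '.join(hits) or '-'}")
```

Running it shows the trade-off the text describes: in passive mode the DBA's `SELECT * FROM salaries` at 23:40 only raises an alert, while in inline mode the same rules block it before the server sees it. Rule 4 is also where the false-positive risk lives. A legitimate nightly reporting job run by `report_ro` trips the off-hours rule, and in inline mode that means a blocked job rather than a ticket for someone to review in the morning, so rules that feed an inline appliance need tighter conditions (expected hosts, expected accounts, maintenance windows) than rules that only alert.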