Database security: protecting the crown jewels

Combined with its database vulnerability features, Guardium has helped his organisation carry out separation of duties, wherein administrators can't have access to the critical data itself, catch and block attempted SQL injections and other pests, repair systems, and finetune access control policy.

Guardium also gets close to the database while not in the database. In this case, it resides in the database's underlying operating system to avoid impact on performance.

In yet another approach, appliance-based IPS-like devices are being stood up in front of databases. This approach works well for a web-front-end business, such as Intuition Systems, a Florida-based national payment processing firm for government agencies and utilities.

"We originally wanted to see what traffic is happening from our website, but also began to use it to protect against insider threat," says system manager Kevin Alwood, who's organisation uses Imperva to watch the database and web server connections.

On the database side, his team can monitor user IDs running, the queries they were running, what tables they were accessing, and compare that to their permissions, he says. And on the web application side, they can see attempted scans and intrusions - which can be blocked based on location and other rules.

Ultimately, database security controls will need to tie into management infrastructures that support database monitoring, system hardening, and encryption and access control rules. Beyond that, they'll need to tie into larger overall data loss prevention and security information management frameworks.

This eventuality makes vendor-agnostic frameworks an appealing option. Novell's Sentinel offerings (identity and access management, threat and vulnerability management) answer this need.

"The issue is, how do you ensure that the databases themselves are fortresses in this complex, layered environment?" says Nick Nikols, vice president of identity and security products at Novell. "To do this, you need an understanding of identity-based events through your SIM."

How to proceed depends on what's in your database and how you want to protect it, says Purdue's Clifton. "Unfortunately, to do it right, the database security configuration is more complex than the data itself," he adds.