Sarbox drives database-security solutions development, adoption
By Roberto Michel, Senior contributing editor -- Manufacturing Business Technology, 6/1/2006 12:00:00 AM
Yet another kind of software is hardly what most CIOs want, but when it comes to control over data as part of Sarbanes-Oxley (Sarbox) compliance, another layer just may be in order. Database security solutions, say vendors and at least one analyst, can monitor access trends and database changes, automatically creating detailed audit reports.
"The first concern with compliance was in meeting an auditor's requirements, no matter what it took, but now, companies want to find ways of doing that more efficiently," says Phil Neray, a VP with Guardium, a database security vendor. "Automating the generation and distribution of reports is a big part of the answer."
Guardium's solution consists of a network-based server "appliance" that runs the security software separately from the databases being monitored, and the software itself, which scans all activity—including unusual access trends—and generates reports for third-party auditors or internal security officers. The benefits of the solution, says Neray, include less administrative work for IT staff—which would need to cobble together reports—and avoiding the performance drag from using native monitoring tools within databases.
"For many midmarket companies, producing these reports would take additional staff and effort, so much so that the only way to do it efficiently is with a solution that monitors the data, generates the needed audit reports, and automatically distributes the reports," says Neray.
Noel Yuhanna, a senior analyst with Cambridge, Mass.-based Forrester Research, says other database security vendors include Application Security, Imperva, IPlocks, Lumigent, and Tizor. These smaller players also compete with security software and storage giant Symantec. In essence, says Yuhanna, database-security software constantly "sniffs" database activities and handles reporting. Some solutions lean toward intrusion detection, while others focus on compliance and audit reporting, though some offer a blend of both.
Yuhanna confirms that a key advantage to these solutions is that they avoid the heavier computing load from the use of native auditing tools. What's more, he says, the solutions can monitor multiple databases. "Even a midsize company with $100 million in annual revenue might have interest in one of these solutions, but generally, the larger companies with the most interest are going to have multiple databases, so they need an automated solution that monitors heterogeneous database environments," he says.
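As an added illustration of what the monitoring described above amounts to in practice, the following is example code written for this article, not Guardium's or any other vendor's software: it takes constructed activity records of the kind an out-of-band monitor captures from the wire (the record format, account names, hosts and business-hours window are all assumptions), tallies activity per database, and flags the changes and unusual access an auditor would ask about.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of captured database activity (assumed format):
# timestamp|database|account|client host|statement
SAMPLE_ACTIVITY = """\
2006-05-02T09:14:03|erp_prod|app_svc|10.1.2.20|SELECT amount FROM gl_entries WHERE period='2006-04'
2006-05-02T09:15:11|erp_prod|app_svc|10.1.2.20|INSERT INTO gl_entries VALUES (4711, '2006-04', 1250.00)
2006-05-02T22:41:57|erp_prod|dba_jsmith|10.1.9.77|UPDATE gl_entries SET amount=amount*1.01 WHERE period='2006-04'
2006-05-03T02:03:30|erp_prod|dba_jsmith|10.1.9.77|ALTER TABLE gl_entries DROP COLUMN approved_by
2006-05-03T10:02:14|hr_prod|payroll_svc|10.1.2.31|SELECT salary FROM employees
"""

APP_ACCOUNTS = {"app_svc", "payroll_svc"}       # assumed: accounts the applications use
CHANGE_VERBS = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "CREATE", "GRANT", "REVOKE"}
SCHEMA_VERBS = {"ALTER", "DROP", "CREATE", "GRANT", "REVOKE"}
BUSINESS_HOURS = range(7, 20)                   # assumed: 07:00-19:59 is normal access time

def parse_activity(text):
    """Turn captured lines into records; the monitor never touches the database itself."""
    records = []
    for line in text.splitlines():
        ts, db, user, host, stmt = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "db": db,
                        "user": user, "host": host, "stmt": stmt})
    return records

def audit_report(records, app_accounts):
    """Per-database activity counts plus findings: data changes made outside the
    application accounts, schema or privilege changes, and off-hours access."""
    per_db = defaultdict(int)
    findings = []
    for r in records:
        per_db[r["db"]] += 1
        verb = r["stmt"].split(None, 1)[0].upper()
        reasons = []
        if verb in CHANGE_VERBS and r["user"] not in app_accounts:
            reasons.append("direct change by non-application account")
        if verb in SCHEMA_VERBS:
            reasons.append("schema or privilege change")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((r["ts"].isoformat(), r["db"], r["user"], verb, reasons))
    return {"activity_per_db": dict(per_db), "findings": findings}

def run_sample():
    return audit_report(parse_activity(SAMPLE_ACTIVITY), APP_ACCOUNTS)

if __name__ == "__main__":
    for finding in run_sample()["findings"]:
        print(*finding)
```

Because the records come from captured traffic rather than the database's own audit tables, the same code reports across several databases (here erp_prod and hr_prod) without adding load to any of them.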
Waltham, Mass.-based Data Intensity, which offers application hosting and other managed services, has begun using Guardium's solution for its clients, including Lydall, a $300-million, Manchester, Conn.-based manufacturer of specialty engineered products. Kevin Kennefick, president and CEO of Data Intensity, says the company's customer advisory board recommended adding a database security layer to simplify data governance and Sarbox auditing.
One client, says Kennefick, spent between $60,000 and $100,000 to set up audit reports without the benefit of an automated solution, and was looking at an ongoing annual cost of $60,000. The Guardium solution, he adds, avoids these costs because consultants don't need to be hired to create the reports.
"A database security solution is going to mean fewer administrative tasks, and less consulting overhead," says Kennefick. "Our customer advisory board urged us to go this route because they were getting killed [by the cost of creating audit reports on their own]."