When choosing a security solution, what you need to consider.
If you want to have custom software developed, who would you contact? If you needed a database security product, who would you call? The database vendor? A big security vendor? A small security startup? Would Cisco or Juniper make your list?
It’s an interesting question to which I am always looking for input or perspective. I certainly have some ideas on the subject, but as every company environment is different there is no ‘right’ answer for the market in general. You can, however, weed out a few things you should NOT do. What got me in a recent snit was discovering that a couple of companies who have purchased network and/or appliance based database security solutions are less than happy. OK, no surprise, but when I learned that these same companies had contacted their vendors to write custom software to overcome the issues I just about blew a gasket. Why on earth would you work with an appliance vendor to make software, especially network appliance people working on database software? That is absolutely nuts!
Some background: When IPLocks introduced the Database Monitoring Suite, the competition was mostly network based Intrusion Detection Systems (IDS) and agent based System Event Management (SEM) vendors. Over time, the IDS evolved into more database aware network solutions, and Database Activity Monitoring (DAM) was born. Later, as these network based DAM appliances missed too many events, the Appliance/Agent DAM combo arrived on the scene. It still falls short, so now we are seeing the migration from network appliance to full blown software solution.
Why?
#1 Cost – The biggest reason. Those $100k appliances are an expensive way to cover databases, and in a geographically dispersed environment, simply untenable.
#2 Unfit for purpose. The market has changed, and no matter how many appliances you throw at the problem, they are not going to address PCI compliance.
#3 Virtualization can obviate network scanners. If you are not thinking along these lines, you need to be. Depending upon your virtualization model, you may render your IDS and DAM appliances completely irrelevant.
#4 Context. Peer based software solutions do not miss transactions that are invisible to network sniffers, and can also catch activity that is invisible to external protocol based agents. Peerage to the database not only addresses this deficiency but also provides a referential medium for dynamic adjustments to remediation.
#5 Flexibility of software. The network is a simple ‘lowest common denominator’ on which to build a quick and cheap scanner, but appliances do not adapt as quickly as software, which can be adjusted in far less time and at far lower cost as IT environments change.
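To make the visibility gap in #4 concrete, here is a small simulation I have added to this post; it is not IPLocks code or any vendor’s product, and every name in it (the `DatabaseServer` class, the `purge_cards` procedure, the `card` table and its sample row) is constructed for illustration. A sniffer-style monitor records only the request text that crosses the network, while a peer-style monitor hooks the database engine itself (here SQLite’s statement trace callback) and records every statement the engine actually runs. Two kinds of activity fall through the network view: statements executed inside a stored procedure, and a session that never touches the wire, such as a local console login.

```python
import sqlite3

# Constructed simulation of the two monitoring vantage points described above.
# The "network" view only sees request text sent over TCP; the "peer" view
# is wired into the engine and sees every statement it executes.


class DatabaseServer:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        # Peer monitor: SQLite calls this for every statement it runs.
        self.peer_log = []
        self.conn.set_trace_callback(self.peer_log.append)
        # Network monitor: only what a sniffer on the TCP path would capture.
        self.network_log = []
        # Constructed sample schema and data (not from the post).
        self.conn.execute("CREATE TABLE card (id INTEGER PRIMARY KEY, pan TEXT)")
        self.conn.execute("INSERT INTO card VALUES (1, '4111111111111111')")
        self.peer_log.clear()  # ignore setup statements
        # Hypothetical stored procedure: one request on the wire, several
        # statements inside the engine.
        self.procedures = {"purge_cards": self._purge_cards}

    def _purge_cards(self):
        self.conn.execute("SELECT pan FROM card")  # reads every PAN
        self.conn.execute("DELETE FROM card")

    def handle_request(self, channel, request):
        """channel is 'tcp' (visible to the sniffer) or 'local' (a console
        session on the host that never crosses the network)."""
        if channel == "tcp":
            self.network_log.append(request)
        if request.startswith("CALL "):
            name = request[len("CALL "):].rstrip("()")
            self.procedures[name]()
        else:
            self.conn.execute(request)


def run_scenario():
    """Replay a constructed session and return (network_view, peer_view)."""
    server = DatabaseServer()
    # A remote application call: the sniffer sees the CALL, not its body.
    server.handle_request("tcp", "CALL purge_cards()")
    # A local DBA session: the sniffer sees nothing at all.
    server.handle_request("local", "SELECT pan FROM card WHERE id = 1")
    return list(server.network_log), list(server.peer_log)


def missed_by_network(network_view, peer_view):
    """Statements the engine executed that never appeared on the wire."""
    return [stmt for stmt in peer_view if stmt not in network_view]


if __name__ == "__main__":
    net, peer = run_scenario()
    print("network monitor saw:", net)
    print("peer monitor saw:   ", peer)
    print("missed by network:  ", missed_by_network(net, peer))
```

The `missed_by_network` list is the point: the sniffer logs a single `CALL purge_cards()` and nothing for the local session, while the peer monitor logs the `SELECT` and `DELETE` run inside the procedure and the local query. Encrypted client connections produce the same gap for the network view, although this simulation does not model them.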
Software development should not be taken lightly
I have been preaching for a long time that for certain types of issues, looking at the network is an efficient way to provide security, but it is wholly unfit for other types of security. Typically packet inspection is inappropriate for Database Security and Compliance. The lack of visibility into all activity and the lack of contextual understanding require a solution that sits above the network layer, or at least a combination of network and peer based scrutiny. But this is not just about market appropriateness!
While the software architect in me has been very amused, smug even, as I watch other vendors alter their architecture every 12 to 18 months, there is a different dimension to this. IPLocks experimented with appliances prior to our first product delivery, but dismissed the idea in 2002. We went with a software only solution and decided on our architecture at that time. However, that meant a complete systemic overhaul of engineering staff, tools and process! Any software development manager will tell you that appropriate engineering team skill sets, QA, appropriate development processes and depth of domain experience are critical. Any single deficiency can completely break a project. Throw architectural deficiencies on top, and the migration from appliance to software, from network to database, is a very risky proposition to invest in.
Don’t get me wrong, in some cases appliances are the right solution. In other cases software may be right for you. It really depends upon your security and compliance goals, as well as the quality of the offering. But if you want database security software, asking a network monitoring vendor is really asking for trouble.