Volume 9, Number 17 -- April 28, 2009

Guardium Adds DB2/400 Support to Database Security Tool

Published: April 28, 2009

by Alex Woodie

Guardium has added support for DB2/400 (DB2 for i) to its database security software, the company announced this month. Guardium's software monitors all major database management systems in real time for signs of unauthorized or malicious activity from internal and external threats, such as malevolent DBAs and SQL injection attacks. The software does not affect database performance and provides another layer of protection for critical business systems on top of traditional network security tools, the company says.

As a follower of strong IT security practices, you know that nothing can protect you from all threats, and therefore you must build multiple overlapping layers to provide the full level of protection for your organization's valuable data and applications. If your IT shop is connected to the Internet (and whose shop isn't these days), you undoubtedly have installed a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) to provide a layer of separation from internal systems and the big, bad external network.

While firewalls, IPSs, and IDSs play a critical role in network security, they are not effective in detecting internal threats, such as the system administrator who didn't get a raise this year and is running roughshod over a database. More than 70 percent of threats to databases come from within an organization, according to Forrester.

Similarly, SQL injection attacks--which, according to a recent IBM X-Force report, are quickly becoming one of the preferred ingress routes for hackers looking to break into corporate computer systems from the outside--can also be tough to spot using traditional network security apparatus.

Guardium says it can help companies block both of these security threats by guarding an oft-overlooked component of their IT infrastructure--the database layer.

"The key issue for database security is that most companies have no visibility into what's really going on with their database," says Phil Neray, Guardium's vice president of marketing. "They don't really know who's accessing those databases, and they don't have any mechanisms for identifying unauthorized or suspicious activity."

Guardium gives customers better visibility into database activities in a couple of ways. First, it provides real-time protection by running all database transactions through policy-based controls and anomaly detection routines. It also creates an audit trail of all database activities, including the "who, what, when, where, and how" of each transaction, which even native database logging software has a tough time providing.

Relying on a packaged database management system's native logging facilities can give a false sense of security, according to Neray. "Any administrator who wants to cover their tracks can easily change what's stored in that system or simply disable it," he says. "Anybody with system-level access can do whatever they want. They can look at credit card data. They can delete a table."

Similarly, manually implementing database controls can be expensive. "Many companies have some controls in place, but they're manual and script based and they take a lot of time to look through these logs and figure out exactly what went wrong," he says.

On most systems, Guardium bypasses a platform's native logging facilities and does its own database monitoring instead, ensuring that its audit trail is tamper-proof and complete. The company has created a series of lightweight, host-resident probes that relay data to the Guardium analysis component, which is delivered as a pre-configured appliance or a "virtual" appliance residing in VMware. S-TAPS provide database monitoring for databases running on open systems platforms, while Z-TAP was developed for the mainframe. The probes cause a 2 to 4 percent performance hit on the database servers, the company says.

Guardium does things a little bit differently on the System i server and actually uses the local journaling facility that's native to i OS (i5/OS), Neray says. "On the AS/400 we're actually relying on the journaling facility, except we're exporting it into our system, and then analyzing it and producing reports from there."

While relying on i OS journaling could theoretically enable a malicious admin to shut down database monitoring, doing so would require turning off journaling, which would raise some giant red flags. Just the same, Guardium may choose to develop a native i probe, a la the Z-TAP developed for the mainframe, if customer demand on the platform is strong enough. They could even call it the I-TAP.

It is true that the System i server's journaling facility enables it to keep and maintain an accounting of database transactions that is arguably more thorough and tamper-resistant than most platforms. In that sense, the benefits provided by Guardium are marginal.

However, when you factor in the work required to manually parse through the data or build your own power tool, the benefits start to tip in Guardium's favor. When you consider that Guardium already supports all the major database platforms you're likely to run into--including all flavors of IBM DB2 and Informix, Oracle 8i through 11g, Microsoft SQL Server 2000 through 2008, MySQL, Teradata, and Sybase--then you can see where Guardium can give you a decided scalability advantage.

"Most companies have a mixture of different database platforms and servers. We provide a centralized audit repository for all our platforms," Neray says. "Many companies are implementing our solution not just because it's a more effective way of catching unauthorized access, but also because it saves money."

Guardium, which is based in Waltham, Massachusetts, was founded in 2002, and is currently in the growth phase of its business. The company says its software is used in about 450 data centers around the world, with heavy concentration among Fortune 100 firms, including three of the top four global banks, three of the top five insurers, and two of the top three global retailers. Many of these organizations use the System i in addition to other platforms, and they requested that Guardium add i OS support to give them broader coverage of their databases.

Guardium is currently on version 7. The security solution starts at about $75,000. For more information, visit www.guardium.com.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2009 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
