Guardium Adds DB2/400 Support to Database Security Tool
April 28, 2009 Alex Woodie
Guardium has added support for DB2/400 (DB2 for i) with its database security software, the company announced this month. Guardium’s software monitors all major database management systems in real time for signs of unauthorized or malicious activity from internal and external threats, such as malevolent DBAs and SQL injection attacks. The software does not affect database performance and provides another layer of protection for critical business systems on top of traditional network security tools, the company says.
As a follower of strong IT security practices, you know that nothing can protect you from all threats, and therefore you must build multiple overlapping layers to provide the full level of protection for your organization’s valuable data and applications. If your IT shop is connected to the Internet (and whose shop isn’t these days), you undoubtedly have installed a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) to provide a layer of separation from internal systems and the big, bad external network.
While firewalls, IPSs, and IDSs play a critical role in network security, they are not effective in detecting internal threats, such as the system administrator who didn’t get a raise this year and is running roughshod over a database. More than 70 percent of threats to databases come from within an organization, according to Forrester.
Similarly, SQL injection attacks–which, according to a recent IBM X-Force report, are quickly becoming one of the preferred ingress routes for hackers looking to break into corporate computer systems from the outside–can also be tough to spot using traditional network security apparatus.
Guardium says it can help companies block both of these security threats by guarding an oft-overlooked component of their IT infrastructure–the database layer.
“The key issue for database security is that most companies have no visibility into what’s really going on with their database,” says Phil Neray, Guardium’s vice president of marketing. “They don’t really know who’s accessing those databases, and they don’t have any mechanisms for identifying unauthorized or suspicious activity.”
Guardium gives customers better visibility into database activities in a couple of ways. First, it provides real-time protection by running all database transactions through policy-based controls and anomaly detection routines. Second, it creates an audit trail of all database activities, including the “who, what, when, where, and how” of each transaction, which even native database logging software has a tough time providing.
Relying on a packaged database management system’s native logging facilities can give a false sense of security, according to Neray. “Any administrator who wants to cover their tracks can easily change what’s stored in that system or simply disable it,” he says. “Anybody with system-level access can do whatever they want. They can look at credit card data. They can delete a table.”
Similarly, manually implementing database controls can be expensive. “Many companies have some controls in place, but they’re manual and script based and they take a lot of time to look through these logs and figure out exactly what went wrong,” he says.
On most systems, Guardium bypasses a platform’s native logging facilities and does its own database monitoring instead, ensuring that its audit trail is tamper-proof and complete. The company has created a series of lightweight, host-resident probes that relay data to the Guardium analysis component, which is delivered as a pre-configured appliance or a “virtual” appliance residing in VMware. S-TAPs provide database monitoring for databases running on open systems platforms, while Z-TAP was developed for the mainframe. The probes cause a 2 to 4 percent performance hit on the database servers, the company says.
Guardium does things a little bit differently on the System i server and actually uses the local journaling facility that’s native to i OS (i5/OS), Neray says. “On the AS/400 we’re actually relying on the journaling facility, except we’re exporting it into our system, and then analyzing it and producing reports from there.”
While relying on i OS journaling could theoretically enable a malicious admin to shut down database monitoring, doing so would require turning off journaling, which would raise some giant red flags. Just the same, Guardium may choose to develop a native i probe, a la the Z-TAP developed for the mainframe, if customer demand on the platform is strong enough. They could even call it the I-TAP.
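The policy-based controls, anomaly detection routine and audit trail described above, and the “giant red flag” that turning off journaling should raise, as an added illustration that is not Guardium’s code or any product’s format: it parses a handful of constructed audit records in a hypothetical `timestamp|user|host|statement` layout (the article does not describe the exported journal format), runs each through a few example policy rules (sensitive-table reads, DDL, off-hours access from a non-application host, a journal-stop command) and a simple learned-profile anomaly check, and returns the who/what/when/how of every alert. All user names, hosts, table names, rules and thresholds are assumptions made for the example.

```python
"""Toy database activity monitor in the spirit of the article (added example, not
Guardium's code). Audit records and the flat log format below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AuditRecord:
    when: datetime   # when
    user: str        # who
    host: str        # where
    sql: str         # what and how


# Constructed sample export in a hypothetical "timestamp|user|host|statement" format.
# The last three lines model a privileged user reading card data, dropping a table,
# and then ending journaling on a file (ENDJRNPF is the i OS command for that).
SAMPLE_LOG = """\
2009-04-27T09:15:02|appuser|app01|SELECT name, balance FROM accounts WHERE id = 42
2009-04-27T09:16:11|appuser|app01|UPDATE accounts SET balance = 100 WHERE id = 42
2009-04-27T23:40:07|dba_bob|laptop17|SELECT card_number, expiry FROM cardholders
2009-04-27T23:41:30|dba_bob|laptop17|DROP TABLE audit_archive
2009-04-27T23:42:00|qsecofr|laptop17|ENDJRNPF FILE(PAYROLL/EMPLOYEE)
2009-04-27T09:20:00|appuser|app01|SELECT name FROM accounts WHERE id = 43
"""

# Example policy (all values assumed for the illustration).
SENSITIVE_TABLES = {"cardholders"}          # reads here always alert
APP_HOSTS = {"app01"}                        # hosts allowed outside business hours
BUSINESS_HOURS = (time(7, 0), time(19, 0))
BASELINE = {"appuser": {"accounts"}}         # tables each account normally touches

DDL_RE = re.compile(r"^\s*(DROP|ALTER|TRUNCATE)\b", re.I)
JOURNAL_STOP_RE = re.compile(r"^\s*ENDJRN(PF)?\b", re.I)
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|JOIN)\s+([A-Za-z_]\w*)", re.I)


def parse_log(text):
    """Turn the flat export into AuditRecord objects, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, host, sql = line.split("|", 3)
        records.append(AuditRecord(datetime.fromisoformat(when), user, host, sql))
    return records


def tables_in(sql):
    """Crude table extraction: the first identifier after FROM/INTO/UPDATE/TABLE/JOIN."""
    return {m.lower() for m in TABLE_RE.findall(sql)}


def policy_alerts(rec):
    """Fixed rules applied to every record; returns the names of the rules that fired."""
    fired = []
    if tables_in(rec.sql) & SENSITIVE_TABLES:
        fired.append("sensitive-read")
    if DDL_RE.match(rec.sql):
        fired.append("ddl")
    if JOURNAL_STOP_RE.match(rec.sql):
        fired.append("journal-stopped")     # the audit source itself is being silenced
    off_hours = not (BUSINESS_HOURS[0] <= rec.when.time() <= BUSINESS_HOURS[1])
    if off_hours and rec.host not in APP_HOSTS:
        fired.append("off-hours")
    return fired


def anomaly_alerts(records, baseline):
    """Profile-based check: a user touching a table outside its learned set is anomalous.
    Users with no profile at all are treated as touching nothing normally."""
    seen = defaultdict(set)
    out = []
    for rec in records:
        new = tables_in(rec.sql) - baseline.get(rec.user, set()) - seen[rec.user]
        if new:
            out.append((rec, "new-table:" + ",".join(sorted(new))))
            seen[rec.user] |= new           # report each new table once per user
    return out


def monitor(log_text, baseline=BASELINE):
    """Run the export through both routines; returns (when, who, rule, statement) tuples."""
    records = parse_log(log_text)
    hits = [(rec, rule) for rec in records for rule in policy_alerts(rec)]
    hits += anomaly_alerts(records, baseline)
    return [(rec.when.isoformat(), rec.user, rule, rec.sql) for rec, rule in hits]


if __name__ == "__main__":
    for when, who, rule, sql in monitor(SAMPLE_LOG):
        print(f"{when} {who:8} {rule:24} {sql}")
```

Nothing the application account does during business hours from its own host is reported, while the privileged session produces policy alerts on the card-data read, the `DROP TABLE`, and the `ENDJRNPF`, plus two profile anomalies; the journal-stop alert is the point of the article’s red flag, since once journaling is ended the monitor’s own data source goes dark.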
It is true that the System i server’s journaling facility enables it to keep and maintain an accounting of database transactions that is arguably more thorough and tamper-resistant than most platforms. In that sense, the benefits provided by Guardium are marginal.
However, when you factor in the work required to manually parse through the data or build your own power tool, the benefits start to tip in Guardium’s favor. When you consider that Guardium already supports all the major database platforms you’re likely to run into–including all flavors of IBM DB2 and Informix, Oracle 8i through 11g, Microsoft SQL Server 2000 through 2008, MySQL, Teradata, and Sybase–then you can see where Guardium can give you a decided scalability advantage.
“Most companies have a mixture of different database platforms and servers. We provide a centralized audit repository for all our platforms,” Neray says. “Many companies are implementing our solution not just because it’s a more effective way of catching unauthorized access, but also because it saves money.”
Guardium, which is based in Waltham, Massachusetts, was founded in 2002, and is currently in the growth phase of its business. The company says its software is used in about 450 data centers around the world, with heavy concentration among Fortune 100 firms, including three of the top four global banks, three of the top five insurers, and two of the top three global retailers. Many of these organizations use the System i in addition to other platforms, and they requested that Guardium add i OS support to give them broader coverage of their databases.
Guardium is currently on version 7. The security solution starts at about $75,000. For more information, visit www.guardium.com.