When you enter your credit card information into a Web form, you can take comfort in the reassuring padlock icon on your browser. Peek behind the vendor’s network perimeter, though, and you might lose some sleep.

Although companies assure us that transactions are protected in transit by the “military grade” encryption offered by Secure Sockets Layer, once the data pass behind the companies’ perimeter it is often protected by much weaker security, if at all. Last week in Florida, a spammer was indicted on 139 counts for reportedly stealing 8.2G bytes of personal data from a company that stores information on “virtually every adult in the U.S.” The digital heist was reportedly perpetrated using a legitimate username and password acquired while working for a company contracted by the victim.

Information protection in the data center is critical to the overall security of a company’s data. Computer-crime statistics show that the majority of computer security breaches (80%, according to a CSI/FBI 2003 Survey - see link below) are committed by insiders, yet data centers are filled with unprotected sensitive data.

One of the greatest risks comes from information sitting in databases, where it can be stolen en masse and at leisure. Unlike data in transit, which is fleeting and requires sophisticated “eavesdropping,” data in databases is often accessible by a wide range of systems and users: Web servers, back-up systems, database administrators and data-entry personnel. Although all databases provide access control, it is often difficult to apply and maintain these security measures consistently. Guardium and Ingrian are two vendors that are addressing this problem from two different angles.

Guardium’s SQL Guard security appliance can be placed on a network segment next to a database server to monitor all database queries. Although similar products have existed for performance monitoring, SQL Guard focuses on securing database access. As a monitor it can examine each database query to identify the who, when, what and where of each access request. After monitoring “normal” access for a while, administrators of the appliance can define a baseline policy and be alerted to “exceptions” that may indicate foul play. Furthermore, if the appliance is placed in-line (in front of the database) it can also perform access control and actively block queries that deviate from the policy.