How to protect a database from the inside out

Your databases contain your company's most sensitive information -- credit card numbers, bank records, customer account information, financial records and so on. Chances are your database security is based on building a secure perimeter around the database, but this still leaves the data at risk. Sentrigo puts a sensor on your database to detect each illicit activity so you can detect, alert and prevent data breaches. This sensor helps protect databases from the inside out.

In 2008, more than 285 million sensitive records were reported to have been breached. 99.9 percent of the records were stolen from servers and applications. The companies held accountable for the breaches paid hundreds of millions of dollars for notifications, restitution and fines. And according to Slavik Markovich, CTO for the database security company Sentrigo, we can expect an increase in not only the number of data breaches but also the sophistication of how they happen.

10 woeful tales of data gone missing

When we think of data security and how to prevent serious data breaches, we tend to think of building a perimeter around the database. If we secure the access paths to the data, in theory, no one should be able to get to it, right? Unfortunately, that's not the case. Despite the best efforts of deploying firewalls, user authentication systems, intrusion-prevention systems and so on, the data sitting in databases is still vulnerable. This leaves the truly important stuff -- the Social Security numbers, the credit card numbers, the financial records -- open to risk.

The database companies do build security into their products, but even these measures have occasional vulnerabilities. When the vulnerabilities are discovered by "the good guys" -- the database companies themselves or ethical hackers -- a patch is issued to plug the holes. Sometimes these vulnerabilities are so serious that that US-CERT, the National Cyber Alert System, issues a technical cyber security alert to help broadcast the availability of a patch. (For an example of such an alert, see here.). The problem with such alerts is that they tell the unethical hackers where the security weaknesses are.

Even when a database patch is available, many companies using that database fail to apply the patch quickly, if at all. It often takes weeks for a company to thoroughly test a database patch before applying it to ensure the patch isn't worse than the problem it's meant to solve.

Then there's the insider threat. Database administrators (DBAs) and privileged users know where the most sensitive data is and how to get to it. They know how to get around or disable security safeguards. If you think you can trust your insiders, think again. According to the Verizon Business RISK Team, publishers of the 2009 Data Breach Investigations Report, 20% of the breaches investigated by this team were instigated by trusted insiders.

All of these points make the case for a different kind of database security. Instead of protecting the data from the outside, Sentrigo has developed the means to protect it from within. Sentrigo's Hedgehog Enterprise product guards the data, not the access points. Hedgehog sees all database activity in real-time, regardless of where it originates from, and can act upon an event immediately if that event violates security rules.

Sentrigo puts a small "sensor" on the database host server to monitor all database transactions moving through shared memory. This sensor communicates with the Hedgehog server, which evaluates every action based on a set of rules that you configure or write. You can react in real-time when a rule violation is determined. Depending on the severity of the violation, you can log the event, send an alert, terminate the user's session, and/or lock out the user for a period of time.

The sensor adds minimal overhead to the database performance -- about 1% to 2% of CPU usage. What's more, the sensor can't be bypassed, and it sends an alert if there is an attempt to tamper with it. This helps prevent the knowledgeable insider from skirting the Hedgehog security.

Hedgehog Enterprise also performs virtual patching. When a database vulnerability is discovered, Hedgehog rules are updated to include the patch, even if the DBA hasn't implemented the actual database patch yet.

Sentrigo has a "Red Team" of ethical hackers that continually conduct database security research and work in conjunction with leading researchers worldwide. Their research leads to new security rules and virtual patches in the Hedgehog product as well as real patches that get issued by the database companies.

Hedgehog supports all the major databases and operating systems, and it works even if you use data encryption or have a virtualized environment for your databases. If you're interested to learn more about how Hedgehog works, download and evaluate the full product from Sentrigo for free at

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)