Executive Editor

Imperva takes aim at compliance

Jan 30, 2006 (3 min read)
Network Security, Security

Application firewall vendor Imperva is introducing software that makes it easier for customers to prepare reports for the government and industry audits that determine whether a business adequately protects sensitive information.

The company has written three software packages designed to answer security-assurance questions put forth by the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and payment card industry regulations.

The software is an add-on to Imperva’s SecureSphere Gateways, appliances deployed in line between the network and the Web and database servers, where they analyze Web application and database traffic. From that analysis they build a baseline of normal traffic and block requests that deviate from it in ways that might indicate an attack.

In performing these tasks, the appliances gather data that can serve as evidence of compliance with SOX, HIPAA, payment card industry regulations and other regulatory requirements. The new software digests that data and formats it into the reports those requirements call for.

SecureSphere appliances protect networks and gather data at four levels: at the network level via a firewall; at the application level via a Web application firewall; at the database level via a database auditing and assessment engine; and at the data level by monitoring what data is stored.

One caveat is that no single reporting tool can deliver complete reports, says Diana Kelley, a senior analyst with Burton Group. Regulators and auditors want such a variety of disparate information that every business needs to assemble a compliance toolkit that pulls together all the data required.

“There’s no way you can do this manually and there is no one tool that does it all,” Kelley says.

For instance, the regulations call for proof that documents are managed securely, something that falls outside the scope of what Imperva’s gear does. Similarly, Imperva does not deal with the business processes a company has in place to protect confidentiality, so its gear cannot document whether those processes comply.

“These three regulations are widely varied in scope,” says Michael Gavin, a senior analyst with Forrester Research. Regulations on the payment card industry “are very stringent about what data must be encrypted, for example. You can’t store certain data.”

Businesses should double-check whether the reports give enough data to meet the various regulations, Gavin says.

Imperva’s gear updates its model of normal application use as access patterns change over time, and automatically adjusts what it blocks as potentially threatening traffic to match.

This also reduces the manual work administrators must do to keep protection current as applications, databases or data usage change.
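To make the baselining behaviour described above concrete, the following is an added illustrative example, not Imperva code or anything the article describes in detail. It assumes one feature per endpoint (the length of a request parameter), a learning phase of a fixed number of observations, and a tolerance of a few standard deviations around the learned mean. The endpoint names and request lengths are constructed sample data. The one design point worth noticing is that a blocked request is deliberately not folded back into the baseline; a self-adjusting baseline that learns from everything it sees can be walked open by an attacker who widens "normal" a little at a time.

```python
"""Adaptive per-endpoint traffic baseline (added example; not Imperva's code).

Learn what "normal" looks like for each endpoint, flag requests that fall
outside it, and keep following genuine drift in normal usage.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass
class Stats:
    """Welford running mean/variance for one numeric feature."""

    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


@dataclass
class Baseline:
    """Per-endpoint baseline of request parameter length.

    learn_min: observations needed before an endpoint is enforced.
    k:         standard deviations tolerated around the mean.
    floor:     minimum tolerance, so a very stable endpoint does not
               flag every tiny variation.
    """

    learn_min: int = 20
    k: float = 4.0
    floor: float = 8.0
    stats: dict[str, Stats] = field(default_factory=dict)

    def observe(self, endpoint: str, param_len: int) -> str:
        s = self.stats.setdefault(endpoint, Stats())
        if s.n < self.learn_min:
            s.update(param_len)  # still learning: everything is accepted
            return "learn"
        tolerance = max(self.k * s.stddev, self.floor)
        if abs(param_len - s.mean) > tolerance:
            # Anomalies are NOT folded into the baseline; otherwise an
            # attacker can slowly widen "normal" until the attack fits.
            return "block"
        s.update(param_len)  # normal request: let the baseline drift with usage
        return "allow"


# Constructed sample: 20 ordinary /login usernames (5-11 chars), then a
# normal request, an oversized parameter (48 chars), and a normal one.
SAMPLE = [("/login", n) for n in
          [6, 7, 8, 9, 5, 8, 10, 7, 6, 9, 8, 7, 11, 6, 8, 9, 7, 8, 10, 6]]
SAMPLE += [("/login", 9), ("/login", 48), ("/login", 8)]


def run_sample() -> tuple[list[str], Baseline]:
    """Feed the constructed sample through a fresh baseline."""
    b = Baseline()
    decisions = [b.observe(ep, length) for ep, length in SAMPLE]
    return decisions, b


if __name__ == "__main__":
    decisions, b = run_sample()
    s = b.stats["/login"]
    print("decisions after learning:", decisions[20:])
    print(f"baseline mean={s.mean:.2f} stddev={s.stddev:.2f} n={s.n}")
```

In the sample the learned mean is about 7.75 characters with a standard deviation under two, so the tolerance is the floor of 8; the 48-character parameter is blocked while the 9- and 8-character ones are allowed and absorbed into the baseline. A real deployment would track several features per endpoint (rate, parameter set, character classes, response codes) and, as with any self-learning control, should be put into learning mode only on traffic believed to be clean.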

The three software packages – SecureSphere/SOX, SecureSphere/HIPAA and SecureSphere/payment card industry – are sold separately.

A SecureSphere appliance with one of the compliance modules costs $32,500.