by Michael Day

Guardium targets payment card security

Opinion
Sep 12, 20054 mins

* Guardium aims to help companies meet payment-card industry data standard

By now we have all heard of the recent security breaches at a third party credit card processing company and alumni association, plus other assorted security breaches that have exposed the personal information of millions of people. The saddest part of those exposures is that all of them were avoidable.

Legislation is gradually coming out to hold accountable those responsible for their lackadaisical approach to security, but that is only so much hindsight in the eyes of those whose information was compromised. And what about the poor souls responsible for the lack of security? No one feels their pain, but quite often the implementation of adequate security can be a daunting, if not overwhelming, task for budget-strapped IT departments.

If your company has customer credit card information stored in a database, then you are probably wondering if this could happen to you. Just because your databases aren’t accessible via the Internet doesn’t make them safe from the threat of unauthorized access; an alarming number of breaches have had help from within. Believe it or not, the credit card industry is trying to help.

There’s a new standard called PCI, as in the “Payment Card Industry data security standard” that went into effect June 30, 2005. It consists of 12 technology requirements for securing networks and applications, protecting cardholder data, maintaining a vulnerability management program, and regularly validating compliance via a third-party assessment.

Working closely with Visa International, a company named Guardium has developed a product packaged with its SQL Guard platform that just might be worth consideration to achieve PCI database standards compliance. Guardium has a number of integrated applications, all part of its SQL Guard platform, that are dedicated to keeping your databases – and the data within – safe.

Guardium’s SQL Guard platform is an enterprise-class, network-based, database security product that enables organizations to continuously and efficiently monitor, control and audit all database access activity without any impact on database performance. SQL Guard is operating-system-independent as well as database-vendor-independent, allowing the solution to work in many environments.

Guardium recently added SQL Guard PCI Accelerator to the SQL Guard platform. SQL Guard PCI Accelerator is an integrated set of PCI-specific software modules that is packaged with Guardium’s SQL Guard Security Suite and SQL Guard platform designed specifically to help companies meet PCI compliance standards. Some of the key features are:

* Monitors for PCI Policy Violation: You can automate the base lining of access policies. This allows intelligent database access control and policy enforcement.

* Complete Monitoring and Auditing of Databases: Continuous, concurrent monitoring of all database access activities, as well as automated auditing. Included in this is the ability to archive and retrieve extensive audit trails for forensic analysis.

* Automated PCI Compliance Report Card Generation: The PCI Accelerator will continuously assess key metrics for determining the level of database security health. Using this data, it will then generate a high-level, human readable, automated “report card” for instant feedback on security health.

* Automated Workflow Scheduling: Workflow accountability is automated throughout the data access auditing cycle. Personnel are easily identified with a system that provides visibility to signoffs and real-time alerting/notification. Deliverables can even be mapped to owners with this platform.

* Access Mapping of the Cardholder Database: This feature maps inventory of application to database access. It will let management view all aspects of database access, including: who accessed it, when it was accessed and how the database was accessed (SQL query, SQL enabled application, etc.). It also differentiates between unique, shared and generic IDs.

Although some of these features can be accomplished through traditional means, the process for doing so is time intensive as to be impractical. Add to that the requirement of human intervention, and you’ve just introduced human error into the equation.

Guardium has automated these procedures in such a manner that report generation, alerting, auditing and compliance with the PCI standard are all accomplished in an non-intrusive, well packaged appliance.

Michael Day is Chief Technology Officer for Currid & Company. You can write to him at mailto:michael.day@currid.com