IBM uses Vormetric Products – Should You?
Most data stored within enterprises is securely locked up in
a variety of databases far beyond the reach of any malcontent.
Or is it?
The leading relational database vendors have had security
baked into their products for many years. Take SQL Server, despite rather flaky
security a few years ago (remember the blank SA password?) the product has
evolved into a very good database able to compete well against the likes of DB2
and Oracle. The new version of SQL Server, currently in release candidate form,
improves security even further by including native transparent data encryption.
Although database security may have improved there is often
a vast amount of data that simply sits around the network with little or no security
waiting to be compromised. Clearly a strategic approach needs to be taken to
secure this data at rest in either databases or on the network, and Vormetric (www.vormetric.com) believe they have a
solution with their Data Security Expert product.
Vormetric Data Security is designed to combine encryption,
access control, auditing and application integrity protection all in the one
place.
The encryption solution operates at a file level, which
makes sense as this is the first point of attack. The good news is that it is a
non-invasive solution that can be deployed across multiple databases and file
storage systems without requiring administrators or DBAs to make changes to
their applications. Quite frankly any
solution like this that did need hyper-conservative DBAs to change their
applications would be sunk before the software could be unwrapped.
At the heart of Vormetric Data Security is separation of
duties, so that those backing up data are not authorised to view the detail of
what is being copied. This has caused problems for many enterprises in the past
as DBAs and systems administration staff used to have full and unfettered
access to all data at all times – clearly inappropriate and in violation of
security best practices.
Although encryption appeals to many as a great answer to any
security question (“let’s just encrypt everything then”) most who have
experienced encryption are only too aware of its Achilles heel – key
management. Vormetric Data Security comes with another hardware product,
bizarrely called the Vormetric Data Security Server, which is responsible for
key storage and management. This has a number of features including key
generation, storage, backup and rotation. Although no key management system currently
invented is perfect, the people at Vormetric appear to have thought through
most of the big management headaches.
Vormetric Data Security access control is context sensitive,
using a who/what/when/where/how approach to managing who can get to bits of
data. This can result in unauthorised users being blocked, correctly, from
accessing data as they attempt to get financial data at midnight when the
accounts department is closed.
Auditing and logging of users is a vital part of Vormetric Data
Security and the ability to produce an audit log that complies with the acronym
soup of compliance legislation is of course as important. Audit and event
notification can be sent to administrators in real time or written to a log for
later examination and of course alert thresholds can be set appropriately.
These features are
set in the context of a system designed to be scalable across an enterprise
with appropriate failover in the event of any problems. Vormetric Data Security
Servers can be clustered using the conventional heartbeat approach so any
failure will result in a second Vormetric Data Security Server picking up the
workload.
Clearly Vormetric have got the right idea in producing an
enterprise ready solution that can manage data at rest across an organisation.
The fact that IBM are using Vormetric’s encryption technology to provide data
protection in their DB2 databases is a significant endorsement. Maybe this will
persuade more end user organisations to see what Vormetric have to offer.