Most data stored within enterprises is securely locked up in a variety of databases far beyond the reach of any malcontent.
Or is it?
The leading relational database vendors have had security baked into their products for many years. Take SQL Server: despite rather flaky security a few years ago (remember the blank SA password?), the product has evolved into a very good database that competes well against the likes of DB2 and Oracle. The new version of SQL Server, currently in release candidate form, improves security even further by including native transparent data encryption.
Although database security may have improved, there is often a vast amount of data that simply sits around the network with little or no security, waiting to be compromised. Clearly a strategic approach needs to be taken to secure this data at rest, whether it lives in databases or elsewhere on the network, and Vormetric (www.vormetric.com) believe they have a solution in their Data Security Expert product.
Vormetric Data Security is designed to combine encryption, access control, auditing and application integrity protection in one place.
The encryption operates at the file level, which makes sense as files are the first point of attack. The good news is that it is a non-invasive solution that can be deployed across multiple databases and file storage systems without requiring administrators or DBAs to change their applications. Quite frankly, any solution of this kind that did require hyper-conservative DBAs to change their applications would be sunk before the software could be unwrapped.
At the heart of Vormetric Data Security is separation of duties, so that those backing up data are not authorised to view the detail of what is being copied. This has caused problems for many enterprises in the past, as DBAs and systems administration staff used to have full and unfettered access to all data at all times, which is clearly inappropriate and in violation of security best practice.
Although encryption appeals to many as a great answer to any security question ("let's just encrypt everything then"), most who have experienced encryption are only too aware of its Achilles' heel: key management. Vormetric Data Security comes with another hardware product, bizarrely called the Vormetric Data Security Server, which is responsible for key storage and management. Its features include key generation, storage, backup and rotation. Although no key management system yet invented is perfect, the people at Vormetric appear to have thought through most of the big management headaches.
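The article does not describe how Vormetric's key server works internally, so the following is an added example, not Vormetric's code, showing the key hierarchy that makes rotation practical in any file-level encryption product: each file is encrypted under its own data encryption key (DEK), the DEKs are wrapped under a master key (KEK) held by the key server, and rotating the master key re-wraps the small DEK blobs rather than re-encrypting the files. The `KeyServer` class, the file name and the HMAC-based stand-in cipher (used only because Python's standard library has no AES) are all constructions for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode.

    Used only because the standard library has no AES; a real deployment
    would use AES-GCM for data and an AES key-wrap mode for keys.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob is rejected."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return _keystream_xor(key, nonce, ciphertext)


@dataclass
class WrappedKey:
    kek_version: int   # which master key version wrapped this DEK
    blob: bytes        # the DEK sealed under that master key


@dataclass
class KeyServer:
    """Hypothetical key server: master keys (KEKs) by version plus wrapped data keys (DEKs)."""
    keks: dict = field(default_factory=dict)
    wrapped_deks: dict = field(default_factory=dict)
    current_version: int = 0

    def __post_init__(self) -> None:
        self.rotate_kek()  # the first rotation creates master key version 1

    def rotate_kek(self) -> int:
        """Generate a new master key and re-wrap every DEK under it.

        Only the small wrapped blobs change; the DEKs and the encrypted files
        are untouched. Old KEK versions are kept so older backups of the
        wrapped blobs stay recoverable.
        """
        self.current_version += 1
        new_kek = secrets.token_bytes(32)
        self.keks[self.current_version] = new_kek
        for name, wk in list(self.wrapped_deks.items()):
            dek = open_sealed(self.keks[wk.kek_version], wk.blob)
            self.wrapped_deks[name] = WrappedKey(self.current_version, seal(new_kek, dek))
        return self.current_version

    def create_dek(self, name: str) -> None:
        dek = secrets.token_bytes(32)
        kek = self.keks[self.current_version]
        self.wrapped_deks[name] = WrappedKey(self.current_version, seal(kek, dek))

    def get_dek(self, name: str) -> bytes:
        wk = self.wrapped_deks[name]
        return open_sealed(self.keks[wk.kek_version], wk.blob)


def encrypt_file(server: KeyServer, name: str, data: bytes) -> bytes:
    return seal(server.get_dek(name), data)


def decrypt_file(server: KeyServer, name: str, blob: bytes) -> bytes:
    return open_sealed(server.get_dek(name), blob)


def demo_rotation() -> dict:
    """Encrypt a constructed file, rotate the master key, and show the file still decrypts."""
    server = KeyServer()
    server.create_dek("ledger.db")  # constructed file name
    ciphertext = encrypt_file(server, "ledger.db", b"Q3 payroll totals")
    before = server.wrapped_deks["ledger.db"]
    server.rotate_kek()
    after = server.wrapped_deks["ledger.db"]
    return {
        "kek_versions": (before.kek_version, after.kek_version),
        "wrapped_blob_changed": before.blob != after.blob,
        "plaintext_after_rotation": decrypt_file(server, "ledger.db", ciphertext),
    }
```

The point of the two-level hierarchy is visible in `demo_rotation`: the file's ciphertext is never rewritten, yet after rotation the stored DEK blob is wrapped under version 2 of the master key, and an old blob remains readable because its version number tells the server which retired KEK to use. Backup of the key server therefore means backing up the versioned KEKs, not every file.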
Vormetric Data Security access control is context sensitive, using a who/what/when/where/how approach to managing who can get to which data. This means an unauthorised user can be blocked, correctly, when attempting to retrieve financial data at midnight while the accounts department is closed.
Auditing and logging of users is a vital part of Vormetric Data Security, and the ability to produce an audit log that complies with the acronym soup of compliance legislation is, of course, just as important. Audit and event notifications can be sent to administrators in real time or written to a log for later examination, and alert thresholds can be set appropriately.
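To show what a who/what/when/where/how policy actually decides, and how the audit trail and alert threshold hang off the same decision point, here is an added example that is not Vormetric's code and makes no claim about their rule syntax. The users, paths, process names and IP addresses are constructed; the rule set is first match wins with a default of deny, and the `permit-ciphertext` effect models the separation-of-duties point made earlier: the backup account may copy the files but only ever receives encrypted bytes.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Request:
    who: str          # user or service account
    what: str         # file path being opened
    when: datetime    # time of the request
    where: str        # client IP address
    how: str          # "process:operation", e.g. "reportsvc:read"


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset                 # who
    path_prefix: str                 # what
    hours: tuple                     # when: (start, end) on a 24h clock, end exclusive
    network: ipaddress.IPv4Network   # where
    processes: frozenset             # how: process names allowed to open the file
    effect: str                      # "permit", "permit-ciphertext" or "deny"

    def matches(self, r: Request) -> bool:
        start, end = self.hours
        process = r.how.split(":", 1)[0]
        return (r.who in self.users
                and r.what.startswith(self.path_prefix)
                and start <= r.when.hour < end
                and ipaddress.ip_address(r.where) in self.network
                and process in self.processes)


@dataclass
class PolicyEngine:
    rules: list
    alert_threshold: int = 3
    alert_window: timedelta = timedelta(minutes=10)
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    _denials: dict = field(default_factory=lambda: defaultdict(list))

    def evaluate(self, r: Request) -> str:
        decision, rule_name = "deny", "default-deny"   # nothing matched: deny
        for rule in self.rules:                         # first matching rule wins
            if rule.matches(r):
                decision, rule_name = rule.effect, rule.name
                break
        # Every decision, permitted or not, is written to the audit log.
        self.audit_log.append({"when": r.when.isoformat(), "who": r.who, "what": r.what,
                               "where": r.where, "how": r.how, "decision": decision, "rule": rule_name})
        if decision == "deny":
            self._record_denial(r)
        return decision

    def _record_denial(self, r: Request) -> None:
        # Sliding window of recent denials per user; a burst over the threshold raises one alert.
        recent = [t for t in self._denials[r.who] if abs(r.when - t) < self.alert_window]
        recent.append(r.when)
        if len(recent) >= self.alert_threshold:
            self.alerts.append(f"{r.who}: {len(recent)} denials within {self.alert_window}")
            recent = []
        self._denials[r.who] = recent


FINANCE = "/data/finance/"                      # constructed path
OFFICE = ipaddress.ip_network("10.20.0.0/16")   # constructed office network


def build_policy() -> PolicyEngine:
    return PolicyEngine(rules=[
        Rule("backup-sees-ciphertext-only", frozenset({"svc_backup"}), "/data/",
             (0, 24), OFFICE, frozenset({"backup-agent"}), "permit-ciphertext"),
        Rule("accounts-office-hours", frozenset({"alice", "bob"}), FINANCE,
             (8, 18), OFFICE, frozenset({"reportsvc"}), "permit"),
    ])


def demo() -> dict:
    engine = build_policy()
    office_ip, outside_ip = "10.20.3.7", "203.0.113.9"   # constructed addresses
    ledger = FINANCE + "ledger.mdf"
    daytime = datetime(2008, 6, 2, 10, 0)
    midnight = datetime(2008, 6, 3, 0, 0)
    results = {
        "accounts_daytime": engine.evaluate(Request("alice", ledger, daytime, office_ip, "reportsvc:read")),
        "accounts_offsite": engine.evaluate(Request("alice", ledger, daytime, outside_ip, "reportsvc:read")),
        "accounts_midnight": engine.evaluate(Request("alice", ledger, midnight, office_ip, "reportsvc:read")),
        "backup_overnight": engine.evaluate(Request("svc_backup", ledger, midnight, office_ip, "backup-agent:read")),
        "backup_via_editor": engine.evaluate(Request("svc_backup", ledger, midnight, office_ip, "vi:read")),
    }
    # Two more midnight attempts by alice cross the alert threshold.
    for minute in (1, 2):
        engine.evaluate(Request("alice", ledger, midnight + timedelta(minutes=minute), office_ip, "reportsvc:read"))
    results["alerts"] = list(engine.alerts)
    results["audit_entries"] = len(engine.audit_log)
    return results
```

The midnight case from the text is `accounts_midnight`: the user, file, network and process all match the accounts rule, but the hour does not, so the request falls through to the default deny. The same user from an outside address is denied on the where dimension, and the backup account is denied the moment it tries to open the file with anything other than the backup agent. Three denials inside the ten-minute window produce a single alert while every request, permitted or not, is recorded in the audit log.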
These features are set in the context of a system designed to be scalable across an enterprise, with appropriate failover in the event of any problems. Vormetric Data Security Servers can be clustered using the conventional heartbeat approach, so any failure will result in a second Vormetric Data Security Server picking up the workload.
Clearly Vormetric have the right idea in producing an enterprise-ready solution that can manage data at rest across an organisation. The fact that IBM are using Vormetric's encryption technology to provide data protection in their DB2 databases is a significant endorsement. Maybe this will persuade more end-user organisations to see what Vormetric have to offer.