Database Security TLAs Make Me LOL

Wednesday, February 15, 2012

Josh Shaul


Did you ever notice how some markets go through never-ending cycles of naming, re-naming and re-re-naming themselves?

It feels like déjà vu all over again in the Database Security space as we see a whole new set of acronyms being rolled out to cover the same technology from the same group of vendors as we’ve named several times before.

From Gartner, we are hearing DAM is dead, long live DAP. Almost simultaneously, Securosis launched DSP, abandoning DAM, and DAMP. Forrester hasn’t changed anything lately, but they generally say Database Auditing and Real-Time Protection (DAaRTP???). 

It’s like alphabet soup out there, and we have yet to consider all the terms the security and database vendors invent and throw around (I know that around AppSecInc HQ, we joke about our own product acronym, PDAMwAR – I’m sure the rest of the folks in this space have similar silliness).

Even when you work in this market, it can get confusing sometimes (ok, often). I can only imagine what folks go through when they’re shopping for simple solutions to improve the security of their databases. ‘Do I want DAM? DAP? DAMP? DSP? DLP? WAF????’.

Just deciding what you’re deciding about has got Excedrin written all over it. Let’s make it simple. If you are looking to improve the security of your databases, you’re probably going to need some or all of the following capabilities: 

  • Database Discovery – You’ve got to know about all the databases in your environment, because you can’t protect what you don’t know about.
  • Vulnerability and Configuration Assessment – It’s imperative to know if your databases are being exposed by high-risk vulnerabilities (missing patches), weak passwords, or insecure configuration settings.
  • User Rights Analysis – Implementing least privilege and segregation of duties requires a means to evaluate and report on effective privileges in databases. You must be able to identify your privileged users and any employees with access to sensitive or regulated data.
  • Database Monitoring – Identify, alert on, and respond to attempts to exploit known vulnerabilities or misconfigurations. Track any privileged commands or access to sensitive or regulated data.

If you can do these things, and do them for the databases that store your sensitive data and support your critical business applications, then it doesn’t matter what you call it. You’ve got the right stuff in place.

The folks playing the name games all have good reasons and explanations for what they’re doing. If you spend time with any one of them, they’ll explain their framework in detail – and if you compare the lot of them, you’ll find there isn’t much of a difference in what anybody is talking about. So make it simple.

Strip out the terms, ignore the acronyms, and focus on simply improving the security of your databases one step at a time.

By the way, if you’re wondering about PDAMwAR – that’s our Precision Database Activity Monitoring with Active Response! It’s our DAM, I mean DAP, I mean DSP... Have a nice day :-)
