Product Happenings: Guardium, SafeBoot, Palo Alto, and Vontu



Despite my departure from the analyst world, thanks to the blog some of the vendors out there are still keeping me updated on their products. I also still have to track big swaths of the market to support my consulting work. While I don’t intend for this blog to just spew PR dribble, I do see some cool stuff every now and then that’s worth mentioning.

Disclaimer: I do not currently have a business relationship with any of the vendors/products in today’s post, but based on the nature of my business I do work with vendors and often have discussions about potential projects. I will disclose these relationships when I can, and while I strive to remain objective no matter who I work with, you should never go buy something just because I said it was cool. Do the research, get balanced opinions, trust no one. I’m not endorsing these products over their competitors, just highlighting some interesting advances, and you’ll probably see competing products pop up in other posts over time.

Here are a few things that have caught my eye:

First up is SafeBoot, just acquired by McAfee. Overall I think the acquisition is positive, but there’s really no reason to consolidate whole-drive encryption with endpoint DLP. File-level encryption linked to DLP is more interesting, but also very challenging, and I suspect it is at least a couple of years out for McAfee other than some basic content like Social Security Numbers. It’s wait and see on this one, but SafeBoot stands up on its own.

Next is Guardium, who just updated their product for the mainframe. Guardium briefed me last Friday on this and I meant to get something up earlier. This is a really smart move, especially since they partnered with NEON, who sells to the mainframe buying center. They can now offer full database monitoring (including SELECT queries) on the mainframe outside of network sniffing (which misses certain kinds of connections). Why do you care? Now you have an independent way to enforce separation of duties on mainframe administrators without interfering with how they work or affecting performance. And you can integrate the alerting policies and the logs with all your other database monitoring. I think I was more excited about this one than the guys giving me the briefing: it’s one of these “small but big” markets.

An industry contact I work with pointed me towards Palo Alto Networks and I had a brief conversation with them about a month ago. Basically, they parse and secure network traffic based on the application, not just port and protocol. This is a big problem for things like DLP solutions, which don’t work as well when they have to figure out which application is tunneling over port 80 this week. I think these guys have a lot of partnership opportunities down the road.

Last up today is Vontu, who just released version 8. The news here is expanded endpoint capabilities, including blocking, and integration with document management systems. This release isn’t notable for any new world-changing feature, but because most of the work was on the back end and on increasing the capabilities of the product line. DLP is settling down a bit and focusing on maturing, rather than land-grabbing with hyped-up features. I’ve had some other DLP briefings lately and I’m seeing this focus on maturing the platforms across the board; moving from start-ups to mature products is some seriously hard work. Blocking activity on the endpoint is a big deal and it’s nice to see Vontu add it (a few competitors also have their own flavor of it, so it’s not unique).

That’s it for now. I probably won’t do these more than once a month or so, and I’ll only include updates that seem interesting to me, either because they are innovative or because they show an industry trend. I’m happy to take briefings from just about anyone, but that by no means guarantees a mention on the blog.

Now back to the absolutely thrilling world of data classification…

6 comments

  1. Adrian Lane Oct 10

    Not wanting to play Dr. Killjoy today, I will start with some positive comments. I think that the Mainframe Database is an under-served platform when it comes down to mainstream security. I am glad to see vendors recognize and acknowledge its existence and offer products in this area because it continues to grow, is solid and mature, and I have seen it work in concert with other non-monolithic platforms beautifully.
    In specific response to your post, the fundamental challenge with the mainframe is not the database itself, but the database administrators. The issue is that there are tools that allow direct access into the data set and data facilities, and *bypass* the database engine. I know this because when we introduced our mainframe solution in 2004, engineers at both BMC and IBM were more than happy to demonstrate how a very good DBA could avoid detection and could examine database information. It was demonstrated that unless you had a callback or hook into the OS, you would not be able to detect them through the database, the network, or the various connection protocols. IBM, Quest and BMC are all aware of the issue and none of them have solved it to date. Last I checked, not even IBM Tools advertises a solution for this with their release of AME and purchase/integration of Consul, which are both geared to solving compliance issues and providing separation of duties. Most likely it will be IBM and IBM only that solves the insider threat on the mainframe platform. I imagine that Guardium will be able to provide some security and some degree of separation of duties against the non-DBA crowd, but like all those who came before them, they will not succeed against the sophisticated DBA. Adept marketing, but be careful around the technology Kool-Aid!
    Following your earlier suggested strategies, there is no single product that solves this issue, rather complementary products and policies.
    ****
    The note on Vontu is important and thanks for sharing. I think it is yet another example of ‘moving up the stack’, where network and endpoint security as a team are required to address the challenges in the DLP area.
    ****
    Is there a wager line on which extrusion company gets acquired first? Is Vegas posting odds?

  2. rmogull Oct 10

    First the easy answer: it was PortAuthority. Websense bought them last year. RSA/EMC just acquired Tablus, and McAfee bought Onigma a while ago, but that’s endpoint only.

    Back to the mainframe: I don’t want to have vendor shootouts here on the blog, but I did neglect to mention that IPLocks also has a mainframe product. Consul is still weaker than all of you on the database, on any platform from what I’ve seen. I’ll look into what Guardium is doing deeper, and encourage them to respond here.

  3. Adrian Lane Oct 10

    If my comments came off as hostile … I apologize as that was not my intent. Rather every security product, mine included, needs to be buttressed by good processes as well. As many of the posts on your blog are about good process and strategy, I wanted to point out that this is not a technology only problem and there is no easy solution. I promise, no vendor shootouts at the securosis-corral.

  4. rmogull Oct 10

    Nope: I took it as very cordial and reasonable, and really appreciate all your feedback. The business context discussion in particular really hit home and I need to hide in a corner and figure out a better way to work that into the model.

    I wish more vendors would respond directly on blogs with real content as you’ve been doing here. I know for a fact the end users appreciate it, and especially you CTO types have a lot of good ideas to contribute. More often than not we just see marketing responses (not here, but I’ve seen it on other blogs).

    Our industry is often too acrimonious considering the stakes (the security of end users). That’s the reality of competition, but doesn’t mean we can’t have good discussions of value.

    Damn, I sound like some fluffy “attitude” coach. Time to go hack something…

  5. Phil Neray Oct 12

    Adrian correctly identifies privileged access to the database as a key requirement, but he mixes things up when he talks about direct access to the data set and bypassing the database engine. In the UNIX/Windows world, that’s the equivalent of someone touching the file system directly.

    Well, I hope the mainframe OS and DB application have been configured to prevent a DBA from doing that. Plus, the mainframe has fairly sophisticated tools like RACF, ACF2, and Top Secret which are also used to control access to system resources. Security people know they shouldn’t rely on a single layer of security and that multiple layers are needed (and that no single product can solve all of the world’s security problems), and it’s no different on the mainframe.

    While these tools have been around for a long time and do a great job, they are BLIND when it comes to identifying the “who/what/how/when” of database access. They can tell you that someone logged in with privileged credentials at a certain time but they can’t tell you what SQL commands were executed, which tables were added or deleted, and which data was viewed or changed by whom, for example.

    Our customers have been hammering us to do this for a while and it’s a problem which no one else has solved to date (including Mr. Lane’s company).

  6. Adrian Lane Oct 14

    Mr. Neray,
    Thank you for the response. I am not entirely sure I follow your reasoning, specifically in the second paragraph. If RACF, ACF2 and Top Secret could solve issues of mainframe misuse, there would be no need for SIM, SEM, log monitoring, auditing or other security tools. If the database access control systems could stop database misuse, there would be no need for monitoring and auditing tools to verify use, transactions, data integrity and verification of data privacy as well. I do wholeheartedly agree with you that multiple layers are needed to address the issue specifically on the Mainframe, which is the point of the original post.
