Those of you familiar with DAM already know that over the last four years DAM solutions have been bundled with assessment and auditing capabilities. Over the last two years we have seen near universal inclusion of discovery and rights management capabilities. DAM is the centerpiece of a database security strategy, but as a technology it is just one of a growing number of important database security tools. We have already defined Database Security Platform, so now let’s spend a moment looking at the key components, how we got here, and where the technology and market are headed. We feel this will fully illustrate the need for the name change.
Database Security Platform Origins
The situation is a bit complicated, so we include a diagram that maps out the evolution. Database Activity Monitoring originated from leveraging core database auditing features, but quickly evolved to include supporting event collection capabilities:
- Database Auditing using native audit capabilities.
- Database Activity Monitoring using network sniffing to capture activity.
- Database Activity Monitoring with server agents to capture activity.
So you either used native auditing, a network sniffer, or a local agent to track database activity. Native auditing had significant limitations – particularly performance – so we considered the DAM market distinct from native capabilities.
Due to customer needs, most products combined network monitoring and agents into single products – perhaps with additional collection capabilities, such as memory scanning. The majority of deployments were to satisfy compliance or audit requirements, followed by security.
There was also a range of distinct database security tools, generally sold standalone:
- Data Masking to generate test data from production data, and to protect sensitive information while retaining important data size and structural characteristics.
- Database Assessment (sometimes called Database Vulnerability Assessment) to assess database configurations for security vulnerabilities and general configuration policy compliance.
- User Rights Management to evaluate user and group entitlements, identify conflicts and policy violations, and otherwise help manage user rights.
- File Activity Monitoring to monitor (and sometimes filter) non-database file activity.
Other technologies have started appearing as additional features in some DAM products:
- Content Discovery and Filtering to identify sensitive data within databases and even filter query results.
- Database Firewalls, which are essentially DAM products placed inline and set to filter attack traffic, not merely monitor activity.
The following graph shows where we are today:
As the diagram shows, many of these products and features have converged onto single platforms. There are now products on the market which contain all these features, plus additional capabilities.
Clearly the term “Database Activity Monitoring” only covers a subset of what these tools offer. So we needed a new name to better reflect the capabilities of these technologies.
As we looked deeper we realized how unusual standalone DAM products were (and still are). It gradually became clear that we were watching the creation of a platform, rather than the development of a single-purpose product.
We believe the majority of database security capabilities will be delivered either as a feature of a database management system, or in these security products. We have decided to call them Database Security Platforms, as that best reflects the current state of the market and how we see it evolving.
Some of these products include non-database features designed for data center security – particularly File Activity Monitoring and combined DAM/Web Application Firewalls. We wouldn’t be surprised to see this evolve into a more generic data center security play, but it’s far too early to see that as a market of its own.
Market and Product Evolution
We already see products differentiating based on user requirements. Even when feature parity is almost complete between products, we sometimes see vendors shifting them between different market sectors. We see three primary use cases, and we expect products to differentiate along these lines over time:
- Application and Database Security: These products focus more on integrating with Web Application Firewalls and other application security tools. They place a higher priority on vulnerability and exploit detection and blocking; and sell more directly to security, application, and database teams.
- Data and Data Center Security: These products take a more data-centric view of security. Their capabilities will expand more into File Activity Monitoring, and they will focus more on detecting and blocking security incidents. They sell to security, database, and data center teams.
- Audit and Compliance: Products that focus more on meeting audit requirements – and so emphasize monitoring capabilities, user rights management, and data masking.
While there is considerable feature overlap today, we expect differentiation to increase as vendors pursue these different market segments and buying centers. Even today we see some products evolving primarily in one of these directions, which is often reflected in their sales teams and strategies.
This should give you a good idea of how we got here from the humble days of DAM, and why this is more than just a rebranding exercise. We don’t know of any DAM-only tools left on the market, so that name clearly no longer fits. We also think it’s important for users and buyers to know which combination of features to look at, and what those features can indicate about the future of the product. Without revisiting the lessons learned from other security platforms, suffice it to say that you will want a sense of which paths the vendor is heading down before locking yourself into a product that might not meet your needs in 3-5 years.