IBM and Vormetric announced a deal yesterday where… well, I’ll let them say it:

LAS VEGAS, NV – (MARKET WIRE) – 10/18/2007 – Vormetric, Inc. today announced that it has partnered with IBM to deliver database encryption capabilities for DB2 on Windows, Linux and Unix. IBM will offer Vormetric’s highly acclaimed data security solution as part of its data server portfolio, addressing customer demand for increased protection of sensitive data. This new capability is delivered in IBM Database Encryption Expert, initially available for the new DB2 9.5 “Viper 2” data server.

First of all, I need to say I’m a big fan of Vormetric. They were the first distributed encryption product on the market and watching what they’ve done has really helped me evolve my thinking on enterprise class encryption.

That said, I have a huge nit to pick with them over database encryption. Mostly because they don’t do it, at least not as most people think of database encryption.

Vormetric is a file encryption product. A good one, with some cool additional features like user and application level access and encryption controls, but they don’t do field-level database encryption.

Remember, I think encrypting the database files, especially when used with Database Activity Monitoring, is an extremely effective security control. But it doesn’t replace field level encryption, not in the long run.

The role of file level encryption for databases is media protection first, with a little separation of duties second. It protects the database on disk and in backups. It also limits who can access the raw database files, but offers no protection against authorized users and administrators inside the database.

The role of field (column) level encryption is to provide separation of duties within the database. You can protect sensitive fields from those who have database access, including protection against database administrators.

Two kinds of encryption. Two different roles. Two different problems solved.

This is where I get annoyed with Vormetric’s (and now IBM’s) marketing. It confuses customers and tries to position file level encryption for databases as superior, instead of admitting that it solves a different problem. They seem to refuse to admit that field-level encryption plays a valid role in protecting database data.

I realize it’s the job of their marketing to best position their product, but it’s my job to cut through the marketing and give you practical advice. Here it is:

Vormetric does file encryption, which is a good option for media protection. Field level encryption is better for enforcing separation of duties, but since it’s hard to implement on certain systems, you may need to start with file-level (preferably combined with DAM) to buy the time to migrate to field level. If you don’t need separation of duties, you don’t need field-level encryption, and file encryption is fine.

I don’t like marketing that could place customers at risk or is designed to confuse the market, even when I like the product being marketed.