The boxes address these requirements by integrating reporting intelligence with a database security gateway, Web application firewall, network firewall and IPS (intrusion prevention system), thereby complying with the legislation by providing controls and reporting capabilities that span the complexity of the data center.
Alan Norquist, vice president of Impervas marketing, said the company is responding to customers desire to satisfy compliance requirements.
"We were already tracking and seeing all the transactions that were going to a database, and we were already able to tell a customer, Here is a dynamic profile of users, so theyd be able to do a real-time audit as far as what transactions could be attacks and what could be just changes in user behavior," he said.
"They just wanted it in a format to match regulatory requirements. So this allows customers to provide [that data and reporting] in a way that matches up with regulatory requirements," he said.
Often, when people—particular senior management—look at regulations, they get caught up in issues of reporting, Norquist said. Thats just the tip of the iceberg, however. The cost drivers are actually the ability to assess the current data center environment and to protect it.
As applications and databases change, adapting the security environment and compliance reporting to those changes takes a great deal of manual effort without a product such as Impervas, Norquist said.
Norquist pointed to one customer, a large retailer, which employs two full-time database administrators just to keep up with talking to auditors, saying, "people talk about the cost of software compliance and having to manually do this … Theres a desire to move to automate it. Part of that is having an infrastructure that can protect databases from attacks through the Web or from direct attack, and which can track information reported out."
SecureSphere Gateway appliances serve to automate the infrastructure costs by looking at live traffic and building profiles of what users are doing. With that baseline in hand, aberrant behavior can send up automatic flags.
Imperva has assessment reports that look at the actual traffic to see whats going on with particular users accessing sensitive data—a critical part of being able to report on people trying to access what they shouldnt.
Another piece of the puzzle that the appliances cover is ongoing auditing and being able to identify which transactions are authorized and which deviate from policy.
The hard part of making those identifications is knowing what, in the complete log, really matters, Norquist said. He described being at database user group meetings and asking members to raise their hands if they actually use such logs for significant transactions.
Nobody raised their hands. Instead, they laughed. Its simply too difficult to use the logs to see which transactions really matter, Norquist said.
Imperva appliances can automatically tell which transactions deviate from policy and which represent changes in user behavior or a change in an application. The last element is particularly important because security personnel are often the last to know when theres been an application change, Norquist said, and can mistake database or application change for an attack.
PCI requires businesses to restrict inappropriate access. With security policies generated by the appliance, a customer can choose to block actions disallowed by policy. For example, requests to drop in a database table in the middle of a production day are often attributable to SQL injection. With the SecureSphere Gateway appliances, such an action can be blocked and logged.
The appliances are available now. Pricing starts at $42,500 per SecureSphere appliance for any one of the three compliance modules.
Editors Note: This story was updated to correct pricing information for the SecureSphere appliance.