Symantec Corp. has deployed a database security appliance at seven pilot customer sites and could roll the product out to wider release next year.
The security firm built the appliance in its Advanced Concepts Group, a research division within Symantec that focuses on developing emerging technology and makes recommendations for new company products. After the as-yet unnamed appliance is tested by the select customers, Symantec executives will decide whether to commercialize it.
“We believe the application tier will be the critical next tier for security,” said Stephen Trilling, vice president of Symantec Research Labs. “Databases are obviously a big part of that, considering that a single security breach with those applications can have devastating consequences.”
Health care and financial services are heavily represented among the customers Symantec selected, since compliance issues tied to the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act will be a major driver for the appliance.
“A major aspect of the appliance is auditing capability,” Trilling noted. “This will satisfy the governmental requirements surrounding protecting information and informing customers of a breach.”
Trilling admitted that in its present version, the appliance relies on intrusion detection, rather than providing prevention measures. But he anticipates that subsequent tweaks will put prevention in place.
If Symantec does enter the market, it will be the first major vendor to develop this type of appliance. Some smaller companies, such as Imperva Inc. and Guardium Inc., focus on the area, which they believe is due for a boom.
“People are paying more attention to security for databases because they're recognizing that most tools are good at identifying illegitimate users, but the real problem is at a different level,” said Shlomo Kramer, Imperva's founder and chief executive. Legitimate users, like employees, are able to access information without any security controls, he noted.
Databases are generally better protected by appliances, rather than software, which makes the market compelling for security vendors like Symantec, said Forrester Research analyst Paul Stamp.
“Database servers don't like having any software installed on them,” said Stamp. “And database administrators are even less keen to deal with it.”
Also, by using an appliance, there is a separation between the DBA and security, Kramer added. “If you put the DBA in charge of the security solution, it could be like the cat guarding the milk,” he said.
A potential rise in database security appliances would be in line with increasing use of other types of security appliances, Stamp noted. “There are some interesting vendors emerging in the space,” he said. “Symantec's leap will be worth watching.”