ASI, Eruces Bolster Database Security

Companies develop software and hardware tools for encrypting database data.

Database security tool makers Application Security Inc. and Eruces Inc. are responding to customers' demands that databases be secured against a rising flood of attacks.

ASI is joining with nCipher Inc. Ltd. to produce a hardware/software database security module, in addition to rolling out updates to its database security software for Microsoft Corp.'s SQL Server and IBM DB2 databases.

For its part, Eruces is expanding the database and operating system support of its Tricryption Engine security software, as well as readying a new service that manages database security.

ASI is readying a product that packages its DbEncrypt database encryption software with nCipher's encryption hardware. A ship date for the product has not been set. The ASI software tool encrypts rows and columns in a database with a variety of encryption algorithms. It includes templates from which users can build their own encryption procedures, with a point-and-click user interface for installing and managing the encryption. nCipher's cryptographic hardware is certified to Federal Information Processing Standard 140 Level 3, a benchmark for cryptographic security best practices.

nCipher, of Woburn, Mass., last year began shipping Secure.Data F3 for Oracle 8i, a database security bundle with ASI rival Protegrity Inc.

New York-based ASI is expected to roll out Version 2.0 of its DbEncrypt for SQL Server software in two weeks. New features in the upgrade include improvements to the server module. The task of selecting data is now performed three times faster, officials said. An Automatic Session Management feature spares database administrators or security officers from having to manually recycle sessions. Before, if they revoked column access, they'd have to execute a command line order to see the results.

Also new in Version 2.0 are updated encryption API examples. These canned scripts can be used for Encrypt/Decrypt, Sign/Verify and Hash functions to build custom-tailored encryption systems and serve as a reference for developers when using the low-level API available in the DbEncrypt Server-side Module.

DbEncrypt can be configured to accept either a password or "Standard Authentication" when securing a login's private key. Standard Authentication replaces OS File authentication and improves on it with enhanced security, the officials said.

Earlier this month, the company released Version 3.0 of its AppDetective application security vulnerability scanning software for DB2.

Meanwhile, Eruces, of Kansas City, Mo., within a few weeks will roll out version 3.1 of its Tricryption Engine, which uses a patent-pending automated encryption key management process to protect electronic data such as databases or multimedia files.

The upgrade adds support for Sybase Inc. databases for storage of cryptographic keys. Tricryption Engine already supports MySQL, DB2, SQL Server and Oracle Corp. databases. Version 3.1 also adds support for the AIX operating system. The software already supports Linux, Solaris, and Windows NT/2000/XP.

Other new features include new caching mechanisms that increase performance to over 750 transactions per second on modest hardware platforms—for example, on a 1GHz Pentium III with 236MB of RAM, officials said. The Tricryption SDK, which originally offered integration with Java and COM/COM+, now also supports C/C++.

TE 3.1 pricing starts at $50,000 and goes up based on instances of installed engines.

In addition to the product news, Eruces will soon launch a managed Web service called KeyMatrix that leverages the Tricryption Engine key exchange technology to provide protection of files via remote key management, officials said.

Patrick Dunn, a senior application developer for Booz Allen Hamilton Inc. and a beta tester of DbEncrypt 2.0 for SQL Server, said that the need for security around databases is on the rise for a number of reasons: the increasing sensitivity of data stored in databases, the growth of hacking and the sharper attention enterprises are paying to security, with sniffers and logs showing malicious activity ratcheting up.

"[The data] is getting more sensitive, and people are acknowledging that we need to do something with these databases," said Dunn, in Lexington Park, Md. "Databases like SQL Server aren't as secure as people think."

Joe Zhou, who has tested software from ASI, Eruces and Protegrity, is recommending DbEncrypt to his users because of its good interface, usability and affordability. Nevertheless, Zhou, security specialist at Sprint Corporate Security, in Kansas City, Mo., said that none of the products is perfect yet. He found performance slow in DbEncrypt and was dissatisfied that users can only encrypt certain data types with it.

Aaron Newman, chief technology officer for ASI, said that the performance of encryption software such as DbEncrypt has everything to do with encoding data correctly.

"You want to pick [the data that] is really important and encrypt it and make a business decision on if you want to lose, say, 30 percent performance for that data," Newman said.

Pricing is not yet available for the nCipher/DbEncrypt package. DbEncrypt for SQL Server is priced at $9,995 per database, with an additional 20 percent annual maintenance fee.