Database Security Could be on the Menu for Acquisition

Fortinet's acquisition of database security technology from IPLocks could signal similar purchases are on the way.

UPDATED: When Fortinet announced it acquired technology from IPLocks June 17, there was talk the move could signal a round of acquisitions around database security.

While the verdict on that is not in yet, the database security market is certainly expanding, according to Forrester Research analyst Noel Yuhanna.

"The database is a like a bank; it holds corporate asset, and until now many enterprises felt that DBMS secure automatically, but with all the breaches it's not the case," he said.

In such an environment, purchases around database security may become increasingly common. There have already been other examples of such moves. IBM completed its acquisition of Consul and its data auditing technology last year, and Cisco Systems was among those who invested some $6.3 million in database security specialist Guardium in 2006.

"We believe that the traditional DBMS tools vendors -- CA and BMC, who currently don't have a database security offering -- will look for acquisition in the near term," Yuhanna said. "Also, large security vendors ... are likely to expand their stack to include database security at some point, as the market further consolidates."

With the recent spate of Web-based SQL injection attacks making headlines, an acquisition that combines Web application and database security could be an attractive option for some companies. In Yuhanna's book, some likely candidates for acquisition in the space include Guardium, Imperva, Protegrity, Tizor and Application Security.

In the deal with IPLocks, Fortinet purchased the company's vulnerability assessment tool, source code and related physical assets, as well as a broad license to IPLocks' database monitoring and auditing tools. The move is a curious one for Fortinet, whose bread and butter has been selling unified threat management devices to the small and midsize business market.

Anthony James, vice president of products at Fortinet, said the company saw an opportunity to extend its reach beyond network security and into database application security.

"We are actively exploring various integration opportunities, including integrating the IPLocks vulnerability assessment tool with FortiGate, but a fully-defined strategy is still pre-mature but forthcoming," James said. "In the short term, we are developing an appliance-based product line from the vulnerability assessment tool allowing customers to simplify the product deployment, reducing the overall cost of ownership."

Fortinet's hope is the acquisition will push the company past its competitors and accelerate its reach into the data center.

"Many competitors are still focusing on network security while cyber criminals are moving to more sophisticated application asset [database] attacks for financial gain," James said. "The addition of IPLocks assets further extends Fortinet's ability to protect corporations from these new attack targets."

IPLocks also pushes DAM (database activity monitoring) technology, an important piece of the puzzle when it comes to understanding what is happening in the database. However, analyst Eric Ogren was skeptical as to how it would fit into Fortinet's portfolio.

"I see DAM as just a small portion of an overall technology audit capability for application transactions, along with Web and file usage," said Ogren, founder of The Ogren Group. "Auditing is standard operating procedure in all other business functions, and is long overdue in technology. DAM is often confused with database security, but it really has little to do with preventing attacks or inappropriate access."

Update: A previous version of the story incorrectly stated Fortinet acquired all of IPLocks.