Database Activity Monitoring and Data Leak Prevention may have the same focus, securing data, but they operate in two different areas.
Still, it all comes down to data, and while that may not mean the two products will become one, DAM could benefit from the content-awareness of DLP (Data Leak Prevention) products, analysts said.
“Most every security monitoring technology would benefit from DLP content awareness, which is the ability to recognize sensitive content on the fly,” said Paul Proctor, an analyst with Gartner. “DAM [Database Activity Monitoring] and DLP tools will not likely become one product because they have different buying centers and purpose, but DAM tools will likely become content-aware.”
Being able to recognize sensitive data on the fly reduces the necessity of proactively tagging or classifying it, he explained. As a result, more granular and effective policies can be built to address sensitive data.
“For example, record the administrator’s actions if the transaction involves SSNs or other privacy related data,” Proctor said. “With current technology this is something that can only be done based on the definition and classification of the column or field. Content-aware technologies can catch sensitive data in a comment field, for example.”
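The distinction Proctor draws between column classification and content awareness, shown as an added example that is not part of the original article or any vendor's product. The event format, the `dba` role, the table names and the SSN pattern are assumptions, and all sample rows are constructed.

```python
import re

# Assumption: (table, column) pairs someone has already tagged as sensitive.
CLASSIFIED_COLUMNS = {("customers", "ssn")}

# SSN-shaped token: 3-2-4 digits with a consistent optional '-' or ' ' separator.
# Areas 000, 666, 9xx, group 00 and serial 0000 are excluded as never issued.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?!\d)"
)

# Constructed audit events: one row returned to a privileged session.
EVENTS = [
    {"user": "dba1", "role": "dba", "table": "customers",
     "row": {"id": 7, "ssn": "123-45-6789"}},
    {"user": "dba1", "role": "dba", "table": "tickets",
     "row": {"id": 41, "comment": "Caller verified with SSN 123 45 6789"}},
    {"user": "dba1", "role": "dba", "table": "tickets",
     "row": {"id": 42, "comment": "Order 123456789012 delayed"}},
]

def column_policy(event):
    """Classification-based rule: fires only on pre-tagged columns."""
    return [c for c in event["row"]
            if (event["table"], c) in CLASSIFIED_COLUMNS]

def content_policy(event):
    """Content-aware rule: inspects every string value in the row."""
    return [c for c, v in event["row"].items()
            if isinstance(v, str) and SSN_RE.search(v)]

def audit(event):
    """Record privileged activity when either rule sees sensitive data."""
    hits = sorted(set(column_policy(event)) | set(content_policy(event)))
    if event["role"] == "dba" and hits:
        return {"user": event["user"], "table": event["table"],
                "columns": hits}
    return None

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["table"], ev["row"]["id"],
              "column:", column_policy(ev),
              "content:", content_policy(ev),
              "recorded:", audit(ev) is not None)
```

The second event is the comment-field case: the column rule returns nothing because `tickets.comment` was never classified, while the content rule flags it. A pattern match alone will also fire on unrelated nine-digit values, so a real policy would pair it with context or validation.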
DLP tools use different data analysis techniques to monitor the use of sensitive content and enforce policies on data in motion, at rest and in use. The strength of DAM, however, is being able to watch administrator activity on the database and detect policy violations.
“DAM will definitely get content aware - in fact it’s easier, because databases provide all sorts of structure and context you can’t get off the network,” said Ted Julian, vice president of marketing and director of strategy at Application Security. “One key thing to consider is exactly how this happens. If the customer is required to have deployed monitoring on the database in question for this to work, they’ll miss stuff.”
“We think it’s critical customers can discover sensitive data automatically, even on databases they don’t know they have,” Julian continued. “Network appliance-based solutions just aren’t practical in this regard, simply way too cumbersome and expensive.”
DLP and DAM solve different problems
According to Bill Bartow, vice president of product management at Tizor, DLP and DAM solve very different but related problems.
“Longer term, it’s possible that the two areas could converge but, frankly, we see DAM as a much larger market than DLP,” Bartow said. “Lately, we are seeing more and more DLP customers deploying DAM for a more complete data security strategy.”
Some database monitoring products already include blocking capabilities, such as Guardium DBLP, which Guardium says locates and classifies sensitive data, then monitors traffic to and from database servers for unauthorized or suspicious activity.
It can also block transactions that violate policy if the appliance is configured as an in-line database firewall or as a passive monitoring device that initiates other enforcement actions such as TCP reset blocking, automated logouts of database users and VPN port shutdowns.
“DLP and DAM are important controls that most organizations should consider in their priorities,” Proctor said. “If you have DLP at the network and endpoints you will likely still need DAM controls inside your database.”
Gartner analyst Mark Nicolett said some DAM vendors are definitely enhancing the content awareness of their products, and may look to gobble up smaller companies to do so.
“We expect a few acquisitions of DAM vendors by large vendors that have DLP technology,” he said.