Startups Ready Security Wares for Databases

As hackers continue to find ways around edge-of-network security walls, several companies are readying software and appliances that drive protection deeper—to database files.

Two companies, Vormetric Inc. and Decru Inc., this week will unveil products that encrypt database files in storage as well as in transit and give administrators close control over access. Later this spring, startup Liquid Machines Inc. will release its new security platform, capable of embedding access control rights in documents, then modifying applications to read and enforce those rights.

All these products are at the forefront of what customers and vendors see as a shift away from technologies such as intrusion detection and firewalls that have proved to be less than reliable.

"We want to protect the data itself and not the infrastructure. We need to innovate instead of taking old code that's very buggy and trying to clamp down on it," said Jim Schoonmaker, CEO of Liquid Machines, based in Lexington, Mass. "The primary stakeholder is the enterprise, and we put them in charge."

Vormetric and Decru are headed down a similar path. Vormetric's CoreGuard system comprises a software agent on the host and an appliance that sits in the data center between the host and the storage network. Administrators can select any or all of the stored files to encrypt, which is done via Triple-DES (Data Encryption Standard) or AES (Advanced Encryption Standard), as the customer chooses. Once a file is encrypted, the system separates the metadata and keeps it in clear text so that database administrators and other employees can manage files without holding read rights to their contents.

The server agent sits between the application and the operating system and communicates with the Vormetric appliance. It enforces the access control policies. Read and write access permissions are doled out based on user ID, time of day and requested resource. If the parameters do not fit set policies, access is denied.

"Even if a box is vulnerable to a particular problem, if I tell this software that I don't want anything running as root at a certain time, you can't take advantage of that vulnerability," said a security specialist at a large media company that is testing CoreGuard. "I can tell our division presidents that this won't prevent them from doing their daily business."
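To make the deny-by-default policy model described above concrete, here is an added illustrative evaluator (not Vormetric's code; the user IDs, file paths and time windows are constructed) that grants access only when a rule explicitly matches the user, resource, access mode and time of day, and that handles a window wrapping past midnight.

```python
"""Illustrative deny-by-default access policy evaluator modelled on the
CoreGuard description (user ID, time of day, requested resource).
Added example; not Vormetric code. All names and values are constructed."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Rule:
    users: frozenset        # user IDs the rule applies to
    resource_prefix: str    # path prefix of the protected resource
    modes: frozenset        # allowed modes, a subset of {"read", "write"}
    start: time             # window start (inclusive)
    end: time               # window end (exclusive)

    def in_window(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now < self.end
        # Window wraps past midnight, e.g. 22:00 -> 05:00
        return now >= self.start or now < self.end

    def matches(self, user: str, resource: str, mode: str, now: time) -> bool:
        return (user in self.users
                and resource.startswith(self.resource_prefix)
                and mode in self.modes
                and self.in_window(now))


def evaluate(rules, user: str, resource: str, mode: str, now: time) -> bool:
    """Return True only if some rule explicitly allows the request.
    Any request not matched by a rule is denied (fail closed)."""
    return any(r.matches(user, resource, mode, now) for r in rules)


# Constructed sample policy: DBAs may read and write payroll files during
# business hours; the batch account may only read them overnight.
# No rule mentions root, so root is denied at every hour.
POLICY = [
    Rule(frozenset({"dba1", "dba2"}), "/data/payroll/",
         frozenset({"read", "write"}), time(8, 0), time(18, 0)),
    Rule(frozenset({"batch"}), "/data/payroll/",
         frozenset({"read"}), time(22, 0), time(5, 0)),
]
```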

To prevent rogue processes from accessing network resources, CoreGuard also digitally signs all the applications that are authorized to go through the appliance. The appliances are priced from $29,500, and server agents are $2,995 each.

Decru, based in Redwood City, Calif., takes a similar approach with its new DataFort FC520 appliance. The heart of the box is a custom encryption chip encased in tamper-resistant epoxy. All the encryption keys are stored on the appliance, and administrators can separate departments by creating unique keys for each.

Liquid Machines, meanwhile, is working on a different solution. Its as-yet-unnamed platform assigns rules-based information access and usage policies based on a user's role in the organization. Each document or resource has access rights data embedded in it, dictating which users are able to read, modify or print the document. The platform will make small code modifications to each application on the network, enabling the applications to read and enforce those access rights.

The company plans to roll out its platform in June.