Blocking Unauthorized Privileged User Access
Guardium Unveils First Cross-DBMS Solution to Block Privileged Users from Accessing Sensitive Data
For the First Time, Organizations Can Fully Enforce Separation of Duties – Without Disrupting Business Processes or How DBAs Do Their Jobs

View the on-demand Webcast for additional technical information.

WALTHAM, Mass. (May 23, 2008) – Guardium, the database security company, today announced the first cross-DBMS solution that prevents privileged users – such as DBAs, application developers and outsourced personnel – from viewing sensitive data in corporate databases.

Guardium S-GATE™ is the only technology that allows organizations to safeguard enterprise data and meet compliance requirements – such as Sarbanes-Oxley (SOX), PCI-DSS and data privacy laws – without the cost and complexity of modifying databases, application code or existing business processes, and without relying on “after-the-fact” mechanisms such as logging and alerting.

S-GATE’s ability to enforce granular access control policies that apply only to privileged users means that organizations can now implement robust preventive controls – without the risk of blocking legitimate business access.  S-GATE also strengthens security and enforces separation of duties (SOD) by preventing DBAs from performing security functions such as creating new database accounts and elevating privileges for existing accounts.  At the same time, authorized individuals can continue to use their super user or system privileges to perform day-to-day administrative tasks – including backups, patching and tuning – without interruption. 

Exposing the Database Security Gap: Privileged User Access
Role-based access and other built-in DBMS controls are designed to prevent end-users from accessing sensitive data in databases, but they cannot stop DBAs and other privileged users, who must be able to execute any database command, on any database object, as part of their daily jobs.

Newer technologies such as database activity monitoring (DAM) provide an additional layer of protection by generating detailed audit trails and real-time security alerts whenever anomalous activity is detected or access policies are violated – including privileged user violations.  While DAM is an important element of a defense-in-depth strategy, DAM has traditionally been limited to providing detective controls rather than preventive controls because monitoring alone cannot enforce security policies and prevent unauthorized actions from occurring.

Real-Time Preventive Controls; Zero Disruption to IT Infrastructures
Implemented as a lightweight, host-based software agent with fine-grained security policies, S-GATE provides automated, real-time controls that prevent privileged users from performing unauthorized actions such as:

  • Executing queries on sensitive tables
  • Changing sensitive data values
  • Adding or deleting critical tables (schema changes) outside change windows
  • Creating new user accounts and modifying privileges

S-GATE is completely non-intrusive, and does not require add-on functionality inside the database.  As a result, it’s implemented quickly without disrupting business-critical applications such as Oracle E-Business Suite, PeopleSoft, Siebel, SAP, Business Objects and in-house applications. 

S-GATE provides strong advantages over database-resident controls, including:

  • Cross-Platform Support: S-GATE allows organizations to define a single set of access policies for their entire application and database infrastructure, rather than controlling access for only a specific DBMS platform or version.
    Because it is implemented outside of the database, S-GATE supports all major DBMS platforms (Oracle, Microsoft SQL Server, IBM DB2 and Informix, Sybase, MySQL and Teradata) on all major OS platforms (Windows, Linux, UNIX).
  • Ease-of-Use for Non-DBAs: Database-resident controls require DBAs to administer them – raising issues around separation of duties.  S-GATE can be managed by IT security, compliance or risk teams because it uses simple, English-language policies that can be customized via drop-down menus, without requiring knowledge of database commands and structures.  In addition, S-GATE uses a hardened, Linux-based network appliance to manage access policies, preventing privileged users from disabling or modifying policies, and further strengthening separation of duties.
  • A Single Solution for Policy Enforcement and Auditing: Compliance regulations require storing a complete audit trail of all privileged user actions, in order to document compliance and aid in forensic investigations.  DBMS vendors typically offer fine-grained auditing and audit repositories as separate add-ons.  Guardium 7 offers policy enforcement and fine-grained auditing in a single solution, further reducing cost and complexity.
  • Policies that Examine Query Results, Not Just Incoming Queries: Database-resident controls are limited to controlling execution of specific SQL commands on specific objects.  S-GATE goes one step further by also examining query results.  For example, a connection from an anomalous script or application that is suddenly seen to be extracting PII from the database can be terminated, while a valid application that extracts the same PII data will be allowed.
  • Non-Stop Enforcement: Some database-resident controls must be turned off for routine maintenance operations such as backups and patching.  During these maintenance windows, privileged users can take advantage of disabled controls to perform unauthorized actions.  S-GATE provides continuous enforcement of access policies because it does not require disabling certain privileged accounts inside the database.

S-GATE, available with Guardium 7, is an extension to S-TAP™ (“software tap”), Guardium’s lightweight, host-based agent.  Unique in the industry, S-TAPs are non-intrusive software probes that monitor network streams at the OS level of database servers, including both network access and local access by privileged users (via shared memory, named pipes, Oracle Bequeath, etc.).  S-TAPs have minimal impact on server performance because they relay all traffic to separate Guardium appliances for policy evaluation, analysis, reporting and secure online storage of audit trails. 
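As an added illustration (constructed here, not Guardium's code or policy format), the following Python model shows the two kinds of decision an agent of this type makes: gating a statement from a privileged user against the rules listed above (sensitive tables, change windows, account and privilege changes, while backups and tuning pass through) and inspecting a result set on its way out, so the same PII is allowed for a known application but the session of an unknown script is terminated. The user names, table names, client-app list, change window and SSN pattern are all assumptions.

```python
import re
from datetime import datetime, time
# Constructed policy data for illustration only; not Guardium's policy format.
PRIVILEGED_USERS = {"sys", "dba_jane", "contractor_01"}
SENSITIVE_TABLES = {"customers", "card_data", "payroll"}
CHANGE_WINDOW = (time(22, 0), time(23, 59))    # schema changes allowed only here
AUTHORIZED_APPS = {"PeopleSoft", "SAP"}        # applications allowed to pull PII
PII_ROW_THRESHOLD = 2                          # PII rows before a session is cut
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # stand-in PII pattern
TABLE_RE = re.compile(r"\b(?:from|into|update|join|table)\s+([a-z_][a-z0-9_]*)")
ACCOUNT_RE = re.compile(r"(create|alter|drop)\s+(user|role|login)\b")
SCHEMA_RE = re.compile(r"(create|drop)\s+table\b")

def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end

def evaluate_query(user, sql, ts):
    """Decide on a statement before it reaches the DBMS. Only the privileged
    set is gated here; everyone else stays under normal DBMS controls."""
    if user not in PRIVILEGED_USERS:
        return ("allow", "not a privileged user")
    s = " ".join(sql.lower().split())
    verb = s.split(" ", 1)[0]
    tables = set(TABLE_RE.findall(s))
    if ACCOUNT_RE.match(s) or verb in ("grant", "revoke"):
        return ("block", "account or privilege change is a security function")
    if SCHEMA_RE.match(s) and not in_change_window(ts):
        return ("block", "schema change outside the change window")
    if verb == "select" and tables & SENSITIVE_TABLES:
        return ("block", "privileged read of a sensitive table")
    if verb in ("insert", "update", "delete") and tables & SENSITIVE_TABLES:
        return ("block", "privileged change to sensitive data")
    return ("allow", "routine administrative activity")

def evaluate_result(client_app, rows):
    """Inspect a result set on its way out: the same PII is fine for a known
    application, but a session from an unknown script is terminated."""
    pii_rows = sum(1 for row in rows if any(SSN_RE.search(str(v)) for v in row))
    if pii_rows >= PII_ROW_THRESHOLD and client_app not in AUTHORIZED_APPS:
        return ("terminate", f"{pii_rows} PII rows headed to unknown client {client_app}")
    return ("allow", f"{pii_rows} PII rows to {client_app}")

DAY_TS = datetime(2008, 5, 23, 14, 0)      # constructed: outside the change window
NIGHT_TS = datetime(2008, 5, 23, 22, 30)   # constructed: inside the change window
DEMO_ROWS = [("Alice", "123-45-6789"), ("Bob", "987-65-4321")]  # constructed result set

if __name__ == "__main__":
    print(evaluate_query("dba_jane", "SELECT ssn FROM customers", DAY_TS),
          evaluate_result("ad_hoc_script", DEMO_ROWS), evaluate_result("PeopleSoft", DEMO_ROWS))
```

Real S-GATE policies are written in the appliance's own language rather than as regexes; the point of the model is that the gate sees both the statement and its result, and that non-privileged application sessions are never touched by it.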

“Our customers have been asking for this capability because it is the ultimate in database security and separation of duties, and it’s essential for compliance,” said Ron Bennatan, Ph.D., Guardium CTO and author of Implementing Database Security and Auditing (Elsevier Digital Press, 2005).  “Customers already using S-TAP can easily upgrade to S-GATE to start enforcing access at a very granular level – without disrupting their application environments.”

This is the fifth in a series of announcements revealing Guardium 7’s new capabilities.  Other highlights include:

About Guardium
Guardium, the database security company, delivers the most widely-used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center.

The company’s enterprise security platform is now installed in more than 350 data centers worldwide, including more than 60 Global 500 and Fortune 1000 companies in all major industries.  Customers include 3 of the top 4 global banks; one of the world’s largest PC manufacturers; a global soft drink brand; a top 3 global retailer; and a leading supplier of business intelligence software.

The company has partnerships with Oracle, Microsoft, IBM, Sybase, BMC, EMC, RSA, Accenture, NetApp, McAfee, and NEON, with Cisco as a strategic investor, and is a member of IBM’s prestigious Data Governance Council and the PCI Security Standards Council.

Founded in 2002, Guardium was the first company to address the core data security gap by delivering a scalable enterprise platform that protects databases in real-time and automates the entire compliance auditing process.

Guardium, S-TAP, S-GATE and Safeguarding Databases are trademarks of Guardium, Inc.

###

Media Contacts:
Corinne Federici and George Robertson
Corporate Ink
617.969.9192