
Guardium Unveils First Solution to Block Privileged Users from Accessing Sensitive Data - Across All Major DBMS Platforms

Business Wire, May 23, 2008

For the First Time, Organizations Can Fully Enforce Separation of Duties - Without Disrupting Business Processes or How DBAs Do Their Jobs

WALTHAM, Mass. -- Guardium, the database security company, today announced the first cross-DBMS solution that prevents privileged users - such as DBAs, application developers and outsourced personnel - from viewing sensitive data in corporate databases.

Guardium S-GATE™ is the only technology that allows organizations to safeguard enterprise data and meet compliance requirements - such as Sarbanes-Oxley (SOX), PCI-DSS and data privacy laws - without the cost and complexity of modifying databases, application code or existing business processes, and without relying on "after-the-fact" mechanisms such as logging and alerting.

S-GATE's ability to enforce granular access control policies that apply only to privileged users means that organizations can now implement robust preventive controls - without the risk of blocking legitimate business access. S-GATE also strengthens security and enforces separation of duties (SOD) by preventing DBAs from performing security functions such as creating new database accounts and elevating privileges for existing accounts. At the same time, authorized individuals can continue to use their super user or system privileges to perform day-to-day administrative tasks - including backups, patching and tuning - without interruption.

Exposing the Database Security Gap: Privileged User Access

Role-based access and other built-in DBMS controls are designed to prevent end-users from accessing sensitive data in databases, but they cannot prevent access by DBAs and other privileged users, who have the ability to execute any database command, on any database object, as part of their daily jobs.

Newer technologies such as database activity monitoring (DAM) provide an additional layer of protection by generating detailed audit trails and real-time security alerts whenever anomalous activity is detected or access policies are violated - including privileged user violations. While DAM is an important element of a defense-in-depth strategy, DAM has traditionally been limited to providing detective controls rather than preventive controls because monitoring alone cannot enforce security policies and prevent unauthorized actions from occurring.

Real-Time Preventive Controls; Zero Disruption to IT Infrastructures

Implemented as a lightweight, host-based software agent with fine-grained security policies, S-GATE provides automated, real-time controls that prevent privileged users from performing unauthorized actions such as:

* Executing queries on sensitive tables

* Changing sensitive data values

* Adding or deleting critical tables (schema changes) outside change windows

* Creating new user accounts and modifying privileges

S-GATE is completely non-intrusive, and does not require add-on functionality inside the database. As a result, it's implemented quickly without disrupting business-critical applications such as Oracle E-Business Suite, PeopleSoft, Siebel, SAP, Business Objects and in-house applications.

S-GATE provides strong advantages over database-resident controls, including:

* Cross-Platform Support: S-GATE allows organizations to define a single set of access policies for their entire application and database infrastructure, rather than controlling access for only a specific DBMS platform or version. Because it is implemented outside of the database, S-GATE supports all major DBMS platforms (Oracle, Microsoft SQL Server, IBM DB2 and Informix, Sybase, MySQL and Teradata) on all major OS platforms (Windows, Linux, UNIX).

* Ease-of-Use for Non-DBAs: Database-resident controls require DBAs to administer them - raising issues around separation of duties. S-GATE can be managed by IT security, compliance or risk teams because it uses simple, English-language policies that can be customized via drop-down menus, without requiring knowledge of database commands and structures. In addition, S-GATE uses a hardened, Linux-based network appliance to manage access policies, preventing privileged users from disabling or modifying policies, and further strengthening separation of duties.

* A Single Solution for Policy Enforcement and Auditing: Compliance regulations require storing a complete audit trail of all privileged user actions, in order to document compliance and aid in forensic investigations. DBMS vendors typically offer fine-grained auditing and audit repositories as separate add-ons. Guardium 7 offers policy enforcement and fine-grained auditing in a single solution, further reducing cost and complexity.

* Policies that Examine Query Results, Not Just Incoming Queries: Database-resident controls are limited to controlling execution of specific SQL commands on specific objects. S-GATE goes one step further by also examining query results. For example, a connection from an anomalous script or application that is suddenly seen to be extracting PII from the database can be terminated, while a valid application that extracts the same PII data will be allowed.

 


Content provided in partnership with Thompson Gale