Users driven to third-party security

05.12.2005
Managing a 9TB SQL Server 2005 database full of confidential information such as patients' health claims and Social Security numbers, Adam Solesby knows he can't afford to skimp on security.

The director of strategic development at Franklin, Tenn.-based AIM Healthcare Services Inc. has savvy database administrators who encrypt all data that's archived or traveling through the network and who monitor database usage with auditing tools built in-house.

Still, Solesby said he has recently started to test third-party database security tools.

Why? "We have implemented policies and procedures like crazy here," Solesby said. "But databases are not hardened. They are still on the low end of the spectrum in terms of security."

Solesby isn't alone. Even though their licenses cost tens of thousands of dollars, big commercial databases aren't meeting user demand for increased data security and privacy, analysts said.

While database vendors are beefing up security in their products, "companies should look to third-party vendors to supplement additional requirements that are not yet met by DBMS vendors, such as database firewalls, assessment, simplified encryption and granular auditing solutions," Forrester Research Inc. analyst Noel Yuhanna wrote in a Nov. 29 report.

Other observers said users have focused on guarding the entry points to their networks when they should be worrying about internal threats posed by unscrupulous employees with high-level access.

"At Fort Knox, the fuss isn't about who's guarding the brick wall -- it's who's watching the gold," said Raj Sablach, senior vice president of operations at Embarcadero Technologies Inc. The San Francisco-based vendor offers a real-time database activity monitor that Sablach said is easier to use than built-in tools and doesn't slow the database.

Other vendors of database security tools include Lumigent Technologies Inc., IPLocks Inc., Guardium Inc. and Protegrity Corp.

Built-in functions

Users and analysts agree that the latest commercial databases are much more secure out of the box than their predecessors.

For example, Microsoft Corp. now acknowledges that its SQL Server 2000 was installed with many security features turned off by default. Ease of use was the reason, but it led to one notorious hole in which Windows systems administrator accounts were also automatically given administrator accounts on SQL Server, said Jon Hwang, senior database administrator at OpenTable Inc. in San Francisco.

"It's better if vendors assume you might have a very junior crew of DBAs and prevent a lot of these loopholes upfront," said Hwang, who runs SQL Server 2000 to support OpenTable's Web-based restaurant reservations system. He's testing the 2005 version, which he says provides a "dramatic" improvement in security.

Tom Rizzo, Microsoft's product manager for SQL Server, said that besides new features such as encryption of data "at rest" within the database, SQL Server's configuration tool turns off some features, such as support for native Web services, to keep inexperienced database administrators from inadvertently creating security holes. SQL Server 2005 even challenges administrators who try to create accounts without passwords by scolding them in pop-up messages, though it stops short of blocking the practice.

"We think that's like driving at 120 miles an hour without seat belts," Rizzo said.

But, he added, "we have to make SQL Server flexible as well as secure."
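The two configuration weaknesses described above (logins created without passwords, and the Windows Administrators group inheriting sysadmin rights) can be audited from T-SQL. This is an added example, not code from the article or from Microsoft; it assumes SQL Server 2005 or later, where `sys.sql_logins` and `PWDCOMPARE` are available, and a connection with permission to view server-level metadata.

```sql
-- Constructed audit query (not from the article): list SQL logins whose stored
-- hash matches the empty string, i.e. accounts created without a password.
-- SQL Server 2005 only scolds the administrator in a pop-up; this finds the
-- logins that were created anyway.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- Check whether the SQL Server 2000-era default still holds: the local
-- Windows Administrators group mapped to the sysadmin fixed server role.
-- No rows means the group has no login on this instance.
SELECT
    sp.name,
    IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = N'BUILTIN\Administrators';

-- Remediation a DBA would apply after reviewing the results. Assumes another
-- sysadmin login exists so the instance is not locked out; run the variant
-- that matches the installed version.
-- EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';   -- 2005/2008
-- ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];  -- 2012+
```

Re-run both SELECTs after remediation; a passing configuration returns no rows from the first query and either no rows or `is_sysadmin = 0` from the second.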

Rizzo also welcomed third-party providers of database security tools. "We are not threatened," he said. "We live and die by our partners."

Oracle Corp., in contrast, suggested that features built into its July release of Oracle 10g R2 -- such as identity management, encryption and security hole scanning -- should be enough for users.

"We already do what most of these third-party tools do today," said Paul Needham, director of database security at Oracle.

That's debatable, said Peter O'Kelly, an analyst at Midvale, Utah-based Burton Group. But the trend of database vendors adding security features will only grow. That could crowd out third-party vendors, which will have to stay ahead of the big vendors in terms of features or be content to sell to users of older, less-secure versions of databases or to those who run databases from multiple vendors and are seeking convenient, centralized reports, O'Kelly said.

Whether all of this leads to truly increased data security depends on database administrators following best practices using either built-in or third-party tools.

"You can't expect magic," O'Kelly said. "You still have to read the manual."