IBM announced late last year that it was buying US-headquartered database security start-up Guardium for $225m. Jason Stamper caught up with its VP of security strategy, Phil Neray, to find out why.
Q. Almost all organisations have a plethora of security tools already. Why did IBM think database security was important enough to splash out $225m on it?
A. Perimeter defences are not sufficient. Web applications are open to vulnerabilities — that’s what happened with the Heartland breach, where 132 million credit cards were breached. Database admins have the potential to do something wrong either intentionally or unintentionally. You may have someone whose only job is backups, but once you have the privileges to do backups you might have privileges to view all records, or delete them.
I met a major UK bank where the DBA had changed the production server as a favour for a developer, who had then accidentally deleted the wrong table. The bank was operating with bad data for several days, and unpicking the mess cost millions.
Phil Neray, Guardium
Q. Wouldn’t IDS/IPS pick most of these issues up?
A. Intrusion detection or prevention [IDS/IPS] is looking for threats when you don’t know exactly what you are looking for. In the database space it’s very deterministic: for example, don’t share accounts because it is a violation of policy. Another example is that when an application server accesses the database it uses a highly privileged account, which someone could use to bypass security. Without [Guardium-style] monitoring you would never even know that it was occurring.
The other issue is that many companies are having to spend a lot of time putting together reports that the auditors are requesting — the auditors are saying, ‘show me what DBAs did in the last week’. It’s very labour-intensive for the organisation, and often they can’t give the visibility that is required. For example, you might be able to say that the DBA logged in but not exactly what they did.
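The two policy checks Neray describes (a shared account, and a privileged application account used from outside the application tier) and the "what did the DBAs do last week" report, as an added example in Python; this is not Guardium's code, and the audit records, account names and host names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed database audit records (not real data):
# (timestamp, database user, client host, statement)
AUDIT_LOG = [
    ("2010-03-01T09:00:00", "appsvc", "app01", "SELECT * FROM accounts WHERE id = 42"),
    ("2010-03-01T09:05:00", "appsvc", "app01", "UPDATE accounts SET balance = 10 WHERE id = 42"),
    ("2010-03-01T22:10:00", "appsvc", "laptop-17", "SELECT * FROM accounts"),
    ("2010-03-02T10:00:00", "dba_alice", "dbadmin01", "ALTER TABLE orders ADD COLUMN note TEXT"),
    ("2010-03-02T10:30:00", "dba_alice", "dev-box", "DROP TABLE orders_tmp"),
    ("2010-03-03T11:00:00", "backup", "bkp01", "SELECT * FROM customers"),
]

# Assumed policy: the privileged application account may only be used from the app tier,
# and named DBA accounts belong to one person each.
APP_ACCOUNTS = {"appsvc": {"app01", "app02"}}
DBA_ACCOUNTS = {"dba_alice"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def app_account_misuse(log):
    """Privileged application account used from a host that is not the application tier."""
    return [r for r in log if r[1] in APP_ACCOUNTS and r[2] not in APP_ACCOUNTS[r[1]]]


def shared_accounts(log):
    """Personal accounts seen from more than one client host (policy: no shared accounts).

    Application accounts are excluded because several app servers legitimately share them.
    """
    hosts = defaultdict(set)
    for _, user, host, _ in log:
        hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if u not in APP_ACCOUNTS and len(h) > 1}


def dba_activity(log, as_of, days=7):
    """The auditor's report: every statement a DBA ran in the window, not just the logins."""
    cutoff = parse_ts(as_of) - timedelta(days=days)
    return [r for r in log if r[1] in DBA_ACCOUNTS and parse_ts(r[0]) >= cutoff]


if __name__ == "__main__":
    print("app account misuse:", app_account_misuse(AUDIT_LOG))
    print("shared accounts:", shared_accounts(AUDIT_LOG))
    for ts, user, host, stmt in dba_activity(AUDIT_LOG, "2010-03-05T00:00:00"):
        print(ts, user, host, stmt)
```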
Q. Why did IBM, in particular, want Guardium?
A. The acquisition made a lot of sense: there is a commitment to heterogeneous support — we support Oracle, Microsoft, DB2, DB2 for the mainframe, Sybase, MySQL, Informix and Teradata (Teradata is interesting because it shows people want this kind of capability for their data warehouses, not just their transactional systems). There are also the complementary applications and middleware, and Guardium supports the mainframe: all these capabilities made a lot of sense for IBM.
Because all of our customers tend to be IBM clients in some way, we now have a lot more visibility [into those clients’ IT environments]. They nearly all must have all sorts of security technology, but they often haven’t realised why they needed a security layer at the database.
Q. How tightly integrated will Guardium be?
A. The sales force will probably be staying as specialists. We’ve started integrating with Tivoli Security Event Manager (TSEM), so it can accept Guardium feed alerts, and we’ve started shipping the first phase of that. You’ll see tighter integration.
Q. Did most of your staff stay on?
A. The vast majority of our staff stayed: the CEO, CTO and more.
Q. You’re a start-up; what size is the business today?
A. We have over 400 customers including all of the top five global banks. We’re profitable, and have been growing at 60% per year for the past three years at least.
Q. How is your technology deployed?
A. We usually deploy it as an appliance on-premises, though it can also be deployed as a virtual appliance if a company is using VMware.
Q. What is the average starting price?
A. The starting price is around $50k, going up to half a million dollars and a million dollars plus. Pricing is based on the number of transactions being monitored, which we base on the number of CPUs in the database.
Q. Do you care how many processor cores there are?
A. Not yet, but we might have to in the future.