November 19, 2008

ICS and "Where Do I Start"

I delivered the Information Centric Security Lifecycle presentation at Tech Target ISD.  In it I went over all of the phases of the lifecycle, from creation to destruction, and discussed all of the tools and methods one might employ, along with a couple of different models for Information Centric Security.  At the end I was asked a question from the audience: "Where do I start?  If I wanted to begin this at my company today, where would I start?"

It is a surprisingly simple question, but one that I am not accustomed to answering, and I think that I did a poor job of addressing it.  I basically pointed the guy back to the lifecycle and said "If it's new data, go through this process.  If it is existing data, go through this process."  Technically sound, but not very helpful.  If you are working at a large firm with hundreds of legacy systems and data strewn all over the place, the challenges are far greater than that.  It's not just a question of picking a model and adopting it, but of what data, what tools, what policies, what security model, and how all of these choices affect every single thing I do in IT, adversely or otherwise.

I have talked about different ICS models in previous ICS posts.  One of the Information Centric Security models that I am a big fan of, the virtualized application space, limits the scope of use for data to that application space, and implements its security and privacy policies based upon the assumption of a small domain of users and functions.  The downside of the model is that it does not take into account other applications, and does not readily adapt to generic data at the end points.  It's more focused than that, and while it can provide a very granular data security model, as well as mediate end user and corporate data security policies, it is lacking in flexibility.  The digital rights management systems that I have seen that mimic this model do not account for the data sprawl problem and do not assist the IT professional in getting a handle on existing data.

I realize that in the adoption of Information Centric Security, the Data Loss Prevention (DLP) vendors that are moving into this space have done something very pragmatic, and very right, in that they are somewhat agnostic in their securing of information.  The idea is to analyze and protect everything that they can view, from the network to the end point.  They proceed from the premise both that they are not aware of all of the information that is on the network, and that users will try to bypass the controls.  To address this, they set up the application at logical choke points (the user's machine, the network) and constantly scan, analyze and enforce.  This is why I tend to call DLP a data centric security model as opposed to ICS, and I tend to criticize its general efficiency.  Still, there is a tremendous practicality in the approach, for it automates much of the discovery, analysis, protection and policy enforcement on an existing body of data as it moves around an enterprise.  It provides the means to move from a network or host based security philosophy to an information centric one.  I assume that the vendors will migrate into being application context aware in the future, but for now, what they offer may be enough for most enterprises.

I did not get up on stage and pitch DLP, but I must say that the tools and approach of DLP do offer an advantage when considering how to move to a data centric security model.  If you are wondering where to start, the content discovery, analysis and generic policy enforcement tools within many of the DLP suites offer some advantages.

-Adrian

September 16, 2008

DRM In The Cloud

**This is a cross-post from Securosis**

I have a well publicized love-hate opinion of Digital Rights Management. DRM can solve some security problems but will fail outright if applied in other areas, most notably consumer media protection. I remain an advocate and believe that an Information Centric approach to data security has a future, and I am continually looking for new uses for this model. Still, few things get me started on a rant like someone who says that DRM is going to secure consumer media, and DRM in the Cloud is predicting just that.  

New box, same old smelly fish. Be it audio or video, DRM secured content can be quite secure at rest. But when someone actually wants to watch that video is when things get interesting. At some point in the process the video content must leave its protective shell of encryption, and then digital must become analog. Since this data is meaningless to someone unless they can view it or use it, at some point this transition must take place! It is at this transition point from raw data to consumable media that the content is most vulnerable: the delivery point. DRM and Information Centric Security are fantastic for keeping information secret when the people who have access to it want to keep it a secret. They are not as effective when there is a recipient who wants to violate that trust, and fail outright when that recipient has control of the software and hardware used for presentation.

I freely admit that if the vendor controls the hardware, the software, and distribution, it can be made economically unfeasible for the average person to steal. And I can hypothesize about how DRM and media distribution could be coupled with cloud computing, but most of these examples involve using vendor approved software, in a vendor approved way, over a reliable high speed connection, using a 'virtual' copy that never resides in its entirety on the device that plays it. A vendor approved device helps a whole lot with making piracy more difficult, but DRM in the Cloud claims universal device support, so that is probably out of the question. At the end of the day, someone with the time and inclination to pirate the data will do so. Whether they solder connections onto the system bus or reverse engineer the decoder chips, they can and will get unfettered access, quite possibly just for the fun of doing it!

The business justification for this effort is odd as well. If the goal is to re-create the success of DVD as stated in the article, then do what DVD did: twice the audio and video quality, far more convenience, at a lower cost. Simple. Those success factors gave DVDs one of the fastest adoption curves in history. So why should an "Internet eco-system that re-creates the user experience and commercial success of the DVD" actually recreate the success of DVD? The vendors are not talking about lower price, higher quality, and convenience, so what is the recipe for success? They are talking about putting their content online and addressing how confused people are about buying and downloading!  This tells me that the media owners think that they will be successful if they move their stuff onto the Internet and make DRM invisible. If you think just moving content onto the Internet alone makes a successful business model, tell me how much fun it would be to use Google Maps without search, directions, or aerial photos; it's just maps taken online, right? Further, I don't know anyone who is confused about downloading; in fact I would say most people have that pretty much down cold. I do know lots of people who are pissed off about DRM being an invasive impediment to normal use; or the fact they cannot buy the music they want; or things like Sony's rootkit and various underhanded and quasi-criminal tactics used by the industry; and the rising cost of, well, just about everything. Not to get all Friedrich Hayek here, but letting spontaneous market forces determine what is efficient, useful, and desirable based upon the perceived value of the offering is a far better way to go about this. This corporate desire to synthetically recreate the success of DVDs is missing several critical elements, most notably, anything to make customers happy.

The “Cloud Based DRM” technology approach may be interesting and new, but it will fail in exactly the same way, for exactly the same reasons previous DRM attempts have. If they want to succeed, they need to abandon DRM and provide basic value to the customer. Otherwise, DRM, along with the rest of the flawed business assumptions, looks like a spectacular way to waste time and money.

-Adrian

July 21, 2008

Information Centric Security and Virtualization

I was reading the latest blog post over at the Data Centric Protection and Management site, and its observation on virtualization and data security.  This is a very concise summation, and very much the point.  You might not, and probably should not, trust the network, the OS or other peer applications in certain contexts. Doubly so in a virtualized environment.  With Information Centric Security, you create a virtual container, wrapper or 'universe' for the data and the business rules.  You no longer care if some of the infrastructure has been compromised, as you may still be able to keep data secure even if it has been copied or vMotion'ed off to some other place outside your control.  I have discussed the variations on implementation models in previous posts, but when it comes down to it there are only a handful.  The general need for Information Centric Security became more pressing with SOA, and will likely become a necessity with an entirely virtualized data center.

I am glad to see more people blogging on this topic.

-Adrian

July 02, 2008

What's My Motivation?

(Cross post from Securosis ... which I will do from time to time when a post has relevance to InfoCentric security) -Adrian

Or more appropriately, "Why are we talking about ADMP?" In his first post on the future of application and database security, Rich talked about Forces and Assumptions heading us down an evolutionary path towards ADMP. I want to offer a slightly different take on my motivation, or belief, in this strategy.


One of the beautiful things about modern application development is our ability to cobble together small, simple pieces of code into a larger whole in order to accomplish some task. Not only do I get to leverage existing code, but I get to bundle it together in such a way that I alter the behavior depending upon my needs. With simple additions, extensions and interfaces, I can make a body of code behave very differently depending upon how I organize and deploy the pieces. Further, I can bundle different application platforms together in a seamless manner to offer extraordinary services without a great deal of re-engineering.


A loose confederation of applications cooperating together to solve business problems is the typical implementation strategy today, and I think that the security challenge needs to account for the model rather than the specific components within the model. Today, we secure components. We need to be able to 'link up' security in the same way that we do the application platforms (I would normally go off on an Information Centric Security rant here, but that is pure evangelism, and a topic for another day).


I have spent the last four years with a security vendor that provided assessment, monitoring, and auditing specifically for databases.

Do enough research into security problems, customer needs, and general market trends; and you start to understand the limitations of securing just a single application in the chain of events. For example, I found that database security issues detected as part of an assessment scan may have specific relevance to the effectiveness of database monitoring. I believe Web Application security providers witness the same phenomenon with SQL Injection as they may lack some context for the attack, or at least the more subtle subversions of the system or exploitation of logic flaws in the database or database application. A specific configuration might be necessary for business continuity and processing, but could open an acknowledged security weakness that I would like to address with another tool, such as database monitoring.


That said, where I am going with this line of thought is not just the need for detective and preventative controls on a single application like a web server or database server, but rather the inter-application benefit of a more unified security model. There were many cases where I wanted to share some aspect of the database setup with the application or access control system that could make for a more compelling security offering (or vice versa, for that matter).


It is hard to understand context when looking at security from a single point outside an application, or from the perspective of a single application component. I have said many times that the information we have at any single processing node is limited. Yes, my bias towards application level data collection vs. network level data collection is well documented, but I am advocating collection of data from multiple sources. A combination of monitoring of multiple information sources, coupled with a broad security and compliance policy set, would be very advantageous. I do not believe this is simply a case of (monitoring) more is better, but of solving specific problems where it is most efficient to do so. There are certain attacks that are easier to address at the web application level, and others best dealt with in the database, while others should be intercepted at the network level. But the sharing of policies, policy enforcement, and suspect behaviors, can be both more effective and more efficient.


Application and Database Monitoring and Protection is a concept that I have been considering/researching/working towards for several years now. With my previous employer, this was a direction I wanted to take the product line, as well as some of the partner relationships to make this happen across multiple security products. When Rich branded the concept with the "ADMP" moniker it just clicked with me for the reasons stated above, and I am glad he posted more on the subject last week. But I wanted to put a little more focus on the motivation for what he is describing and why it is important. This is one of the topics we will both be writing about more often in the weeks and months ahead.

June 11, 2008

Adrian Lane joins Securosis!

Believe it or not, I'm going to work with Rich Mogull at Securosis. Worse yet, I'm excited about it!

On the outside looking in, Rich and I have dissimilar backgrounds. I have been working in product development and IT over the last ten years, and Rich has been an analyst and market strategist. But during the four years I have known Rich, we have shown an uncanny similarity in our views on data security across the board. We are both tech guys at our core, and have arrived at the same ideas and conclusions about security and what it will look like in the years to come.

As our backgrounds are both diverse and complementary, my joining Securosis will facilitate taking on additional clients and slowly expanding the types of services provided. I will contribute to strategy, evaluations, architecture and end-user guidance, as well as projects that involve more 'hands-on' assistance. I will also be making contributions to the blog on a regular basis.

Anyway, I am really looking forward to working with Rich on a daily basis. And yes, before Amrit Williams has a chance to ask, I am a card carrying NAHMLA (North American Hoff-Mogull Love Association) member. We may even sell Polo Shirts on the web site.

June 05, 2008

DEMIDS and Database Misuse Detection

DEMIDS is an early paper on how to detect misuse of a database (warning: PDF loads slowly).  As an overview, the paper describes a system where misuse is 'detected' by the use of a distance function.  It attributes a set of tables or database functions as the normal domain of a user, and everything that the user accesses outside of that specified domain has some distance factor associated with it.  Tables in other schemas are viewed as being a certain distance outside of that domain, and tables in a different database further still.  The further away a resource is, the more likely there is misuse.  It is a basic assumption that the users are sufficiently privileged to perform the access.  And it is inherent in the methodology described that the system is closely coupled to the database itself, and it performs the work of detection locally.

While we have seen many papers on Intrusion Detection and Prevention for the general case, this was one of the first papers that I had seen written specifically for database misuse detection.  I mean two things by this: insiders vs. outsiders, and using database internals as opposed to external information.  As such, almost every patent application in the area of heuristic or dynamic database monitoring has to account for this work.  Database misuse detection through heuristics is a somewhat tough problem to crack.  It's not that we do not have the technology and the ability to detect the problems; we do.

By looking at data and meta-data, examining objects and distance, by looking at users and time, by looking at history and present activity, by looking at location and function, and any combination thereof, we can actually do a really good job at detection.  The problems are two-fold, in that the way we use databases has actually changed considerably over the last 5 years, and that every company uses databases in slightly different ways.  That means that both user activity and the business rules change.  It means that deployment of a good heuristic system is more expensive as the threat model is more complex, but also that a behavior based algorithm that can adapt to environmental changes requires less tweaking and has a longer shelf life.  Technically speaking, DEMIDS is a behavior based detection algorithm.
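To make the distance idea concrete, here is an added example in Go. It is not code from the DEMIDS paper and its distance values are a toy I chose for illustration (0 for a table in the user's normal domain, 1 for an unseen table in a schema the user already works in, 2 for another schema in a familiar database, 3 for a database the user has never touched); the paper's actual function is more elaborate. The "db.schema.table" naming and the sample access logs are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Object identifies a table as database.schema.table (constructed format).
type Object struct{ Database, Schema, Table string }

// ParseObject splits a "db.schema.table" string into its parts.
func ParseObject(s string) (Object, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 3 {
		return Object{}, fmt.Errorf("expected db.schema.table, got %q", s)
	}
	return Object{parts[0], parts[1], parts[2]}, nil
}

// Profile is a user's normal domain: the tables observed during a training
// window in which the user is assumed to be behaving normally.
type Profile struct {
	User   string
	Tables map[Object]bool
}

// BuildProfile learns the normal domain from a list of accessed objects.
func BuildProfile(user string, accessed []string) (Profile, error) {
	p := Profile{User: user, Tables: map[Object]bool{}}
	for _, a := range accessed {
		o, err := ParseObject(a)
		if err != nil {
			return Profile{}, err
		}
		p.Tables[o] = true
	}
	return p, nil
}

// Distance is the toy scoring described in the lead-in, not the paper's function:
// the further an object is from anything in the profile, the higher the score.
func (p Profile) Distance(o Object) int {
	if p.Tables[o] {
		return 0 // inside the normal domain
	}
	best := 3 // assume a completely foreign database until proven otherwise
	for t := range p.Tables {
		switch {
		case t.Database == o.Database && t.Schema == o.Schema:
			return 1 // familiar schema, new table
		case t.Database == o.Database:
			best = 2 // familiar database, other schema
		}
	}
	return best
}

// Finding is one access the detector wants a human to look at.
type Finding struct {
	Object   string
	Distance int
}

// ScoreSession scores every access in a session against the profile and
// returns the total distance plus the accesses at or beyond the threshold.
func (p Profile) ScoreSession(accessed []string, threshold int) (int, []Finding, error) {
	total := 0
	var findings []Finding
	for _, a := range accessed {
		o, err := ParseObject(a)
		if err != nil {
			return 0, nil, err
		}
		d := p.Distance(o)
		total += d
		if d >= threshold {
			findings = append(findings, Finding{a, d})
		}
	}
	return total, findings, nil
}

func main() {
	// Constructed training window for a sales analyst.
	profile, err := BuildProfile("analyst", []string{"sales.crm.accounts", "sales.crm.orders"})
	if err != nil {
		panic(err)
	}
	// Constructed session: two normal reads, then a drift toward HR data.
	session := []string{"sales.crm.orders", "sales.crm.contacts", "sales.finance.ledger", "hr.people.salaries"}
	total, findings, err := profile.ScoreSession(session, 2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user=%s total distance=%d\n", profile.User, total)
	for _, f := range findings {
		fmt.Printf("  review: %s (distance %d)\n", f.Object, f.Distance)
	}
}
```

The threshold and the per-level scores are where the tuning the post talks about lives: a profile built from a connection pool's shared login would put every table at distance 0, which is exactly the anonymous-pool problem the post raises later.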

I have probably spent more time studying this paper than its author spent writing it at this point.  I have spent months with various patent attorneys attempting to explain the distance function and how this differs from other patents, applications and prior art.  And months more educating patent examiners on what this really means and how it differs from other claims.  That is because they read this paper and they think they know what it is doing and what is being described.  Pre-conceived notions are a powerful thing.  And my protestations to the contrary are met with skepticism.  Then I force them to work through the equations … a mathematical proof if you will … and they get random garbage rather than the numbers they were expecting.  When I explain again how the distance calculation actually works and produce the expected numbers, they can barely believe it.  Believe it.  What is going on here is subtle and clever, albeit not particularly useful in today's world.  Still, for anyone out there who is considering database misuse detection algorithms, this paper needs to be in your repertoire.  In any patent work you do in this area, the examiners will send this work back to you as prior art and ask you to explain how you are novel.


I bring this up to illustrate that database usage has evolved considerably since 2000, as has our mindset on database security.  It is a testament to how far we have come in this industry as a whole; how databases are used, the volume of information moving through them, the number of users and roles, and how we distribute and share data.  When this paper was written the concept was well ahead of its time, but it has still been eclipsed because of the vast amount of research and development in this field.  Typical uses of the database, like anonymous connection pools or mirroring, are not appropriately accounted for.  Still, it is really worth a read to understand some of the early approaches to the problem of detecting authorized (i.e. insider) database misuse if this is a subject that interests you.

June 04, 2008

ICS Example No. 2

A few posts back I provided one of the simplest examples I could come up with for Information Centric Security.  To recap, consider having a PGP plug-in to an email tool like Outlook or Eudora.  The outbound email you send is encrypted with the receiver's public key, and signed by your private key to ensure authenticity.  Conversely, inbound email is encrypted with your public key and digitally signed by the sender.  Consider some of the advantages of this: a) your email is stored locally in a safe form, b) your email is reasonably safe in transit, c) you can verify the email came from the person on the 'From' line.  There are certainly secondary advantages in filtering spam, not having to worry about lost backups or in-transit alteration, and you can still communicate with other non-secured persons and applications at your discretion just as you do today.

I also wanted to discuss a slightly more complex example to illustrate how Information Centric Security can solve other problems.

Let's say I am on my laptop at some coffee shop, using their 'secure' wireless hackspot.  I want to buy a book, so I go to Amazon, or some such site.  And they want to make this easy for me, the customer, to very quickly make my purchases with as little effort as possible.  A very easy process: I simply select a book after browsing the site, choose my shipping and click the 'Give us $$$ right now' button.  They store my credit card whether I want them to or not, so no need for me to enter that data again after my first purchase.  I assume that I am directly connected to the merchant and that the 'HTTPS' and little lock symbol mean something.  The vendor is a big, trustworthy company and does this type of thing all the time, so I assume they must secure all of these credit card numbers, right?  And from the identity perspective, the vendor is pretty sure I am me.  No password required, because the cookie on my machine told them I was me and cookies don't lie.

What don't I like about this?  I don't like the merchant storing my credit card number.  There really is no good reason for them to have it to clear payment, and so storing it invites liability.  I don't like that there is no password required.  Even if they did want a password, given I am using my laptop at the hackspot, every piece of personal data passed across that link can be accessed in a man-in-the-middle attack.

Let's take a quick look at this from a packetized or object data model.  Let's assume that the process is the same … I go to my WiFi spot, select a book, click checkout, and authorize the payment.  But this time there will be a couple of small differences.  The first is that I am using a small tool kit that can encrypt or provide a digital signature (or both) for certain objects on my machine; while it would not necessarily be a browser plug-in, for simplicity let's say that is what it is.  In this case, when I get my book order confirmation, I am going to be sent an electronic purchase order from the merchant.  It will contain a short description of the purchase, a purchase ID, a merchant ID, an amount, a timestamp and a customer ID.  I will pull my credit card from the secure tool kit, append the credit card number, which has been encrypted with the public key of the credit card processor, and digitally sign the entire PO.  I then return the entire blob back to the merchant.

The merchant will pass a copy of this back to the payment processor, who will decrypt the credit card number and verify that the number belongs to the user who signed the PO.  They can then send some form of acknowledgment back to the vendor to verify that the user was the owner of the credit card, and that the payment has been approved.  The merchant sends me back an order confirmation and the process is complete.  Remediation or dispute resolution is a simple process for the merchant that does not require a credit card number stored in the clear.

In this scenario the merchant can verify that I am me because of the digital signature, but I did not have to pass a password across the Internet.  It keeps the merchant from keeping credit card numbers lying around, which is an advantage to everyone.  It protects the merchant as it lessens the likelihood of replay attacks and forgeries, and of passwords or credit card numbers being intercepted by a man-in-the-middle.  It protects the user from the same issues.  And as the toolkit can be used to store personal information on the laptop encrypted, it reduces the possibility of the information being obtained during a physical theft.
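The exchange described above, and the same encrypt-to-recipient plus sign pattern the PGP email recap uses, as an added example in Go. This is not the author's toolkit or any real processor's API; it is my own sketch of the three parties. Assumptions I have made that the post leaves open: the customer's signing key and card ownership are enrolled with the processor out of band, the card number is encrypted with RSA-OAEP to the processor's key, the PO is signed with Ed25519, and the processor remembers purchase IDs it has already cleared so a resubmitted blob is rejected. The PO values and card number are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// PurchaseOrder is the merchant-issued order from the post: description, ids,
// amount and timestamp. It carries no card number.
type PurchaseOrder struct {
	Description string `json:"description"`
	PurchaseID  string `json:"purchase_id"`
	MerchantID  string `json:"merchant_id"`
	CustomerID  string `json:"customer_id"`
	AmountCents int64  `json:"amount_cents"`
	Timestamp   int64  `json:"timestamp"`
}

// SignedOrder is the blob the customer returns via the merchant: the PO, the
// card number encrypted to the processor, and a signature covering both.
type SignedOrder struct {
	PO            PurchaseOrder
	EncryptedCard []byte
	Signature     []byte
}

var oaepLabel = []byte("card-number") // assumed label; binds ciphertext to this use

// signingInput binds the PO and the ciphertext together so neither can be
// swapped without invalidating the signature. Go's JSON encoding of a struct
// is deterministic, so customer and processor compute identical bytes.
func signingInput(po PurchaseOrder, encCard []byte) ([]byte, error) {
	return json.Marshal(struct {
		PO            PurchaseOrder `json:"po"`
		EncryptedCard []byte        `json:"encrypted_card"`
	}{po, encCard})
}

// CustomerAuthorize is the customer's toolkit step: encrypt the card number to
// the processor and sign the whole PO. The merchant never sees the number.
func CustomerAuthorize(po PurchaseOrder, card string, processorPub *rsa.PublicKey, custPriv ed25519.PrivateKey) (SignedOrder, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, []byte(card), oaepLabel)
	if err != nil {
		return SignedOrder{}, err
	}
	msg, err := signingInput(po, enc)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{PO: po, EncryptedCard: enc, Signature: ed25519.Sign(custPriv, msg)}, nil
}

// Processor models the payment processor with its out-of-band enrollment data.
type Processor struct {
	priv      *rsa.PrivateKey
	custKeys  map[string]ed25519.PublicKey // customer id -> signing key
	cardOwner map[string]string            // card number -> customer id
	seen      map[string]bool              // purchase ids already cleared
}

func NewProcessor() (*Processor, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Processor{priv, map[string]ed25519.PublicKey{}, map[string]string{}, map[string]bool{}}, nil
}

func (p *Processor) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

func (p *Processor) Enroll(customerID string, pub ed25519.PublicKey, card string) {
	p.custKeys[customerID] = pub
	p.cardOwner[card] = customerID
}

// Authorize is the processor's check: the PO is signed by the named customer,
// the card decrypts and belongs to that customer, and the purchase id is new.
func (p *Processor) Authorize(so SignedOrder) error {
	pub, ok := p.custKeys[so.PO.CustomerID]
	if !ok {
		return errors.New("unknown customer")
	}
	msg, err := signingInput(so.PO, so.EncryptedCard)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, so.Signature) {
		return errors.New("signature invalid: order altered or not signed by customer")
	}
	card, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, so.EncryptedCard, oaepLabel)
	if err != nil {
		return errors.New("card number does not decrypt")
	}
	if p.cardOwner[string(card)] != so.PO.CustomerID {
		return errors.New("card is not owned by the signing customer")
	}
	if p.seen[so.PO.PurchaseID] {
		return errors.New("replayed purchase id")
	}
	p.seen[so.PO.PurchaseID] = true
	return nil
}

// RunScenario plays the honest flow, a merchant-side amount tamper, and a replay.
func RunScenario() (honestOK, tamperRejected, replayRejected bool, err error) {
	proc, err := NewProcessor()
	if err != nil {
		return
	}
	custPub, custPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	const card = "4111111111111111" // constructed test card number
	proc.Enroll("cust-42", custPub, card)
	po := PurchaseOrder{"Book", "po-1001", "merchant-7", "cust-42", 2999, 1212537600}
	so, err := CustomerAuthorize(po, card, proc.PublicKey(), custPriv)
	if err != nil {
		return
	}
	honestOK = proc.Authorize(so) == nil
	tampered := so
	tampered.PO.AmountCents = 299900 // merchant (or MITM) edits the amount
	tamperRejected = proc.Authorize(tampered) != nil
	replayRejected = proc.Authorize(so) != nil // same blob submitted twice
	return
}

func main() {
	h, tm, r, err := RunScenario()
	fmt.Printf("honest accepted=%v tamper rejected=%v replay rejected=%v err=%v\n", h, tm, r, err)
}
```

The point worth noticing is what each party can and cannot learn: the merchant holds only ciphertext it cannot open, the processor sees the card number but never a password, and the signature covers the encrypted card together with the PO so the blob cannot be reassembled for a different order.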

As much of this can be automated by a local application, the user does not need to worry about all of the ugly details or be a cryptographic expert.  This is almost zero change to the shopping experience, a small addition of code on the user and merchant sides, and a moderate change to the underlying payment clearing process.  It is my contention that this offers greater user and merchant security.  Best of all, this could do away with the entire PCI industry as we know it, reducing costs for the merchant and fraud for the merchant banks!

A perfect solution?  Not even close.  It opens up new attack vectors in key management and public key distribution, but these are more complicated, and more expensive, attacks.  And I still have the problem that if someone gets my laptop, they can order whatever they like without my assistance.  If they get hold of the laptop, the only thing that keeps a thief from pretending to be me is a password.  If they can guess the password(s), and I am not using some form of n-factor authentication, it's game over.  But that is no different than what we have today.  With this packetized data model, information stored on the disk, like keys, credit card numbers and other valuable data, is encrypted and not accessible without passing access control requirements.  And the vendor may have my credit card number, but that number is secured so that only the bank and I know what it is.

Thoughts?  Questions?  Character Assassinations?  Feel free to chime in.

June 03, 2008

Miscellaneous Ramblings on ICS

I was having lunch the other day, discussing Information Centric Security, with someone I had never met before.  It was an amazing conversation, and it struck me as ironic that two people who have each spent the last dozen years at different companies working with different technologies have come to so many similar conclusions, both about the deficiencies in how we use the security tools we have today, or more correctly, the mis-application of those technologies.  We both had nearly identical concepts about how to move security forward, and how it will take a fundamental shift in the mentality and approach of the security practitioners to achieve these goals.  Our consensus was that it is not so much a technology issue, but will require a fundamental shift in perspective to advance IT security from where we are today.  There is more than enough technology available.  Our technology tool kit is full of cool stuff.  Technology is not the limiting factor.  How we approach solving problems is.  I called it an 'Approach', he called it a 'Mind Hack'.  Whatever.  It is these types of meetings that keep me in this profession and get me excited about my work.

It is also interesting to see how biases and beliefs manifest themselves in different implementation strategies.  Forgive the crude analogy, but while we both fervently believe in Information Centric Security as a model, we worship at slightly different altars of implementation.  Some of us view the solution as a virtualized application space, which I believe manifests a business processing security perspective.  Others view the solution as a packetized encapsulation of data objects, which I believe originates from a perspective of personal data protection.  The former has a distinct advantage in the area of misuse detection and data policy management; the latter has a decided advantage in privacy and application dependencies.  There will be other proposals, which will all have a common thread that data will have a playground in which it is used, accessed and stored.  The differences are where you draw your 'line in the sand', or the protective boundary around the data.  Personally, the more the better, as it shows the flexibility of the concept, but it can make it more difficult to get your head around.

To take this one step further, much of the security we have today is designed to protect the infrastructure.  It is external to business processing and in many cases is deployed as an add-on at the network level.  ICS by contrast is systemic.  ICS places security directly on the asset of value, not the infrastructure.  ICS and firewalls or IDS are not mutually exclusive, but they take opposite approaches.

Anyway, it is great to get a chance to sit down with someone who has been thinking about this for many years and hammer out some ideas and where to go with this. We are going to reach a critical mass on this in short order.

June 02, 2008

More comments on database security


Assessment.  In the last post I mentioned that I believe that Rich Mogull's number for the size of the Database Activity Monitoring market is about right; about $70M.  Over the last two years, in the Request For Information and Request For Procedure documents I have reviewed for database security, Assessment forms a full 60% of the overall requirements.  The majority of the requirements.  My sample size is about 40 such documents, so I believe this is a large enough number to be meaningful.  DAM, encryption, audit and the other items are in the remaining 40%.  More still, Monitoring provides critical value on a select number of critical servers, but assessment provides value across all of the databases in an organization.

Yet if DAM is at $70M, and Assessment is still in the $15-20M range, do you sense an issue here?  I do not think that this is an issue of pricing, but a mismatch between vendor offerings and customer requirements.  It is also an issue of perception, as many companies thought that their assessment vendor was already providing database assessment.  To a degree they were, but the level of detail that is provided is insufficient.  Is this a limiting factor for success in the eyes of the customer?  You betcha!  If the solution does not meet the requirements as the customer perceives them, then the adoption rate will be lower.

Policies.  I am at odds with many people on this one, but I have discussed this with many vendors and a few customers, so I still maintain this is the direction we are going to be heading: Policies as a security and compliance consolidator. 

What do I mean?  I mean that whatever security widget you sell today becomes a component in a larger framework.  The data it collects, the data it filters, the data it stores, how long, and what gets sent off to other applications will all be specified by a policy somewhere.  That policy will govern several security and reporting applications, and those policies will be geared toward meeting the business requirements in terms of function, compliance, regulatory requirements, service levels and just about every other operational vector within IT.

Why do I say that?  Because businesses have specific policies that they need fulfilled.  The people who know about these requirements and manage these requirements are not domain experts.  They do not know and do not want to know about firewall rules, do not want to know how SAP connects to a database, they just want to know their policy has been implemented. 

Let's take this from the other direction.  Security challenges are complex.  I typically find that most customers have not performed a threat analysis or a risk analysis, and they are not even sure where to start.  The scope of the problem set is daunting.  So it is on this basis that I favor the simpler, less complex concept of a policy, and letting the domain experts decide behind the scenes how the policy is enforced.  I see this at larger companies all of the time when they create specifications on how a network is to be secured, how a database is to be secured, how an application is to be secured.  But the blending of technical implementation and business policy has little integration, and I am claiming that these policies and their associated implementation create a fine bridge between the technical and business stakeholders.

Virtualization.  I cannot think of any single thing that will affect database security offerings more in the next couple of years than virtualization.  One simple point I want to make: your network will probably be virtualized along with your servers.  Your selection of a DAM technology – or any external technology for that matter – may stop working in a virtual environment if there is no wire or no mirror port to hook into.  And it certainly will have an impact on discovery and assessment methodologies. 

Dashboards.  I hear about Dashboards a lot.  A lot.  I think whenever someone does not really know what the next trend in XYZ technology or security widget is, a Dashboard becomes the next thing that the customer needs to truly realize their value potential. 

I have been hearing this in the database security realm as of late, and please, just stop it!  Look closely at the requirements for various regulatory (e.g. SOX) and compliance (e.g. PCI) challenges.  Look at the frameworks that are out there like COBIT, COSO, SCAP or whatever guide you choose.  Discovery and preventative controls are put into place, and detective controls to augment enforcement.  Separation of duties requires that the roles be separate and distinct.  Different policies, collecting different data, filtered and reported in a different way for each stakeholder.  What is more, I may not want all of the collected data stored in a single location, as that in and of itself may be a problem.  Access control resolves that, you say?  Different views enforce roles?  Groups and roles can handle this?  Ha!  Make no mistake, reports are one of the principal values provided to the stakeholders of data and application security, audit and compliance.  But the whole point in providing separation of duties means that there is not a central view and probably not a central repository of all activity, as that defeats the purpose.  Generic ‘hub’ or ‘vault’ models that serve all audiences are probably not the right method.
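To make the two points above concrete (a policy specifying what each security widget collects, filters, keeps and forwards, and separation of duties meaning that stakeholders get different data in different repositories rather than one central vault), here is an added example that is not code from the original post or from any vendor product. It routes a constructed batch of database activity events through three stakeholder policies; the event format, the policy schema, the stakeholder names and the retention periods are all assumptions made for illustration.

```python
"""Policy-driven routing of database activity events to per-stakeholder sinks.

Added example, not from the original post or any product. The event layout,
policy schema, stakeholder names and retention periods are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

# Constructed sample of database activity events, as a DAM sensor might emit them.
SAMPLE_EVENTS = [
    {"ts": "2008-05-27T09:00:00Z", "user": "app_svc", "db": "erp", "verb": "SELECT",
     "table": "orders", "rows": 120, "sql": "SELECT * FROM orders WHERE id > 1000"},
    {"ts": "2008-05-27T09:01:00Z", "user": "jdoe", "db": "erp", "verb": "SELECT",
     "table": "cardholder", "rows": 5000, "sql": "SELECT pan, exp FROM cardholder"},
    {"ts": "2008-05-27T09:02:00Z", "user": "dba1", "db": "erp", "verb": "GRANT",
     "table": "cardholder", "rows": 0, "sql": "GRANT SELECT ON cardholder TO jdoe"},
    {"ts": "2008-05-27T09:03:00Z", "user": "app_svc", "db": "hr", "verb": "UPDATE",
     "table": "salary", "rows": 1, "sql": "UPDATE salary SET amt = 9 WHERE emp = 7"},
]


@dataclass
class Policy:
    """One stakeholder's requirement, stated without reference to any widget."""
    name: str
    match: Callable[[dict], bool]   # which events this stakeholder is entitled to see
    fields: tuple                   # which fields are kept; the rest are dropped at collection
    retention_days: int             # how long this stakeholder's sink may keep a record
    sink: list = field(default_factory=list)   # stand-in for a separate repository

    def apply(self, event: dict, now: datetime) -> bool:
        """Filter, project and stamp an expiry; returns True if the event was kept."""
        if not self.match(event):
            return False
        record = {k: event[k] for k in self.fields}
        record["expires"] = (now + timedelta(days=self.retention_days)).isoformat()
        self.sink.append(record)
        return True


def sensitive(ev: dict) -> bool:
    """Constructed list of tables the compliance owner cares about."""
    return ev["table"] in {"cardholder", "salary"}


def build_policies() -> list:
    return [
        # Compliance: privilege changes and sensitive-table access, full statement, long retention.
        Policy("compliance",
               match=lambda e: e["verb"] in {"GRANT", "REVOKE", "ALTER"} or sensitive(e),
               fields=("ts", "user", "db", "table", "verb", "sql"), retention_days=365),
        # DBA operations: every event, but user and statement text never collected; short retention.
        Policy("dba_ops",
               match=lambda e: True,
               fields=("ts", "db", "table", "verb", "rows"), retention_days=30),
        # ERP application owner: only their own service account on their own database, volume only.
        Policy("erp_app_owner",
               match=lambda e: e["db"] == "erp" and e["user"] == "app_svc",
               fields=("ts", "table", "verb", "rows"), retention_days=90),
    ]


def route(events, policies, now: datetime) -> dict:
    """Offer every event to every policy; each policy keeps only what it is entitled to."""
    counts = {p.name: 0 for p in policies}
    for ev in events:
        for p in policies:
            if p.apply(ev, now):
                counts[p.name] += 1
    return counts


def purge_expired(policy: Policy, now: datetime) -> int:
    """Enforce the retention clause of one policy; returns how many records were dropped."""
    before = len(policy.sink)
    policy.sink = [r for r in policy.sink if datetime.fromisoformat(r["expires"]) > now]
    return before - len(policy.sink)


def demo() -> dict:
    """Run the sample through the policies with a fixed clock and summarize the outcome."""
    now = datetime(2008, 5, 27, 12, 0, tzinfo=timezone.utc)
    pols = build_policies()
    counts = route(SAMPLE_EVENTS, pols, now)
    by_name = {p.name: p for p in pols}
    compliance_has_sql = all("sql" in r for r in by_name["compliance"].sink)
    dba_minimized = all("sql" not in r and "user" not in r for r in by_name["dba_ops"].sink)
    purged = {n: purge_expired(p, now + timedelta(days=31)) for n, p in by_name.items()}
    return {"counts": counts, "compliance_has_sql": compliance_has_sql,
            "dba_has_no_user_or_sql": dba_minimized, "purged_after_31_days": purged}


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that no sink ever holds the union of what the others hold: the compliance owner sees the GRANT and the sensitive-table reads with full statement text, the DBA sink never receives user names or SQL at all (minimized at collection, not by a view applied afterwards), and the application owner sees only their own traffic. Retention is likewise a per-policy clause, so the 30-day operational records expire while the compliance records do not.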

May 27, 2008

Database Security Market.

Howdy!  Hola! Good Morning!  I had a good holiday.  Feeling good.  Five days off, at home, with wonderful weather will do that.  Plus there are a lot of changes in my life and a bunch of new professional opportunities that are really quite exciting.  So I am feeling better than good.  Unchained!  Even a little sassy.  Anyway, let’s get right into this post, shall we?

For those of you who know me, you know that I have been in data and database security for over 12 years now.  As CTO with various firms that develop security software, as a consulting security practitioner, and as a CIO.  And lately I have been doing a lot of research.  Too much.  Market trends, acquisitions, obscure executive quotes, public company PowerPoint presentations, how marketing organizations spin their value, PR and how they create image, blogs, face to face meetings, product analysis, analyst reviews and just about everything I can get my hands on.  

Lately a couple of things have happened.  First, a lot of research has illuminated a couple of indicators within the database security industry.  Second, I have discovered some hard evidence to support a couple of quiet predictions that I have had for a while.  Finally, I find myself unburdened of several responsibilities so I can talk more freely about all of the above.  This has all led me to a new series of posts on this blog that I will be making on the database security industry at large.  In this post, acquisitions and market sizing.

I am making the prediction that by year’s end, three of the top four database security companies will be acquired.  In fact, I will bet that 5 will be gone within an 18 month window of time.  There are a dozen firms or more, for those of you who do not watch this segment on a daily basis.  And they will be gobbled up by larger firms.  Yes, some have been predicting this for 2 years.  This is the first time that I have made this statement, because the market is no longer nascent and there is genuine customer demand.  A lot of research and a lot of conversations, and I am convinced that we will no longer be waiting: these mergers & acquisitions will happen.  It does not require a huge leap of faith when you realize that there are about a baker’s dozen established firms in the areas of security, systems management and database management that have been circling and investigating the market space for a year or so.  But the music is about to stop in this game of musical chairs, and several key players who could genuinely use database security in their portfolio will be left out of the mix.  Yes, giant systems management & security vendor, I am talking about you.  Plus a few others who will wait until they feel the market size justifies the investment, only to find that they waited too long. 

Second, the market size of database security is about to double.  Rich Mogull posted a comment last week on the Database Activity Monitoring size at $70M for 2007, plus or minus $20M.  I believe his number is accurate, but it does not include assessment, which is half again as large, so I think 70 is a safe number. I am predicting $130M by the end of 2009.  I will leave auditing out of the picture for now, as predicting its size, impact and customer demand is more black art than science.  Because these components are not tracked as the single offering they should be, but rather as fragments, the market has the illusion of being smaller than it is.  Regardless, with the onset of the acquisitions, this market will quickly eclipse DLP.   

I do not believe I am shimmying out on a slender branch here, as growth of this segment should not be a big mystery.  The current group of players are small firms with small sales teams and limited reseller relations.  These products are about to be sold by global sales forces an order of magnitude larger, quadrupling the number of customers who see these products.  The acquiring firms will lend additional credibility to the technology, bundle it with existing products that (hopefully) create a more compelling solution, and add the professional services that are often a required step in their deployment.  And let’s face it, database monitoring, auditing, prevention and assessment are not considered a necessity by most enterprises today.  But that is changing rapidly as companies realize that AV, Access Control & IDS try to keep outsiders out, rather than being geared to protect sensitive information.  And where is a lot of the sensitive information stored that needs to be protected?  Today’s players have proven the value of these solutions, and now the larger companies will step in and make the market.

In future posts I will discuss and analyze these as they happen.  I will make comments on the business value proposition, the fit of the technology within the acquiring company’s existing product offerings, and provide analysis of strategic vision.  Later.  Next up will be product directions, roadmaps and synergies.