Shouldn't data security actually secure the data?

There have been a bunch of posts and gobs of marketing blurring the lines of distinction between data security products like database activity monitoring solutions and network security products like web application firewalls.

Even within data security - say across DLP, DAM, and database scanning - it can get murky. Some of this is certainly the result of vendors casting about for traction in the market. Nothing like some data security lipstick to gussy up that network security pig.

To be fair, at some point many of today's discrete data security solutions (like DLP and DAM) will consolidate into unified solutions in much the same way firewalls, anti-spam, anti-virus, etc. have combined to create UTM solutions.

But that will take years to occur, and in light of all of the data breaches, most large enterprises can't wait until then.

So what should you do and how will these markets evolve? Recently, Adrian Lane at Securosis had a great post shedding some much-needed light on this topic.

I agree that customers looking for quick time to value are far more likely to reap benefits from creating synergy across processes that relate to the same IT assets (for example, across discovery, assessment, and monitoring as they relate to databases) than from creating synergy across similar processes that span different IT assets (for example, monitoring across web applications, databases, and packaged apps).

Mainly this is true because a more coherent group of people is involved and it’s easier to set policy.

For example, you might decide to monitor all access to the credit card column and to scan critical databases to ensure that default IDs/PWs for privileged accounts have been changed.

The beauty of this approach is that within a day or two, organizations can dramatically tighten controls on their most valuable data and document that they have done so.

In contrast, setting policy across disparate IT elements is far more complex. What policy do we need to protect our sensitive data across the web application, the database, packaged apps, and so on?

Holy moly - a committee of twelve could work on that for weeks and not get anywhere. And even if they did - would you really be better off?

If you got lucky and picked the right attack vectors across the several thousand possibilities - maybe.

Databases ultimately house the crown jewels at most organizations.

The millions of conduits to this data are merely the means to an end of lost data or grounds for a failed audit.

While protecting these conduits (which is essentially what security professionals have tried to do over the past 10 years) may be necessary, it's certainly not sufficient - witness the many data breaches and failed audits.

Extending our control framework to where our data lives is certainly at least part of the solution because the conduit becomes irrelevant. As such, basic scanning and monitoring directly at the database level is arguably the quickest bang for the buck right now for security and compliance pros.

Application Security, Inc. provides database security solutions for the enterprise and was named to Inc. Magazine's 2007 list of America's Fastest Growing Private Companies (Inc. 500). Its products proactively secure databases and deliver up-to-date database protection that minimizes risk for companies.