Database security is a broad section of information security that concerns itself with protecting databases against compromises of their integrity, confidentiality and availability. It covers various security controls for the information itself stored and processed in database systems, underlying computing and network infrastructures, as well as applications accessing the data.
1 Management Summary
Databases are arguably still the most widespread technology for storing and managing business-critical digital information. Manufacturing process parameters, sensitive financial transactions or confidential customer records: all of this highly valuable corporate data must be protected against compromises of its integrity and confidentiality without affecting its availability to business processes. The area of database security covers various security controls for the information itself stored and processed in database systems, the underlying computing and network infrastructures, as well as the applications accessing the data.
Among the security risks to which databases are potentially exposed are the following:
- Data corruption or loss through human errors, programming mistakes or sabotage;
- Inappropriate access to sensitive data by administrators or other accounts with excessive privileges;
- Malware, phishing and other types of cyberattacks that compromise legitimate user accounts;
- Security vulnerabilities or configuration problems in the database software, which may lead to data loss or availability issues;
- Denial of service attacks leading to disruption of legitimate access to data.
Consequently, multiple technologies and solutions have been developed to address these risks, as well as provide better activity monitoring and threat detection. Covering all of them in just one product rating would be quite difficult. Furthermore, KuppingerCole has long stressed the importance of a strategic approach towards information security. Therefore, customers are encouraged to look at database security products not as isolated point solutions, but as a part of an overall corporate security strategy based on a multi-layered architecture and unified by centralized management, governance and analytics.
In this Leadership Compass, however, we are focusing on a relatively narrow segment of database security solutions to avoid comparing functionally distinct products and to exclude market segments already covered in other KuppingerCole reports.
First and foremost, we are focusing on security solutions for protecting traditional relational database management systems (RDBMS), which are still by far the most widespread type of databases used by enterprises; however, solutions that extend their protection to NoSQL databases as well are going to be rated higher. Secondly, we are not explicitly covering various general aspects of network or physical server security, identity and access management or other areas of information security not specific to databases, although providing these features or offering integrations with other security products may influence our ratings.
Still, we are putting a strong focus on integration into existing security infrastructures to provide consolidated monitoring, analytics, governance or compliance across multiple types of information stores and applications. Most importantly, this includes integrations with SIEM/SOC solutions, existing identity and access management systems and information security governance technologies.
Solutions offering support for multiple database types as well as extending their coverage to other types of digital information are expected to receive more favorable ratings as opposed to solutions tightly coupled only to a specific database (although we do recognize various benefits of such tight integration as well). The same applies to products supporting multiple deployment scenarios, especially in cloud-based and hybrid infrastructures.
Another crucial area to consider is development of applications based on the Security and Privacy by Design principles, which are soon going to become a legal obligation under the EU’s upcoming General Data Protection Regulation (GDPR). Database security solutions can play an important role in supporting developers in building comprehensive security and privacy-enhancing measures directly into their applications. Such measures may include transparent data encryption and masking, fine-grained dynamic access management, unified security policies across different environments and so on. We are taking these functions into account when calculating vendor ratings for this report as well.
These are the key functional areas of database security solutions we are looking for in this rating:
- Vulnerability assessment – this includes not just discovering known vulnerabilities in database products, but providing complete visibility into complex database infrastructures, detecting misconfigurations and, last but not least, the means for assessing and mitigating these risks.
- Data discovery and classification – although classification alone does not provide any protection, it serves as a crucial first step in defining proper security policies for different data depending on their criticality and compliance requirements.
- Data protection – this includes data encryption at rest and in transit, static and dynamic data masking and other technologies for protecting data integrity and confidentiality.
- Monitoring and analytics – this includes monitoring of database performance characteristics, as well as complete visibility into all access and administrative actions for each instance, including alerting and reporting functions. On top of that, advanced real-time analytics, anomaly detection and SIEM integration can be provided.
- Threat prevention – this includes various methods of protection from cyber-attacks such as denial-of-service or SQL injection, mitigation of unpatched vulnerabilities and other database-specific security measures.
- Access Management – this includes not just basic access controls to database instances, but more sophisticated dynamic policy-based access management, identifying and removing excessive user privileges, managing shared and service accounts, as well as detection and blocking of suspicious user activities.
- Audit and Compliance – this includes advanced auditing mechanisms beyond native capabilities, centralized auditing and reporting across multiple database environments, enforcing separation of duties, as well as tools supporting forensic analysis and compliance audits.
- Performance and Scalability – although not a security feature per se, it is a crucial requirement for all database security solutions to be able to withstand high loads, minimize performance overhead and support deployments in high availability configurations. For certain critical applications, passive monitoring may still be the only viable option.
Below you will find a short summary of our findings including the diagrams showing vendors’ positions on KuppingerCole Leadership scales.
1.1 Overall Leadership
In the Overall Leadership rating, we find IBM and Oracle among the Leaders, which is completely unsurprising, considering both companies’ global market presence, broad ranges of database security solutions and impressive financial strength. However, the fact that IBM’s solutions are database-agnostic, while half of Oracle’s portfolio only focuses on Oracle databases, has influenced KuppingerCole’s decision to position IBM as the overall leader in Database Security.
The rest of the vendors are populating the Challengers segment. Lacking the combination of exceptionally strong market and product leadership, they are lagging somewhat behind the leaders, but still deliver mature solutions excelling in certain functional areas. The segment includes both large veteran players with massive customer reach like Imperva, Gemalto, Thales e-Security, McAfee and Fortinet and smaller but impressively innovative companies like HexaTier, MENTIS Software and Axiomatics.
There are no Followers in this rating, indicating the overall maturity of the vendors representing the market in our Leadership Compass. Still, there are a number of smaller companies or startups with innovative products entering the market that are worth mentioning outside of our rating. These companies are briefly covered in chapter 14, “Vendors to watch”.
1.2 Product Leadership
In the Product Leadership rating, we look specifically for functional strength of the vendors’ solutions. It is worth noting that, with the broad spectrum of functionality we expect from a complete database security solution, it’s not easy to achieve a Leader status for a smaller company.
Only the largest players in the market, which offer a wide range of products covering different aspects of database security, can be found among the leaders. IBM Security Guardium, the company’s data security platform, provides a full range of data discovery, protection and analytics across different environments, which has led us to recognize IBM as the Product Leader. Oracle’s impressive database security portfolio includes a comprehensive set of security products and managed services for all aspects of database assessment, protection and monitoring. Because its strong focus on Oracle databases only has led us to reduce the company’s overall rating somewhat, Oracle is positioned in a close second place. Somewhat behind them we find Gemalto with their unified data protection suite backed by a massive technology ecosystem.
Other vendors with their robust, but less functionally broad solutions covering at least several major functional areas of database security are populating the Challenger segment. Leading the group are Imperva with their portfolio combining strong database protection and monitoring with advanced security analytics, HexaTier with an innovative cloud-ready integrated database security suite, Thales e-Security with their recently acquired Vormetric encryption, data masking and key management platform and Fortinet with hardware appliances for database security, vulnerability management and compliance.
Somewhat behind we find several vendors with a strong focus on a single functional area only, namely McAfee with a portfolio strongly focusing on database activity monitoring, vulnerability management and virtual patching, and Axiomatics – a leader in dynamic access control with a specialized ABAC solution for databases.
There are no Followers in our product rating.
1.3 Market Leadership
KuppingerCole’s Market Leadership rating is based on the number of customers, strength of partner networks, and global market presence.
Among the market leaders, we can observe Oracle, IBM, Thales e-Security (with their Vormetric portfolio), Gemalto (with SafeNet Data Protection suite) and McAfee. All these companies are veteran players in the IT market with massive global presence, large partner networks and impressive numbers of customers.
Other vendors are positioned in the Challenger segment. Leading here are Fortinet, which barely missed the leaders segment, and Imperva, whose recent financial results were not particularly impressive.
Somewhat behind we find MENTIS Software, which, despite offering an innovative and well-integrated suite of database security products, has not yet been able to win enough customers to compete with the market leaders.
Axiomatics, despite being one of the leading providers of general-purpose access control solutions, is only just entering the database security market with their Data Access Filter with a handful of active deployments. We expect this number to grow in the near future.
HexaTier just barely avoids slipping into the Followers segment of the rating because of several factors such as limited presence outside of the US market and the size of their partner ecosystem. Given their unique focus on protecting Databases-as-a-Service in the cloud, the company urgently needs more partnerships with cloud service providers. However, the recent news about HexaTier’s acquisition by the Chinese technology giant Huawei indicates that the company’s market presence may dramatically increase quite soon.
1.4 Innovation Leadership
Finally, there is the Innovation Leadership rating, where we are looking specifically at the vendor’s ability to deliver new ideas or emerging technologies for a particular market segment. Innovation leaders are shaping the future of the market by coming up with innovative features that will eventually become standard for all their competitors.
In this rating, we again observe IBM and Oracle in the Leaders segment, reflecting both companies’ sheer development resources which allow them to constantly deliver new features based on innovative technologies. Worth noting here is IBM’s strong focus on advanced analytics and Oracle’s unique hybrid cloud management and privileged user control capabilities.
Most other vendors can be found among the Challengers. HexaTier’s unique focus on protecting cloud databases with a unified, easy-to-use solution and Imperva’s unified security intelligence platform for behavior and endpoint analytics warrant their higher ratings.
Following them are MENTIS Software with their à la carte approach towards designing a data security suite, Fortinet’s hardware appliances with impressive out-of-the-box capabilities, McAfee with a real-time, non-intrusive architecture for database protection and Gemalto with its unified data protection suite.
Thales e-Security with their innovative application and cloud encryption capabilities and Axiomatics with a unique application of ABAC to database access management conclude the Challengers list.
Again, there are no Followers in our innovation rating.
Please note that these ratings provide just a high-level comparison of the products we have tested. Depending on your specific requirements, vendors generally not recognized as the Leaders may still be the best choice. We recommend that you always perform a thorough product selection and evaluation process for your specific projects.