1 Management Summary
Databases are arguably still the most widespread technology for storing and managing business-critical digital information. Manufacturing process parameters, sensitive financial transactions or confidential customer records - all of this most valuable corporate data must be protected against compromise of its integrity and confidentiality without affecting its availability for business processes. The area of database security covers various security controls for the information itself stored and processed in database systems, for the underlying computing and network infrastructures, and for the applications accessing the data.
Among the security risks to which databases are potentially exposed are the following:
- Data corruption or loss through human errors, programming mistakes or sabotage;
- Inappropriate access to sensitive data by administrators or other accounts with excessive privileges;
- Malware, phishing and other types of cyberattacks that compromise legitimate user accounts;
- Security vulnerabilities or configuration problems in the database software, which may lead to data loss or availability issues;
- Denial of service attacks leading to disruption of legitimate access to data.
Consequently, multiple technologies and solutions have been developed to address these risks, as well as provide better activity monitoring and threat detection. Covering all of them in just one product rating would be quite difficult. Furthermore, KuppingerCole has long stressed the importance of a strategic approach towards information security. Therefore, customers are encouraged to look at database security products not as isolated point solutions, but as a part of an overall corporate security strategy based on a multi-layered architecture and unified by centralized management, governance and analytics.
In this Leadership Compass, however, we are focusing on a relatively narrow segment of database security solutions to avoid comparing functionally distinct products and to exclude market segments already covered in other KuppingerCole reports.
First and foremost, we are focusing primarily on security solutions for protecting traditional relational database management systems (RDBMS), which are still by far the most widespread type of databases used by enterprises; however, solutions that extend their protection to NoSQL databases as well are going to be rated higher. Secondly, we are not explicitly covering various general aspects of network or physical server security, identity and access management or other areas of information security not specific to databases, although providing these features or offering integrations with other security products may influence our ratings.
Still, we are putting a strong focus on integration into existing security infrastructures to provide consolidated monitoring, analytics, governance or compliance across multiple types of information stores and applications. Most importantly, this includes integrations with SIEM/SOC solutions, existing identity and access management systems and information security governance technologies.
Solutions offering support for multiple database types as well as extending their coverage to other types of digital information are expected to receive more favorable ratings as opposed to solutions tightly coupled only to a specific database (although we do recognize various benefits of such tight integration as well). The same applies to products supporting multiple deployment scenarios, especially in cloud-based and hybrid infrastructures.
Another crucial area to consider is development of applications based on the Security and Privacy by Design principles, which are soon going to become a legal obligation under the EU’s upcoming General Data Protection Regulation (GDPR). Database security solutions can play an important role in supporting developers in building comprehensive security and privacy-enhancing measures directly into their applications. Such measures may include transparent data encryption and masking, fine-grained dynamic access management, unified security policies across different environments and so on. We are taking these functions into account when calculating vendor ratings for this report as well.
These are the key functional areas of database security solutions we are looking for in this rating:
- Vulnerability assessment – this includes not just discovering known vulnerabilities in database products, but providing complete visibility into complex database infrastructures, detecting misconfigurations and, last but not least, the means for assessing and mitigating these risks.
- Data discovery and classification – although classification alone does not provide any protection, it serves as a crucial first step in defining proper security policies for different data depending on their criticality and compliance requirements.
- Data protection – this includes data encryption at rest and in transit, static and dynamic data masking and other technologies for protecting data integrity and confidentiality.
- Monitoring and analytics – this includes monitoring of database performance characteristics, as well as complete visibility into all access and administrative actions for each instance, including alerting and reporting functions. On top of that, advanced real-time analytics, anomaly detection and SIEM integration can be provided.
- Threat prevention – this includes various methods of protection from cyber-attacks such as denial-of-service or SQL injection, mitigation of unpatched vulnerabilities and other database-specific security measures.
- Access Management – this includes not just basic access controls to database instances, but more sophisticated dynamic policy-based access management, identifying and removing excessive user privileges, managing shared and service accounts, as well as detection and blocking of suspicious user activities.
- Audit and Compliance – this includes advanced auditing mechanisms beyond native capabilities, centralized auditing and reporting across multiple database environments, enforcing separation of duties, as well as tools supporting forensic analysis and compliance audits.
- Performance and Scalability – although not a security feature per se, it is a crucial requirement for all database security solutions to be able to withstand high loads, minimize performance overhead and to support deployments in high availability configurations. For certain critical applications, passive monitoring may still be the only viable option.
Below you will find a short summary of our findings including the diagrams showing vendors’ positions on KuppingerCole Leadership scales.
1.1 Overall Leadership
In the Overall Leadership rating, we find IBM and Oracle among the Leaders, which is completely unsurprising, considering both companies’ global market presence, broad ranges of database security solutions and impressive financial strengths. However, the fact that IBM’s solutions are database-agnostic, while half of Oracle’s portfolio focuses only on Oracle databases, has influenced KuppingerCole’s decision to position IBM as the overall leader in Database Security.
The rest of the vendors populate the Challengers segment. Lacking the combination of exceptionally strong market and product leadership, they are hanging somewhat behind the leaders, but still deliver mature solutions excelling in certain functional areas. The segment includes both large veteran players with massive customer reach like Imperva, Gemalto, Thales e-Security, McAfee and Fortinet and smaller but impressively innovative companies like HexaTier, MENTIS Software and Axiomatics.
There are no Followers in this rating, indicating overall maturity of the vendors representing the market in our Leadership Compass. Still, there are a number of smaller companies or startups with innovative products entering the market that are worth mentioning outside of our rating. These companies are briefly covered in chapter 14, “Vendors to watch”.