Andrew Lawton explains to Janine Milne how database security could prevent another T-Mobile-style data loss disaster
Q What are the particular issues with database security?
A The problems T-Mobile had recently [where one or more employees sold private customer details to third parties] show how there’s a lot of pressure to get more control over users. We’re hoping government will put stronger controls in place about data protection. If database administrators are corrupt, then they have complete power over data. The fact that T-Mobile was unaware of the problem should be unacceptable.
We’ve seen a number of other cases where data has been sold. For example, there was a case of health information stolen from a private doctor on Harley Street, who had outsourced database management and that company outsourced again to India where a database administrator sold the data. A lot of companies are asking their outsourcers to prove what their staff are doing.
Q What singles you out from other players in the market?
A What we provide is like an IPS (intrusion prevention system) for databases – it’s like putting a firewall around a database. There are a set of rules that control access to the database even for privileged users. Everything can be built into the rule set. The software is real-time, so security faults are flagged immediately.
There are a lot of other players in security, but few in database security that do what we do in the way we do it. We control the centre – the database access management and control – and there are few competitors in that space. We are real-time and have 100% connection between users and actions in the database. Often application people pool IDs and then it’s very difficult to track one individual user. So from a SOX (Sarbanes-Oxley) or PCI compliance perspective, if you need to absolutely track users’ activity, you can do it against a set of rules. We can group users or go down to an individual level, whereas other companies don’t go down to the individual level.
Q Given the high-profile disasters, such as the T-Mobile example, is database security becoming something that is an easy sell to corporates?
A It is becoming easier. People realise that the level of control that is available has benefits. We talk to four sets of people: security, audit people, compliance people and business/IT operations. The market is seeing it as best practice, so auditors are picking up on that and seeing that DBAs shouldn’t have control over how DBAs work – it should be a different set of people. There’s also the issue of brand protection – T-Mobile is a brilliant example of this.
Protecting the database should be best practice, and that has happened in Italy, Turkey and Russia because of legislation. The separation of data is not clear in European data privacy laws but it is in SOX. If you look at what’s happening in the marketplace, a Verizon report said 90% of database infringement was due to cybercrime. An SQL injection attack allows you to manipulate a database and set up as a super user. If there’s no separation between DBAs and others, no one would notice; an outside threat is delivered as an inside threat. 95% of all activity is aimed at getting data from databases.
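The two answers above describe a rule set applied to every database action in real time: rules that bind even privileged users, attribution of a pooled application login back to an individual, and catching an injected privilege grant before an outside attacker becomes an insider. The following is an added illustration of that approach, not the vendor's product or code; the event format, table names, logins and the regexes are constructed assumptions.

```python
"""Minimal rule-based database activity monitor (added illustration)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy data: which logins are DBAs, which are pooled application
# accounts, and which tables hold customer data the rules care about.
SENSITIVE_TABLES = {"customers", "card_data"}
DBA_LOGINS = {"sys_dba"}
POOLED_APP_LOGINS = {"app_pool"}

@dataclass
class Event:
    db_login: str                       # account the statement ran under
    statement: str                      # SQL text seen on the wire / in the audit trail
    client_id: Optional[str] = None     # end-user identity the application attaches, if any

@dataclass
class Verdict:
    action: str   # "allow", "alert" or "block"
    rule: str
    actor: str    # who the action is attributed to

GRANT_RE = re.compile(r"^\s*grant\b.*\b(dba|sysadmin|all privileges)\b", re.I)
TABLE_RE = re.compile(r"\b(?:from|join|into|update|table)\s+([a-z_][a-z0-9_]*)", re.I)

def resolve_actor(ev: Event) -> str:
    """Map a pooled application login to the individual behind it (or flag it as unattributed)."""
    if ev.db_login in POOLED_APP_LOGINS:
        return f"{ev.db_login}:{ev.client_id or 'unattributed'}"
    return ev.db_login

def tables_in(statement: str) -> set:
    return {t.lower() for t in TABLE_RE.findall(statement)}

def evaluate(ev: Event) -> Verdict:
    actor, touched = resolve_actor(ev), tables_in(ev.statement)
    is_select = ev.statement.lstrip().lower().startswith("select")
    # Rule 1: a privilege grant from any non-DBA login is blocked; an injected
    # statement executed through the application account looks exactly like this.
    if GRANT_RE.search(ev.statement) and ev.db_login not in DBA_LOGINS:
        return Verdict("block", "non-dba-privilege-grant", actor)
    # Rule 2: separation of duties - DBAs administer tables but do not read customer rows.
    if ev.db_login in DBA_LOGINS and touched & SENSITIVE_TABLES and is_select:
        return Verdict("block", "dba-reads-sensitive-data", actor)
    # Rule 3: pooled application access to sensitive tables must name the end user.
    if ev.db_login in POOLED_APP_LOGINS and touched & SENSITIVE_TABLES and not ev.client_id:
        return Verdict("alert", "unattributed-pooled-access", actor)
    return Verdict("allow", "default", actor)
```

Each verdict carries the attributed actor, so the audit trail records `app_pool:jsmith` rather than just the shared account.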
Q Where are your key markets?
A Key sectors for us are finance and telcos and to a certain extent retail, though retail is not as strong a market, partly because PCI is not as strong a driver as you’d expect it to be. The thing that’s driven them is brand awareness. We’re talking to a large retailer who has two main projects currently: PCI and loyalty cards. Our technology is applicable to both, but it is protecting the loyalty card data that they are interested in.
We’re well-established within EMEA with a good customer base. We’re stronger in Italy and Turkey and the Middle East than in the UK, mainly because of compliance legislation in those countries. In Italy, the Mafia bribed a database administrator to get data, which is why there is a strong uptake there for our database security products in that market. In the UK market we are strong in certain areas such as big banking customers that are doing well. Some customers see database security as best practice. More and more often we see it as part of companies’ fraud avoidance or risk mitigation strategies, so customers are making it part of their own internal best practice.
Q What was business like through the recession and how do you see the year ahead?
A It is a relatively big-ticket item, so probably through 2009 people were not starting new projects and were focusing on consolidation and improving efficiency. I think we’ve gone through that process and there’s now a bit of a light at the end of the tunnel; companies are looking at new products, and one of them is definitely database security. The strategy for 2010 is to educate the market.