Database security isn't just for database companies anymore, observers say

Dark Reading Staff, Dark Reading

March 25, 2011

McAfee's announcement this week that it would buy database security monitoring firm Sentrigo proves that database security is becoming a more integral part of broader enterprise security solutions -- and not just those offered by database vendors.

"Most of the previous acquisitions were mainly by database vendors -- except for Symantec, which did try to build its own database security solution three years ago, but it failed to sell, and they had to kill the product line," says Forrester Research principal analyst Noel Yuhanna, who believes McAfee made a wise move in buying instead of building.

Most recently, the database security mergers and acquisitions market has been dominated by big deals from companies such as Oracle and IBM, which have picked up database security companies to augment their existing database management system (DBMS) platform offerings.

Oracle recently released its Oracle Database Firewall based on the 2010 purchase it made of standalone player Secerno. While the release supports multiple DBMS platforms, it was particularly targeted to augment Oracle's platform positioning.

Meanwhile, following IBM's 2009 acquisition of Guardium, the company worked to align Guardium with its in-house database and mainframe offerings. Last fall IBM released expanded mainframe transaction monitoring and vulnerability assessment for DB2 on the mainframe, an upgrade that was helped along by the added Guardium expertise.

In McAfee's case, this acquisition is instead about completing an overall data security architecture that would be incomplete without database security.

"McAfee is known for security when it comes to email, network, Web, and data. But an area they have never ventured out into has been databases, and this acquisition jump-starts this area -- which makes sense since they lack the expertise. McAfee wants a bigger piece of the data security and GRC [governance, risk, and compliance] market, and without database-level security that cannot be achieved."

Yuhanna believes that McAfee's entrance into the database security market stands to bolster a rapidly ascending security niche. He estimates that the $650 million market stands to double over the next four years.

According to some, McAfee's choice of Sentrigo over larger players in the database activity monitoring (DAM) market was a bit of a surprise. However, because Sentrigo was the OEM provider of McAfee's database security product and Sentrigo's technology is integrated into McAfee's e-Policy Orchestrator (ePO), the choice makes sense, experts say.

According to Yuhanna, Sentrigo likely offered a better acquisition price than the other players, as well. "I think McAfee played their cards right because they did pick a strong DAM vendor, probably at a very attractive price. Imperva and Application Security would have been more expensive," he explains.

McAfee officials say that while ePO integration was certainly a factor in the decision to go with Sentrigo, it was the technology and people that sealed the deal.

"[Sentrigo is] not the biggest currently, but from our perspective they had the best technology, the best vision, and the best people," says Martin Ward, senior director, risk and compliance product marketing, for McAfee. "We didn't buy Sentrigo just because it fits into ePolicy Orchestrator. The technology itself is hugely differentiated. Of course, we will use ePO as an advantage because anyone designing security for a data center is not going to be thinking only about the databases."

Sentrigo is being integrated into McAfee's GRC business unit, which offers a broad array of security capabilities for the enterprise. McAfee itself was recently acquired by Intel, which makes an even wider range of enterprise IT products.

Ward says McAfee was attracted by Sentrigo's ability to complement the McAfee GRC team's vulnerability and risk management operations, as well as its compliance strategies.

"They complement the vulnerability and risk management stuff by bringing in the vector for databases. Same thing on compliance -- they have database activity monitoring, which fits right into our continuous compliance strategy," Ward says.

While the addition of database security to the overall GRC stack makes sense within McAfee's strategic framework, its previous lack of experience in the insular world of database management could be more difficult to overcome than it thinks, says Josh Shaul, chief technology officer at AppSec.

"It really is the first time a big security company has made a foray into the database security space, at least in the recent past," Shaul says. IBM purchased database security vendor Guardium and data analytics vendor Netezza in separate deals in 2010.

"I think the real challenge that McAfee will face is bridging the gap between their traditional market of information security teams and the database administrators that you have to be very close with in order to be successful in the database security space," Shaul says. "That's the hurdle for McAfee to overcome."

Overall, Shaul says his company is excited for the deal, and he expects McAfee will bring even more attention and marketing dollars to the database space, in general. However, the purchase of Sentrigo leaves both AppSec and rival Imperva as the last standalone DAM players in what was once a crowded field.

"It leaves AppSecInc and Imperva as the big players who are strong enough to stand on their own for now -- but puts pressure on them to develop their strategic vision, which is a traditional depth vs. breadth challenge in the security space," says Pete Lindstrom, research director for Spire Security. "I think [AppSecInc's and Imperva's] capabilities are proven -- and now that we’ve done a round of application security acquisitions, the database space may be more attractive to acquirers. Database security solutions can be much more effective out of the box than application security tools, but they are much less sexy as well."

Forrester's Yuhanna says he wouldn't be surprised to see either AppSec or Imperva snatched up sometime down the line. "They have very good technology, and it's just a matter of time that they will be acquired by a security or database security vendor," he says.
