Don't Wait To Lock Down DB2

Existing access control, trusted context features in DB2 are not widely deployed
Given that many of these security features in DB2 are often ignored by DB2 administrators, speculation as to what kind of technical features IBM will integrate from Guardium seems almost superfluous. Even so, analysts wonder whether IBM will be able to take advantage of Guardium's previously close relationship with DB2 technology and those who administer it to help shepherd use of both existing and future technical controls in the database product.

"Guardium has spent a lot of time thinking about DB2 and thinking about Z," says Nick Selby, managing director of consultancy Trident Risk Management. "In the past they've done partnerships where they've needed to, but now there's the ability to have IBM internal knowledge helping Guardium with its R&D around specific products that target IBM database products. It's going to be a no-brainer."

Even more important, though, could be the added ingredient of IT cultural awareness that Guardium brings to the mix. In a world where DBAs and security pros are at odds -- the former focusing on performance, the latter on data privacy and integrity -- Guardium brings the added ability to "speak DBA" to the IBM mix, Selby explains.

"I do think IBM is positioned to leverage not just the technology, but the ability of the Guardium people to really communicate the benefit of the product category and get people thinking in a more holistic way about how databases themselves and the security of database and database applications work together to increase an organization's overall security posture," Selby says.

IBM's Lee confirms that this is, in fact, the strategic direction in which IBM is headed.

"I think the biggest gap I've seen with clients is not necessarily a specific DB2 function, but rather understanding overall security," Lee says. "What is overall protection? Is it just locking down access to a table? Or is it the overall security that includes locking down data, backing up and encrypting data, and understanding access to data? That's what we call overall security, and that's what we're trying to get clients to understand."

The fact is many of the security lapses made within organizations are hardly fixated just on DB2. "I don't think there are any specific DB2 things that people aren't doing anymore than they're not doing in MySQL or Oracle or whatever," Selby says. "I think that what it comes down to is understanding good configuration practices and good application practices."

And this is why IBM is planning a lot of its Guardium integration not just around DB2 enhancement, but on integrating monitoring and configuration controls into the overall IT security and operations management features of tool sets such as Tivoli, Lee says.

"As much as I'd love to say that everybody only uses DB2, it's not true. And we have to face the reality that, at the end of the day, the drive behind what we do is what our clients want," Lee says. "And what they're looking for is a solution that, yes, protects the IBM database, but now when you go pass the single database, what else can it do for you?"

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.