According to various industry estimates, the database activity monitoring (DAM) market tipped the scales at around $200 million in 2010, and, by all accounts, is growing like a weed. In the past month alone, Imperva filed a $75 million IPO, Green SQL raised a new round of funding for $3.5 million, and Application Security brought back one of its initial founders, Jack Hembrough, to lead the company as CEO once again.
Market growth in the DAM space is driven largely by the need for compliance, but a number of other factors are also beginning to show their weight, observers say.
As enterprises begin to see how DAM fits into their overall IT framework, they're asking for tools that also can streamline security practices and technology in specific ways -- whether for operations, Web app security, SIEM integration, or simpler patching. These demands have driven the way that the market has consolidated and evolved, and analysts expect the trend to continue that way.
"[DAM offerings are] all being bundled in different ways, with supporting technologies to do other things," says Adrian Lane, security analyst and CTO for Securosis, a consulting firm.
"If you look at the way that Guardium bundles the technology with other technologies, like masking with assessments, you're looking at a corporate operations model," Lane explains. "If you look at the way Imperva is wrapping the technology with Web application firewalls and file activity monitoring, that is a Web app security model. Or if you look at Green SQL, that's a database performance model, almost like a database accelerator that does security as well as performance."
But compliance still rules the market, experts say. "Compliance remains significant, with regulatory initiatives such as PCI requirements for controls on databases access and separation-of-duties issues requiring vigilance over database access and manipulation," says Scott Crawford, analyst for Enterprise Management Associates. "The continued prevalence of threats to applications remains significant, however, with attacks such as SQL injection sadly remaining all too common, and sensitive database data a frequent target."
According to Crawford, monitoring for anomalous activity is the primary focus for most DAM users. "Enhancing awareness through insight focused on the database -- particularly the ability to use DAM tools to translate database, or DBMS-specific syntax or activity into information meaningful to security or compliance -- adds to overall awareness and can help correlate suspicious activity detected elsewhere," such as application or network activity, he states.
Crawford's observations jibe well with a study published earlier this year by Forrester Consulting and IBM, which examined the perspectives of 15 enterprises in regard to database security monitoring. In the study, participants complained that native database security features lack robust auditing and separation of roles within these toolsets.
Despite their complaints, the participants were spending significant budget on the problem: All 15 were spending between $100,000 and $5 million on database security. Around half of them said they were implementing a database auditing and real-time protection solution to better protect their databases and improve their compliance posture, Forrester reported.
"We need to get a consolidated view across all databases, more centralized audit control, real-time reporting, and logging," an information security analyst at a large bank told Forrester. "Today we spend countless hours trying to get some information across our databases, which is not good enough. We need a more enterprise-wide solution, which we plan to implement next year.”
Unfortunately, the growing use of DAM tools in the enterprises has not stemmed the frequency of database breaches. Database security issues will continue to crop up until organizations not only implement these tools, but also turn all the features on, Crawford says.
"In many cases, it isn’t so much that DAM isn’t meeting challenges as much as that many organizations allow their application environments to remain exposed to risk," Crawford explains. "The Liza Moon incident from this past spring is a salient example, affecting a number of databases where input validation may have simply been turned off.
"Some DAM tools can also prevent incidents, but organizations may be reluctant to enable a number of these features for performance or availability reasons or tuning needs," Crawford observes. "Attacks such as SQL injection remain distressingly common, suggesting that many organizations still have a ways to go in mounting a more effective defense against even the most common attacks."
Like all emerging markets, some settling is likely to occur, experts say. According to Lane, recent mergers and acquisitions have largely been in anticipation of users looking for better bundled DAM features. Guardium, for example, was snatched up by IBM to support operations initiatives, he says; Oracle picked up Secerno to ease the pain of patching. The motives for McAfee's recent purchase of Sentrigo still aren't clear from a bundling perspective, Lane says.
"Believe me, the DAM market is healthy, growing," Lane reports. "The issue is projecting what it will become -- how databases are used, continuing database threats, and synergies with other security products will push each offering in different directions."
No matter which way it leans, the market will probably continue to consolidate, experts agree.
"In our industry over the years, a lot of products that companies develop are features, not products," says Mike Murray, managing partner for consultancy MAD Security. "Database monitoring is a feature of a larger security information-gathering suite that includes IDS, that includes application firewalls, that includes all these other things. And when you've got all these companies that are developing features, you can't possibly think that the consolidation is done."
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.