What IBM's Acquisition Of Guardium Really Means

IBM's acquisition of database activity monitoring (DAM) vendor Guardium has created a lot of buzz in the security industry. This is the first major acquisition in the database security market, the first time a large company has bet on DAM technology, and if the rumored sales price is accurate, then it suggests IBM paid a premium. And given the value this product can provide to IBM customers, it looks like a good investment.Database monitoring has been around since 2002, but has not taken off in the manner some had expected. Vendors have continued a slow and steady pace of improvement during the past seven years, and their offerings have matured into enterprise-quality security products, yet they remains a niche product. Let's face it: Database monitoring addresses what we call a "quiet threat." The damage caused by stolen data is impossible to quantify, and when it does happen, it doesn't stop people from working. It's not destructive like a virus, and it's not annoying like spam, but it's just as costly. There just isn't a killer application, and unless a company suffered a breach by attack or malicious employee, it's not perceived as a need.

Despite all DAM products being conceived as security tools, compliance has become the primary use case. What's more, they work: They detect threats and can automate controls other platforms simply cannot. Vendors have struggled because customers really didn't get how it helps with compliance. Sarbanes-Oxley, the Gramm-Leach-Bliley Act, PCI, and privacy laws say nothing about DAM. You need to really drill down to understand that your credit card data is stored in a database, or that your financial systems are automated to the extent that you simply cannot enforce many controls without automated assistance.

IBM will be able to leverage the Guardium investment into its existing customer base. IBM is, after all, one of the biggest database vendors in the world -- not just for its considerable mainframe installed base, but the DB2 UDB and Informix platforms both have dedicated followers, too. Incredible revenue opportunities exist within its own customer base, and the heterogeneous database support Guardium provides IBM Global Services is a database-agnostic platform.

Large vendors in multiple verticals have had quiet discussions with DAM vendors regarding partnerships and acquisitions for several years now. While customer adoption of the technology has lagged, providers of operations management, security, governance, and compliance have seen the value. DAM may not get a lot of press, but insiders are well-aware of the technology, and it is surprising to me we have not seen an investment of this size, or larger, during the past year.

Still, IBM's presence in this space likely provides a lift to the entire segment. I estimated the DAM market size at $70 to $80 million in 2008, and estimate $85 million for 2009. I base this on a combination of inside information, communication with customers, very chatty former employees of DAM vendors, and some educated guesses. I am excluding assessment and auditing revenue, the latter of which is extremely difficult to quantify. Regardless, it's tiny.

I'm willing to bet IBM can double the size of the market in less than a year. IBM sales has the ability to educate the market in a way that even Fortinet cannot. Meanwhile, Application Security, Imperva, Netezza, Secerno, Sentrigo, and the handful of other vendors -- all lacking an "evangelical sale" where you have to prove your product and the value it provides -- also benefit in terms of visibility, reduced sales cycles, and more customers. As revenues increase, expect further acquisitions of these remaining providers.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.