DB Security and Virtualization

Running your database in a virtual environment, or even in the cloud, presents some unique challenges for database security. The benefits of virtualization are clear: the ability to share resources through server consolidation, to quickly scale capacity up (and down) based on changing needs, and to update servers flexibly without impacting production. Less hardware can even mean a greener datacenter.

But this flexibility results in a much less static environment, one that must be carefully monitored to ensure that sensitive data is always protected. It is much harder to consistently monitor a database server when it may in fact be on a different piece of hardware (or running across multiple physical servers), potentially spanning different network segments, each day. In most virtual environments, additional VMs for the database are provisioned on demand to meet capacity requirements, and they often move over the course of a day to balance workload.
And where in the past it may have been possible to monitor network traffic between applications and the database, if these are now running on separate Virtual Machines (VMs) on the same physical server, that traffic never leaves the host and may not even be visible to network monitors. For other monitoring solutions, virtualization poses significant challenges, but Sentrigo’s memory-based sensor architecture makes managing database security in a virtualized environment as easy – and as secure – as on standalone physical servers.

Monitoring VM-to-VM transactions on the same server

If you’ve deployed virtualization to allow hardware to be shared by various applications, the communication between those applications and the DBMS running on another VM on the same server occurs entirely locally to that server. For example, if your financials or HR application is accessing data from your database, an insider with access to the application could attack the DBMS without being detected. Likewise, a hacker attacking the database through a vulnerability in that application (SQL injection and buffer overflows are common threats) would be able to reach the database without setting off alerts. Unlike network-based Database Activity Monitoring, which misses this traffic between VMs, Sentrigo Hedgehog Enterprise sensors are in-memory and see all traffic, even between virtual machines on the same server.
To provide coverage for the cases missed above, network-based solutions may add a local agent. However, unlike the Sentrigo sensor, which runs autonomously to protect the database locally, the network-agent model cannot efficiently handle high volumes of inter-process requests between applications running on various VMs on a shared system. Instead, these agents merely send suspect traffic out for processing by the network server, consuming significant resources on the local system as well as excessive bandwidth on the network. The performance penalty of deploying this type of agent to monitor a database on a VM could well consume the full resources of that VM under even light or medium loads. Sentrigo Hedgehog Enterprise is architected as a true distributed processing model: local sensors on each VM are managed centrally to set security policy and send alerts for processing, but are fully responsible for local protection, making Hedgehog the most efficient solution in a virtualized environment.

Monitoring Databases in a Dynamic Environment

In a virtualized infrastructure, and especially in a cloud computing environment, the machines (both virtual and physical) running your database are likely to change over the course of a day or week as more or fewer resources are needed.
Every new database server that is provisioned needs to be monitored effectively in order to ensure compliance with regulations and with your organization's information security policies. This means every new VM running a database must have the necessary software installed on it, be configured properly based on the specific data it is serving and the rules governing protection of that data, and be set up to send alerts to the appropriate management console(s).
Many DAM systems require agents that are difficult to install in the first place (interfering with VM provisioning by requiring kernel-level changes and reboots, for example) and that are not as resilient to the frequent starts and stops of a virtualized environment. Automating the provisioning (and de-provisioning) of VMs, a key requirement of most virtualization implementations, may not even be possible with these systems, as changes are often required at the management server. In the Sentrigo architecture, the sensor can be set to install or provision automatically on a new VM as part of the startup process, and it will automatically reconnect to the management server if a VM that was previously not in use is started or restarted.
This combination of effective and efficient database activity monitoring makes Hedgehog Enterprise the best fit for organizations utilizing virtualization for their database infrastructure.