One of the more frustrating things about the way we manage security is the gap between when vulnerabilities are disclosed and when the IT organization can actually deploy the patch that remediates the problem.
This problem can be particularly acute when it comes to databases from Oracle, Microsoft, Sybase and IBM that hold some of our most sensitive data. The simple fact is that it's usually beyond the capacity of an IT organization to deploy a database patch and then test all the applications that might be affected more than once a quarter.
This ongoing gap in our security defenses is what makes a company called Sentrigo, the maker of database security software called Hedgehog, pretty interesting. Not only do they keep track of various database vulnerabilities, they have developed a way for IT organizations to deploy "virtual patches" on top of a database to protect it from specific vulnerabilities until they can get around to deploying the physical patch issued by the database vendor.
Increasingly, the database is the primary target for hackers. We spend an inordinate amount of money protecting the network perimeter and, in comparison, almost nothing on protecting our databases and the applications that reside on them. And yet many IT organizations are coming to the realization that while defending the network perimeter is still important, they can never completely win the battle against hackers at the edge of the network. That means they are looking for more efficient ways to protect the network, so more security resources can be shifted toward protecting the data and the applications themselves.
Sentrigo also offers a Hedgehog Identifier tool that audits end user activity to see who is accessing what data. Given that a huge percentage of the threats to our data come from internal employees, being able to audit their usage of data creates a trail that IT departments can follow should a breach occur.
The best part of Sentrigo, however, may be the policy engine that prevents end users from accessing data that they do not have explicit permission to use. As we have discussed before, theft of intellectual property has a lot more to do with lack of policies than any specific technology. But it's nice to know that the tools for implementing the policies are getting a lot better.
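To make the three ideas in this column concrete (a virtual patch that blocks a known-bad statement shape, an audit trail of who touched which table, and a policy engine that denies access without explicit permission), here is a small added example. It is illustrative code written for this page, not Sentrigo's or Hedgehog's implementation, and it assumes a simplified per-user table allow-list, a constructed placeholder rule name (`VP-PLACEHOLDER-001`) and placeholder procedure name standing in for whatever a real vendor advisory would describe, and a handful of constructed sample statements.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample policy: each user may only touch the tables listed here.
# Users missing from the policy are denied everything (least privilege by default).
POLICY: Dict[str, Set[str]] = {
    "alice": {"orders", "customers"},
    "bob": {"orders"},
}

# Constructed placeholder for a "virtual patch": a statement pattern that a
# monitoring layer blocks until the vendor's real patch can be deployed.
# The rule id and procedure name are placeholders, not real identifiers.
VIRTUAL_PATCH_RULES: List[Tuple[str, re.Pattern]] = [
    ("VP-PLACEHOLDER-001", re.compile(r"\bVULNERABLE_PROC_PLACEHOLDER\b", re.I)),
]

# Crude table-name extraction for the statement shapes used in the sample.
# A real product would use a proper SQL parser; this is enough for the demo.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


@dataclass
class AuditRecord:
    user: str
    statement: str
    tables: List[str]
    decision: str  # "ALLOW" or "BLOCK"
    reason: str


def tables_referenced(sql: str) -> List[str]:
    """Return the sorted, lower-cased table names a statement touches."""
    return sorted({m.group(1).lower() for m in TABLE_RE.finditer(sql)})


def evaluate(user: str, sql: str,
             policy: Dict[str, Set[str]] = POLICY,
             rules: List[Tuple[str, re.Pattern]] = VIRTUAL_PATCH_RULES) -> AuditRecord:
    """Apply virtual-patch rules first, then the per-user policy; always audit."""
    tables = tables_referenced(sql)
    # 1. Virtual patch: block the known-bad shape regardless of who sends it.
    for rule_id, pattern in rules:
        if pattern.search(sql):
            return AuditRecord(user, sql, tables, "BLOCK", f"virtual patch {rule_id}")
    # 2. Policy engine: unknown users and unlisted tables are denied.
    if user not in policy:
        return AuditRecord(user, sql, tables, "BLOCK", "user has no policy entry")
    denied = [t for t in tables if t not in policy[user]]
    if denied:
        return AuditRecord(user, sql, tables, "BLOCK",
                           "no permission on " + ", ".join(denied))
    return AuditRecord(user, sql, tables, "ALLOW", "policy permits")


def run_audit(events: List[Tuple[str, str]]) -> List[AuditRecord]:
    """Evaluate a batch of (user, statement) events and keep every decision."""
    return [evaluate(user, sql) for user, sql in events]


# Constructed sample activity, as a monitoring layer might see it.
SAMPLE_EVENTS = [
    ("alice", "SELECT o.id, c.name FROM orders o JOIN customers c ON o.cid = c.id"),
    ("bob", "SELECT o.id, c.name FROM orders o JOIN customers c ON o.cid = c.id"),
    ("bob", "UPDATE orders SET status = 'shipped' WHERE id = 42"),
    ("mallory", "SELECT 1"),
    ("alice", "EXEC VULNERABLE_PROC_PLACEHOLDER 'payload'"),
]

if __name__ == "__main__":
    for rec in run_audit(SAMPLE_EVENTS):
        print(f"{rec.decision:5} {rec.user:8} tables={rec.tables} reason={rec.reason}")
```

The ordering matters: the virtual-patch check runs before the policy check so that a statement matching a known-bad shape is blocked even for a user who would otherwise be allowed to touch those tables, and every decision produces an audit record, which is the trail the column says IT departments need after a breach.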