Review: GreenSQL Database Security
Business databases are the holy grail for hackers. Matt Sarrel reviews some products from GreenSQL that help protect databases.
There are many devices and services that are under constant attack in today’s business environments. Popular vectors for attack include browsers and smartphones, but the goal of an attack is not the device, service or application. Attackers exploit weaknesses in devices and services in order to get to important business information which is stored in a database. Thus it is essential that businesses protect critical information stored in databases.
GreenSQL provides database security that prevents SQL injection attacks, monitors database activity, protects systems behind a database firewall and applies dynamic data masking. The software began as an open source project in 2007; by 2009 it had become so popular that the founders got serious and rewrote the code base to be production ready. It has been downloaded over 130,000 times, and there are currently over 200 paying customers worldwide.
The company provides four product packages: Database Security, Database Activity Monitoring, Database Masking and the all-in-one Unified Database Security. Free trial versions are available for individual modules as downloads at http://greensql.com.
The Database Security package stops SQL injection attacks, blocks unauthorized database access and provides separation of duties. A database firewall can be configured to protect entire database instances or individual tables.
This may sound complex, but it is far from it. New security rules can be created automatically using a learning mode, which monitors database activity and then builds rules to protect critical information; rules may also be configured manually. Rules can be based on source IP, database user/group, application name, time/day and query. One caveat that applies to any learning-mode firewall: whatever is observed during the learning window becomes an allowed rule, so learning should run only over trusted, representative traffic, and the generated rule set should be reviewed before the firewall is switched to blocking mode.
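To make the learning-mode idea concrete, here is an added example (not GreenSQL's code, and not how the product is implemented) of a minimal query firewall: during learning it records each statement's structural fingerprint together with the user, application, source IP and hour it was seen in; in enforcing mode it blocks any statement whose shape is unknown or that arrives from a context never seen for that shape. The literal-stripping fingerprint is a deliberately simple regex rather than a real SQL parser, and all users, IPs and queries are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Literal-stripping patterns: string literals (with '' escapes) and bare numbers
# are replaced by '?' so that queries differing only in bound values share a
# fingerprint, while an injected tautology or UNION changes the statement shape.
# A production proxy would use a real SQL parser instead of these regexes.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Normalise a statement to its structural fingerprint."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().lower()


@dataclass(frozen=True)
class Context:
    db_user: str
    app: str
    src_ip: str
    hour: int  # 0-23, hour of day the statement arrived


@dataclass
class Rule:
    """The contexts in which one query shape was observed during learning."""
    users: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)

    def permits(self, ctx: Context) -> bool:
        return (ctx.db_user in self.users and ctx.app in self.apps
                and ctx.src_ip in self.ips and ctx.hour in self.hours)


class QueryFirewall:
    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}
        self.learning = True

    def observe(self, sql: str, ctx: Context) -> None:
        # Learning mode: remember the shape and the context it was seen in.
        rule = self.rules.setdefault(fingerprint(sql), Rule())
        rule.users.add(ctx.db_user)
        rule.apps.add(ctx.app)
        rule.ips.add(ctx.src_ip)
        rule.hours.add(ctx.hour)

    def enforce(self) -> None:
        self.learning = False

    def check(self, sql: str, ctx: Context) -> Tuple[bool, str]:
        if self.learning:
            self.observe(sql, ctx)
            return True, "learning"
        rule = self.rules.get(fingerprint(sql))
        if rule is None:
            return False, "unknown query shape"
        if not rule.permits(ctx):
            return False, "known shape, disallowed user/app/ip/time"
        return True, "allowed"


def demo() -> Dict[str, bool]:
    """Learn from constructed application traffic, then test five statements."""
    fw = QueryFirewall()
    app_ctx = Context("crm_ro", "crm-web", "10.0.1.5", 10)
    fw.check("SELECT id, email FROM customers WHERE last_name = 'smith'", app_ctx)
    fw.check("SELECT id, email FROM customers WHERE last_name = 'jones'", app_ctx)
    fw.enforce()

    dev_ctx = Context("dba", "psql", "192.168.7.20", 2)  # hypothetical DBA workstation
    base = "SELECT id, email FROM customers WHERE last_name = "
    return {
        "new_literal": fw.check(base + "'lee'", app_ctx)[0],
        "tautology_injection": fw.check(base + "'x' OR '1'='1'", app_ctx)[0],
        "union_injection": fw.check(
            base + "'x' UNION SELECT 1, passwd FROM users", app_ctx)[0],
        "wrong_context": fw.check(base + "'lee'", dev_ctx)[0],
        "unknown_statement": fw.check("DROP TABLE customers", app_ctx)[0],
    }
```

Only the first statement, a learned shape with a new bound value from the learned context, is allowed; the two injections change the shape, the DBA session fails the context check, and the DROP was never learned. Matching the exact hour is crude, which is why real products let you express time windows and day-of-week ranges as explicit rules rather than relying on what happened to be observed.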
The Database Activity Monitoring package records database access and activity, keeps before-and-after values for audited fields and raises real-time alerts. It supports compliance with regulatory requirements such as PCI DSS, Sarbanes-Oxley and HIPAA by providing a full audit trail of administrative commands that tracks user, application, time, table, action and IP address. There is also advanced auditing of sensitive columns, such as client names or email addresses, that records the original contents of the field and its contents after the change. In addition to the audit trail, real-time alerts can be sent via email or syslog.
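Before-and-after auditing of a sensitive column, and an alert rule driven from the audit trail, can be illustrated with an in-memory SQLite database and triggers. This is an added example and not GreenSQL's implementation (a proxy-based product sees the client's user, application and IP from the connection itself, whereas a trigger only sees what the session tells it, hence the hypothetical `session_ctx` table below). Table names, accounts and addresses are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

SERVICE_ACCOUNT = "crm_app"  # the one principal expected to change customer emails

# Audit schema: every change to customers.email (and every delete) is copied
# into audit_log with who/where it came from and the old and new values.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    ts TEXT DEFAULT (datetime('now')),
    db_user TEXT, app TEXT, src_ip TEXT,
    tbl TEXT, action TEXT, row_id INTEGER,
    old_email TEXT, new_email TEXT
);
CREATE TRIGGER customers_email_update AFTER UPDATE OF email ON customers
BEGIN
    INSERT INTO audit_log (db_user, app, src_ip, tbl, action, row_id, old_email, new_email)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'user'),
            (SELECT v FROM session_ctx WHERE k = 'app'),
            (SELECT v FROM session_ctx WHERE k = 'ip'),
            'customers', 'UPDATE', OLD.id, OLD.email, NEW.email);
END;
CREATE TRIGGER customers_delete AFTER DELETE ON customers
BEGIN
    INSERT INTO audit_log (db_user, app, src_ip, tbl, action, row_id, old_email, new_email)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'user'),
            (SELECT v FROM session_ctx WHERE k = 'app'),
            (SELECT v FROM session_ctx WHERE k = 'ip'),
            'customers', 'DELETE', OLD.id, OLD.email, NULL);
END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, 'Ada', 'ada@example.com')")
    conn.execute("INSERT INTO customers VALUES (2, 'Bob', 'bob@example.com')")
    return conn


def set_context(conn: sqlite3.Connection, user: str, app: str, ip: str) -> None:
    """Record who is acting for this session; a proxy would know this directly."""
    for k, v in (("user", user), ("app", app), ("ip", ip)):
        conn.execute("INSERT OR REPLACE INTO session_ctx VALUES (?, ?)", (k, v))


def audit_rows(conn: sqlite3.Connection) -> List[Tuple]:
    return conn.execute(
        "SELECT db_user, app, src_ip, tbl, action, row_id, old_email, new_email "
        "FROM audit_log ORDER BY id").fetchall()


def alerts(conn: sqlite3.Connection) -> List[str]:
    """Alert rule: any change to the sensitive column by someone other than the service account."""
    out = []
    for user, app, ip, tbl, action, row_id, old, new in audit_rows(conn):
        if user != SERVICE_ACCOUNT:
            out.append(f"ALERT {action} on {tbl}.email row {row_id} by {user}@{ip} "
                       f"via {app}: {old!r} -> {new!r}")
    return out


def demo() -> Tuple[List[Tuple], List[str]]:
    """A legitimate application change followed by two out-of-band DBA changes."""
    conn = open_db()
    set_context(conn, "crm_app", "crm-web", "10.0.1.5")
    conn.execute("UPDATE customers SET email = 'ada@newmail.example' WHERE id = 1")
    set_context(conn, "dba", "sqlcmd", "192.168.7.20")
    conn.execute("UPDATE customers SET email = 'mail@attacker.example' WHERE id = 2")
    conn.execute("DELETE FROM customers WHERE id = 1")
    conn.commit()
    return audit_rows(conn), alerts(conn)
```

The audit log ends with three rows, each carrying the previous and new email, and the alert rule fires twice, once per DBA action. Two points worth keeping in mind for a trigger-based approach: an administrator with enough privilege can disable the triggers or edit `audit_log`, so the trail should be shipped to a store the DBA cannot alter (syslog, as the package offers, is one such destination), and a proxy-based monitor avoids the trust problem of the session having to declare its own identity.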
The Database Masking package provides dynamic data masking that hides personally identifiable information (PII) on the fly from unauthorized users. The important thing is that this is done without changing the original information, and the data is masked based on user, application or IP address. For example, a company can collect Social Security numbers for an HR database, yet only show them to authorized personnel – all others, such as developers, would see only XXX-XX-XXXX.
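The masking behaviour described above, as an added example that is not part of GreenSQL's code: a policy layer that sits between the result set and the caller, decides per column and per principal (user, application and source network) whether the caller sees the stored value, a partially masked value or a fully masked one, and never touches the stored rows. The principals, networks and the extra "help desk sees the last four digits" rule are assumptions made for the example; the `XXX-XX-XXXX` form is the one the article mentions.

```python
import copy
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MaskFn = Callable[[str], str]


@dataclass(frozen=True)
class Principal:
    user: str
    app: str
    src_ip: str


# Mask functions take the stored value and return what the caller is shown.
def mask_ssn_full(v: str) -> str:
    return "XXX-XX-XXXX"


def mask_ssn_last4(v: str) -> str:
    return "XXX-XX-" + v[-4:]


def mask_email(v: str) -> str:
    return "****@" + v.split("@", 1)[1]


def authorised(users: set, apps: set, nets: List[str]) -> Callable[[Principal], bool]:
    """Selector: principal matches only if user, application AND network all do."""
    networks = [ipaddress.ip_network(n) for n in nets]

    def match(p: Principal) -> bool:
        ip = ipaddress.ip_address(p.src_ip)
        return (p.user in users and p.app in apps
                and any(ip in net for net in networks))
    return match


# Per column: ordered (selector, mask) pairs; None means the caller sees cleartext.
# A principal matching no selector gets the column's default (full) mask.
POLICY: Dict[str, List[Tuple[Callable[[Principal], bool], Optional[MaskFn]]]] = {
    "ssn": [
        (authorised({"hr_app"}, {"hr-portal"}, ["10.0.2.0/24"]), None),
        (authorised({"helpdesk"}, {"helpdesk-ui"}, ["10.0.3.0/24"]), mask_ssn_last4),
    ],
    "email": [
        (authorised({"hr_app", "crm_app"}, {"hr-portal", "crm-web"}, ["10.0.0.0/16"]), None),
    ],
}
DEFAULT_MASK: Dict[str, MaskFn] = {"ssn": mask_ssn_full, "email": mask_email}


def mask_for(column: str, p: Principal) -> Optional[MaskFn]:
    for selector, fn in POLICY.get(column, []):
        if selector(p):
            return fn
    return DEFAULT_MASK.get(column)


def mask_rows(rows: List[Dict[str, str]], p: Principal) -> List[Dict[str, str]]:
    """Return the caller's view of a result set; the input rows are never modified."""
    out = []
    for row in rows:
        view = dict(row)
        for column, value in row.items():
            fn = mask_for(column, p)
            if fn is not None and value is not None:
                view[column] = fn(value)
        out.append(view)
    return out


def demo() -> Dict[str, object]:
    # Constructed HR rows standing in for what the database would return.
    stored = [{"id": 1, "name": "Ada", "ssn": "123-45-6789", "email": "ada@example.com"}]
    snapshot = copy.deepcopy(stored)
    views = {
        "hr": mask_rows(stored, Principal("hr_app", "hr-portal", "10.0.2.15")),
        "helpdesk": mask_rows(stored, Principal("helpdesk", "helpdesk-ui", "10.0.3.8")),
        "developer": mask_rows(stored, Principal("dev1", "psql", "192.168.7.20")),
    }
    views["stored_unchanged"] = stored == snapshot
    return views
```

HR on the HR network sees the real number, the help desk sees `XXX-XX-6789`, and a developer querying from a workstation sees `XXX-XX-XXXX` and a masked email; the stored rows are identical before and after. Two practical notes: masking must happen in the proxy or driver layer so the application process never holds the cleartext, and masked values must not be echoed back into WHERE clauses, since a lookup on `XXX-XX-XXXX` would silently match nothing.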
GreenSQL brings all of the above together in the Unified Database Security platform. The combination of these packages results in one easy-to-install and easy-to-configure security solution to protect corporate data. It also includes database acceleration features such as protocol optimization, database caching and connection management.
GreenSQL supports Microsoft SQL Server, Microsoft SQL Azure, MySQL, PostgreSQL and MariaDB. The security packages can run as a virtual appliance for VMware or Hyper-V, or on top of Windows Server 2003 or 2008 or Linux (Ubuntu 9.04 and above, CentOS 5.4 and above, Debian 6.0.4 and above). Management takes place through a compatible browser (Internet Explorer 7 and above, Mozilla Firefox 4.1 and above, and Google Chrome).
Matthew David Sarrel is executive director of Sarrel Group, an editorial services, product test lab and information technology consulting company. He is a contributing editor for PC Magazine, a contributing analyst for GigaOM and a frequent contributor to the Internet.com family of sites. Previously he was a technical director for PC Magazine Labs, where he led all testing conducted by the Applications, Enterprise and Development Software, OS and Utilities, Network Infrastructure and Wireless LAN teams. His career also includes stints as an executive at two Internet startups and as director of IT for the New Jersey Medical School National Tuberculosis Center.