Incite Redux: Day 8 - Protect the vault (that's where the money is)

Submitted by Mike Rothman on Wed, 2008-07-09 11:01.

Good Morning:
Today I need to send a shout out to my father-in-law Sandy, who turns 75 today. SEVENTY FIVE! Wow, that's a long time. I'd say something about spring chickens and being old, but he's one of the youngest guys I know. Sure there is a lot of mileage on his motor, but it still runs pretty OK. There are 75 year olds that are more like 90, waiting for their call to the great beyond.

And there are the 75 year olds that are more like 50-somethings. The difference? Engagement. It's as simple as that. Those that aren't engaged with hobbies, activities, maybe even a job are just waiting to die. Maybe it's because they have health problems or whatever, but there is clearly a correlation between someone's activity level and how young they appear.

Sandy is a stock broker and he loves it. He "works" pretty much every day. Not because he has to, but because he wants to. He would chart stocks even if it wasn't his living. In fact, he did chart stocks on nights and weekends before he became a full-time broker in his late 40's. It's his passion and his passion keeps him young. I can't tell you how much I've learned from watching someone actively engaged day after day, year after year, doing something they love. These are lessons I weigh every career decision against.

Happy Birthday Sandy. I'm looking forward to many more.

Have a great day.

Incite #8: Protect the Vault (that's where the money is)

The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendors’ disdain for security doesn’t help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.

Read the original Days of Incite post on this topic.

6-month grade: B+

In Incite #6, I talked about a hot market (full disk encryption), even in a crappy economy. Database monitoring is neither high profile nor particularly exciting - but it's happening slowly but surely. As opposed to the overheated NAC hype that set unmanageable expectations, database monitoring (for the most part) has flown under the radar. To be clear, this is still a very early market and the buying dynamics are still rather complicated (does the DBA or the security guy own/buy it?), but enough folks are looking at and interested in this space that it'll end up being larger than another over-hyped market - DLP - this year.

But I don't want to get ahead of myself here; we talk about DLP tomorrow. Now the good news for the stand-alone database monitoring folks is that the big database folks have their respective heads in dark places. They are all focused on becoming something else, and a security vendor isn't high on the list. Oracle is an apps vendor, Microsoft is an everything vendor and it's not clear what Sybase is - but it's surely not a database vendor. So all these guys do offer their own flavors of database security, but it's clearly not a focus - which creates opportunities for the start-ups.

Is this a top priority issue? Does it need to be solved right now (like full disk encryption)? Nope. Unless your auditor has specifically required you to do so, as part of a compensating control for secure applications. So a lot of organizations will defer this purchase for a while. But I'll make the case for why it's important to do this sooner, rather than later.

Surprisingly enough, it gets back to REACT FASTER. Remember, we want to monitor as much as we can because we don't know where the next attack is going to come from. The network is really the first place we want to monitor (because the network doesn't lie), but after that I want to see what's happening in my database - that is where the money is, after all. Monitoring is good. So as you are looking at your priority list, keep that in mind.

What about the second half of the Incite, which is about encryption infrastructure? You know, that centralized key management function that allows those pesky little keys to be managed across applications. Kind of like a utility. Well, that's still nowhere. Encryption can and should be relatively transparent to developers, users, and pretty much everyone. In big environments, I get the value of centralizing management and escrow of the keys - but those use cases are few and far between. Most folks don't need it, and should focus on something that will yield more value in the short term. Like monitoring. :-)

Photo credit: "Bank Security Guard" by madaboutshanghai
