Database Activity Control: The State of the Market

We recently conducted a poll to check the state of the database security market, focusing on activity control. The results offer a fascinating glimpse into the mindset of security professionals.

Let’s start with the unequivocally good news: every single respondent believes controlling database activity is important. Everyone agrees. In an industry often divided by conflicting methodologies, we have reached a consensus that securing the heart of our data infrastructure is critical. The era of debating the necessity of database security and activity control is over. The new question is about execution: how well are we doing what we know we need to do?

Look past the consensus, the data reveals a wide range of implementation stages:

55% believe they effectively control their database activity.
20% say they have controls, but those are ineffective.
25% say they don’t control their activity but know they need to.

The numbers are clear, but they represent perception, not reality. When we pull back the curtain, converting perception into the underlying reality, we reveal an almost inverted picture. Let’s break things down and reveal the hidden realities.

The “Frozen” Quarter (25%)

A quarter of the market is sitting on the sidelines. They know they have a problem and that they need to fix it. Yet, they do nothing.

The critical question is WHY? Is it a lack of a budget? Is the team too swamped? Are there higher priorities than protecting your core data? With some older technologies existing for over two decades, short-term excuses such as budget and time seem unlikely.

A more plausible explanation is that fear is the paralyzing agent. Many perceive database security to be a massive, complex beast that is too difficult to undertake. One that will drain resources and disrupt operations. They are “scared to go there”.

If you fall into this category, here is a dose of reality: It is not that bad. Technology and methodologies have evolved to eliminate impact, dramatically increase security value, and create a clear maturity path for you to follow. We have successfully implemented this many times.

The “too difficult” excuse is a ghost story preventing you from taking critical action. Don’t succumb to fear. Let us show you what modern database security looks like and help you achieve your goals without the pain you are anticipating.

The Frustrated Fifth (20%)

Then there are the 20% who have a solution but deem it ineffective. These organizations invested time and money but are dissatisfied with the outcome. It could be that they expect more security value and fail to achieve it. Or, maybe, they are plagued by performance issues, blind spots, and unmanageable complexity. One way or another, they are unhappy.

The question is simple: Is it truly impossible to have a successful database activity control project that delivers real value? One that meets the expectations of any security professional?

If you believe it to be possible, the logical next step is to change. To try another solution or a different implementation partner. But many in this group remain paralyzed, operating under the false assumption that “there are no good solutions out there”. Continuing to pay every year for something they believe is not working. The tragedy here is resignation. Sticking with bad solutions because they assume there is no alternative.

That is simply untrue. If your current tool isn’t working, it is not a limitation of the impossible – it is a limitation of your vendor. Newer and different technologies come with newer methodologies and will deliver a completely different experience for you. Your frustration comes from having appropriate expectations but an inappropriate solution. Better solutions exist, and our satisfied customers are proof of that.

It is possible to do more than you imagine. Let’s breathe new hope and see that the impossible is a reality within reach.

The Dangerous Majority (55%)

Finally, we arrive at the most interesting and potentially most dangerous group: The 55% who believe they have everything under control.

With all due respect, this confidence is dangerously misplaced. The reality is that most current controls are inadequate. The frustrated fifth have good reasons for their dissatisfaction with their solutions, and it is troubling that the majority fail to see that.

As always, the question is Why? Why did this group decide that their security is effective? Is it because they passed their audit? Or maybe because they received no alerts or indications of a problem?Measuring effectiveness is one of the biggest and most critical challenges in security. If you incorrectly assess the effectiveness of your controls, you will only discover that when it is too late: after you have a data breach.

Effective Security

So let’s define a baseline for effective database security. This baseline will help you determine whether your security is effective or, maybe, you are living under a dangerous illusion of control.

While there are many benchmarks, these four tests are at the core of it:

Expect False Positives: This sounds counterintuitive, but if your security system is silent, it isn’t working. Your system must be calibrated sensitive enough to occasionally flag an event. There will always be some anomaly in the activity to trigger an alarm. If nothing is triggering your security system, it means a breach will also go under the radar.
Simple test: Validate that your security system generated a few events in the past month. Not too many, but at least a few.
Expect Complete Visibility: You must know what is happening in your database. If you don’t have visibility into what is going on, there is no way to define controls. There is no way to identify gaps in the controls. Simply put, you cannot secure what you cannot see. Simple test: Verify you can answer the following questions on demand:
- Which users connected to your databases from which programs and IPs?
- Who touched your sensitive data in the past week?
- How much sensitive data was extracted yesterday?
- What anomalous application activity occurred in the past month?
Expect Total Forensics: You have to be able to “rewind the tape” to see what happened in the past. Regardless of the alerts you configured, you must always be able to go back, investigate security events, and find out what happened after the fact. Dangerous attacks and breaches never come through the path you predicted, or they wouldn’t be dangerous. If you have to predict the attack to capture it, you have already lost.
Simple test: pick a random user who was active yesterday and check whether you can find out what they did.
Expect to control ALL database activity: You should control ALL database activity, not just a small, pre-filtered portion. Do not just DBAs, DDLs, or whatever portion you carved out of the pie. You should have control over each and every portion of the activity. You need to have controls against all the threats and risks you perceive, including SQL injection, credential theft, abuse of privilege, and more.
Simple test: do you have controls that cover all the database activity, including DBAs, the application, and more? Do you have a list of risks and have controls against each one?

If you cannot answer these questions, you do not control your activity. You just think you do. And in the world of data security, a false sense of safety is far more dangerous.

It is time to stop grading your security on a curve and get in the game. Protect your data before someone else finds their way to it.

The Maturity Path

You may say, rightfully so, that our analysis implies everyone is doing something wrong. So what is the right solution?

The solution is continuous progress on a maturity path. Well, that sounds like an answer without an answer. So let’s explain.

You need two things:

A solution with the technologies that will enable you to achieve your goals.
A partner or vendor that will guide and train you on how to gradually increase your usage of these capabilities.

We don’t force our customers to a particular implementation, but find the balancing point where they feel comfortable with the difficulty and with the results. That usually lasts for 6 months to a year, and then some customers feel they want more. At that point, we help them design more powerful and complex controls that can take them further.

It is a process that takes time. Time for customers to start discovering what is happening in their environment. Time for them to adjust to the capabilities we give them. And time for them to develop more expectations and desire more.

This path is available to all our customers because our technologies are already there and allow for that. Our solutions come built-in with everything. While you are unlikely to take advantage of all the technologies right away, slowly you will.

Final Thoughts

Almost no one has control over all their activity. If you are one of the few who do, we would love to hear from you and compare your experience to ours.

Technologies continue to evolve, providing more power to both novice and experienced customers. But you need to take the first step to get on the path to success:

To the 55% who think they got things covered: We invite you to take the four effective security tests and stop grading on a curve. Join the 20% who are dissatisfied and admit: you need better. Don’t be limited by what you currently think is possible.

To the 75% who need better control: Stop paying for broken solutions. We invite you to come and see what modern technologies and methodologies can do for you. Let us show you why this is the most critical security you must deploy.

To the 25% who are waiting: Take action. Any action is better than waiting for a breach. And a breach is inevitable if you don’t protect your data.

To learn more, check out our database security checklist article. It will help you ensure you are covering all your bases and protecting the data where it lives.