
The Business Case for Database Security

Managing risk, simplifying compliance, and reducing the cost of securing databases

Introduction
Databases are the most strategic asset of any organization because they store extraordinarily valuable information:
customer records, financial data, and partner information.
Because databases house such sensitive data, government
and private industry have enacted a raft of regulations that
force organizations to audit and secure their databases. With
new regulations enacted every year, IT staff is saddled with
a mushrooming number of compliance reporting processes.
This paper examines the database security and compliance
requirements imposed on today’s organizations, including:
» Monitoring access to sensitive data
» Auditing changes to financial records
» Protecting databases from attack and internal abuse
» Demonstrating compliance through clear, comprehensible reports

This paper then evaluates in financial terms the various alternatives that organizations can use to satisfy these
requirements, including Imperva SecureSphere Database Security
Solutions. Finally, it presents the business case for organizations
to choose SecureSphere for their database compliance and
security requirements.

Business Requirement – Compliance


Regulatory Compliance under the Microscope
Complying with dozens of government and industry regulations is no longer the exception, but the rule, for
many businesses today. Organizations must comply with multiple laws that govern labor, financial controls, data
confidentiality, and security. Each year, new compliance laws are introduced and existing laws change. Rather
than tackling each regulation one-by-one and marginalizing compliance efforts, organizations should develop
a comprehensive company-wide governance and risk management plan. By proactively addressing compliance,
organizations can eliminate redundant compliance efforts, automate manual processes, and shorten auditing
engagements, saving millions of dollars in the process. The first step to realizing efficiencies is to look at
compliance laws and find common requirements.
Most regulations fall into one of two categories: data integrity or data protection. Data integrity laws require that
businesses monitor changes to data, verify that actions meet internal controls, and record activity in audit trails.
On the other hand, data protection laws set forth security policies to protect the confidentiality and integrity of
sensitive information. The following table lists seven key regulations and identifies sections that address data
integrity and data protection.

Regulation – Integrity or Security Requirement

» Payment Card Industry Data Security Standard (PCI DSS) – Section 10 requires that merchants track and monitor all
access to cardholder data. Merchants must “implement automated audit trails for all system components” and
“secure audit trails so they cannot be altered”.
» Sarbanes-Oxley Act (SOX) – Section 302 requires management to set up controls on financial statements, evaluate
the controls and report on their effectiveness. Section 404 mandates IT controls and periodic reports to validate
these IT controls.
» Financial Instruments and Exchange Law in Japan (J-SOX) – J-SOX requires management to evaluate and prepare a
report on the effectiveness of financial reporting. Companies must also demonstrate that system development and
operations, change management, and security processes are in place and followed.
» Health Insurance Portability and Accountability Act (HIPAA) – Title II of HIPAA defines the following security
safeguards: 164.308(a)(1) mandates risk analysis, risk management, and information system activity review;
164.308(a)(6) enforces security incident response including mitigating and reporting on security events.
» California Senate Bill 1386 – Businesses must disclose any breach of their personal information to California
residents.
» Gramm-Leach-Bliley Act (GLBA) – The Financial Privacy Rule governs the collection and disclosure of customers’
financial information. The Safeguards Rule requires financial institutions to design and implement safeguards to
protect customer information.
» EU Privacy Directive – Directive 95/46/EC protects personal data that is processed or transferred. European
companies must have IT controls in place to ensure and prove to auditors that data is processed correctly.

As shown above, government and industry regulations force organizations to track changes to sensitive
information. Data governance laws require that organizations implement database controls and that they
maintain database audit trails that are independent of the individuals being audited. While data protection laws
focus on securing data, they often stipulate that companies monitor sensitive data activity to ensure that data
has not been compromised. For example, the PCI Data Security Standard (PCI DSS) requires that merchants track
all access to credit card data. Section 10 in the PCI standard lays out over two dozen auditing requirements,
including tracking individual access to cardholder data and protecting audit trails from unauthorized
modifications.

Compliance Is Not a Choice


For today’s enterprises, compliance is not a choice – it is the cost of doing business. U.S. public companies that
fail to meet SOX requirements can face hefty fines or be unable to file their quarterly earnings reports. Executive
officers that willfully violate SOX legislation can face imprisonment.

Imperva White Paper < 2 >

All businesses that process, store, or transfer credit cards must comply with the PCI standard or be subject to
fines of up to $500,000 USD per incident. Merchants that fail to comply may lose the right to process credit
cards altogether. For many merchants, processing credit cards is not optional; it is a fundamental business
requirement. Like PCI and SOX, violating dozens of other regulations can lead to fines and government
sanctions. Other requirements, such as ISO standard certification, may be necessary to retain business partners
or customers. The financial consequences of non-compliance can include lost revenues and brand damage.
Tackling compliance head-on by establishing well thought out, comprehensive processes and initiatives will not
only achieve efficiencies, it will ensure long term business viability.

Stricter Database Auditing Obligations


With the increase in regulation, database auditing requirements have become more stringent and structured.
In the past, database auditing involved monitoring a few database tables, with virtually no prior planning and no
oversight. As new legislation has raised the bar for database auditing, organizations have scrambled to keep up with
the new requirements. Many businesses may attempt to leverage existing investments to meet these elevated
regulatory requirements, but they face a number of obstacles including exploding administration costs and reduced
business agility.
Organizations with a handful of databases can find today’s auditing requirements challenging and operationally
expensive. Enterprises with a greater number of databases can discover that managing database audit rules and
log files and updating applications for today’s strict audit requirements is cost prohibitive. Each new regulation
compounds these expenses.

Auditing Requirements Demystified


Fortunately, even in the current regulatory environment, it is possible to recognize consistent themes across
most compliance mandates. Achieving compliance becomes a much simpler and more affordable proposition
when organizations can satisfy the following four auditing requirements.
» Full Audit of All Activity and Operations – The scope of the audit must be broad enough to cover the entire
database and database infrastructure, rather than focusing on some databases, tables, columns, or users.
» Separation of Duties – The audit process must be independent of the audited systems instead of being tied to, or
a part of the audited databases.
» User Accountability – The audit trail must clearly establish user accountability, even over pooled connections,
rather than identifying only the application.
» Changes in User Activity – The audit mechanism must be able to separate suspicious behavior and material
variances from all the other normal activity, instead of simply providing mounds of unintelligible recorded logs.
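As an added example (not code from this white paper or from Imperva's products), the following Python sketch shows one way to satisfy the PCI DSS item in the table above, “secure audit trails so they cannot be altered”, together with the Separation of Duties requirement: each audit record is chained to its predecessor and signed with a key that compliance staff, not the DBAs being audited, control. The record fields, the key and the sample events are constructed for the illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demo key. Separation of duties means this key is held by the
# compliance or security team, never by the DBAs whose actions are recorded.
AUDIT_KEY = b"constructed-demo-key-held-by-compliance-team"
GENESIS = "0" * 64  # "previous MAC" of the very first record


def _canonical(record: Dict) -> bytes:
    # Deterministic serialization so identical records always sign identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _mac(record: Dict, key: bytes) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def append_record(trail: List[Dict], event: Dict, key: bytes = AUDIT_KEY) -> Dict:
    """Append an audit event, chaining it to the previous entry and signing it.

    The MAC covers the event fields, the sequence number and the previous MAC, so
    editing, deleting or reordering any earlier entry breaks every later link.
    """
    entry = {"seq": len(trail), "prev": trail[-1]["mac"] if trail else GENESIS}
    entry.update(event)
    entry["mac"] = _mac(entry, key)
    trail.append(entry)
    return entry


def head_mac(trail: List[Dict]) -> str:
    """MAC of the newest entry. Store it off the database host (for example with
    the compliance team) so that silent truncation of the tail is detectable too."""
    return trail[-1]["mac"] if trail else GENESIS


def verify_trail(trail: List[Dict], key: bytes = AUDIT_KEY) -> Tuple[bool, int]:
    """Re-walk the chain. Returns (True, -1) if intact, else (False, first bad seq)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        ok = (entry.get("seq") == i and body.get("prev") == prev
              and hmac.compare_digest(_mac(body, key), entry.get("mac", "")))
        if not ok:
            return False, i
        prev = entry["mac"]
    return True, -1


def build_sample_trail() -> List[Dict]:
    # Constructed events modelled on PCI DSS section 10: who touched cardholder
    # data, from where, with which statement, and how many rows came back.
    events = [
        {"ts": "2009-03-02T09:14:07Z", "user": "jsmith", "src": "crm-app01",
         "sql": "SELECT card_last4 FROM cards WHERE cust_id=?", "rows": 1},
        {"ts": "2009-03-02T09:15:51Z", "user": "dba_admin", "src": "localhost",
         "sql": "ALTER TABLE cards ADD COLUMN notes TEXT", "rows": 0},
        {"ts": "2009-03-02T09:20:33Z", "user": "jsmith", "src": "crm-app01",
         "sql": "SELECT * FROM cards", "rows": 48211},
    ]
    trail: List[Dict] = []
    for ev in events:
        append_record(trail, ev)
    return trail
```

Verification is independent of the database: anyone holding the key can re-walk the chain, and the DBA cannot rewrite a record or drop one from the middle without the check failing at that position.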

Demonstrating Compliance
Besides complying with numerous mandates, organizations today must document and demonstrate compliance
to external auditors and governmental agencies. Organizations must prove that compliance processes
are in place and obeyed. Lastly, they must collect pertinent audit and security data and present it in clear,
understandable reports. Since compliance reports are an unnamed, but nevertheless essential, requirement for
governance, any compliance initiative must include:
» Compliance Reports – Organizations must produce multiple reports for each compliance initiative, including
reports documenting security events, user activity, change management, vulnerability assessment and system
administration.
Many regulations stipulate that compliance reports should be distributed, reviewed and approved by key
stakeholders. To meet regulatory and internal security and auditing requirements, compliance reports must
often be reformatted and distributed to internal and external audiences.
Again, like database auditing, reporting requirements can drive up operational expenses, especially when
reporting processes are manual. Businesses should seek to optimize and automate reporting processes to reduce
operational overhead.


Business Requirement – Security


Protecting Sensitive Data
Corporate databases perform a vital role and contain organizations’ most strategically valuable assets: customer
data, employee information and financial accounting records. Due to their import, organizations must ensure
that databases are protected against attack and abuse. Unfortunately, few businesses are equipped to handle
the overwhelming range of security threats that imperil corporate databases. To illustrate this point, a new
sensitive data breach is disclosed every week. Over 245 million records containing sensitive information have
been compromised between January 2005 and December 2008 [1]. Whether due to a malicious attack, insider
abuse, or an inadvertent leak, a large-scale data breach can be devastating to an organization. A data breach can
lead to brand damage, customer loss, lawsuits, and fines. In extreme cases, a detrimental database compromise
has forced corporate executives to resign or, as in the case of payment processor CardSystems, actually drove the
company out of business.
To quantify the impact, the Ponemon Institute estimates that in 2007 the total average cost of a data breach
was $6.3 million USD per breach or $202 USD per compromised record [2]. Data compromises are extraordinarily
expensive because businesses must investigate the breach, notify victims, and often provide credit monitoring
services to victims. In addition, many businesses spend millions of dollars on auditing services, legal defense,
public relations, and inbound and outbound communications costs. However, lost business and customer churn
provide the greatest impact on the financial bottom line, accounting for 56% of the total cost of a data breach.
For these reasons, no company should overlook the security of their sensitive data.

Database Security Threats


Malicious users have numerous means to steal or alter database data. Whether abusing the trust bestowed
on the user or exploiting a well known database weakness, malicious users are often able to compromise
sensitive data. The following examples illustrate common database attack techniques that can lead to a costly
database breach.
» Database Privilege Abuse occurs when a rogue user abuses database access privileges for illicit purposes.
For example, a customer services representative with privileges to access a customer account database could
download sensitive customer information and sell it to a criminal identity broker.
» Database and Platform Attacks exploit vulnerabilities in the database software and the underlying operating
system. Database software is rife with vulnerabilities; while database vendors devote significant resources to fix
these vulnerabilities, it often takes months for vendors to issue security patches for complex issues.
» Weak Authentication is one of the simplest and yet most pervasive database threats. Many organizations
adhere to some sort of organizational standard for database account names and do not enforce strong passwords.
Weak authentication standards enable malicious users to perform brute force attacks and uncover legitimate
user credentials.
» Application Attacks exploit vulnerabilities in Web applications to access or destroy data in back-end databases.
One such attack strategy, known as SQL injection, takes advantage of input validation vulnerabilities in Web
applications to pass unauthorized SQL queries to a back-end database. Using this technique, a malicious user can
gain unrestricted access to the contents of an entire database.
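As an added example (not code from the white paper), the following Python snippet shows the input-validation flaw behind SQL injection next to its parameterized fix, using an in-memory SQLite table with constructed customer rows; the table, column names and sample inputs are assumptions for the illustration.

```python
import sqlite3

# Constructed sample data so the example runs offline.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, card_last4 TEXT);
INSERT INTO customers VALUES (1, 'Alice Ng',  'alice@example.com', '4242');
INSERT INTO customers VALUES (2, 'Bob Ruiz',  'bob@example.com',   '0005');
INSERT INTO customers VALUES (3, 'Chen Wei',  'chen@example.com',  '1117');
"""


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The flaw the page describes: user input is spliced into the statement text,
    so the database engine cannot tell where the data ends and the SQL begins."""
    sql = "SELECT name, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the statement is fixed and the value travels as a bound
    parameter, so it is compared as a plain string whatever it contains."""
    sql = "SELECT name, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email: str) -> tuple:
    """Run the same input through both forms; returns (vulnerable rows, safe rows).

    The vulnerable form either leaks rows it should not or, for a legitimate value
    containing a quote, fails outright; the parameterized form does neither.
    """
    conn = open_demo_db()
    try:
        try:
            vuln = len(lookup_vulnerable(conn, email))
        except sqlite3.Error:
            vuln = "error"  # a stray quote in legitimate input breaks the statement
        return vuln, len(lookup_parameterized(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    # The textbook test string: the vulnerable form returns every customer row,
    # the parameterized form returns none.
    print(compare("bob@example.com"))
    print(compare("nobody@example.com' OR '1'='1"))
    print(compare("o'neil@example.com"))
```

The third case matters for defenders as much as the second: a concatenated query breaks on ordinary names containing an apostrophe, so the fix improves correctness, not only security.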

Database Security Requirements


Since databases contain an organization’s most valuable and sensitive information and since they perform an
instrumental role within the organization, it is imperative that databases are protected against data compromise.
To safeguard database data, organizations must implement security controls. A comprehensive database
security strategy consists of the following measures.
» Database and Sensitive Data Discovery – To protect sensitive data, organizations must first locate it. Businesses
must have an accurate and complete picture of all databases on their network. Furthermore, they must know
which databases contain sensitive data such as credit card and social security numbers. Identifying all sensitive
data will help organizations prioritize risk and improve spending efficiency.

[1] Privacy Rights Clearinghouse, “A Chronology of Data Breaches”.
[2] Ponemon Institute, “U.S. Cost of a Data Breach Study”, 2008.


» Vulnerability Assessment – Organizations should assess their databases for the configuration flaws and
vulnerabilities that could lead to a data breach. Assessment tests should identify and present discovered
vulnerabilities, their severity level, and vulnerability mitigation steps in clear, comprehensible assessment reports.
» Database and Application Attack Prevention – To protect database data, organizations should monitor and
block attacks to databases. Due to the unique nature of database attacks, a security solution must recognize
known database exploits, but it must also identify changes in user activity that could signal insider abuse. Since
many database attacks are launched through Internet-facing Web applications, organizations should fortify their
Web applications against application attacks. An intelligent Web application firewall can provide the first line of
defense against database attacks.
» Database Activity Auditing for Forensics – If unauthorized activity does occur, organizations must be able to
track the source of the data leak. Comprehensive database auditing enables organizations to reconstruct past
events and determine the extent of a compromise. An auditing solution helps reduce the scope of a data breach
and limit liability by identifying the individual records that may be exposed, rather than the entire database.

Deployment and Operational Considerations


Organizations that store sensitive data in databases must implement controls to secure and audit that sensitive
data. However, databases’ strategic business role makes them subject to stringent deployment and operational
requirements. Operational considerations include availability, performance, deployment risk, and centralized
management.
» Availability – Database availability is paramount for many organizations. Downtime has an immediate negative
impact on revenues, customer satisfaction and productivity. Database security solutions cannot introduce new
points of failure or threaten stability in any way.
» Performance – Database infrastructure is carefully designed to meet specific performance metrics including
throughput, transaction rates, and latency. Therefore, the performance of a database security solution must match
or exceed other elements of the infrastructure. Additional capital costs of compensating for decreased database
performance, new databases or increased memory must be considered.
» Deployment Risk – Database infrastructure is finely optimized. Any change to database applications, server
software, server hardware, or network devices introduces risks to availability, performance, and security.
Mitigating this risk requires costly and time consuming testing and tuning that is a serious barrier to deployment.
A database security solution must be deployed transparently with no changes or impact to the existing infrastructure.
» Centralized Management – Database infrastructure is often distributed across the globe. Security managers
need to manage policy, monitor status, and collect audit data from multiple locations without being required
to manage each security gateway separately. In addition, many distributed businesses run federated models
that require hierarchical policy considerations. Therefore, organizations must be able to administer the database
security solution through a single, unified management interface that matches the organizational requirements of
the business.

Alternative Options for Database Security and Compliance


While database security is not new, most solutions currently available are cumbersome and expensive. The
vast majority only address one aspect of database security, usually at the cost of database performance or
operational agility. Today, organizations can attempt to cobble together a database security solution by
combining native database audit tools, manual reporting processes and network security products. The
following section examines several alternatives for database security.

Native Tools for Database Auditing and Reporting


Auditing mission-critical databases can be an expensive undertaking. Until recently, the only way to monitor and
audit databases was through the use of native database logging mechanisms. However, these native logging
tools were not designed to meet today’s compliance requirements. For example, database log files are managed
by DBAs, the same individuals whose actions are supposed to be audited. These native auditing mechanisms are
not only difficult to manage; they significantly degrade database performance – by as much as 30 to 50% for full
database auditing. Because corporate databases perform such a fundamental role to the business, organizations
must maintain optimal database performance, typically by purchasing additional database software and
hardware. Native database auditing entails hundreds of thousands or even millions of dollars of capital expenses.

Making it Manual
In addition to the performance impact, organizations that use native database logging tools must invest money
on personnel to manage, collect, and review log data and to produce meaningful compliance reports. With these
operationally-expensive manual processes, it is not surprising that U.S. businesses spent over $2.5 billion USD
on head count costs for SOX compliance in 2007 [3]. These compliance expenses escalate disproportionately every
time a new regulation is introduced. For many businesses, the decision to “do nothing” and follow a status quo of
native logging tools and manual compliance processes is an extremely expensive proposition.

Traditional Network Security: Not Fitting the Bill


While network security products such as firewalls and intrusion prevention systems (IPSs) perform a vital role
within the organization, they do not understand SQL communications and cannot perform granular query-level
inspection. In addition, traditional network security products cannot identify database privilege abuse or SQL
protocol exploits. Besides these glaring deficiencies, firewalls and IPSs cannot scan databases for vulnerabilities
nor protect Web applications, the entry point for many database attacks. Organizations that try to repurpose
IPS products for database security will squander IT resources configuring the IPS to perform a task that it was
not designed for. With diminishing returns from IPS products, organizations seeking to shore up their database
security must look beyond traditional network security solutions.

SecureSphere – The Trusted Choice for Database Security


SecureSphere Database Security Solutions provide organizations with effective and practical solutions to
meet their security and auditing requirements. SecureSphere not only monitors and audits database activity, it
also assesses databases for known vulnerabilities and it can block database attacks and unauthorized activity.
Supporting heterogeneous environments that include Oracle, Microsoft SQL, Sybase, IBM DB2, and Informix,
SecureSphere offers a comprehensive database security solution that lowers organizations’ auditing expenses
while bolstering database security. SecureSphere’s database activity monitoring capabilities, up-to-date attack
protection, multiple deployment options, and in-built compliance reports have made SecureSphere the trusted
choice for database monitoring and auditing.

What Are SecureSphere Database Security Solutions?


SecureSphere Database Security Solutions are a family of appliances that audit and protect databases.
SecureSphere Database Activity Monitoring supports database discovery, assessment, monitoring, auditing, and
reporting. The SecureSphere Database Firewall, in addition to monitoring and auditing, can proactively protect
database assets. These SecureSphere Database Security Solutions include a lightweight database agent to
monitor local privileged operations by the DBA. SecureSphere distinguishes itself from native database tools and
from competitive solutions by the following features:
» Complete Auditing of All Database Operations – SecureSphere audits DML, DDL, and DCL with full query,
response, and even row-level auditing. SecureSphere records the context of database operations, including the
date and time, source application, source URL, and hostname. SecureSphere captures prepared statements, stored
procedures and bind variables.
» Automated Compliance Reports – With over 250 graphical reports, high-level summaries and detailed drill-down
reports, SecureSphere saves businesses time and money and ensures reports meet regulatory requirements.
Customizable report templates can be easily adapted to suit individual reporting needs. Compliance workflows
streamline the report distribution and approval process.
» User Accountability – Any audit trail must record the individual user that performed the action. Unfortunately,
in multi-tier environments with pooled connections, it can be difficult, if not impossible, to identify the individual
end user. SecureSphere’s unique Universal User Tracking combines several identification techniques to accurately
identify end users without requiring any changes to existing applications.

[3] AMR Research, “With GRC Spending at an All-Time High, What Happens to SOX?”, 2008.


» Independence and Separation of Duties – To ensure integrity, database audit trails should be managed by
individuals outside of the database administration team. SecureSphere enables separation of duties and it can be
deployed without database privileges. It can be operated by compliance or security staff without DBA expertise. In
addition, audit logs can be digitally signed and encrypted to prevent tampering.
» Material Variance in User Activity – SecureSphere’s Dynamic Profiling technology automatically creates and
maintains a baseline profile of each user’s activity. Database traffic can be compared to the assessed baseline or to
job function or regulatory requirements. By learning database users and query groups, SecureSphere reduces the
time required to configure audit rules and security alerts from weeks to just minutes.
» Database and Sensitive Data Discovery – SecureSphere scans a network IP range to detect all existing
databases including rogue databases. Then SecureSphere searches each database for sensitive information such
as social security numbers, credit card numbers and national ID numbers. With SecureSphere, customers obtain a
clear and accurate report of all sensitive databases in their network.
» Vulnerability Assessment – SecureSphere delivers both configuration and behavior assessment. With over 500
assessment tests, SecureSphere can accurately uncover a myriad of vulnerabilities and poor business practices.
Assessment results are presented in clear, actionable reports that prioritize risk and describe mitigation steps.
» Database Protection – SecureSphere’s integrated Intrusion Prevention System (IPS) detects and blocks database
attacks and SQL protocol exploits. With up-to-date policies from the Imperva Application Defense Center (ADC),
SecureSphere enables DBAs to apply database vulnerability patches on their own schedule.
» Web Application Protection – SecureSphere can protect transactions from the end user through the Web
application to the database. With a simple license upgrade to the SecureSphere Data Security Suite, SecureSphere
not only protects databases but also safeguards Web applications. SecureSphere leverages multiple defenses
to accurately block SQL injection, XSS, session hijacking and other Web application attacks. SecureSphere protects
more Web sites than any other commercial Web application firewall.

Deployment and Operational Efficiency


Imperva understands that database performance and availability are essential to business success. To that end,
Imperva has developed a database security solution that audits and protects database data without impacting
database response speeds or reliability. Multiple deployment options guarantee fast, easy deployment with no
changes to the existing network or applications. Automated SQL query profiling along with pre-defined audit
rules and reports streamline administration and reduce operational overhead.
» Transparent Deployment – SecureSphere can be installed as an inline layer 2 bridge or as a non-inline monitor,
allowing drop-in deployment in any environment.
» Ultra-High Performance – SecureSphere delivers multi-gigabit performance and sub-millisecond latency,
meeting the performance demands of the largest datacenters in the world. Benchmark results from the Tolly
Group validate SecureSphere’s blistering speeds.
» High Availability – With multiple high availability options, including Imperva’s sub-second IMPVHA protocol, fail
open interfaces, VRRP, RSTP, and non-inline monitoring, SecureSphere maximizes uptime.
» Centralized Management – The SecureSphere MX Management Server unifies initial configuration,
management, monitoring and reporting of multiple, distributed SecureSphere appliances. It supports hierarchical
management for large organizations with federated models.
» Automated Security and Reporting – SecureSphere’s Dynamic Profiling technology simplifies management in
two ways: first, it automatically learns database structure, users, and queries, which makes defining audit rules
a snap; secondly, Dynamic Profiling develops a baseline of normal activity and recognizes deviations from this
accepted behavior for security purposes. SecureSphere’s pre-built knowledge of business applications and its host
of compliance and security reports eliminate manual reporting processes.
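To show what the “material variance in user activity” and Dynamic Profiling passages describe in concrete terms, here is an added Python example (not Imperva code and not a description of how SecureSphere’s profiler is implemented): a baseline is learned from a window of audit records, and later records are flagged when the account, the source host, the operation/table pair or the returned row volume falls outside it. The record format, the learning window and the ten-fold row threshold are constructed for the illustration.

```python
from typing import Dict, List, Tuple

# Constructed audit records as a database activity monitor might emit them:
# (user, source host, operation, table, rows affected or returned).
Record = Tuple[str, str, str, str, int]

LEARNING_WINDOW: List[Record] = [
    ("jsmith", "crm-app01", "SELECT", "customers", 1),
    ("jsmith", "crm-app01", "SELECT", "customers", 3),
    ("jsmith", "crm-app01", "UPDATE", "customers", 1),
    ("jsmith", "crm-app01", "SELECT", "orders", 12),
    ("billing", "batch07", "SELECT", "cards", 5000),
    ("billing", "batch07", "INSERT", "ledger", 5000),
    ("dba_admin", "localhost", "SELECT", "orders", 20),
]

# Constructed activity observed after the baseline was learned.
NEW_ACTIVITY: List[Record] = [
    ("jsmith", "crm-app01", "SELECT", "customers", 2),       # routine lookup
    ("jsmith", "crm-app01", "SELECT", "customers", 48211),   # bulk pull of the table
    ("jsmith", "vpn-gw", "SELECT", "cards", 1),              # new host, new table
    ("mallory", "crm-app01", "SELECT", "customers", 1),      # account never seen
]


def learn_profile(records: List[Record]) -> Dict[str, Dict]:
    """Build a per-user baseline: hosts seen and, for each (operation, table)
    pair, the largest row count observed during the learning window."""
    profile: Dict[str, Dict] = {}
    for user, src, op, table, rows in records:
        p = profile.setdefault(user, {"hosts": set(), "actions": {}})
        p["hosts"].add(src)
        key = (op, table)
        p["actions"][key] = max(p["actions"].get(key, 0), rows)
    return profile


def check_event(profile: Dict[str, Dict], rec: Record, row_factor: int = 10) -> List[str]:
    """Return human-readable deviations for one record; empty list means normal."""
    user, src, op, table, rows = rec
    p = profile.get(user)
    if p is None:
        return [f"unknown user {user}"]
    findings = []
    if src not in p["hosts"]:
        findings.append(f"new source host {src}")
    key = (op, table)
    if key not in p["actions"]:
        findings.append(f"first {op} on {table}")
    elif rows > row_factor * p["actions"][key]:
        # Volume far above anything seen for this user/statement pair: the
        # "download the whole table" pattern behind many insider leaks.
        findings.append(f"{rows} rows, baseline max {p['actions'][key]}")
    return findings


def review(profile: Dict[str, Dict], records: List[Record]) -> List[Tuple[Record, List[str]]]:
    """Keep only the records that deviate from the baseline, with their reasons,
    so reviewers see the material variances rather than every logged statement."""
    flagged = []
    for rec in records:
        findings = check_event(profile, rec)
        if findings:
            flagged.append((rec, findings))
    return flagged


if __name__ == "__main__":
    baseline = learn_profile(LEARNING_WINDOW)
    for rec, why in review(baseline, NEW_ACTIVITY):
        print(rec, "->", "; ".join(why))
```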


Cost Savings with SecureSphere


SecureSphere Database Security Solutions [4] are designed from the ground up to meet the auditing, assessment,
and security requirements of mission critical databases. The SecureSphere Database Security Solutions provide
conclusive cost-savings based on their auditing and reporting features alone by offloading operationally-
expensive logging from database servers and by driving down manual compliance reporting costs. On top
of these benefits, SecureSphere also provides undeniable value because of its security, assessment, and
forensics capabilities.

Reducing the Cost of Auditing


While database vendors offer in-built database logging capabilities, turning on these features comes at the cost of
database performance. Imperva evaluated database auditing options in depth in the white paper: “The Hidden
Costs of Free Database Auditing”. According to this analysis, logging all database activity will degrade database
performance by a minimum of 30%. To maintain the previous level of performance, organizations must invest
in additional server hardware and software. For a medium-size business, the cost comes out to $1.6 million USD.
Surprisingly, 80% of this outlay goes directly to the database vendor in the form of additional per-CPU database
software licenses. In addition to the infrastructure costs, an organization must dedicate operational resources to
manage auditing rules. Based on a rigorous evaluation, the total infrastructure, support, and administrative costs
of native database auditing over five years equals $2.04 million USD. These excessive costs may help explain why
an overwhelming majority of DBAs are reticent to turn on native database auditing. Alternatively, the cost to
purchase the SecureSphere appliance and a support contract plus the administrative overhead to manage the
SecureSphere products for five years totaled $144,000 USD. The overall cost savings of SecureSphere compared
to native database auditing was 93.4%.

Automation of Manual Reporting Processes


While the overhead to manage database audit rules is excessive, it is dwarfed by the operational costs of
compliance reporting. For many regulations, organizations must demonstrate and document compliance. This
can entail expensive manual reporting processes that include scouring through reams of logs to extract relevant
data and then organizing this data into presentable reports. These reporting processes are duplicated for every
new regulation. Compliance reporting processes cost many organizations in excess of a million dollars every
year. SecureSphere Database Security Solutions can cut that cost 90% by automating compliance reporting.
SecureSphere provides the most complete set of compliance reports available, including pre-defined SOX, PCI,
and HIPAA reports. In addition, SecureSphere contains pre-built reports for Oracle EBS, PeopleSoft and SAP, as
well as a wide array of security and internal audit reports. With SecureSphere, organizations can quickly generate
business-relevant reports that document compliance.

Return on Security Investment


Although the benefit is hard to quantify, SecureSphere safeguards database assets, and that protection has real
financial value. SecureSphere delivers the most comprehensive and accurate protection available, detecting
database attacks, SQL protocol violations, and unauthorized behavior. These features alone can save companies
millions of dollars when measured against the economic impact of a data breach.
In addition to real-time security, SecureSphere can directly help organizations focus and prioritize their IT
security spending. SecureSphere can discover the database servers in the organization and report where sensitive
data resides within them. It can also assess those databases for vulnerabilities and configuration flaws. Together,
these capabilities help organizations understand the scope of their compliance efforts and the risk to their data,
and let them take a risk-based approach to IT security spending.

Ancillary Financial Benefits


SecureSphere provides a wealth of benefits above and beyond database auditing, reporting, and security. For
example, many applications pool their database connections, so the database sees only the application's shared
service account and cannot identify the individual end user behind a given transaction. For organizations that
have failed an audit because of such weak user controls, SecureSphere can provide immediate cost benefits.
SecureSphere's Universal User Tracking associates application users with database transactions, helping
organizations pass their audits at a much lower cost than re-coding the application to pass user identity through.

[4] SecureSphere Database Activity Monitoring provides the same discovery, assessment, auditing and reporting capabilities as the Database
Firewall, but it cannot block attacks or unauthorized transactions.

SecureSphere's comprehensive audit data also supports forensic investigation. Because it records every query to
sensitive tables, SecureSphere lets IT staff trace suspicious transactions after a security event and accurately
assess the scope of the incident, which in turn limits overall liability.
SecureSphere Database Security Solutions provide additional benefits such as enforcing separation of duties for
database audits and eliminating the human error in compliance reporting processes. Considering the auditing,
reporting, and security cost savings that SecureSphere offers, organizations can follow the lead of hundreds of
the world’s top businesses by selecting SecureSphere to audit and protect their databases.
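The two capabilities above, attributing statements on a pooled connection to the end user who was active at that moment and then scoping an incident from the attributed audit trail, can be illustrated with a small script. The example below is added here and is not Imperva's code or a description of how Universal User Tracking is implemented; it uses a simplified timing-based correlation between a constructed application access log and a constructed database audit log, and it reports statements as ambiguous when more than one user request was in flight rather than guessing.

```python
"""Attribute SQL statements on pooled connections to end users, then scope an
incident. Added example with constructed logs, not Imperva code."""
import re
from datetime import datetime


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed application access log: which end user's request was being
# served on which application server, and over what interval.
APP_LOG = [
    # (app_server, end_user, request_start, request_end)
    ("app1", "alice",   "2009-07-01T10:00:00", "2009-07-01T10:00:02"),
    ("app1", "bob",     "2009-07-01T10:00:05", "2009-07-01T10:00:06"),
    ("app1", "carol",   "2009-07-01T10:00:05", "2009-07-01T10:00:07"),  # overlaps bob
    ("app1", "mallory", "2009-07-01T10:01:00", "2009-07-01T10:01:30"),
]

# Constructed database audit log: every statement against sensitive tables as
# the database sees it. All of them arrive under the pool's service account.
DB_AUDIT = [
    # (timestamp, client_host, db_user, sql)
    ("2009-07-01T10:00:01", "app1", "app_pool", "SELECT balance FROM accounts WHERE id = 42"),
    ("2009-07-01T10:00:05", "app1", "app_pool", "UPDATE accounts SET balance = 0 WHERE id = 7"),
    ("2009-07-01T10:01:05", "app1", "app_pool", "SELECT * FROM accounts"),
    ("2009-07-01T10:01:10", "app1", "app_pool", "SELECT ssn, name FROM customers"),
    ("2009-07-01T10:01:20", "app1", "app_pool", "SELECT balance FROM accounts WHERE id = 42"),
]


def attribute_statements(db_audit, app_log):
    """For each audited statement, find the end-user requests in flight on the
    same application server at that instant. Exactly one match is a confident
    attribution; several overlapping requests are reported as AMBIGUOUS, and
    no match as UNATTRIBUTED, so the analyst sees the uncertainty."""
    rows = []
    for ts, host, db_user, sql in db_audit:
        when = _t(ts)
        active = sorted({user for srv, user, start, end in app_log
                         if srv == host and _t(start) <= when <= _t(end)})
        if len(active) == 1:
            user = active[0]
        elif active:
            user = "AMBIGUOUS"
        else:
            user = "UNATTRIBUTED"
        rows.append({"ts": ts, "db_user": db_user, "sql": sql,
                     "user": user, "candidates": active})
    return rows


# Table names following FROM / JOIN / UPDATE / INTO (good enough for the
# simple statements audited here; a real parser would handle subqueries).
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def tables_referenced(sql):
    return sorted({m.lower() for m in TABLE_RE.findall(sql)})


def incident_scope(attributed, suspect):
    """Scope an incident from the attributed trail: which sensitive tables the
    suspect touched and how many statements they issued."""
    stmts = [r for r in attributed if r["user"] == suspect]
    tables = set()
    for r in stmts:
        tables.update(tables_referenced(r["sql"]))
    return {"user": suspect, "statements": len(stmts), "tables": sorted(tables)}


if __name__ == "__main__":
    rows = attribute_statements(DB_AUDIT, APP_LOG)
    for r in rows:
        print(f"{r['ts']} {r['db_user']:>8} -> {r['user']:<12} {r['sql']}")
    print(incident_scope(rows, "mallory"))
```

Run as a script it prints one attributed line per audited statement and then the scope for the suspect user: the 10:00:05 UPDATE is flagged AMBIGUOUS because both bob's and carol's requests were in flight, which is exactly the case a correlation engine must surface rather than resolve by guesswork.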

Imperva SecureSphere Delivers Value to Leading Companies


Japanese Television Network
A leading Japanese television broadcasting company needed to comply with Japan’s Financial Instruments
and Exchange Law, commonly referred to as J-SOX because of its resemblance to SOX legislation in the United
States. Like many Japanese companies, the TV Network witnessed SOX saddle publicly-traded U.S. corporations
with excessive regulatory costs and the TV Network wanted to learn from this experience to optimize its own
compliance initiatives. By this time, many U.S. businesses had implemented database auditing tools because
they could automate compliance processes and slash operational costs. The TV Company determined that it
could avoid millions of dollars in J-SOX-related expenses by investing early in a database auditing solution.
The IT Security staff sought an auditing solution that would strengthen controls over financial data and establish
a governance framework to meet J-SOX requirements. The solution had to document and to demonstrate J-SOX
compliance without impacting database performance.
After a comprehensive evaluation, the IT Security team selected SecureSphere because it:
» Provided comprehensive database auditing, reporting, and security capabilities
» Supported transaction-intensive networks and applications without affecting performance
» Offered zero impact on the production environment
For the Japanese TV Network, SecureSphere eliminated human error in manual audit processes and offered
immediate visibility into privileged database operations. SecureSphere Database Activity Monitoring delivers
multi-Gigabit throughput, easily surpassing the TV Network's scalability requirements. With multiple deployment
options, including a transparent layer-2 bridge and a non-inline sniffer, the SecureSphere appliance monitors and
audits changes to financial records without impacting the organization's database infrastructure.
A wide array of audit policies and reports designed for SOX and J-SOX streamline the TV Company’s compliance
processes. Imperva frequently updates compliance reports and audit policies to keep up with today’s evolving
regulatory landscape, so the leading Japanese TV Network will be able to demonstrate J-SOX compliance today
and in the future.

Major Commercial and Investment Bank


A global financial services company, like many publicly traded businesses, was overburdened with cumbersome
SOX, GLBA, and PCI compliance processes that cost over $2.5 million annually. To streamline these processes and
reduce human error in compliance reports, the Bank turned to Imperva.
By implementing the Imperva SecureSphere Database Firewall, the Bank was able to reduce compliance cycles
from several weeks to a day. SecureSphere gave the Bank the ability to define and create audit rules automatically
based on database activity profiles. SecureSphere then identified materially relevant data usage and verified
compliance with the Bank's defined policies. SecureSphere presented the audit information in an easily
understandable format, impressing the company's external auditors.
In addition to reducing the time dedicated to compliance audits, SecureSphere gave the Bank better visibility
into its database environment. Security officers gained visibility into previously elusive DBA and super-user
activity and into stored procedures. Because SecureSphere sits outside the database, it provided an independent
system of record that the administrators being audited could not alter.


Finally, SecureSphere allowed security personnel to go beyond compliance monitoring and secure critical
applications by blocking malicious activity. The network security team wanted to prevent users from accessing
critical systems from unauthorized locations and at atypical times of the day. The security and audit staff realized
that security and compliance go hand in hand. By extending SecureSphere to proactive protection, the Bank
could avoid the incredibly high costs of a data security breach. With SecureSphere, the Bank gained the ability to
prevent malicious activity before it could impact the business.
The Bank wanted a turnkey solution that could be deployed in time to meet looming compliance requirements.
SecureSphere was deployed and fully operational in a few hours without requiring any manual setup. Database
and application administrators were not affected by the deployment and have not seen any degradation in
performance.
SecureSphere is currently monitoring and protecting all of the Bank’s customer and financial databases. The
audit staff and company executives can now obtain quick answers to their compliance questions in a language
and format they can easily understand. And the audit staff no longer fears visits from external auditors. With
SecureSphere, they have easily passed all of their compliance audits.
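The control described above for the Bank, blocking access to critical systems from unauthorized locations and at atypical times of day, is in essence a policy evaluated against each connection event. The example below is added here to show what such a rule looks like in code; it is not Imperva's policy engine, and the network ranges, business hours, database names and events are all assumptions constructed for illustration.

```python
"""Evaluate a location-and-time access policy for critical databases.
Added example with a hypothetical policy and constructed events; not
Imperva code."""
import ipaddress
from datetime import datetime

# Hypothetical policy. Only the listed critical databases are subject to the
# location and time-of-day restrictions.
POLICY = {
    "critical_databases": {"finance_db", "customer_db"},
    "allowed_networks": [ipaddress.ip_network("10.20.0.0/16"),     # office LAN
                         ipaddress.ip_network("192.168.5.0/24")],  # DBA jump hosts
    "business_days": {0, 1, 2, 3, 4},   # Monday..Friday
    "business_hours": (8, 18),          # 08:00 <= hour < 18:00, local time
}


def evaluate(event, policy=POLICY):
    """Return ("allow", []) or ("block", [reasons]) for one connection event.
    Every failed check is collected so the audit trail shows all the reasons
    a connection was refused, not just the first one."""
    if event["database"] not in policy["critical_databases"]:
        return "allow", []
    reasons = []
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in policy["allowed_networks"]):
        reasons.append(f"source {src} is outside the authorized networks")
    when = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    start, end = policy["business_hours"]
    in_hours = when.weekday() in policy["business_days"] and start <= when.hour < end
    if not in_hours:
        reasons.append(f"access at {when:%a %H:%M} is outside business hours")
    return ("block" if reasons else "allow"), reasons


# Constructed connection events. 2009-07-01 is a Wednesday, 2009-07-04 a Saturday.
EVENTS = [
    {"ts": "2009-07-01T14:30:00", "src_ip": "10.20.3.4",   "user": "dba_admin", "database": "finance_db"},
    {"ts": "2009-07-01T14:30:00", "src_ip": "203.0.113.7", "user": "dba_admin", "database": "finance_db"},
    {"ts": "2009-07-01T02:15:00", "src_ip": "10.20.3.4",   "user": "dba_admin", "database": "customer_db"},
    {"ts": "2009-07-04T02:15:00", "src_ip": "203.0.113.7", "user": "dba_admin", "database": "customer_db"},
    {"ts": "2009-07-04T02:15:00", "src_ip": "203.0.113.7", "user": "dev",       "database": "dev_scratch"},
]


def evaluate_all(events, policy=POLICY):
    """Verdict for each event, in order."""
    return [evaluate(e, policy)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        verdict, reasons = evaluate(e)
        print(f"{e['ts']} {e['user']:>10}@{e['src_ip']:<12} -> {e['database']:<12} {verdict.upper()}",
              "; ".join(reasons))
```

The fourth event fails both checks and is reported with two reasons; the fifth, from the same address at the same hour, is allowed because a scratch database is not in the critical set, which is the scoping decision a security team has to make explicitly before turning a monitoring rule into a blocking one.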

Summary
As compliance regulations become more stringent and database threats escalate, the need for database security
has become imperative. At the center of this perfect storm are a host of regulations that mandate database
protection and enforce incident response. Initiatives such as the PCI Data Security Standard set forth database
security and monitoring requirements. Other regulations, like SOX, require that businesses implement and
validate controls over financial data. A dedicated database security solution not only satisfies these compliance
requirements, it also lowers the recurring costs associated with manual audit and reporting.
A dedicated database security solution also safeguards database assets from attack and compromise. It provides
a level of comfort to senior management that the organization is mitigating internal and external threats and
managing overall risk. A database security solution assures an organization’s stakeholders that the organization’s
most sensitive and strategic information is safe.
When compared to alternative solutions such as native database auditing or network firewalls, SecureSphere
Database Security Solutions are the only sensible and effective choice. SecureSphere delivers a comprehensive
and independent auditing solution that is easy to deploy and manage. With SecureSphere, organizations can:
» Lower the cost of database auditing while implementing separation of duties
» Automate compliance reporting
» Monitor and protect sensitive database data
» Discover databases and sensitive information
» Assess databases for vulnerabilities
» Achieve user accountability, even in multi-tier environments
With its indisputable value, it is not surprising that SecureSphere has become the market leader in
application and data security. Trusted by hundreds of leading organizations around the world, SecureSphere is
the practical, cost-effective solution for database auditing and security.



Imperva
Americas Headquarters
3400 Bridge Parkway, Suite 101
Redwood Shores, CA 94065
Tel: +1-650-345-9000
Fax: +1-650-345-9004

International Headquarters
125 Menachem Begin Street
Tel-Aviv 67010, Israel
Tel: +972-3-6840100
Fax: +972-3-6840200

Toll Free (U.S. only): +1-866-926-4678


www.imperva.com

© Copyright 2009, Imperva


All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.
All other brand or product names are trademarks or registered trademarks of their respective holders.
#WP-BC_DATABASE_SECURITY-0709rev2
