Why Applications with DAM are Still Blind


by Alon Rosenthal – A few years ago, I invented Dynamic Data Masking. I used an SQL proxy that could apply SQL rewrites in real time in order to change the ‘select’ request so that it returned masked sensitive data to SQL development tools, such as Toad and SQL Navigator. I implemented application security solutions for Fortune 1000 customers worldwide. During these years, I have worked closely with all leading DAM solutions, and I found that they rarely deliver application user activity monitoring.

Here are some eye-opening shortcomings about DAM implementations for enterprise application protection.

1. DAM solutions are installed either on the database (as an agent) or as a sniffer between the app server and the database. They do not monitor the activity performed on the app server, which is a black box to DAM. Thus, they can only observe the queries the application sends to the database. This hides activity and user context from DAM, as in the following cases:

a. Application server caching (as no SQL request is sent to the database). Disabling application cache can cause performance degradation and is not recommended by the application vendor.

b. Applications using stored procedure calls to the database.

c. Database network encryption.

d. Applications using EAI/API calls for data (e.g., many banks use an EAI solution such as Tibco, without submitting SQL requests), causing DAM solutions to be inefficient.

2. User identification – app servers connect to the database with a single admin user and not with the individual end-user, which only the application server knows. DAM tools see the admin user, but not the end-user credentials.
To provide this end-user visibility, DAM asks the application owner to add a remark to each SQL request, which in many cases requires source-code changes.

3. Tedious and long implementation – implementing DAM requires in-depth visibility into the application’s database and classification of thousands of sensitive tables, views, snapshots, materialized views and columns, all containing sensitive and personal information. Building this definitive list of sensitive objects is daunting work for the organization and requires assigning resources outside of the security department (DBAs, application architects), which makes this effort fall flat on its face.
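
Item 2 describes adding a remark to each SQL request so that the monitoring tool can see the end user behind the shared database account. The sketch below is an added example, not code from the original article or from any DAM product: it shows the application-side tagging and the monitor-side attribution, including the untagged code path that stays invisible. The `app_user=` tag format, the function names and the sample statements are assumptions, and it assumes the database driver passes comments through unchanged.

```python
import re

# Hypothetical tag format: /* app_user=<id> */ placed before the statement.
_SAFE_ID = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
_TAG = re.compile(r"^\s*/\*\s*app_user=([A-Za-z0-9_.@-]{1,64})\s*\*/")


def tag_sql(sql, end_user):
    """Application side: prefix a statement with the end-user identity.

    The identity is checked against an allow-list so that a value containing
    '*/' cannot close the comment and change the statement that follows.
    """
    if not _SAFE_ID.fullmatch(end_user):
        raise ValueError("end-user id contains characters not allowed in the tag")
    return f"/* app_user={end_user} */ {sql}"


def attribute(db_user, captured_sql):
    """Monitor side: recover the end user from a captured statement, if tagged."""
    m = _TAG.match(captured_sql)
    return {
        "db_user": db_user,                       # always the shared pool account
        "end_user": m.group(1) if m else None,    # known only when the app tagged it
        "attributed": m is not None,
    }


def audit(captured):
    """Attribute every (db_user, sql) pair seen on the wire."""
    return [attribute(db_user, sql) for db_user, sql in captured]


# Constructed sample traffic: every statement arrives as the same admin account.
QUERY = "SELECT name, ssn FROM customers WHERE id = ?"
SAMPLE = [
    ("app_admin", tag_sql(QUERY, "jsmith")),  # code path that was changed to tag
    ("app_admin", QUERY),                     # code path nobody modified
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Every statement issued from a code path that was not modified comes back with `attributed` set to `False`, which is why this approach tends to require source-code changes across the whole application.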

DAM tools are rarely used for application security because of these main limitations as well as others. Therefore, a superior solution is required.
