The Hidden Costs of Free Database Auditing
Comparing the total cost of ownership of native database auditing vs. Imperva SecureSphere


Executive Summary

To achieve compliance with regulatory mandates, many organizations turn to the free auditing tools within their database servers. These tools, they assert, are an easy and inexpensive solution to the growing need for database monitoring. In reality, this misconception may be costing businesses significantly more than independent tools such as the SecureSphere Database Gateways from Imperva. In addition to their hidden monetary costs, the native auditing mechanisms leave basic audit requirements unfulfilled and expose businesses to a host of risks and vulnerabilities that leave sensitive data unprotected. This is true for any of the commercially available databases on the market today.

This paper presents the true costs associated with an organization's decision to implement native database auditing. To illustrate the costs, a scenario is presented in which a medium-sized business is hit with hidden costs of $2 million when it implements native database auditing. Surprisingly, 80% of that expense went directly to the database vendors to purchase additional software licenses. In contrast, Imperva's SecureSphere database auditing solution would fulfill the organization's compliance requirements at a fraction of the cost while providing more rigorous data security and auditing capabilities.

White Paper

Cutting the Cost of Database Auditing

Government regulations and industry standards are driving organizations to expand their audit procedures to include sensitive information stored within corporate databases. Corporate executives, auditors and information technology professionals must work together to prove that business applications such as Oracle E-Business Suite, PeopleSoft, SAP and others meet regulatory data controls and industry security requirements. Auditing must cover access by both external and internal users to comply with policies, standards and controls.

Unfortunately, monitoring mission-critical databases is an expensive undertaking. Corporate reliance on various business applications means these systems must serve a wide range of users without compromising the speed or continuity of the business. Until recently, enterprises have looked toward the native auditing capabilities built into their databases for a solution that fulfills their current audit requirements. However, the native mechanisms bring considerable IT infrastructure prerequisites, significant impact on application performance, and very high initial and ongoing operational costs. Businesses are discovering, often the hard way, that effective, cost-efficient database auditing is not achievable through built-in database auditing.

Database Auditing Done Right

Meeting stricter requirements

With the increase in regulation, requirements for database auditing have become stricter and more structured. Historically, database audit involved monitoring a few select tables and/or users, with virtually no prior planning and no oversight. As audit requirements get stricter, specific demands are coming from executives who fear losing their jobs, or worse, directly from audit and regulatory bodies who wish to increase the integrity of financial reporting and decrease sensitive data theft.

Organizations are therefore learning that the old, imprecise and loose methodology is no longer sufficient. For database auditing to measure up to the new yardstick, it needs to satisfy the following five requirements:

1. The audit process must be independent of the audited systems, instead of being tied to, or a part of, the audited databases;
2. The audit trail must clearly establish user accountability, even over pooled connections, rather than identifying only the application;
3. The audit logs must provide sufficient detail on database transactions, including query and response details;
4. The audit mechanism must be able to separate suspicious behavior and material variances from all other normal activity, instead of simply providing mounds of unintelligible recorded logs; and
5. The scope of the audit must be broad enough to cover the entire database and database infrastructure, rather than focusing on some databases, tables, columns and/or users.

Organizations with a handful of business-critical databases can be challenged to meet these requirements. Enterprises that rely on greater numbers of databases often find these challenges are significantly compounded.

Page 2 Imperva

How Does Native Database Auditing Stack Up?

Unable to meet requirements

Given today's demanding governance environment, native database auditing falls short. Most of the requirements are simply not achievable with native database auditing, and those that are can only be fulfilled through the purchase, installation, configuration and management of expensive add-ons to the core database, or through extensive reconfiguration and redevelopment of applications. Specifically, native database auditing mechanisms are insufficient to meet compliance requirements in the following ways:

1. Using the audit functions of the native database violates the concept of independent audit, because the audited personnel are needed to configure and manage the audit system.
2. Uniquely identifying the end user is not possible for all applications, because databases typically do not interact directly with the end user. Instead, queries and responses go through application and/or Web servers, and hence the native audit mechanism identifies the application but loses visibility into the identity of the user.
3. Performance considerations prevent native database auditing from capturing the full request/response details of database user activity.
4. Native database audit mechanisms cannot separate legitimate activity from suspicious behavior, and hence the audit function relies on sifting manually through mounds of unintelligible logs. This requires extensive man-hours and additional technologies to parse the data and place it in context before humans can make sense of what was collected.
5. Performance considerations limit the scope of native auditing to only the perceived critical tables, columns and users.

An expensive proposition

While it may seem easy and cost-effective to simply turn on native database auditing, two major factors make this option extremely expensive. The first is the expense of addressing the performance impact on the database servers. The second is the ongoing maintenance required to keep native database auditing rules up to date within an organization's ever-changing database and application environment.

Built-in database auditing is usually implemented through the use of triggers. These increase the database load by 30% to 50%, even when optimized through query optimization and logical separation of the database. This usually means that, as part of an audit implementation, new hardware and software licenses must be purchased just to keep the application running at the same performance level.

The process of setting up and maintaining database auditing rules is highly complex and requires a certain amount of expertise and communication between developers, DBAs and security staff. Typically, this process diverts already-stretched DBA resources from their core functions, which proves extremely expensive on an ongoing basis. Given the complexity of the applications in use and the number of people using them, the auditing rules must be constantly updated for the auditing mechanism to remain effective. Typically, this means that the scope of the audit is limited to a small subset of the full database environment. This limitation of scope may prevent an organization from passing a compliance audit.

The challenges identified above translate to real dollars lost. A medium-sized business that employs native database auditing can expect the following financial scenario. Let's assume that this business relies on fifty databases running on commodity hardware, and that these databases are managed by two or three DBAs. As this paper demonstrates, this business believes it is taking advantage of free auditing tools, but in reality it can expect to spend between $1.5 million and $2 million.
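The following script is an added example and is not code from the Imperva paper. It shows, in miniature, two of the shortcomings described above: a trigger-based audit trail (the mechanism the paper says native auditing usually relies on) records only the shared database account that the application's connection pool uses, so a change made on behalf of one end user is indistinguishable from any other, and closing that gap requires changing the application itself. SQLite stands in for a commercial database; the `session_ctx` table (a stand-in for the per-session client-identifier facility real databases offer), the `app_svc` account name, the customer rows and the user names are all constructed for the example.

```python
"""Added example: what a trigger-based audit trail sees over a pooled connection."""
import sqlite3


def build_schema(conn):
    """Create a business table, a trigger-maintained audit table and a one-row
    session-context table the application may stamp with the end user's name."""
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER);

        -- Constructed audit table: what a native, trigger-based audit can record.
        -- Note it captures the row change, not the SQL text or the result set
        -- the application saw (the paper's requirement 3).
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY,
            db_account TEXT,   -- the account the connection pool logs in as
            end_user   TEXT,   -- populated only if the application stamps it
            action     TEXT,
            row_id     INTEGER,
            old_limit  INTEGER,
            new_limit  INTEGER
        );

        -- Constructed stand-in for a per-session client identifier.
        CREATE TABLE session_ctx (end_user TEXT);
        INSERT INTO session_ctx VALUES (NULL);

        CREATE TRIGGER audit_credit_update AFTER UPDATE OF credit_limit ON customers
        BEGIN
            INSERT INTO audit_log (db_account, end_user, action, row_id, old_limit, new_limit)
            VALUES ('app_svc', (SELECT end_user FROM session_ctx), 'UPDATE',
                    OLD.id, OLD.credit_limit, NEW.credit_limit);
        END;

        INSERT INTO customers VALUES (1, 'Ada', 1000), (2, 'Bob', 2000);
    """)


def raise_limit_naive(conn, customer_id, new_limit):
    """Typical application code: nothing tells the database who the end user is,
    so the trigger can only record the pooled service account."""
    with conn:
        conn.execute("UPDATE customers SET credit_limit = ? WHERE id = ?",
                     (new_limit, customer_id))


def raise_limit_attributed(conn, end_user, customer_id, new_limit):
    """The same change after the application is reworked to stamp the end user
    into the session context for the duration of the request."""
    with conn:
        conn.execute("UPDATE session_ctx SET end_user = ?", (end_user,))
        conn.execute("UPDATE customers SET credit_limit = ? WHERE id = ?",
                     (new_limit, customer_id))
        conn.execute("UPDATE session_ctx SET end_user = NULL")


def audit_rows(conn):
    """Return the audit trail as plain tuples, oldest first."""
    return [tuple(r) for r in conn.execute(
        "SELECT db_account, end_user, action, row_id, old_limit, new_limit "
        "FROM audit_log ORDER BY id")]


def unattributed_changes(conn):
    """Audit-review check: changes that cannot be tied to a person."""
    return conn.execute(
        "SELECT COUNT(*) FROM audit_log WHERE end_user IS NULL").fetchone()[0]


def demo():
    """Two different end users act through one pooled connection; only the
    reworked code path leaves a usable accountability record."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    raise_limit_naive(conn, 1, 5000)                 # done for 'alice', never recorded
    raise_limit_attributed(conn, "bob", 2, 9000)     # end user recorded
    return audit_rows(conn), unattributed_changes(conn)


if __name__ == "__main__":
    rows, missing = demo()
    for row in rows:
        print(row)
    print(f"{missing} change(s) with no accountable end user")
```

Run with `python3 audit_pool_demo.py` (any file name works). The first audit row carries `app_svc` and a NULL end user, which is all a native trigger sees; the second carries `bob` only because the application was changed to set and clear the context around the statement, which is exactly the "extensive reconfiguration and redevelopment of applications" the paper warns about, and which every code path that touches the table must get right.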

SecureSphere: The Clear Choice

Meeting the rigorous demands of modern database audits

SecureSphere provides companies with an effective and practical solution to meet their auditing requirements. SecureSphere installs as a fully self-contained appliance with no impact on the database, application and network environment. Additional hardware and software are not necessary. With SecureSphere, the databases and servers are unaware that a new audit mechanism has been installed, making SecureSphere cost-efficient, secure, and independent of the systems being audited.

SecureSphere is easy to install and maintain on an ongoing basis. Audit rules are built automatically without the need for manual intervention. This allows organizations to implement an audit solution in a matter of hours instead of weeks. Audit rules are updated automatically based on normal changes to the database environment, making ongoing maintenance very simple. Expensive, highly skilled resources do not have to be diverted from their primary responsibilities to manage the audit mechanism.

Minimizing the cost of auditing

In addition to meeting all of the auditing requirements and providing significantly greater automation and data security, SecureSphere is also a much more cost-effective solution than native database auditing. Using our example, we illustrate the cost savings that can be achieved by using SecureSphere instead of a built-in database auditing mechanism.

As described earlier, the first major expense related to native database auditing is the cost of additional infrastructure. With a conservative estimate of 30% performance degradation, the up-front cost of new infrastructure comes out to approximately $1.6 million. While built-in database auditing is advertised as free by the database software vendors, the hidden costs are significant. What is surprising is that approximately 80% of those hidden costs go directly to the database vendor in the form of additional per-CPU database software licenses and related support costs. A small portion of the initial cost of implementing a native database auditing solution comes from the purchase of the required additional server hardware. However, this hardware cost could be significantly higher if the organization's data center relied on expensive proprietary hardware instead of the commodity servers assumed in our cost analysis example.

In addition to hardware and software, the medium-sized business in our example can expect to pay an additional $250,000 annually to set up and maintain the database auditing rules and mechanisms. While this is not as significant as the infrastructure costs, over time it consumes significant budget dollars and diverts expensive resources from their core database management duties. The addition of a single DBA may mean an increase of 25% to 50% in head count for the IT department just to turn built-in database audit on.

In contrast, the cost of implementing SecureSphere in this example environment is much lower. The first-year cost for SecureSphere includes the cost of the appliance, annual support and licensing, totaling $60,000. Ongoing maintenance of the implementation is also lower than the amount spent on maintaining the native mechanisms, coming in at approximately $20,000 a year. Unlike the built-in auditing mechanisms, the management of SecureSphere does not require any specialized skills.

The Comparison

The following tables illustrate the costs associated with native database auditing and SecureSphere over a five-year period.

SecureSphere Financial Model Results

Five Year Costs Pro Forma for Native DB Audit

                                Year 1      Year 2     Year 3     Year 4     Year 5
Additional Hardware Purchase    $62,500
Additional Software Licenses    $1,250,000
Additional Support Costs        $250,000    $250,000   $250,000   $250,000   $250,000
Manual Maintenance Costs        $60,000     $60,000    $60,000    $60,000    $60,000
Total                           $1,622,500  $310,000   $310,000   $310,000   $310,000

Five Year Costs Pro Forma with SecureSphere

                                     Year 1     Year 2     Year 3     Year 4     Year 5
SecureSphere Purchase                $50,000
SecureSphere Software/Main Support   $10,000    $10,000    $10,000    $10,000    $10,000
SecureSphere Administration Labor    $20,000    $20,000    $20,000    $20,000    $20,000
Total                                $80,000    $30,000    $30,000    $30,000    $30,000

Total Cost of Ownership and Savings

Present Value of Native DB Audit    $2,180,472
Present Value of SecureSphere       $144,043
Cost Savings                        $2,036,430
% Cost Savings                      93.4%
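The paper reports present values rather than the simple sums of the two tables, but does not say which discount rate or convention it used. The script below is an added example, not part of the paper, that reproduces its present-value, savings and percentage figures from the two cost streams and then shows how the savings percentage moves with the discount rate. The 15% rate with end-of-year discounting is an assumption: it is the rate that reproduces the paper's numbers to the dollar, not one the paper states.

```python
"""Added example: reproduce the paper's five-year TCO present values and test
how sensitive the savings percentage is to the (undisclosed) discount rate."""

# Annual cost streams copied from the paper's two pro forma tables, year 1 to year 5.
NATIVE_AUDIT_COSTS = [1_622_500, 310_000, 310_000, 310_000, 310_000]
SECURESPHERE_COSTS = [80_000, 30_000, 30_000, 30_000, 30_000]

# Assumption: the paper does not state its discount rate or discounting convention.
# A 15% rate with every year's cost discounted at end of year (the year-1 cost
# divided by 1.15 once) reproduces the paper's present values to the dollar.
ASSUMED_DISCOUNT_RATE = 0.15


def present_value(cash_flows, rate):
    """Sum of each year's cost divided by (1 + rate) ** year, with year starting at 1."""
    return sum(cost / (1 + rate) ** year
               for year, cost in enumerate(cash_flows, start=1))


def compare_tco(native_costs, alternative_costs, rate):
    """Rounded present values, savings and savings percentage.

    Savings are taken from the unrounded present values and rounded last; that
    is why the paper shows $2,036,430 rather than $2,180,472 - $144,043 = $2,036,429.
    """
    pv_native = present_value(native_costs, rate)
    pv_alt = present_value(alternative_costs, rate)
    savings = pv_native - pv_alt
    return {
        "pv_native": round(pv_native),
        "pv_alternative": round(pv_alt),
        "savings": round(savings),
        "savings_pct": round(100 * savings / pv_native, 1),
    }


def savings_sensitivity(native_costs, alternative_costs, rates):
    """Savings percentage at each candidate discount rate. Rate 0.0 is the plain,
    undiscounted total, so the reader can see the conclusion does not hinge on
    the rate the paper left unstated."""
    return {rate: compare_tco(native_costs, alternative_costs, rate)["savings_pct"]
            for rate in rates}


if __name__ == "__main__":
    result = compare_tco(NATIVE_AUDIT_COSTS, SECURESPHERE_COSTS, ASSUMED_DISCOUNT_RATE)
    for key, value in result.items():
        print(f"{key:>15}: {value:,}")
    print(savings_sensitivity(NATIVE_AUDIT_COSTS, SECURESPHERE_COSTS,
                              [0.0, 0.05, 0.10, 0.15, 0.20]))
```

Because the native stream is so front-loaded (about 57% of its five-year cost falls in year 1), discounting lowers both totals but barely changes their ratio: the savings percentage sits at 93.0% undiscounted and 93.4% at the assumed 15%. The model's weak point is not the rate but the inputs, in particular the 30% performance-degradation estimate that drives the $1.25 million of extra licenses; anyone reusing the model for their own environment should replace those cost streams with measured figures.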

Summary

Intuitively, organizations would expect native database mechanisms to be an economical way to achieve database auditing, because the software comes with the database servers. As this paper has shown, the reality is that this is a serious and costly misconception. With the hidden costs, the free native auditing mechanism ends up being extremely expensive and cumbersome. With the lure of an inexpensive solution, the database vendors capture follow-on revenue through the sale of additional database software licenses. Furthermore, the complexity and overhead associated with the setup and maintenance of a native solution typically relegate an organization's database auditing activity to a small portion of its actual infrastructure. This leaves most of the enterprise unmonitored, which can be a costly decision from a risk management perspective.

In contrast, Imperva's SecureSphere provides a comprehensive and independent auditing solution that is easy to deploy and manage. SecureSphere is a practical, cost-effective solution for businesses with database auditing requirements. If you would like to apply this TCO analysis to your own organization, please call Imperva at +1-866-926-4678 or send an e-mail to sales@imperva.com.

For More Information

For more information on Imperva SecureSphere Database Monitoring Solutions, see http://www.imperva.com/products/securesphere/database_monitoring_gateway.html.

US Headquarters                  International Headquarters
950 Tower Lane, Suite 1550       12 Hachilazon Street
Foster City, CA 94404            Ramat-Gan 52522, Israel
Tel: +1-650-345-9000             Tel: +972-3-6120133
Fax: +1-650-345-9004             Fax: +972-3-7511133

© 2007 Imperva, Inc. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders. WP_HC-FDBA0101.01