IT Security the Gartner Way...

Sitting here at the Gartner IT Security Summit in National Harbor, MD, something occurred to me. No, it’s not that the Gaylord Center is perhaps the nicest, most expansive conference center I’ve ever been to. And no, it’s not the fact that I was able to book a $300 last-minute ticket into National, something unheard of before this economic meltdown.


Nope. It’s the fact that the sun is out. And it’s shining on IT Security. OK, bad segue.

There’s some considerable buzz here, and a few prevalent themes. Generally speaking, there was the usual buzz about cloud computing and securing those applications.


There was also a major buzz around the capabilities that come out of data-centric security applications like DLP, IAM and SIEM. From a world events perspective, Obama’s appointment of a cybersecurity czar was referenced more than a few times.

The one thread that really ran through every panel, from vendors and analysts alike, was the need for collaborative efforts between security and compliance – and then proving an ROI to your management team from those programs and that spend.

Here are some highlights from the sessions I attended. (More on this in Part II, where I’ll report on some of the analyst presentations.)

First off, one of the keynotes brought up some interesting issues. The session My Role in Information Security stood out because they paired an interesting cross-section of panelists: a security engineer, an auditor, a CIO and a CISO.

Keynotes:

Ken Mory, the Chief Auditor for San Diego County, was an especially interesting panelist. While the others debated security-centric topics, Ken made three points, which I’ll paraphrase here.

  1. Compliance drives budgets – speaking from his own experience at the state level, compliance initiatives help drive security budgets. You need to meet a particular mandate? Well, that opens up spending, period. This was backed up by Daniel Nunez who said the same thing in a SecureWorks-sponsored session – when you have regulatory initiatives like PCI smack you in the face, all of a sudden there’s money.
  2. Ken also commented that compliance helps managers keep their jobs – learn how to get away from security-centric speak and communicate a clear ROI – and you will get what you need.
  3. Lastly, and most interesting, was that he sees the IT department as the biggest threat to organizations – no, not external attacks, no, not malware, but the IT department itself.

Great stuff, Ken; it’s refreshing to hear it stated so cut and dried. Now, why isn’t every CISO up all night worrying about compliance?


The other panelists had some good points too. Eric Cowperthwaite, CISO of Providence Health and Services, made the point that security really is the ultimate centralizing force within an organization, where every other department is fragmented and decentralized. Basically, he’s saying that if you embrace this, you can win the battle.

Another interesting point in this keynote came up based on an audience question, which was around securing the cloud. Jeff Goeke-Smith, a security engineer from Michigan State, said that essentially, from the security operations side of the house, all that means is just sticking a whole bunch of apps in someone else’s data center.

Good stuff for a keynote, when typically these are too high-level for their own good and don’t accomplish much. I have another post coming in which I’ll review a few analyst and vendor presentations. Stay tuned.

June 19, 2009

Healthcare System Going HITECH

There’s been no shortage of announcements on data security out of the Obama administration since he took office. It’s good to see data security’s a priority, but there’s a slew of new initiatives we could probably write a book on at this point.


One particularly interesting initiative that was part of the Reinvestment Act is the HITECH Act, otherwise known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. Essentially, incentives have been put in place for healthcare providers and hospitals to digitize their health records. HIPAA compliance has never been as important as it is now.


Under HITECH, the economic stimulus program provides nearly $20 billion in funding for HIT, including:
– Up to $44,000 per physician for organizations that implement certified EHR systems
– Potentially more than $10 million for hospitals that implement certified EHR systems


Incentive payments are highest for physicians or hospitals that implement (and demonstrate meaningful use of) systems by 2010 and decline each year until 2014, after which time penalties begin to accrue for non-implementation.


AppSec presented a webinar with KPMG on this topic last month to resounding reviews. We haven’t seen many vendors focus on this topic, but it’s possibly one of the most critical data protection and privacy issues organizations have had to contend with in some time, at least as far as electronic health records are concerned.


What no one is discussing is the migration to EHI on such a potentially massive scale. Are some IT organizations going to skip steps along the way? Will the incentives blind them so that they don’t take the necessary steps to protect that data and comply with HIPAA? And will it make patients more vulnerable if their data isn’t secured?


To demonstrate the increasing importance of HIPAA compliance to protect health information, our own research study showed that a third of respondents failed a security audit of some type, but that almost 40% specifically failed a HIPAA audit. 


This points to just how critical HIPAA compliance has become for organizations, and it also speaks to how stringent the standards within HIPAA are. If you look at the fact that over the past 2-3 years over 40% of respondents have failed a compliance audit, it demonstrates that organizations aren’t prioritizing their security and compliance needs, and most aren’t implementing the required levels of protection.


With only a quarter of providers and hospitals currently classifying records electronically, what if only a fraction of providers nationwide skipped steps on their way to going digital?

It’s worth mentioning that organizations found in violation of HIPAA-mandated security measures will incur penalties and collateral damages 10-20 times higher than the cost of HIPAA security compliance. This is important as those entities migrating to electronic records will also be held accountable to HIPAA mandates under the HITECH Act.


Application Security, Inc. also took a poll of customers and prospects on their feelings on the HITECH Act:


Could the HITECH Act be the catalyst, given the incentives, to make data security a much bigger priority on a global scale?

  • 65% - Yes – protecting data will become a global priority as a result
  • 10% - No – it won’t make a difference
  • 26% - the catalyst will be a large-scale data breach

Will steeper fines set forth by the HITECH Act in accordance with HIPAA get more organizations to comply?

  • 87% - Yes
  • 13% - No


Would you say the HITECH Act will:

  • Benefit rather than be a hindrance to IT organizations at hospitals - 46% yes
  • Become an obstacle and cost hospitals/physicians more in terms of infrastructure build-out - 49% yes
  • Actually make sensitive health information more secure when providers are in full compliance - 49% yes

Application Security, Inc. and KPMG have posted some additional resources that will help guide your organization through some of the finer points on the HITECH Act, as well as what you should be looking at relative to the database layer.


Is moving toward EHI a good thing? Absolutely. But there’s going to be a lot of data to secure, and to ensure compliance with much stricter HIPAA requirements. We plan to stay on top of this issue and will post more resources soon. Data HAS to be more secure electronically than it is on a piece of paper in a manila folder!!

June 01, 2009

Obama Administration Cybersecurity Plan Announced

Just to add to this post - the shortlist of candidates to take the cyber-czar position has been announced.

So at RSA we all knew it was coming. And then, BAM!! There it is, smacking us in the face with all its might...the Obama Administration Cybersecurity Plan. So, are we all supposed to think that we’ll be a little safer from the universe of cyber criminals who stalk consumers and organizations every day?

Well, no, but there actually, maybe, could be, possibly...hope. What the plan outlines, which is probably most important, is the collaboration between the federal and the private sectors. This has long been a difficult place to seek alignment of ideals, concepts and whoa, maybe technology?

Forrester’s Andy Jaquith has an excellent synopsis of the plan’s announcement. What Jaquith points out is that FISMA policies and regulations are in many ways inadequate (and not just because they don’t explicitly call out the database), and that the focus on compliance has really hampered the effectiveness of these guidelines, judging by recent attacks on government systems like the FAA’s.

But the plan is much more about elevating the level of importance of cybersecurity, essentially overhauling who is responsible and giving someone the authority to make the changes necessary to enforce new security standards.

What many pundits have argued might be a stumbling block is that the new cybersecurity czar, who’s yet to be named officially, has to report to two agencies - the National Security Council and the National Economic Council.

With both agencies pushing dual agendas that ultimately align in many respects, progress is likely, based on the state of the economy and the havoc that massive data attacks can wreak on individuals and organizations.

As the plan outlines the need for increased education, you tend to scratch your head…but with incentives for private sector innovation, this is where the plan gets serious because we all know that innovation is driven out of the private sector – and this helps everyone.

You’ll see that a number of media outlets covering the announcement of the plan looked to AppSec, not surprisingly, for some valuable commentary, including USA Today and New England Cable News. AppSec will continue to support the government's efforts in their acknowledgement of the state of cybersecurity...

May 08, 2009

Infosec Europe - The Highlights

Just a few short days after RSA, we hit Infosec Europe 2009. A little better facility in Earl’s Court than last year’s Olympia (and the roof doesn’t leak).

Similarly to RSA, there didn’t seem to be one dominant topic threading through the conference, but a few that sparked some conversation. Future attacks were right up there, along with securing the cloud.

For starters, we saw that fear is alive and well overseas as former UK home secretary David Blunkett warned of massive cyber attacks on an unprecedented scale at the 2012 London Olympics. He certainly got things going, saying people defending disparate systems could be outsmarted by a coordinated attack on those systems, due to the distribution and number of different technologies that need to be defended.

Specifically he warned of hacks on ticketing systems, the transport system, hotel bookings and communications that could result in "chaos." Could this be a case of actually inviting hackers to the table by referencing all the different systems they could potentially penetrate? On the other hand, it’s probably just another day in the office for attackers.

Security pundit Bruce Schneier got some face time at Infosec, saying that, among a few things, security is headed to a services model – essentially outsourced. This dovetails into the cloud discussion where a lack of standards around cloud computing means a lack of standards around securing the cloud. But he warned that this shift toward the cloud was inevitable for organizations globally because of the massive cost savings that cloud computing offers.

Sophos was touting their survey that found that a quarter of companies have fallen victim to spam, phishing or malware attacks via social networking sites. They were also stating that individuals are responsible for TMI (too much information) being shared on those sites. That’s all well and good, but to be honest, other than rumors and tiny bytes of data, I don’t think any attacker is looking at information on Facebook and thinking, “Oh yeah, I can sell this.”

No sightings of the Queen, Amy Winehouse, or Gordon Ramsay unfortunately. But all in all, a decent forum for security vendors.


April 24, 2009

RSA 2009 Ramblings (Days 2 & 3)

More on RSA 2009…

As RSA continued through Wednesday and Thursday, an air of optimism seemed to be resonating with most of the vendors and end users: IT Security still has a place in the budget at most organizations. It’s great news for all, and we heard from quite a few folks that they were having the most qualified conversations with buyers they’d had at a trade show in a long time.

Although, it’s safe to say that there were a few folks who quipped to me, after I had asked the obligatory “so how’s RSA going for you?” question, that things were slow. Well, that, my friend, could be because you are selling encrypted USB drives. Or you were trying to sell security solutions with booth babes (yes, companies still do this, even at security shows).

In fact, it would probably be fascinating to sit in on the post-RSA meetings for the companies who did hire booth babes. “So did our message come across to buyers? Did they understand our value proposition?” Either there was consensus that these were times of desperation and they needed sex to sell, or it was April 19th and they scrambled to hire some modeling agency. Maybe they should have just staged a mock protest instead.

OK, of real importance at RSA, days 2 & 3…

The much-anticipated Melissa Hathaway keynote, although encouraging in many ways, wasn’t as detailed as some would have liked because it was expected that she’d lay out the Obama administration’s plan to address national cybersecurity issues. What she emphasized most was that the commercial, government and academic sectors would have to come together to effectively mitigate the seemingly insurmountable threat environment.

She challenged the vendors at RSA to help come up with innovative ideas and solutions. She challenged government officials not to ignore this problem, especially in the current economic climate. It appears they’ll be creating a new Pentagon cybersecurity command station, and they’ll unveil the overall US cybersecurity plan this month sometime. So while it left folks wanting more, we’ll see what the plan addresses in depth soon…

Also there was a little more banter around cloud computing and virtualization and being able to secure those frameworks. Virtualization was the buzz last year, and the discussions haven’t gone away. 

Anyway, a decent set of recommendations from the Cloud Security Alliance was unveiled that should kick-start a framework for organizations to follow in securing their cloud environments.

Kaspersky is behind a new media model/content aggregator that could pave the way for other vendors to follow suit. Threat Post is headed up by former eWeek writers Dennis Fisher and Ryan Narraine, with ‘punditry’ content coming from a slew of security vets. Kaspersky isn’t branding this at all, but it seems like an interesting concept that will challenge the trade publications in reporting styles and content delivery.

Lastly, the McAfee party rocked, again. And it wasn’t just the free beer. If you like rock and roll, it was impossible not to like Anthem, a classic rock band that literally lugged stadium-level sound equipment into a small club Mezzanine that surprisingly didn’t shatter windows from the extremely high decibels they were playing at. Stairway to Heaven, check. Hot Blooded, check. Bohemian Rhapsody, check. All this while they had their own music videos for each and every song projected onto one wall of the club, synched precisely with the live performance. Brilliant marketing. I probably need a hearing aid now though.

The bar has been set pretty high to top RSA 2009 next year...


April 21, 2009

RSA 2009 Ramblings

It’s that time of year again…the trees are budding, folks are exiting the winter doldrums and the RSA conference is back again. Yep, every IT Security vendor from New York to Norway, Boston to Budapest and California to Canada is trying to tell you how their solutions will help your organization secure something. 

Some observations from Day 1…

First off – the major news publications are paying attention to our announcement of AppDetectivePro 6.0 User Rights Review.

Oracle acquiring Sun has somehow dominated the conversations on the exhibit floor and in the briefing rooms. With this announcement, Oracle has managed to dominate headlines at RSA, and it’s not exactly a security play.


However, there was definitely some banter on the Pentagon hack of their F-35 Lightning II jet fighter project data. What had some folks buzzing was the Journal article’s startling statistic that the government experienced 18,050 breaches last year.

Compliance is king. We’ve been saying it at AppSec for quite some time now – but honestly organizations MIGHT be getting it now. You can’t silo compliance and security separately – smart companies get this, like us! But it never ceases to amaze when companies integrate half-baked compliance language into how they position themselves…

We met with Byron Acohido of USA Today/Last Watchdog blog today – if you aren’t reading his articles (or his book) you are missing out. http://lastwatchdog.com/ It’s interesting listening to what he’s working on, because he is a guy who wants to get inside what is REALLY happening in the hacker universe – what are they doing, how, and how the heck do we stop them? (Um, protect your database environment.)

There’s a lot of anticipation for Melissa Hathaway’s keynote tomorrow on her review of President Obama’s cybersecurity plan. There’s a lot at stake to determine the key areas of focus, not to mention the $$$ supporting this plan.

Flower power - FaceTime staged mock protests across the way from our booth, complete with sit-ins and a guy strumming a guitar. When did the Moscone Center become part of the Haight?



December 31, 2008

Patch 'em up, Patch 'em up....

By Josh Shaul

Every couple of weeks I hear a complaint from a DBA that they have been flagged for a security violation for not running the latest database patch. It usually goes something like:

“I got written up for a high-risk vulnerability because I’m running one or two patches behind the database vendor. I think it’s unfair and more to the point just plain wrong. I checked out the readme files for the missing patches, and there is no listing of any security fix at all, or at least not one that applies to my system.” 

At first glance, this sounds like a pretty solid argument. Why should someone get written up for a serious security violation for missing a patch when it appears that the patch has no security implications? The problem is, sometimes a patch is more than it appears or claims to be. Database vendors – actually, nearly all software vendors – release patches for their software periodically. Generally there is some description of the patch, what it’s for, etc. The part that most folks don’t realize is that software vendors make no promises about fully disclosing what changes go into each patch. Some companies choose to document all changes; however, most choose to document only the changes that are directly related to issues reported by customers. Issues uncovered internally are generally patched without any notice. This includes both functional bugs and security vulnerabilities.

There was recently a good example of this with the Oracle July 2008 CPU. In that CPU at least one undocumented issue was fixed: a flaw in Database Vault that allowed a DBA to bypass the vault protections and gain access to all the data in the system. If you’re not familiar with Database Vault, it’s a special kind of Oracle database designed to segregate database management from the data being managed. Basically, it’s a tool to keep DBAs from looking at sensitive data in the database. The flaw that Oracle corrected made it trivial for anyone with DBA rights to gain access to any data in the database.

This is important to know about. The vulnerability Oracle fixed is a fairly big one, but it only impacts Database Vault. In the grand scheme of things, for the database community at large, this was a fairly minor issue. Maybe that’s why Oracle chose not to document it. Not enough deployments of Database Vault to make it worth their while? Embarrassing to fix a vulnerability in a security bolt-on for the database? Who knows. Thing is, if you’re running Database Vault to protect your organization’s crown jewels, I’m sure you would want to know about this issue. Otherwise you may choose to skip the patch, and that’s really the point of this post.

Those complaints that I get about missing patches causing security violations always get the same response: “You can’t trust the vendor to fully disclose what a patch fixes, so you should assume the worst case and patch if you want to ensure your systems are protected.” That’s the bottom line. Missing patches, no matter what the readme docs may say, should always be viewed as a security violation. Not doing so leaves you open to getting bitten on the you-know-what.
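As an added illustration of that rule (this is example code written for this page, not code from the post or from Application Security, Inc.’s products), here is a small Python check that treats any missing quarterly Oracle Critical Patch Update as a High-severity finding, whether or not the patch readme documents a security fix. The quarterly CPU naming (January, April, July, October) is real; the host inventory and the helper names (parse_cpu, quarters_behind, assess_host, run_report) are constructed for this example.

```python
"""Patch-level check that ignores what the readme claims.

Added example, not Application Security, Inc.'s own code. The Oracle CPU
cadence (quarterly: Jan/Apr/Jul/Oct) is real; the inventory below is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Map the CPU month to a quarter number so labels can be ordered.
_CPU_QUARTER = {"jan": 1, "apr": 2, "jul": 3, "oct": 4}


def parse_cpu(label: str) -> Tuple[int, int]:
    """Turn a CPU label such as 'CPUJul2008' or 'July 2008' into (year, quarter)."""
    m = re.search(r"(jan|apr|jul|oct)[a-z]*\s*(\d{4})", label, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised CPU label: {label!r}")
    return int(m.group(2)), _CPU_QUARTER[m.group(1).lower()]


def quarters_behind(installed: str, latest: str) -> int:
    """How many quarterly CPUs are missing between the installed and latest level."""
    iy, iq = parse_cpu(installed)
    ly, lq = parse_cpu(latest)
    return max(0, (ly - iy) * 4 + (lq - iq))


@dataclass
class Finding:
    host: str
    installed: str
    latest: str
    behind: int
    severity: str
    note: str


def assess_host(host: str, installed: str, latest: str,
                readme_lists_security_fix: bool) -> Optional[Finding]:
    """Return a High finding whenever a CPU is missing.

    The readme flag only changes the explanatory note, never the severity:
    as the post notes, vendors silently fix issues (the Database Vault flaw
    in the July 2008 CPU being the example given).
    """
    n = quarters_behind(installed, latest)
    if n == 0:
        return None
    if readme_lists_security_fix:
        note = "vendor readme documents a security fix"
    else:
        note = "readme lists no security fix; assume undisclosed fixes and patch anyway"
    return Finding(host, installed, latest, n, "High", note)


# Constructed inventory: (host, installed CPU, does the readme mention a security fix?)
SAMPLE_INVENTORY = [
    ("db-prod-01", "CPUJul2008", False),
    ("db-prod-02", "CPUApr2008", True),
    ("db-prod-03", "CPUOct2008", False),
]


def run_report(latest: str = "CPUOct2008",
               inventory=SAMPLE_INVENTORY) -> List[Finding]:
    """Assess every host in the inventory against the latest CPU level."""
    findings = []
    for host, installed, documented in inventory:
        f = assess_host(host, installed, latest, documented)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.host}: {f.severity} - {f.behind} CPU(s) behind "
              f"({f.installed} vs {f.latest}); {f.note}")
```

Running it against the constructed inventory flags db-prod-01 and db-prod-02 at the same severity even though only one of their readmes mentions security; db-prod-03 is current and produces no finding.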

So if Oracle didn’t disclose the vulnerability or the fix, how do we know about it? Well, therein lies the folly of the partial disclosure approach. A smart security researcher (Alex Kornbrust) found the vulnerability on his own. He reported it to Oracle, and they responded by telling him that this was a known issue that was (silently) fixed in the July 2008 CPU. Oracle is getting better about this kind of stuff, but they still have some room for improvement. I hope that as their security processes continue to mature, they’ll become much more open about what security issues they are fixing with each patch.

It’s got to be a little embarrassing when one of these “secrets” gets out. Oracle has taken so many big steps to improve the perception that they are very serious about security (no doubt Oracle IS very serious about security), but when this kind of thing happens, it reminds folks of the dark days when security issues were swept under the rug, and that’s not good for anybody.

Interested in learning more? Check out Alex’s blog post about this and another issue with database vault:

http://blog.red-database-security.com/2008/11/21/oracle-database-vault-privilege-escalation-exploit-published/ 

Happy New Year everyone!




December 16, 2008

And the Survey Says......

By Josh Shaul

This week we released the results of our “Database Security Controls” research study, which was run for us by the analyst firm Enterprise Strategy Group (ESG). We sent ESG off to interview global IT decision makers located in North America. They met with 179 companies and asked a set of questions around data and database security. The responses were collected and aggregated for the report. The results are simply astonishing.

A whopping 84% of respondents believed that they have adequate protection in place for sensitive data.

With so many data breaches reported this year, we were surprised to hear that so many folks felt comfortable with the controls they have in place….but if 84% of companies really have adequate data security, we’re all in pretty good shape….Right?

The survey then drilled down into more specific questions. Have you failed an internal audit? Have you failed a compliance audit? Have you experienced a data breach recently? The answers to the specific questions painted a very different picture. More than 50% of the organizations surveyed experienced a data breach in 2008. I repeat, more than 50% experienced a breach this year, while at the same time, 84% claim to have adequate security. Adequate means enough to get the job done…..Right?

And it’s not just data breaches.

48% failed internal audits. 42% failed payment card industry audits. 38% of federal agencies surveyed failed FISMA audits. The number of failures presents a huge problem on its own, but couple that with the false sense of security that the IT community has built around its data, and we really have something to worry about. The amount of data at risk is staggering. For those of you who have experienced a data breach this year, or who regularly fail key components of your audits, stop feeling secure. If you haven’t done something drastic to correct the situation, you’re likely a soft target just waiting to be spotted.

There are signs of hope.

There were some real signs of hope within the survey results. 76% of the organizations we spoke with said that they plan to place purchasing priority on database security solutions in 2009. Wait, didn’t 84% say they already had adequate security?? Maybe folks aren’t burying their heads in the sand after all.

Grab a copy of the survey results from our webpage.


December 02, 2008

Beanbags and Database Security. A discussion at CSI 08.

By Josh Shaul.

The week before Thanksgiving I led a session at the CSI 08 conference in Washington, DC. It was set up as a group discussion in a small room with bean bags instead of chairs, a relaxed atmosphere designed to foster a philosophical discussion. In reality, there was one row of chairs at the back of the room, and everyone except one or two folks sat on them. The bean bags were a little intimidating. Once you sit in one of those things, there is no telling if you’re ever getting up.

Decision Making - The Stakeholders

Our discussion was an exploration of who the stakeholders and responsible parties are in a typical corporation’s database security program. We started by reviewing a few recent data breaches, discussing how they happened and how they could have been prevented. With an understanding of the mechanics of a data breach, we began a discussion of responsibilities.

It quickly became clear that not everyone in the audience knew of a database security program at their office. Some even came clean, admitting that they have no such program or effort. Those who did have a plan in place discussed radically different approaches and experiences.  

Group Authority?

A security manager at a large retailer described how his team was responsible for ensuring that databases and other applications are configured securely, in accordance with the requirements of internally developed standards. That was the good news. The bad news was that his group was not responsible for making sure databases had security patches applied. That was someone else’s responsibility. His group was also not responsible for auditing access to databases or monitoring for attacks. Those activities would also fall to other groups, if they were in place at all; he wasn’t sure.

Split up Responsibilities

Another member of the audience described a policy that mandates some basic database security requirements, such as strong passwords and access controls. The policy is fairly solid, but no one is responsible for ensuring that it is implemented. Some systems are likely in compliance, others are not. The only people who have a chance of knowing are the system owners, and the scope of their knowledge is very narrow: they only know about the systems they personally own and manage.

Clear ownership, No ownership

We also heard from a utilities company where there is clear ownership of policy development, database assessment and auditing, but nobody responsible for remediation or risk reduction. This group made an investment in technology and processes to measure their security posture, but gains very little return from that investment because they rarely fix the problems they find.

Does anyone own database security? 

According to the group I met with, no one person ultimately does. It boils down to a shared responsibility between operations teams (database admins), IT security teams, and often audit / compliance teams. The group agreed that picking a vocal leader for each of the major functions of a database security program (policy development, assessment, auditing, monitoring, and remediation) is a critical step.

Ensuring that the leaders communicate and cooperate, and are held accountable when their functions don’t deliver is the ultimate key to a successful program, but is often the biggest hurdle to overcome.

November 13, 2008

Kidnapping your Data

Why do people rob banks? According to debonair American bank robber Willie Sutton, “because that’s where the money is.”

Cybercriminals think the same way about the enterprise database, and they do not need a gun.

The Cyberextortionist Case of Express Scripts
There are different ways cybercriminals can attempt to monetize their theft. In a current case involving St. Louis-based Express Scripts, a breacher is demanding an undisclosed ransom for the company’s data. Express Scripts has put the pressure back on the thief by offering a $1 million reward for his or her capture.

How did Express Scripts find out about the breach? According to its web site, the extortionist sent Express Scripts a letter with a sample of 75 customer records back in October of 2008. The letter also threatened to publicly expose millions of the company’s members’ records if an extortion threat was not met.

Read the Full Story

Lessons Learned
It is unclear which data security policies were in place at Express Scripts. No security system is perfect. As a best practice, this story paints a picture of why organizations can't be proactive enough about assessing data vulnerabilities and monitoring for breaches.

By assessing vulnerabilities, enterprises can see where the security holes exist. You can bet that when a bank robber is looking for the easiest way to rob a bank, he or she looks for the weak spots. A data thief does the same thing. And by monitoring for threats, organizations can be alerted to breaches as they happen.

As a side note, I wonder where Willie Sutton would focus his efforts today.

October 21, 2008

Getting Back to Fundamentals – Shouldn’t That Mean…Prioritizing the Database?

I recently read a post on ZDNet by Adam O’Donnell where he offers up some predictions on the IT Security sector in the wake of the broader economy struggling. Sorta got me thinking about how people view security in general, and from his perspective, where the thinking around security integration is headed. That is, integrating sound security practices and solutions into an overall framework designed to protect your core assets – your data.

We’re seeing a whole lotta ‘well, this is what will happen next year’ arguments, as well as too many ‘well, what we REALLY need for 2009 is’ arguments. Fundamentally, O’Donnell is suggesting that as we face an uncertain economy, security solutions had better be able to address real problems for organizations – I agree. But in the same breath, he suggests that technologies like spam filters and AV software are pretty much recession-proof, hinting these will always be important.

OK, kinda-sorta, but then he goes on to say we don’t need another database security solution. That is where it seems Adam needs a little reality check. First and foremost, as of today, since 2005 we’re up to 245,133,370 data records breached, according to Privacy Rights. To me, the notion of protecting data where it resides on the majority of enterprise networks – you guessed it, in the database – seems like a higher priority for global companies than making sure my spam filter works.

Second, Adam points out that an economic downturn is a perfect opportunity for hackers, particularly against unpatched systems. Well, elevating the discussion to the enterprise level, this is typically a time when attackers are looking for data, and they are looking to break through whatever they can to get at that data in the database, probably not an email server. It’s clear he’s missing the boat - Gartner recently reported that database activity monitoring (one component of the overall db sec market) saw 100% YOY growth in 2007 and that they expect that trend to continue.

If I’m making purchasing decisions for the IT environment at a global company based on my security and compliance priorities for 2009, particularly with less money to spend next year, you can bet I will a) look at what technologies will help me comply with the regulatory initiatives that are pertinent to my organization and b) look for a cost-effective solution to secure my database environment.

ZDNet is a well-respected media outlet, where the reporting is relevant and quick to cover important technology news. But I am questioning some of the contributed commentary. You can’t dog the database security niche in an attempt to score some ink around a broader trend – it’s counter-intuitive to the overall argument and it speaks volumes about the misunderstandings of business-critical markets like db sec. We have more educating to do in 2009… Did I forget to mention the author works for Cloudmark, which secures messaging apps?