IBM Security Guardium Data Protection Reviews

• Monitors database activities of end users who are connected to databases (DBAs and developers)
• Classifies critical objects on the databases
• Discovers databases on your network
• Finds vulnerabilities of your databases
• Blocks critical activities

• Helps us define and monitor critical data in the environment, even when stored in RDBMS, big data, or unstructured files.
• Helps us to pass compliance audits, such as like HIPAA, SOX, and PCI.

The blocking and dynamic data masking features need improvement.

I am working as an IBM partner. We have provided solutions for nearly 50 customers for five years. Most of our customers are banks and telecoms.

IBM Security Guardium is a mature product. Although it needs agents on the server to monitor their database or file traffic, we did not encounter serious issues so far.

IBM has three layers for Guardium support. In critical cases, technical support analyzes the issues very quickly to find a solution.

I did not use another solution before this one.

The setup is straightforward. There is an ISO file that is developed by IBM that contains all of the OS and Guardium application files. All that remains to be done is to configure the post-installation settings.

Licensing is the worst part of the product. This is because IBM uses Processor Value Units (PVUs) to calculate the license. The customers complain about this.

In the latest version of the product, there are four types of licenses:

• DAM (Database Activity Monitoring)
• DAM Advanced
• FAM (File Activity Monitoring)
• FAM Advanced

If you only need database activity monitoring, then DAM is enough.

If you need blocking and masking features, you will need the DAM Advanced license.

I did not evaluate other options. I am an IBM partner.

There are three main steps when implementing a Data Activity Monitor (DAM) solution.

1. Discover and Classify: Find your databases in your environment, and decide which one of them has confidential data that you need to monitor. Classify your data in your database if it includes critical data like personal ID, credit card, or IMEI numbers.
2. Monitor Activities: Monitor all end-user activities while developing your policy rules and critical activities.
3. Block Critical Activities: Define and block critical activities to prevent data leakage.

All the features are useful for the customer and they have many use cases, especially for DB protection.

They have a module called Redaction. For query rewriting, it can protect some data stored in the table by the DB admin to return the masked data, in case he tries to view our customer personal information such as phone numbers,names, account number etc.

In some cases it blocked the bad user from deleting or copying data , For example, in use cases to block creation of the users on the DB without filing forum/ following the company policy.

It provides the customer to help secure the DB, especially for the multi-DB environments. It also provides visibility for the DB activity, secures the customer information in the DB, from any privilege misuse by an insider.

The FAM module needs to be improved. This module is for file activity monitoring and here if IBM would focus on marketing this part, it will be good as the end-user can monitor any configuration file in servers and not only the DB.

I have used this solution for around six years.

Some issues have been experienced but no big issues as such. The solution is 90% stable.

We have not encountered any scalability issues.

I would give the technical support a 9/10.

The setup was very easy. It took us around one day to set it up and running.

You should make sure of the DB size before you buy the product. It is also important to define the requirement very carefully as it could affect the sizing. You should make sure of the monitoring mode that they would like to apply.

We looked at the Oracle and Imperva solutions.

Take care of the scope and the monitoring mode. Also, if the size of the DB is high then do not do it over virtual.

Heterogeneous support for data activity monitoring. I have not been able to find any other product that can monitor as many platforms from one application. Guardium can monitor Windows servers, Linux, Unix, mainframe, and big data environments from one policy. Guardium captures data access activity across networks and local connections.

We now have one go-to application for all data monitoring. This has decreased the number of skills needed and enabled a faster route to compliance. Reporting is automated and activity alerts are routed to the appropriate responders.

While Guardium is great at structured monitoring (DAM), the product is lacking features on the file activity side (FAM). We would also like to see tighter integration with Active Directory and Exchange monitoring.

I have been using Guardium for seven years.

We had some minor issues with earlier versions around agent compatibility. These were solved through support.

Guardium scales easily. Simply add another collector appliance and the system will balance the load across all available appliances.

IBM support has been responsive and we rarely need to escalate.

Previously, we were using home grown scripts and native database tools. The issue with this approach is the need for expertise on every platform and ending up with dozens of tools to manage.

Guardium is an enterprise class product and, with that, does require some training. I would suggest any enterprise looking to implement Guardium to purchase some amount of services. There is an option for Quickstarts. Once you understand how the agents work and have setup the first few, the rest are relatively simple. The real work is aligning your business goals with the Guardium policies you create. We often know we need to monitor a system but are not exactly sure what policy is needed. There has to be collaboration between IT, business owners, and compliance.

Previously, Guardium fell under the IBM PVU license model. This was complicated to license and costly. The new license structure is per server and includes all features. Now we simply count the number of servers to monitor and purchase accordingly.

Besides native database auditing, which is very resource intensive, and homegrown tools, there are not a lot of options out there. The closest competitor is Imperva. Imperva is a close second. We chose Guardium over Imperva based on the ability for greater custom reporting, more platform support, and better integration with other IT tools.

Buy services. You do not need to have services for the entire implementation, but, at a minimum, invest in the Quickstart option to get up and running and to provide knowledge transfer. Once Guardium is installed on a few systems, it is very easy to add and manage.

It captures all data requests regardless of the source and consolidates them for analysis.

The ability to audit across multiple data environments led to a greater understanding of the data traffic and the potential weaknesses in the access controls. This eased the creation of audit trails for customers.

Reporting has always been a weakness, but it has improved across the versions. In early versions, the reporting always seemed like a late add-on, and the graphics were poor. This has improved over the years and the reporting is a lot better now, with greater filtering and display options.

I have used this solution with various clients for ten years.

There were issues with stability of the agent software in previous versions, but it is less of an issue now.

The only issues are when users have not maintained the collection policies or the archiving and aggregation policies correctly. Units can fill up if not maintained and managed.

Over the years, it has changed many times, but the US support is very good.

I have often replaced internal database auditing features with Guardium. The main reason for the switch was to segregate the auditing from the database administrators.

It is very dependent on the environment in which it is being installed. It can be complex if users do not take the time to build their policies carefully.

Take your time. Think about the elements you want to audit. Don't just audit everything. Understand the normal traffic, so you can focus on the abnormal traffic.

The main features are database activity monitoring and firewall feature blocking.

I'm working as a consultant for security products. I'm not a user of this product. Guardium is helping customers to get insights into who is accessing company data, when they are doing it, and from which location.

Guardium can block malicious connections to the databases. For example, if someone is accessing sensitive data in a production database during non-working hours, Guardium can block this connection.

I would like to see a better GUI. IBM is working on GUI improvements with every new release.

I have used this solution for five years.

I did not encounter any issues with stability.

The system is scalable.

Technical support is fast and responsive. The typical response time is less than two hours.

The initial setup is relatively simple. It depends on how many collectors and aggregators are in the setup and the number of databases included in the monitoring solution.

After the initial setup, the level of complexity depends on the customer’s needs.

Ask for a PoC project and then decide.

It’s available as a hardware appliance as well as software. This provides flexibility as to how you want to deploy the tool.

It can automatically locate DBs, as well as discover and classify sensitive data.

Data Activity Monitor covers what appears to be every DB imaginable, even data warehouses and file shares.

It allows administrators to enforce trigger alerts built around predefined policies, so that any access to sensitive data can be tracked and blocked if necessary.

It helped control excessive administrator rights to databases and automated the compliance auditing process.

It located/discovered unknown databases and the sensitive data that existed in those databases.

There was a slight performance tax on the system and load balancing could be better. We would also like more robust reporting.

I have used Guardium for six months.

Once it was installed and implemented, it seemed to be a very stable product.

This is definitely a scalable product. You can build out a basic stand-alone architecture with one collector all the way to enterprise wide architecture that covers multiple datacenters and continents.

I never interacted with tech support.

No previous or different solution was used.

If I remember correctly, the setup was a bit complex; not so much the installation, but a lot of tweaking and tuning of policies, setting up traffic filters, whitelisting the traffic, and so on.

I was not privy to this information.

I wasn’t part of the evaluation for the tool.

Try to have a dedicated team. There are a lot of moving parts and you need take a hands-on approach. It doesn’t come configured out of the box.

The Data Activity Monitor is the most valuable feature of this product.

It has the capability to capture database queries and is using policies to feed SIEM tools for deeper correlation and for analysis of cyber security concerns on monitored databases.

It provides our organization with an integrated and tamper-proof audit of logged data to ensure that the database activities are checked and operating according to the industrial best practices.

The maintenance and support aspects of the product need improvement.

Probably, it should be more related to the product patching method. Even though the support service was great, the resolution doesn't comes quick enough to address the client's issue. We understand those resolutions only exist in the next patch version after quality testing. However, till that release comes out, we have to suffer in silence with the bug issues.

I have used this solution for around two and half years.

We have encountered issues with stability.

We have encountered issues with scalability.

I would give the technical support a 7/10 rating.

We were not using any other product prior to this one.

The setup was not straightforward. There was some level of complexity in setting it up.

Ensure what you want to protect, since it is charged as per the database instances.

We evaluated a couple of other options.

I would not like to discuss this much as it affects the other companies' image and integrity. The competitive products have their own good and bad.

You need to know what you want to protect very well.

• Detailed and customizable reports with real-time alerts for the full vision of database/files activity.
• Versatile rules for access control in real-time including blocking, masking, etc.: These rules are really helpful to fulfill enterprise security specifications. With them, you could divide roles, creating safe access zones; manage credentials; and access rules. The rules are easy to develop and customize.

• UI: Version 10 of Guardium was introduced with a new UI that was completely redesigned. Some fast-access functions and options are not easy to find in the new UI.
• Real-time masking is a bit simple and doesn't allow you to create complex masking rules.

I have about one year of hands-on experience.

I have not encountered any stability issues.

I have not encountered any scalability issues.

Technical support is 9/10. I participated in communication with tech support only once.

I did not previously use a different solution.

Initial setup is straightforward. All the commands are simple to understand. The installation guide is simple and comprehensive.

Before choosing this product, I evaluated Imperva products.

This product could by easily used with other security products; for example, SIEM products such as IBM QRadar and ArcSight.