IBM Security Guardium Data Protection Reviews

I like Guardium's document protection features.

Guardium's storage capabilities could use some improvement. I'd also like to have some better integration using digital technology or a connector.

Guardium is scalable. I've been able to integrate it with other solutions.

I have initiated tickets for various reasons, and IBM support was very good.

Setting up Guardium was easy and straightforward. 

It's an enterprise license.

I rate IBM Guardium nine out of 10. I would absolutely recommend the solution to others.

We are a solution provider and IBM Guardium is one of the database products that we implement for our clients. Our customers for Guardium are mostly banks and they use it for PCI compliance.

The most valuable features are the reporting and data-level access control.

The interface is easy to use and the learning curve is not very steep.

The price of this solution is quite high for smaller organizations, so they should release a version that is affordable for small and medium-sized businesses.

I have been working with IBM Guardium for about a year and a half.

The stability depends, in part, on how much the client can give the appliance in terms of resources. Overall, I think that it's a really stable appliance, as long as you keep it up to date with all of the patches and updates.

I have done at least one really large-scale deployments and my impression is that it scales really well. 

I have not personally interacted with IBM's technical support. Normally, my seniors in the company would do that.

The initial setup is straightforward. It took about a month for me to get started on it. I used the resources from the security learning academy to begin.

The length of time required for deployment depends on the scale and the internal processes. The largest that I have done took more than a year to complete, although these clients have lots of stuff happening in their environment that had to be taken care of. At times, things like this put us off of our schedule.

We implement and deploy this solution for our clients. People from the client's side are also required. We have the Guardium Administrator, who is usually the project lead. The client will have database administrators, network administrators, IT staff to set up the appliance, and somebody from information security.

My advice to anybody who is implementing this solution is to start small, with a test environment, and then scale it up. This way, if there is a fault at the beginning then it won't be multiplied by the time you have a larger deployment and are fully integrated. In this way, you will see if it meets the requirements.

Overall, this is a wonderful product.

I would rate this solution an eight out of ten.

We deal with a range of customers and lately the issue of data privacy and user identity has become very important and many companies are now seriously evaluating tools like Guardium. Companies want to know who is accessing database applications and what they are doing. This product is geared towards medium and large size enterprise companies. We're partners of IBM and I'm a company Vice President. 

The ease of deployment is a key feature of this solution. 

With these solutions, flexibility is always an issue and that applies to Oracle and other similar products. Integreon, which is much smaller in size, is likely to be more flexible than IBM. 

There is a big concern here in India about deploying on cloud so the one thing I would like to see in the next release is a fast option from IBM that is hosted from their India cloud data center.

I've been using this solution for a few months. 

I think this is a stable solution. 

It's easy to scale this solution. 

Technical support is good. 

The initial setup is a little complex and requires some effort. It generally involves some customization and configuring and will require good online support. If you have a fair idea of the customer environment I don't think it takes a long time. There is very little, if any, maintenance required if the solution has been configured properly.

This is one of the core applications for customers and is not something like an endpoint security or perimeter security. It's a specialized use case. This is a textured product and the brand equity of IBM means it's reliable. I have long-term relationships with my clients and wouldn't like to deploy something that gives me problems. This is a good product. 

I would rate this solution an eight out of 10. 

The primary use case is for ensuring compliance with databases. It allows monitoring of what kind of statements and alterations are going on, as well as who is accessing what data.

IBM Guardium is useful for organizations that require compliance such as banks, insurance companies, and pension plans. Having it available allows us to focus on those clients.

The most valuable features are data loss prevention and data protection.

From the perspective of analysis and prevention, this product is pretty accurate.

Sometimes the connectors to the databases need to be manually updated and we have to configure them again, which is something that should be improved.

I have been working with this solution for one year.

This is a reliable product.

It is easy to scale. There are more than 5,000 users in total, although it does not run on all of the servers or user workstations.

The technical support from IBM for this solution is pretty good. Support via email is available and overall, it is reliable.

This is the first database security solution that I have worked with.

I found the initial setup to be complex. There are a lot of connections between different components and it is not straightforward. Our deployment took approximately three days.

We had the assistance of a system integrator.

From my experience, I find that IBM Guardium is pretty good and I would recommend it.

The monitoring and analytics capabilities make it a very good product, although we have had intermittent problems with our database connectors so it is not perfect.

I would rate this solution a nine out of ten.

This solution is for database security and protecting the core of the data. It allows us to put in controls to make sure that only the right persons access the proper records in the database. It prevents unauthorized access.

For example, a customer may want to restrict the database so that it is accessible only from within a specific application. This means that the database administrator will not be able to access the data from outside of the application, as is normally allowed by their administrative rights. It can prevent the administrator from seeing or modifying any data for which they are not allowed to do so.

It is also possible to set specific permissions, such as restrictions on the field, table, or record level of the database. Only people with explicit permissions can view or modify the data.

One of our clients is a passport authority, and they were able to successfully apply this solution to detect corruption within their organization. There had been some employees who had been illegally changing the status of some residents in return for money. Once this solution was deployed, they detected that somebody was making those changes in the database, caught the people, and stopped it from happening again. It was a big finding.

This solution has a lot of functionality and there are hundreds of use cases for it. We are talking about the database, which is the main business core for the company that holds all of the data. The features used by any one customer are dependent on their requirements and the relevant regulations.

That said, IBM Guardium has a lot of capabilities, even compared to other solutions on the market. It can do everything from detection to prevention, and it provides reports about this as well.

The biggest complaint that I hear from customers and users is that using this solution requires database skills, yet it is a security and monitoring tool. Specifically, it is a tool that is used for monitoring the database administrator. The database expert will not want you to implement control on top of him, so you instead need to utilize a person from security. However, security people do not have a complete set of database skills. So, there is always a gap in the administration and the person who is going to manage this tool. As such, the person using this tool feels that it is complicated, doesn't know where to go and what to do.

I have heard that the latest version has better support, with better access, and a better GUI that is easier to use than before. At the same time, this is still one of the main concerns that I always hear from the customers.

The second most common complaint that I hear is in regards to the support from IBM. Some of the cases are open for a very long time because they do not have local engineers to come and look at the issues. In our region, my company is providing 24/7 support to help close these gaps. This has strengthened our presence in the market, but in other regions, this is still a complaint that customers have.

The feedback that I have heard from customers, and my team, is that the solution is very stable. It does not require a lot of things after it is set up for the first time. Once it is fine-tuned, you do not need to do much other than generate and show reports.

At the same time, I do still hear complaints directly from customers about stability. Specifically, it has to do with making changes. If there is an S-TAP agent installed on the service then sometimes the configuration needs to be changed. This might be by adding a new rule or policy. After this, the server needs to be restarted. It is impossible to frequently stop and restart a service when it is in production.

My team justifies this by saying that it only happens infrequently, at a rate of perhaps once a year. However, the customers still see it as a very difficult task that makes their lives tough. Other than this, I have not heard any complaints about stability.

This is a highly scalable solution, but it requires a lot of resources.

For example, I know of a big bank that has been a long-time user of this solution, but they were looking to replace it because they need forty-four Guardium severs in order to monitor their entire database farm. They feel that this is too much and will cost a lot. They do not have a new solution at the moment, although they are looking at other options.

Before this solution existed, people did not have really have anything in place. It was a new concept and it became critical when people came to understand database risks. In 2011 or 2012, many banks started to use Guardium, and since then, it has been spreading to other sectors such as government, transportation, and healthcare.

The complaints that we have heard are about IBM support in general and are not specific to the Guardium solution. There are gaps because they do not offer local support in every region. 

I cannot recall an instance where a customer switched to this solution from another one that they already had in place.

We have been assisting people with migrating from earlier versions to the current version.

The installation of the database, itself, is very easy and straightforward. 

The initial setup involves configuring the database connection with Guardium so that it monitors it correctly. It also depends whether you want to deploy the protection method or not, which means that you need to deploy the S-TAP agent on the service where the database resides.

Beyond that, most of the configuration is in the policy, itself. This changes based on what you would like to monitor, what you want to prevent, and what kind of queries you want to block. For me, fine-tuning the policy is one of the most important elements of the implementation. It also depends on the customer's knowledge, and whether the customer knows exactly what he needs. Some customers want you to not only deploy the system but also to create the policy. You have to translate their internal policy into a configuration, which can really take a long time.

When you deploy using the basic implementation, it is usually only a week or two before you get complaints from the customer. They don't see the value in the solution because they are overwhelmed. So, fine-tuning the policy takes time, and it should be taken very seriously and with care.

If the customer knows exactly what he needs then the deployment can be done in two weeks.

In terms of maintenance, it does not require a staff member full time. One person can dedicate perhaps three hours a day for monitoring, reporting, and doing a health check of the system. We sometimes offer visits to customer sites daily or weekly. For example, we can assist the customer for two hours per week to monitor the system and ensure that everything is working properly. It really doesn't require much work.

Because we are a distributor, we work between the partner and the vendor. When it comes to implementation, we can either assist the partner or work with the customer directly, based on what the customer wants.

Our Guardian expert is dedicated to that product, and will either visit the customer to perform the implementation himself, or he will align with a partner and they will go together. Most of the implementations are handled by ourselves.

I have not specifically calculated the ROI for any of our customers. However, I have shown them general ROI. For example, one incident of losing one record, either by mistake or intentionally by one of the admins, will cost you a certain amount. Moreover, it is important to consider how much you will pay to not have this happen again. These types of losses in the database may be critical data and can affect the company's reputation.

In general, deploying this solution will cost very little compared to the cost of losing data.

In the past, the pricing of IBM Guardium was very complex. It was dependent on the number of CPUs and other things to support the servers. Nowadays, things have changed. Pricing is dependent on the number of databases and the number of servers.

The licensing fees are paid yearly. One of the deployments that I know of had three databases, and the yearly fees are approximately $50,000 USD.

There are some additional add-ons that are available, but I do not see many people taking them. There is encryption, and there is a Guardium Inspection license, but I am not sure of the costs.

The main competitor in the market is Imperva. They were originally not allowed in the Kingdom because of their country of origin, but they now have a local Saudi team. Some customers were approached by Imperva and did not know of Guardium, and simply went with that solution.

There is also a phenomenon in the market that is quite common when a new technology comes from the outside. Even if people don't have the full picture or details about the existing one, they feel that it is "old". Everybody has it, and they need something new. Because of this, we see a lot of people making the choice to go with Imperva. 

When it comes to implementing this solution, it is important for people to know exactly what they need to do. This includes what they need to monitor, what they need to protect, and what kinds of queries they want to prevent. They shouldn't rely on having this tool teach them what they need to do.

Next, people need to make sure that they are getting proper support. This can be from the vendor, by having an advanced SLA for example, or a strong local partner to help them. If they have any trouble, especially something urgent, then they want to have this support in place.

The third thing is to have somebody who is trained to take care of the system. Assuming that it is easy and that anybody can handle it will be the start of a larger problem. It will not seem too much at the beginning, but after a year they will be unhappy with the product.

It is important to recognize that there are several milestones for any Guardium project. Our consultant, for example, is an expert in that domain. He usually submits a project plan showing the implementation stages for the project. There are prerequisites that have to be put in place and verified, then Guardium deployed on the server. This can be either a physical or virtual server. Then the database configuration begins, which is followed by the fine-tuning phase. Finally, all of the appropriate documentation for these aspects has to be compiled. The length of time required for all of this depends on the requirements.

I would rate this solution an eight out of ten.

As a registered IBM Business Partner, our main interaction is to deploy Guardium at client sites.

• Audit Process Builder – Workflow generator to enhance audit tasks and compliance workflows.
• Compliance Quick Start – Quick, GUI, step-by-step guide to automate compliance and give the customer a quick ROI.

Needs easier integration with custom applications.

I would give the product a score of eight out of 10. This is due to its deep level of granularity and guided process/audit workflow generation.

Guardium is used based on our Manual of Internal Procedures (MPI), and its uses range from creating a rule to generating customized reports. The main use case is the procedure "Investigate Incidents Recorded by Unauthorized Access," with action "notify by electronic message the manager and/or leader of the area."

Improved security through the visibility and control of all access to the databases.

The most valuable feature is using the capture operation mode “S-TAP/K-TAP agent”, because all activities in the database are captured, including direct access to the database server by privileged users. This is useful because, even if the database server logs were deleted, the Guardium Collector has already stored such data to enable traceability of access.

I have already mentioned to IBM that a primary need is to improve the number of records in the reports above 65,535.

Depending on the policy and rules applied, there is a need to increase the minimum requirements (RAM and storage - HD) for better operation and not to experience hardware slowdowns due to the high flow of traffic. IBM brings the "minimums" and "recommendation." From experience in versions 9x and 10x, when installing Guardium, it's important to verify the "recommendation" requirements of IBM for stability. It is worth mentioning that the requirements (minimums or recommendation) are different for Collector and aggregator.

The two major Database Audit and Protection (DAP) solutions are IBM Guardium and Imperva SecureSphere. There are two modes of operation of these solutions: remote agent and sniffer (out-of-band). I recommended using the remote agent to obtain direct access captures on servers. 

Note that in non-mainframe environments, both solutions are scalable. For the mainframe environment, Guardium has updated installation agents with the latest kernels and releases. This makes a big difference in companies with mainframes, so it is necessary to keep the technology pack updated.

Regardless of the mode of operation, when increasing the number of servers monitored it is important to re-evaluate or perform new sizing. The possible number of databases and database servers which can be monitored by Guardium is high. For me, this is a differentiator of IBM.

On a "bad, good, and excellent" scale, I rate it as good.

Initially, there were two solutions to be evaluated: Oracle and Imperva. Oracle DAP was not evaluated because it does not monitor Linux or Windows Server-only environments. 

I evaluated Imperva and got good results. However, there is a delay by Imperva in creating updated agents for Linux and Unix, including for mainframe. For me, this is a problem because it is necessary to always keep the environment up to date. If you update the kernel or release of mainframes and do not have the agent upgraded, the DAP will not monitor.

For those who do not have experience, it is complex. There are several configurations to be made, from the configuration of NTP, IP, Mask, registration of the Collectors in the Central Manager, integration with other tools like storage (backup), LDAP, SIEM, through to the application of the policies and customized rules. Note: There are some pre-set rules that can also be customized.

The price of Guardium is higher than the main competitor, Imperva. In addition, it's complex as the calculation of the licensing is done by Processor Value Unit (PVU).

However, before purchasing a DAP solution, it is important to analyze specific points to evaluate the cost-benefit of each tool. For example: Does the environment to be monitored have mainframes? If so, it's a point for Guardium. If not, a point for Imperva. Note: IBM is looking into a new licensing policy and reducing the price of Guardium.

1. Read important articles related to DAP such as the "2017 Planning Guide for Security and Risk Management."
2. Gather information from the servers (operating system with version and database types with the versions) of the environment to be monitored.
3. Check which DAP solutions can monitor the environment.
4. List the “mandatory requirements” and “non-mandatory requirements.” It is important to have in mind which points will be evaluated.
5. Request PoCs with the main DAP manufacturers (IBM, Imperva, and Oracle).
6. Do the sizing with the topology to get an idea of the requirements and cost of the project.

Database encryption.

• Encryption
• Data activity monitoring
• It has a set of modules.
• I compliment with Optum for a data masking solution.

An integration with Optum. Optum is another solution, but it is a segmenting software, portfolio not security. However, I am selling them together as one solution, Guardium and Optum.

I am dependent on my team for support of this product.

My main solution was Micro Focus voltage data encryption solution, but it was too complicated. 

Encryption is not straightforward, but Guardium made the setup easy for us.

Most important criteria when choosing to partner with a company: I started working with IBM only one year back. When I started a partnership with them, IBM had the security portfolio which covered most of the region where my customers were. IBM has a name with the support along the quality of its products.