
Compete Guide: IBM Guardium Data Protection for Databases

By Matt Flynn | Last Updated: 15 July 2020


Contributors: Russ Lowenthal, Ashok Swaminathan

Contents:
▪ Executive Summary
▪ Positioning Against IBM Guardium Database Activity Monitoring
▪ About IBM Guardium Data Protection for Databases
▪ About the Extended IBM Guardium Portfolio
▪ IBM Company Information
▪ Sources and Additional Information

Executive Summary
The IBM Security Guardium brand offers a portfolio of data security solutions that extend beyond database monitoring. IBM
Guardium Data Protection for Databases, the Guardium component that provides Database Activity Monitoring (DAM), is often
positioned against Oracle Audit Vault and Database Firewall (AVDF). Guardium DAM requires a costly, complex infrastructure and
lacks AVDF’s strong reporting capabilities.

When we encounter IBM in competitive opportunities for AVDF, we should understand that the biggest overlap for AVDF is with
IBM’s DAM capabilities. However, as mentioned above, IBM DAM is sold as part of the larger Guardium solution so we should
address the full range of capabilities by positioning Oracle Database’s native security features as well as Oracle’s peripheral security
capabilities. Specifically, Guardium delivers sensitive data discovery and database security assessments. So, be sure to highlight
Oracle Database’s native transparent sensitive data protection or Oracle Data Safe’s Data Discovery (for cloud databases) and
position the Oracle Database Security Assessment Tool (DB SAT) or Data Safe’s Security Assessment features.

IBM Guardium DAM is functionally inferior to AVDF. So, we should encourage a hands-on comparison to demonstrate AVDF’s
advantages and leverage the information in the section titled Positioning Against IBM Guardium Database Activity Monitoring to
highlight AVDF’s strengths and advantages.

Positioning Against IBM Guardium Database Activity Monitoring


Oracle Audit Vault and Database Firewall (AVDF) consolidates activity audit data from Oracle and non-Oracle databases, operating
systems, and directories, and provides security and compliance reports. Additionally, AVDF supports network-based SQL monitoring
using the Database Firewall to provide a comprehensive DAM solution. There are several reasons to choose AVDF over other
Database Activity Monitoring (DAM) solutions. AVDF offers better results than competitors with unparalleled accuracy and
completeness, reduced effort via easier administration, and superior value with a comprehensive and flexible solution.
IBM Key Strengths
▪ IBM global sales and services teams build strong customer relationships.
▪ IBM’s Guardium portfolio generally offers strong heterogeneous support that, in addition to numerous database systems, includes
support for file systems, big data, SharePoint, and mainframes.
▪ IBM bundles numerous functions including sensitive data discovery and classification, activity monitoring, and analytics – across
brands and platforms.
▪ IBM offers several mechanisms for user identification.
▪ IBM Guardium enables dynamic masking from within DAM policies.
▪ Active Threat Analytics enables user risk scoring and anomaly detection.
▪ IBM typically offers strong customer references.

IBM Key Weaknesses
▪ Guardium’s multi-tiered architecture is expensive and complex for typical enterprise deployments.
▪ Guardium requires significant management overhead and effort associated with data management.
▪ Guardium offers diminished security value; IBM typically recommends against blocking activity due to performance issues related
to the agent-based architecture.
▪ Guardium’s reporting is weak as compared to AVDF. This is critical as the goal of DAM solutions is to quickly provide answers on
database activity.
▪ Guardium lacks AVDF’s ability to capture before and after values via GoldenGate and instead relies on database triggers which are
more complex and may impact performance.
▪ AVDF’s host monitoring agents are fully tested and supported by Oracle. Guardium’s kernel-level agents are not supported by
Oracle.
▪ Guardium lacks AVDF’s SQL Grammar Analysis, relying instead on a pattern matching approach.
▪ Guardium lacks AVDF’s insight into Database Vault activity.
▪ Guardium’s reporting is not as powerful or as flexible as Oracle AVDF’s.

Better Results Than Competitors: Superior Data Accuracy & Completeness


AVDF offers unparalleled accuracy and completeness for a reliable detective and preventive security.

▪ Audit Vault offers support for audit sources beyond databases including OS logs, Active Directory logs, and a custom collector
with application tables, JSON data sources, REST APIs, or XML file audit collection support (enables support for cloud audit
trails and application-tier auditing). Most DAM solutions are limited to database activity. IBM DAM is limited to database
activity.
▪ Audit Vault captures Before and After data value changes leveraging the REDO logs via Oracle’s modern GoldenGate
technology (license included) with no impact on the target databases. This is the most accurate source, offers highest
performance, supports multitenant databases, and is fully supported by Oracle. Note that Oracle Streams have been
deprecated and memory scraping techniques are unsupported and unreliable. IBM captures before and after values via value
change auditing leveraging database triggers, which are more complex to manage, intrusive, and impact database
performance. Also, values captured by IBM’s triggers are written to an audit data table and are only periodically written back
to the Guardium servers for reporting. So, there’s a delay between when the values are changed and when the change data is
available to Guardium.
▪ Audit Vault provides a complete picture capturing data activity as well as changes to entitlements and stored procedures.
▪ Audit Vault captures entitlement changes directly from the database catalog to provide information about the users, roles,
profiles, and privileges configured within the database. It also enables snapshots of entitlement data at specific points in time
that can be grouped and compared via AVDF reports to track changes over time. IBM enables reporting and optimization of
database entitlements but they do not document an ability to capture entitlement changes. Optimization reporting provides a
report on weekly changes and recommendations for limiting unused access.
▪ Audit Vault integrates with Database Vault to capture privileged user activity. IBM does not have this insight.
▪ Database Firewall (DBFW) leverages advanced allow-list and deny-list techniques to detect threats. Its SQL Grammar Analysis
understands the intent of SQL and can apply policies accordingly, before the statement is executed in the database. This provides
much stronger security than IBM’s approach, which is based on pattern matching.
▪ DBFW can be trained to learn normal application SQL patterns and capture those into SQL cluster sets that can be used in
policies. The SQL grammar engine ensures that a firewall policy defined on a SQL statement is applicable to equivalent SQL
statements, making it easy to develop robust policies vs building hundreds of rules for each SQL variant. IBM requires
administrators to manually create policies based on SQL code matching.
▪ DBFW blocking leverages SQL substitution which avoids application and database errors. IBM provides similar functionality
based on its query rewrite feature which is available for a limited subset of data sources (inc. Oracle Database). However, IBM
cautions that the query rewrite process “is asynchronous and introduces latency between the sniffer and S-TAP” and should
be avoided for “performance-sensitive or trusted applications.”
▪ DBFW provides multi-stage policies that offer multiple levels of protection and superior flexibility in establishing policies.
Within a policy, rules can be configured for session context (IP address, database/OS user, program name), SQL Statements, or
the database tables being accessed. This enables comprehensive protection and even complex policies can be easily enhanced
incrementally as needed. IBM offers similar support for context. However, policies are interpreted sequentially so each new
policy adds latency and policies are more complicated to manage over time.
▪ DBFW supports encrypted traffic via Oracle Native Network Encryption (NNE) when DBFW is deployed between the
application tier and the database tier. Note: Environments using SSL/TLS or non-Oracle Databases would require a third-party
TLS termination solution to terminate SQL traffic before it reaches the DBFW. IBM does not support NNE. Customers who are
interested in evaluating encrypted database traffic would have to use TLS and would need to configure support for TLS via
Oracle Connection Manager (CMAN) or a third-party TLS termination solution.
▪ DBFW offers a complementary approach to native database auditing with minimal performance impact to the database.
▪ AVDF provides powerful reporting capabilities with easy search and analysis on user activity. Reports are categorized by type
for quick navigation (activity, database settings, entitlements, stored procedure changes, Database Vault activity, etc.) and can
be scheduled for automated delivery (in PDF or XLS format). AVDF reports are easily customized and extensible without IT or
SME assistance. AVDF provides an open schema enabling easy integration with third-party tools and all reporting capabilities
are included and built-in. IBM includes many predefined reports and enables customers to build custom reports and/or to
modify existing reports.
▪ AVDF provides out-of-the-box reports for security and compliance to help customers meet compliance requirements such as
GDPR, PCI, GLBA, HIPAA, IRS 1075, SOX, and UK DPA. These reports were designed by compliance experts providing built-in
expertise. IBM appears to offer a few compliance-related reports but the selection is limited (PCI, SOX, Data Privacy) and
details are not provided.
▪ AVDF enables flexible and customizable rule-based alerts on activity that can be emailed or written to syslog. IBM also
enables custom alerting that can be distributed via e-mail, SNMP, syslog, or user-written Java classes.
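The entitlement bullet above describes capturing users, roles, and privileges from the database catalog, snapshotting them at points in time, and comparing snapshots to track changes. The following is an added illustration of that review pattern written for this guide; it is not AVDF’s implementation. The two snapshots, the `Grant` record layout, and the `HIGH_RISK` watch list are constructed sample data and assumptions for the example.

```python
"""Entitlement snapshot comparison (added illustration, not AVDF's own code).
The snapshots below are constructed sample data."""

from collections import namedtuple

# One grant as captured from a database catalog: who holds what, on which object
# (the object is empty for system privileges and roles).
Grant = namedtuple("Grant", ["grantee", "privilege", "on"])

# Constructed watch list (assumption): privileges whose appearance in a diff
# deserves a reviewer's attention regardless of the object.
HIGH_RISK = {"DBA", "SELECT ANY TABLE", "GRANT ANY PRIVILEGE", "EXECUTE ANY PROCEDURE"}

# Constructed snapshot taken on day 1.
SNAPSHOT_DAY1 = {
    Grant("APP_USER", "SELECT", "HR.EMPLOYEES"),
    Grant("APP_USER", "UPDATE", "HR.EMPLOYEES"),
    Grant("REPORT_RO", "SELECT", "HR.EMPLOYEES"),
    Grant("JSMITH", "CONNECT", ""),
}

# Constructed snapshot taken one week later.
SNAPSHOT_DAY8 = {
    Grant("APP_USER", "SELECT", "HR.EMPLOYEES"),
    Grant("APP_USER", "UPDATE", "HR.EMPLOYEES"),
    Grant("APP_USER", "DELETE", "HR.EMPLOYEES"),   # new object privilege
    Grant("JSMITH", "CONNECT", ""),
    Grant("JSMITH", "DBA", ""),                    # new high-risk role
    # REPORT_RO's SELECT on HR.EMPLOYEES has been revoked
}


def diff_entitlements(before, after):
    """Return (added, removed) grants between two catalog snapshots."""
    before, after = set(before), set(after)
    return sorted(after - before), sorted(before - after)


def flag_high_risk(grants, watch_list=HIGH_RISK):
    """Subset of grants whose privilege is on the watch list."""
    return [g for g in grants if g.privilege in watch_list]


def entitlement_report(before, after):
    """Build a change report grouped by grantee, the way a reviewer would read it."""
    added, removed = diff_entitlements(before, after)
    by_grantee = {}
    for g in added:
        by_grantee.setdefault(g.grantee, {"added": [], "removed": []})["added"].append(g)
    for g in removed:
        by_grantee.setdefault(g.grantee, {"added": [], "removed": []})["removed"].append(g)
    return {
        "changed_grantees": sorted(by_grantee),
        "added": added,
        "removed": removed,
        "high_risk_added": flag_high_risk(added),
        "by_grantee": by_grantee,
    }


if __name__ == "__main__":
    report = entitlement_report(SNAPSHOT_DAY1, SNAPSHOT_DAY8)
    for grantee in report["changed_grantees"]:
        changes = report["by_grantee"][grantee]
        for g in changes["added"]:
            print(f"+ {grantee}: {g.privilege} {g.on}".rstrip())
        for g in changes["removed"]:
            print(f"- {grantee}: {g.privilege} {g.on}".rstrip())
    for g in report["high_risk_added"]:
        print(f"!! high-risk grant added: {g.grantee} now holds {g.privilege}")
```

Snapshots are compared as sets, so the order in which the catalog returns rows does not matter, and an unchanged environment produces an empty report. The watch-list step is what turns a raw diff into something an auditor can act on: a new DBA role stands out even when it is one line among many routine object grants.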

Reduced Effort: Improved Ease of Use and Simplified Ownership
AVDF offers easier administration requiring less effort and reduced ownership costs.

▪ AVDF can be monitored and managed via Enterprise Manager Cloud Control providing a single pane of glass for all
provisioning, management, monitoring, and reporting of Oracle Database environments. IBM Guardium is a third-party
solution that introduces an additional management interface and skillset.
▪ AVDF provides preconfigured audit policies based on best-practice recommendations for Oracle Database. For example,
prebuilt audit policies capture critical database activity (create users, create roles, alter database, etc.), logon events, and
schema changes. Prebuilt DBFW policies capture activities by users with admin privileges. Administrators can also use the
AVDF UI to enable Oracle Database Unified Audit pre-defined audit policies as well as user-defined custom audit policies that
have been created for the database instance to capture, for example, account management activities, database parameter
changes, database vault activity, and to enable custom policies like privileged user activity (DML) on sensitive tables. This
reduces effort and time-to-value making it very easy to get started with auditing for Oracle Database. IBM does not document
any prebuilt policies or monitoring functionality. Policies and rules must be manually configured which can be confusing and
time-consuming.
▪ AVDF audit agents can be automatically updated. This reduces management effort. IBM provides a manual process for
updating agents and the process differs depending on the OS, agent type, and configuration. This increases effort and
complexity. The Guardium Installation Manager, which requires a client to be installed on each database host, can be used to
keep agents updated but it introduces an additional layer of complexity and overhead.
▪ AVDF enables automated archiving of audit data. This reduces management effort. IBM provides a manual process for data
archiving which requires careful consideration and increases effort and complexity.
▪ AVDF provides integration with SIEM solutions via Syslog for unified operations monitoring. IBM also natively supports syslog.
▪ AVDF supports Active Directory or LDAP authentication. This simplifies management of access to AVDF. IBM Guardium relies
on users and roles that are defined within the system. Customers can import users from an LDAP source but they are not
managed on an on-going basis and imported users must set and manage a new, Guardium-specific password. This is not a
seamless management experience and creates another identity silo that needs to be managed.
▪ AVDF supports hybrid environments providing a single solution for on-premises and cloud deployments. Components of
systems configured with IBM External S-TAP agents can be deployed on-prem, in the cloud, or in combination.

Superior Value: Infrastructure and Total Cost of Ownership
AVDF is an all-inclusive, robust, scalable, and flexible auditing and monitoring solution.

▪ AVDF offers three operating modes for optimal flexibility that are easy to understand and configure:
  ▪ Proxy: All client connections go through the firewall, including return traffic; this enables blocking.
  ▪ Host monitor: An AVDF agent runs on each database host listening to incoming traffic. This is ideal for environments
where only monitoring is needed, there are numerous network paths for accessing the database, and it’s easier to
deploy the agent on the host machine.
  ▪ Out-of-band: Monitors database traffic sent to it via a network span port.
IBM offers several deployment options with varying support for data sources and functionality. S-TAP agents can be
configured to monitor traffic via several mechanisms including K-TAP and A-TAP with a variety of options (local traffic only,
local and network traffic, shared memory, monitor only, monitor and block, etc.). The mechanisms available vary by OS and
database version. The result is a confusing array of configuration options which produce varying results.
▪ AVDF is delivered via a full-stack software appliance complete with a secured and scalable audit repository, a restricted use
license for Oracle GoldenGate (to capture before-and-after values for Oracle Databases), management and reporting tools,
and everything you need to run securely in production including High Availability – with no additional deployments or
software licensing required. The appliance is easy to manage with a unified upgrade process that upgrades the database, OS,
and application. AVDF’s audit repository is encrypted and secured with Oracle Database Vault to restrict access to data and
provide separation of duties between the administrator and the auditor. IBM Guardium is deployed via three tiers of
appliances: collectors, aggregators, and central managers and requires a separate, external system for archives. Appliance cost
and complexity can grow significantly depending on the size and complexity of the environment. Guardium also has the
concept of Data Marts for storing data outside of the typical purge and archive scenarios. But the Data Mart targets are not
included and must be configured and secured separately.
▪ AVDF provides High Availability with multi-path fiber channel support.
▪ AVDF is network-independent, increasing flexibility and reducing cost. AVDF’s support for multiple NIC cards enables high
availability and performance. IBM also supports multiple network interfaces.
▪ AVDF’s non-intrusive agents (remote or local) collect native audit data with minimal overhead or support issues. IBM’s
primary mechanism for monitoring Oracle are S-TAP agents with K-TAP enabled. These are kernel-level agents that hook into
the communication between the database client and the server. Kernel modules are not supported by Oracle and internal
operations are always subject to change. Oracle does not support or certify any third-party agents and Oracle support will
request removal of agents to troubleshoot any I/O issues related to the database. This may introduce a security risk as traffic
will not be monitored if the agent is removed or disabled. Customers should also consider whether S-TAP agents will impact
the speed at which they deploy database patches and upgrades since it may take time for IBM to test and issue updated
agents. Will they be waiting for IBM to certify their agents with the latest versions? Will the agents’ approach to listening be
impacted by changes to internal database operations?
▪ AVDF supports Oracle Real Application Clusters (RAC). RAC support is enabled and configured from within the UI. DBFW even
supports connecting clients with RAC instances in a different subnet leveraging separate NIC cards for each subnet. IBM’s
support table also indicates support for RAC.
▪ AVDF supports extremely high performance with support for NIC bonding for increased throughput and redundancy. IBM also
supports NIC bonding.

Potential Weaknesses for AVDF
It’s important to understand and counter AVDF’s potential weaknesses which could be exploited during the sales process.

▪ Auto-discovery: Competitive DAM solutions, including IBM Guardium, scan the network to automatically detect databases.
This simplifies initial deployment. However, auto-discovery lacks the intelligence to understand complex database
architectures like Oracle Real Application Clusters or Data Guard. While AVDF may require a little additional effort at
deployment time, its intelligent understanding of the Oracle ecosystem yields improved accuracy and easier maintenance
over time. For example, in Oracle multitenant databases, AVDF allows audit collection at the container database (CDB) level or
at the individual pluggable database (PDB) level.
▪ Non-core features: Competitive DAM solutions, including IBM Guardium, commonly include non-DAM features such as
database vulnerability assessments and sensitive data discovery. While these additional features may add value for some
customers, they should not be evaluated as part of the DAM solution. In the case of vulnerability assessments, Oracle offers
free tools that enable security assessments of Oracle Database including the Oracle Database Security Assessment Tool (DB
SAT) and Oracle Data Safe’s Security Assessment features. For sensitive data discovery, position Oracle Database’s native
transparent sensitive data protection or Oracle Data Safe’s Data Discovery features. We don’t position these free solutions as
part of AVDF but they are available for all Oracle Database customers. AVDF also includes features that are typically not
considered part of a DAM solution including entitlements reviews and auditing of stored procedures.
▪ Support for TLS encrypted traffic: For customers who are interested in evaluating encrypted database traffic, IBM documents
how to support TLS via Oracle CMAN. Oracle DBFW lacks native support for TLS and would require a third-party TLS
termination solution to terminate SQL traffic before it reaches the DBFW. However, AVDF supports Oracle’s native network
encryption (NNE) which is more commonly used in Oracle Database deployments and is easier to manage than TLS. Guardium
lacks support for Oracle NNE and customers are forced to rely on TLS for encrypting data in motion.
▪ User Identification: Guardium provides several methods to identify application users, when the actual database user is not
apparent from the database traffic. Some commercial applications, including Oracle E-Business Suite, offer Application User
Translation enabling Guardium to automatically identify users. They can also leverage application APIs and Stored Procedures.

Architectural Issues for IBM Guardium Data Protection for Databases

Each issue below is presented as a Description of Issue followed by its Business Impact and Positioning.

Significant Hardware Requirements and Complex Appliance Architecture

Description of Issue:
Guardium’s architecture requires numerous layers of appliances and agents that have scalability issues and significant
management overhead. Guardium typically requires numerous collector and aggregator appliances which can grow to become
quite expensive.
▪ Collector appliances are typically deployed at a ratio of 10 databases per Collector. Another sizing method calls for 4000 PVUs
per collector (4000 PVUs is roughly ~40 DB CPU cores per collector). The maximum recommended number of PVUs per
collector is 8000 (~80 CPU cores) and that requires that the solution is configured for limited selective auditing with no
blocking enabled. IBM recommends an additional 50% for virtual appliances (20 DB CPU cores per collector) and yet another
50% if S-GATE blocking is enabled (10 DB CPU cores per collector).
▪ Collector drive space disappears quickly. In response, IBM typically recommends keeping data on the collector for only around
7 days.
▪ Aggregator appliances are deployed at a ratio of about 1 to every 8 Collectors and require 40% free disk space.
▪ Central Manager appliances are required to manage multiple Aggregators.
▪ Additional Collectors may be required to accommodate multiple disparate geographies or business units even in smaller
environments. In this scenario, data must be collected (via bulk data exports) from all Collectors to a single Aggregator for
unified reporting. A dedicated Aggregator may be required for this purpose to avoid space limitation issues.
▪ Guardium relies on an internal MySQL database that requires a minimum of 50% free disk space (>80% recommended).
▪ Requires a separate collector to recover data for forensic reporting. Collector appliances cannot simultaneously store online
data and forensic data.
▪ There is no ability to add disk space to Guardium appliances without a complete rebuild of the appliance.

Business Impact and Positioning:
▪ IBM’s solution is quite expensive in large scale environments due to hardware requirements and scale limitations.
▪ IBM’s solution is complex to deploy and manage, requiring significant administrative overhead on an on-going basis.
▪ IBM requires a manual import/export process to gather audit data into a separate data warehouse (not provided) for
centralized reporting.
▪ Guardium customers frequently report missing data due to agent overload, collector overload, aggregator hardware or
software failure, and/or network outages.
▪ Typical operational modes allow some disallowed traffic to continue before responding.
▪ Customers report a mismatch between IBM pre-sales and IBM post-sales services. The services team almost never recommends
blocking and typically requests more collectors than sales advised to meet performance expectations.
▪ In environments with comprehensive log requirements, IBM recommends highest capacity sizing with the lowest level of
auditing enabled (privileged user and selective auditing only). Otherwise, the solution may encounter scalability issues with
Collectors filling up quickly and significant packet loss.
▪ AVDF offers a simple soft-appliance-based architecture that is highly scalable, with an included high availability mode. A single
Audit Vault server can consolidate logs and events from thousands of databases.
▪ AVDF supports data retention policies on a per-source basis, supporting virtually any internal or external compliance
requirements without manual bulk data management.
▪ AVDF audit data is secured using Oracle Database Vault to protect audit data from administrators and Oracle Advanced Security
TDE for complete encryption of data in transit, at rest, and on backups.

Agent Reliability

Description of Issue:
Guardium’s S-TAP agents contain kernel-level modules. Monitoring is performed at the OS kernel as the OS root user via an
unsupported interface. There is no guarantee that relevant data will be captured. This approach introduces risk of destabilizing
the database server. Also, there is no high availability option for S-TAP agents, which represent a single point of failure.
Guardium v11.1 introduced support* for Oracle Unified Audit via S-TAP agents deployed with the Oracle Instant Client. This
approach should minimize agent issues but may also limit functionality. * Limited to 64-bit x86 Linux platforms.
▪ Ex-IBM employees report that customers should expect at least 20% packet loss from Guardium’s S-TAP agents.
▪ If an S-TAP agent is down, there is no event buffering and therefore activity is not recorded until the agent is fixed.
▪ Data loss occurs during agent upgrades, which typically last several hours.
▪ In the event of network interruption, there is a small buffer (50 MB). IBM does not recommend increasing the buffer size due to
known performance issues. Data loss is expected during network outages and/or periods of heavy network traffic. Also,
blocking is not functional during network interruption. Attackers can unplug or interrupt the collector to breach security.
▪ S-TAP kernel components may cause system panics and they create significant traffic latency.
▪ IBM Guardium agents are not supported or certified for use with Oracle Database or Oracle Engineered Systems (Exadata or
Oracle Database Appliance).

Business Impact and Positioning:
▪ IBM customers often find that critical information is missing from reports. This often includes the database username and the
SQL query.
▪ IBM’s policy enforcement approach will generate more false positives vs AVDF’s allow-list approach.
▪ Questions to ask:
  ▪ How might false positives impact your ability to respond? Who will follow up on alerts?
  ▪ Can you trust a pattern-matching approach to block activity?
  ▪ Would you actually implement preventative policies if you selected Guardium?
  ▪ Are you willing to narrow the scope of monitoring to accommodate performance issues?
▪ AVDF agents are reliable, having been tested and certified to run with Oracle Database technologies, including Exadata and
other Engineered Systems.
▪ AVDF leverages native audit data providing a complete view of database activity along with full execution context irrespective
of whether the statement was executed directly, through dynamic SQL, or through stored procedures.
▪ In addition to consolidating audit data from databases, operating systems, and directories, the Audit Collection Plugin can be
used to collect audit data from application tables, JSON, or XML files, or using REST for audit collection, and transfer them to
the Audit Vault Server.
▪ AVDF audit collection agents are non-intrusive and do not require OS kernel modifications or drivers to be run on the database
servers.
▪ AVDF includes Oracle Database Vault database-resident security that cannot be circumvented via network interruption or
unplugging of the security appliance.
Data Accuracy

Description of Issue:
▪ IBM Guardium DAM monitors database activity at the OS kernel level relying on heuristics and regular expressions.
  ▪ IBM’s signature detection approach generates false positives.
  ▪ IBM’s heuristic-based approach is inaccurate while learning, error-prone, and results in disruptive false positives.
  ▪ IBM is unable to parse complex or obfuscated SQL (e.g., SQL Server supports hex-encoded SQL).

Business Impact and Positioning:
▪ False positives and lack of confidence may lead customers to disable blocking, thereby reducing the solution’s security and
business value while increasing manual effort in the process.
▪ Attacks delivered via complex or obfuscated SQL will not be detected.
▪ AVDF’s patented SQL Grammar Analysis categorizes SQL into clusters for unparalleled accuracy & performance regardless of the
SQL syntax or complexity.
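Both the DBFW bullets earlier in this guide (SQL cluster sets, one policy covering equivalent SQL variants) and the Data Accuracy table above turn on the same idea: a policy keyed on the structure of a statement applies to every statement of that shape, while exact-text or regular-expression matching either misses benign variants (false positives) or has to be hand-written per variant. The following is an added illustration written for this guide, a deliberately small stand-in for grammar analysis and not AVDF’s or Guardium’s engine. The tokenizer, the keyword list, and all sample statements are constructed assumptions for the example.

```python
"""SQL shape normalisation (added illustration, not AVDF's or Guardium's code).
A small stand-in for grammar analysis: enough to show why structure-keyed
policies generalise and text-keyed ones do not."""

import re

# Tokeniser for a small SQL subset (assumption: sufficient for the constructed
# samples below; real SQL grammars are far larger).
TOKEN_RE = re.compile(
    r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)      |  # comments carry no structure
    (?P<string>'(?:[^']|'')*')           |  # string literal, '' escapes a quote
    (?P<number>\b\d+(?:\.\d+)?\b)        |  # numeric literal
    (?P<ident>[A-Za-z_][A-Za-z0-9_.$]*)  |  # keyword, column, table, schema.table
    (?P<op>[<>=!]+|[(),;*+\-/%])         |  # operators and punctuation
    (?P<ws>\s+)
    """,
    re.VERBOSE | re.DOTALL,
)

KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "IN", "LIKE", "INSERT",
    "INTO", "VALUES", "UPDATE", "SET", "DELETE", "ORDER", "BY", "UNION", "ALL",
}


def normalize_sql(sql):
    """Reduce a statement to its structural shape: comments dropped, literals
    replaced by '?', keywords upper-cased, identifiers lower-cased (Oracle folds
    unquoted identifiers), whitespace collapsed to single spaces."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(sql):
        if m.start() != pos:  # finditer skips unmatched text; refuse to guess
            raise ValueError(f"unrecognised input at offset {pos}: {sql[pos:pos + 10]!r}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "ws"):
            continue
        if kind in ("string", "number"):
            parts.append("?")
        elif kind == "ident":
            upper = text.upper()
            parts.append(upper if upper in KEYWORDS else text.lower())
        else:
            parts.append(text)
    if pos != len(sql):
        raise ValueError(f"unrecognised input at offset {pos}: {sql[pos:pos + 10]!r}")
    return " ".join(parts)


def build_cluster_allow_list(trained_statements):
    """Learn the set of statement shapes an application is known to issue."""
    return {normalize_sql(s) for s in trained_statements}


def evaluate_by_shape(statement, allow_list):
    """Allow a statement if its shape is a known cluster, otherwise alert."""
    shape = normalize_sql(statement)
    return ("allow" if shape in allow_list else "alert"), shape


def evaluate_by_text(statement, trained_statements):
    """The exact-text alternative: only a verbatim repeat of a trained statement is allowed."""
    return "allow" if statement in set(trained_statements) else "alert"


# Constructed sample traffic: two statements captured during training, then
# three variants seen later in production.
TRAINED = [
    "SELECT name, salary FROM employees WHERE id = 42",
    "SELECT name, salary FROM employees WHERE last_name = 'Smith'",
]
BENIGN_VARIANT = "select name,salary from EMPLOYEES where id=7 -- lookup"
BENIGN_QUOTED = "SELECT name, salary FROM employees WHERE last_name = 'O''Brien'"
STRUCTURAL_CHANGE = "SELECT name, salary FROM employees WHERE id = 42 OR 1 = 1"

if __name__ == "__main__":
    allow = build_cluster_allow_list(TRAINED)
    for s in (BENIGN_VARIANT, BENIGN_QUOTED, STRUCTURAL_CHANGE):
        verdict, shape = evaluate_by_shape(s, allow)
        print(f"shape : {verdict:5}  {shape}")
        print(f"text  : {evaluate_by_text(s, TRAINED):5}  {s}")
```

The two benign variants differ from the trained statements only in case, spacing, a trailing comment, and literal values, so they fall into an existing cluster and are allowed; exact-text matching flags both as unknown, which is the false-positive problem the table describes. The third statement keeps the same literals but adds a clause, so its shape differs and it is alerted on without anyone having written a rule for that particular text. A production engine would also need to handle bind variables, quoted identifiers, and vendor-specific encodings such as the hex-encoded SQL mentioned above; the tokenizer here rejects anything it does not understand rather than silently passing it.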

Auditing

Description of Issue:
▪ Prior to Guardium v11.1, IBM Guardium DAM did not provide native database auditing. Instead, it relied on agent-based activity
monitoring only.
▪ Guardium v11.1 introduced support* for Oracle Unified Audit via S-TAP agents deployed with the Oracle Instant Client. This
approach should minimize agent issues but may also limit functionality. This approach is only available for 64-bit x86 Linux
platforms where OUA is enabled.
▪ IBM’s distributed, multi-tier architecture impedes the ability to perform centralized analysis and reporting.

Business Impact and Positioning:
▪ Guardium typically requires an additional investment in a data repository for analysis and reporting.
▪ Guardium customers must manage the bulk transfer of data from typically several Aggregator appliances.
▪ In environments leveraging Guardium agents, IBM does not have visibility into several SQL types including: SQL Synonyms,
Dynamic SQL, and SQL Server RAW mode. Guardium v11.1’s support for Oracle Unified Audit eliminates this blind spot but may
introduce other limitations such as event blocking. And it’s only available in some environments.
▪ AVDF collects complete native database audit trails into an included secure, centralized audit data repository.
▪ AVDF leverages native audit data providing a complete view of database activity.
▪ AVDF accepts audit logs from additional sources including Active Directory, operating systems, file systems, and applications.

Reporting

Description of Issue:
▪ IBM Guardium does not provide an open schema for custom reporting.
▪ Typically, reports must be run against distributed appliances with a multi-tier architecture.
▪ Reports can be unacceptably slow in larger implementations.
▪ IBM provides limited control over access to reports.

Business Impact and Positioning:
▪ IBM Guardium customers are less prepared to respond to compliance audits due to more complex reporting.
▪ Report customizations require more time and effort and may require specialized skills.
▪ Due to architecture and bulk data export requirements, reporting on Aggregators is often subject to a 24-hour delay.
▪ AVDF built-in reports were designed with audit experts and customer input to meet most auditor needs with minimal
customization.
▪ AVDF provides an open database schema storing audit and network SQL traffic data. Reports are easily configured by auditors
with no IT assistance. And AVDF customers are not locked in to Oracle’s reporting solution; they can use the reporting tool of
their choice.
▪ AVDF’s powerful, high-performance reporting engine is built on included runtime Oracle BI Publisher and backend Oracle
database technology.
▪ AVDF enables fine-grained control over access to reports so line-of-business auditors are restricted to reporting on relevant
applications.

Blocking Issues

Description of Issue:
▪ Due to technology limitations, IBM generally recommends against enabling blocking. IBM’s post-sales implementation team
almost always recommends against enabling blocking.
▪ Enabling S-GATE (firewall feature of S-TAP) significantly increases S-TAP CPU usage, network bandwidth usage, and latency.
Enabling S-GATE ON (closed by default) is never recommended due to severe latency issues. Enabling S-GATE OFF (open by
default) misses initial actions and generates unpredictable results; this is very common in Windows.
▪ None of Guardium’s blocking methods provide high-performance and predictable blocking of all unwanted traffic.

Business Impact and Positioning:
▪ Without blocking enabled, the solution is categorized as a reactive rather than preventative solution and data is less secure.
▪ IBM’s SQL query rewrite feature cannot be used with blocking and creates similar latency issues.
▪ AVDF SQL Grammar Analysis and allow-list approach increase accuracy and encourage use of AVDF as a preventative solution.
▪ AVDF SQL Substitution option provides safe, high-performance preventative protection without app errors or requiring dropped
sessions.

Before and After Values


Description of Issue:
▪ IBM Guardium’s default method of collecting before/after values is based on an intrusive method of creating triggers in the
target DB that write data to a Guardium audit database (requires database user, maintenance, etc.). The collected data then
needs to be bulk uploaded to collectors for reporting.
▪ For Oracle database targets, IBM was able to use Oracle Streams. However, this feature is not recommended in production and
Streams has been deprecated by Oracle as of Oracle 12c.
▪ Enhanced features are provided by IBM’s Change Data Capture (CDC) product, which requires separate licensing. IBM
recommends limiting this feature to only 1 or 2 tables in production deployments.

Business Impact and Positioning:
▪ IBM’s Value Change Auditing requires significant effort and/or expense. Customers must choose between omitting critical data
(less secure) or incurring the additional cost and effort.
▪ IBM’s trigger-based approach increases complexity and maintenance overhead. It also creates an additional database to be
secured and that may be in scope for regulatory audits. Report data and alerts are delayed due to the bulk import schedule.
▪ AVDF leverages Oracle GoldenGate technology to collect before and after values for Oracle databases. Oracle Streams has been
deprecated so IBM does not have a path forward for their before/after value collection methodology beyond reverting to
triggers.

Data Security
Description of Issue:
▪ Guardium offers no at-rest encryption for audit data, and even in-motion encryption (SSL/TLS) is discouraged to avoid latency.
▪ Guardium doesn’t support incremental backups. Only full automatic backups are available, where a single encrypted file is moved to an SCP or FTP location. IBM recommends weekly backups for Aggregators. Collectors are not backed up.
▪ Guardium does not support Oracle native network encryption.

Business Impact and Positioning:
▪ IBM’s audit data is less secure and could lead to audit failures or data breach events.
▪ Data may be unavailable in the event of an outage or disruption.
▪ AVDF provides a secure data warehouse with TDE encryption enabled.
▪ Oracle leverages native network encryption by default and offers seamless integration for Oracle Database traffic. For non-Oracle databases, an SSL termination solution may be required for Database Firewall to enforce protection policies in-line.

High Availability
Description of Issue:
▪ IBM’s load balancing option uses two collectors that each get partial activity. This approach makes it impossible to provide unified reporting without implementing a batch process for data aggregation.
▪ IBM’s mirroring approach requires twice the amount of appliance hardware and requires double-size specs for all Collectors and related expenses (space, storage, cooling, power, etc.).

Business Impact and Positioning:
▪ IBM’s solution offers no good options for high availability and offers poor scale/performance options.
▪ AVDF includes a secure data warehouse with a built-in high availability mode. AVDF’s highly scalable architecture supports thousands of databases and high traffic volumes.

Additional Considerations
In addition to the points raised above, use the following points to position Oracle AVDF against IBM Guardium Data Protection for
Databases:

▪ Policy Enforcement: Guardium evaluates policies in a serial order (one after the other). This serial method of applying policy
rules causes an exponential impact on performance with each new rule that needs to be evaluated. AVDF’s SQL Grammar
Analysis breaks inbound queries into grammatical chunks and evaluates each rule simultaneously for numerous conditions
with limited impact on performance. This is easier to manage and offers higher performance.

▪ User Entitlements Reports: IBM’s User Entitlements Report requires upload of user and rights data into the Guardium
appliance and then provides reports on who granted what rights to whom. Customers commonly complain that these reports
are very difficult to understand. AVDF’s entitlement reporting is easier to understand, and AVDF offers optional differential
reporting, showing only what has changed since a previous report.

▪ Vulnerability Assessments: IBM Security Guardium Vulnerability Assessments can be licensed together with the DAM solution
but requires a separate appliance. It’s not an included feature of Guardium DAM despite commonly being marketed together.
Oracle provides free tools to help identify areas where your database configuration, operation, or implementation introduces
risks and recommends changes and controls to mitigate those risks. Position Oracle Database Security Assessment Tool (DB
SAT) or Data Safe Security Assessment (for cloud databases) to address security assessment requirements.

▪ Multi-Version Support: Guardium offers limited support for mixed version environments. Upgrades generally require a
rebuild of all appliances. Customers often can’t leverage the latest updates without significant cost and effort.

▪ Data Redaction and Query Rewrites: IBM positions Guardium’s query rewrite feature as providing fine-grained access control
via dynamic masking of data. This is positioned as a solution to limit returned data. However, each rewrite query must be
specifically crafted per SQL Statement and is easy to break or bypass using complex SQL. Oracle AVDF’s SQL Substitution and
ASO Data Redaction are stronger solutions for protecting data as it’s being returned from the database.

▪ Network Traffic: Guardium agents send all data not specifically marked as trusted to the Collectors which then filter activity
based on policies. This creates a significant quantity of traffic as data is sent across the network in real time.

▪ Designed for On-Premises: Guardium does not offer a true hybrid cloud solution. It offers an on-premises solution that can be
hosted on a cloud platform to operate within that platform. This may require multiple solution instances to address hybrid
environments.

▪ Exadata Support: Guardium offers agent-based or network-based deployments as well as a hybrid approach. Some features,
however, require local agents to be deployed on the target servers. This includes its S-GATE preventative security (blocking).
Oracle does not certify or support third-party agents and agents should not be deployed on Exadata systems.

▪ Stored Procedures: Guardium does not support reporting on SQL activity within Stored Procedures. IBM notes that “this is
expected due to the nature of stored procedures. The content of the procedure is defined when the procedure is created, but
not actually executed each time the stored procedure runs. Hence in Guardium report you will see the execute procedure
command but not the commands that are within that procedure.”

About IBM Guardium Data Protection for Databases

IBM Guardium Data Protection for Databases is a hardware or virtual appliance-based solution that provides automated sensitive
data discovery and classification, real-time activity monitoring, and analytics to discover unusual activity around sensitive data. IBM
claims that the solution learns user access patterns and provides alerts when suspicious activity is detected. Guardium can respond
to threats by dynamically masking data, by terminating user sessions, or by quarantining users. This functionality is available across
numerous databases including, but not limited to: Oracle, IBM DB2, Sybase, Microsoft SQL Server, IBM Informix, mySQL, Teradata,
IBM PureSystems, IBM InfoSphere BigInsights, PostgreSQL, MongoDB, and SAP HANA.

IBM Guardium Data Protection for Databases is part of the broader IBM Guardium portfolio which also includes vulnerability
assessments, encryption solutions (OEM’ed from Vormetric), and additional analytics.

Architecture
The IBM Security Guardium Data Protection for Databases solution is comprised of several core components:

▪ Collector Appliances: Real-time capture and analysis of database activity, captures logs for further analysis and use in alerting.

▪ Aggregator Appliances: Collect and merge data from multiple collectors and optionally from other aggregators. Aggregators
can be used to generate enterprise-level reports, assessments, and audit processes in large, distributed environments.

▪ Central Manager Appliances: Aggregator Appliances with management features enabled to control and monitor the
Guardium environment from a single console.

▪ S-TAP Agents: Lightweight software agents installed on database servers to perform data collection tasks. S-TAP agents
monitor activity between the client and the database and forward that data to the Collector. Database traffic is then logged
based on criteria specified in the security policy.

▪ External S-TAP Agents: Agents deployed outside of the database host that can intercept traffic between clients and the
database server, and will then forward a copy of the traffic to a Guardium collector for analysis and policy application.
Components of systems configured with External S-TAP agents can be deployed on-prem, in the cloud, or a combination.

Note: There are several other Guardium components that get deployed to database servers but these are less material to our
understanding of how Guardium operates. These include the Guardium Installation Manager agent, the Change Audit System agent,
the instance discovery agent, the datasource, and inspection engines. These are covered in more detail in the documentation.

Here’s an illustration of a typical deployment model for Guardium Data Protection for Databases:

Note: Large environments may require dozens of Collectors and multiple Aggregator appliances. As a general rule of thumb, you
might expect to require a Collector appliance for every 10 database instances and an Aggregator for every 8 Collectors. The ratio
increases by ~50% in blocking scenarios or on slower hardware.

Agent Options

S-TAP agents can be configured to monitor traffic via several mechanisms including K-TAP and A-TAP with a variety of options (local
traffic only, local and network traffic, shared memory, monitor only, monitor and block, etc.). The mechanisms available vary by OS
and database version. IBM provides a support table to help customers understand the available options for each OS and database
version. IBM provides the following order of preference for mechanisms: Exit Libraries, K-TAP, A-TAP, PCAP.

▪ Exit libraries are IBM’s preferred monitoring mechanism offering the best performance, support for both local and network
traffic (encrypted or not), and they always capture DB_USER. However, they’re not available for Oracle Databases.
▪ K-TAP observes access to a database server by hooking the mechanisms used to communicate between the database client
and the server.
▪ A-TAP sits in the application layer to support monitoring of encrypted database traffic, which cannot be done in the kernel by
K-TAP. A-TAP is required when DBMS encryption in motion is used, but there may be other internal database implementation
details such as shared memory that require it.
▪ PCAP is a packet-capturing mechanism that listens to network traffic from and to a database server. In a UNIX environment,
since the K-TAP captures all network traffic, PCAP is rarely used. PCAP is used to capture local TCP/IP traffic on the device.

In addition to OS-specific S-TAP agents, IBM External S-TAP agents operate without installing an agent on the database server and
are able to intercept traffic between clients and databases. They forward a copy of the traffic to a Guardium collector for analysis
and policy application.

Note: Guardium v11.1 introduced support* for Oracle Unified Audit via S-TAP agents deployed with the Oracle Instant Client. This
approach should minimize agent issues but may also limit Guardium’s advertised functionality.
* Limited to 64-bit x86 Linux platforms.

Policies and Rules

Guardium uses the concept of policies to identify high-risk activity and to enforce security rules. Each policy contains an ordered set
of rules that is applied to all observed database traffic. Rules may apply to inbound requests or to outbound responses. Multiple
rules and multiple policies can be applied at the same time. Each policy rule defines a conditional action that can trigger events
(such as alerts, logs, or blocking actions) if the condition is met. Conditions may be based on user, IP address, source program, time
of day, etc. Because of this serial method of applying policy rules, there is an exponential impact on performance with each new
rule. Oracle AVDF’s SQL Grammar Analysis breaks inbound queries into grammatical chunks and evaluates each simultaneously for
numerous conditions with limited impact on performance. More on this topic.

Blocking Actions

Guardium offers several blocking actions that can be taken when a rule is satisfied.

▪ S-TAP Terminate: This approach terminates the database connection and prevents additional requests on the session. As
noted in the documentation, “the triggering request usually will not be blocked, but additional requests from that session will
be blocked (on high rate, sometimes more than one request may go through before the session is terminated).” Also, dropped
connections may impact valid user sessions and/or cause application or database errors.

▪ S-GATE Actions:
  – Attached Mode (S-GATE ON): This is database firewall mode. All database requests will be held and evaluated before
allowing traffic to proceed. This is the safest way for Guardium to assure that rogue requests will be blocked.
However, significant latency is expected. If setting to ON only when a policy condition is met (which is often
recommended), numerous access requests may get through before any blocking actions are taken.
  – Detached Mode (S-GATE OFF): With S-GATE in detached mode (or ‘off’), Guardium passes all requests to the
database without introducing latency. This should only be used in sessions that are considered safe or that cannot
tolerate the product’s latency restrictions. It’s unclear how customers should determine that sessions are ‘safe’
without proper monitoring and rule enforcement in place.
  – S-GATE Terminate: Only available for sessions with S-GATE ON, this setting will drop the reply, which typically
terminates the database session. This approach may impact valid user sessions and/or cause application or database
errors.

Note: Guardium S-GATE actions are not supported on Oracle encrypted traffic.

Guardium also offers a Query Rewrite feature which can modify inbound SQL to restrict the query results by policy. Query Rewrite
cannot be used if S-TAP is configured with S-GATE ON. As noted in the documentation, “When query rewrite is watching a session,
the sniffer is required to send engine verdicts to the S-TAP for each SQL request in the session. This process is asynchronous and
introduces latency between the sniffer and S-TAP. Create query rewrite rule conditions that avoid attaching to sessions for
performance-sensitive or trusted applications.” More on this topic.

Value Change Auditing

Some customers find Guardium’s Value Change Auditing feature to be compelling. This feature tracks changes to the values in
database tables. Each table that requires value change auditing requires specific configuration. Triggers are added to the database
to write value changes to a newly created audit database. Data is then bulk uploaded into Guardium appliances on a scheduled
basis. Once uploaded, Guardium’s other reporting and alerting features are available. This trigger-based approach increases
complexity and maintenance overhead. It also creates an additional database which needs to be secured and may be in-scope for
regulatory audits. Also, report data and alerts are delayed due to bulk import schedule. More on this topic.

Pricing
IBM Security Guardium Data Protection for Databases is offered via two pricing models: Resource Value Unit (RVU) and Processor
Value Unit (PVU). Additional features such as Data Encryption, Vulnerability Assessments, and support for Big Data or Files require
additional licensing and cost. Guardium deployments also require the purchase of hardware or virtual appliances. Alternatively, if
deployed in the cloud, cloud IaaS vendors’ charges for running Guardium virtual appliances will apply.

Resource Value Unit (RVU) Pricing: RVU pricing is based on the number of target servers. A resource, in this case, is defined as a
Managed Virtual Server (MVS). So, pricing is based on the quantity of virtual machine hosts that will be monitored by the solution.
Note that the quantities of database instances and physical servers are not relevant for RVU pricing.

IBM Security Guardium Data Protection for Databases RVU pricing is approximately $17K/RVU (via GSA; likely includes a ~20%
discount).

To estimate pricing, multiply the number of in-scope virtual machine hosts by the per-RVU cost.

Ex) 120 databases running on 80 VMs: 80 (quantity) x $17k (cost per RVU) = $1,360,000

IBM Security Guardium Data Protection for Databases is also available via a monthly RVU subscription license. Pricing is
approximately $872/RVU per month (via GSA; likely includes a ~20% discount).

To estimate pricing, multiply the number of in-scope virtual machine hosts by the per-RVU cost.

Ex) 120 databases running on 80 VMs: 80 (quantity) x $872 (cost per RVU) = $69,760/mo.

Processor Value Units (PVU) Pricing: IBM Security Guardium Data Protection for Databases PVU pricing is approximately $35/PVU
(via GSA; likely includes ~20% discount).

PVU pricing is based on IBM’s PVU value which is tied to specific hardware. Leverage IBM’s PVU calculator to calculate the precise
value for given hardware. Examples:

▪ IBM Power8 processors: PVU value = 120
▪ Dell PowerEdge Intel Xeon multi-core model 5000: PVU value = 50
▪ Dell PowerEdge Intel Xeon 4 socket multi-core model ES-4600: PVU value = 100

To estimate pricing, multiply the number of CPU cores by the PVU value and then multiply by the per-PVU cost.

Ex) 320 (quantity) IBM Power8 CPUs x 120 (PVU Value) = 38,400 x $35 (price per PVU) = $1,344,000

IBM Security Guardium Data Protection for Databases is also available via a monthly PVU subscription license. Pricing is
approximately $1.15/PVU per month. (via GSA; likely includes ~20% discount.)

To estimate pricing, multiply the number of CPU cores by the PVU value and then multiply by the per-PVU cost.

Ex) 320 (quantity) IBM Power8 CPUs x 120 (PVU Value) = 38,400 x $1.15 (price per PVU) = $44,160/mo.

Appliance Pricing: IBM Security Guardium solutions also require the purchase of hardware or virtual appliances on which the
Guardium solutions run. Review the Virtual Appliance Technical Requirements for guidelines on what hardware can be used for
virtual appliances. IBM also supports deployment of Guardium solutions to cloud IaaS platforms (including Oracle, AWS, Azure,
Google Cloud, and IBM Cloud).

IBM Security Guardium solutions require two types of appliances:

▪ Collector: monitors database activity to provide continuous fine-grained auditing and reporting, real-time policy-based
alerting and database access controls.

▪ Central Manager/Aggregator: Single point of management for the IBM InfoSphere Guardium deployment. Customers can
define enterprise-wide policies, alerts, queries and reports, install patches, push configuration and perform a variety of other
administrative tasks from a single console. Data from multiple collectors can be aggregated to the Aggregation Server to
provide holistic views and generate enterprise-level reports.

For every 100 database instances, you can expect to require 10 Collector appliances and another 1-2 Aggregator appliances.

IBM Security Guardium appliance pricing (GSA pricing likely includes ~20% discount):

▪ x2264 IBM Security Guardium Collector (D1PCULL): $9.5K (via GSA)
▪ x2264 IBM Security Guardium Aggregator (D1PCYLL): $11K (via GSA)
▪ x3164 IBM Security Guardium Collector (D1PD4LL): $16.5K (via GSA)
▪ x3164 IBM Security Guardium Aggregator (D1PD8LL): $19K (via GSA)

More Info: Software Announcement on new Guardium appliances (Oct. 2016)

Sizing notes:
▪ In the Deployment Guide for Guardium (March 2014), IBM advises that the quantity of Collectors required is based on the
required monitoring level (audit mode), the type of physical or virtual collector appliance, and the capacity of the database
server (measured by its PVU).
▪ Where there is not enough information to properly size the quantity of Collectors needed, IBM advises to “consider a ratio of
ten (10) database servers per collector appliance as a good starting point.”
▪ IBM further advises to deploy one aggregator for every 8 collectors.
▪ The Virtual Appliance Technical Requirements doc notes that in order to use mechanical disks that operate at 7200 RPM
(instead of 15,000 RPM), customers should scale back the sizing ratio by 70%. For example, if sizing estimates call for using a
Collector per every 10 S-TAP agents (database instances), the customer should deploy a Collector for every 3 S-TAP agents to
accommodate for the slower disk speed.

For more information on appliance requirements, see the software technical requirements.

About the Extended IBM Guardium Portfolio

IBM offers several data security solutions under the IBM Security Guardium brand. IBM offers Guardium security solutions for
databases, file systems, mainframes, big data, network attached storage, SharePoint, and more. For some customers, purchasing
several Guardium products together will be compelling for securing a heterogeneous environment that extends beyond databases.
So, it may not be enough to position against Guardium Data Protection for Databases. It’s worth also being aware of other offerings
in the Guardium portfolio, which include:

▪ IBM Security Guardium Data Protection for Databases: (covered above)

▪ IBM Guardium Multi-Cloud Data Protection: This solution provides the suite of IBM Security Guardium solutions delivered via
cloud-ready virtual machine images that can be hosted on popular IaaS platforms (including Oracle Cloud, AWS, Azure, Google
Cloud, and IBM Cloud). It includes data discovery and classification, vulnerability assessment, data and file activity monitoring,
risk analytics, data masking, encryption, blocking, alerting, and quarantining. The solution supports Guardium’s functionality
for databases, file systems, mainframes, and big data. This offering does not have separate documentation. Version support
appears to differ by cloud platform and customers bring their own licenses. [Sales Manual]

▪ Guardium Analyzer: SaaS offering that attempts to identify and categorize sensitive data as well as database vulnerabilities
and misconfigurations. This solution supports up to 100 databases and requires manual connection to each database via a
web form. It then scans the databases and provides a dashboard with drill-down into prioritized findings. This service requires
a Windows Server for the data connector and is priced at either $29/month per scan (job) or $50/month per database.
[Product Documentation]

Oracle Database Security Assessment Tool (DBSAT) is a stand-alone command line tool that provides security analysis for
Oracle Databases at no additional cost. It identifies security configuration issues and provides details on how to remediate the
issues. It also identifies users and entitlements and the location, type, and quantity of sensitive data.

▪ Guardium Vulnerability Assessment: On-premises appliance-based solution that scans data infrastructures (databases, data
warehouses and big data environments) to detect vulnerabilities and suggest remedial actions. The solution attempts to
identify exposures such as missing patches, weak passwords, unauthorized changes, and misconfigured privileges. Full reports
are provided as well as suggestions to address all vulnerabilities. The solution also attempts to detect behavioral
vulnerabilities such as account sharing, excessive administrative logins and unusual after-hours activity. Pricing is not
published. [Product Documentation]

▪ Guardium Data Encryption: Provides file- and volume-level encryption and associated key management for on-premises,
cloud, and hybrid environments. This solution is based on Thales Vormetric Transparent Encryption. IBM offers two versions of
this product (with or without live data transformation) and offers two pricing models: By PVU (based on the number of
processors on the target systems) or by RVU (based on the number of VMs on which encryption agents will be installed.) [IBM
does not offer product documentation on this solution. Thales provides documentation for customers only.]

Encryption at the volume is less secure because it does not follow the database if the file is copied or moved to another
volume. It also doesn’t encrypt database backups or archives that are written to unprotected volumes. Positioning against
Thales / Vormetric Transparent Encryption is covered in more detail in this compete guide.

▪ IBM Security Key Lifecycle Manager: Provides KMIP-based central key management.
This solution does not support Oracle Wallets or Keystores. So, it can only operate in a connected mode. If the connection
between KLM and the database server is interrupted, the database server will not be able to boot. It also doesn’t support
distribution of keys in RAC environments or encryption of Oracle databases archived via RMAN. Oracle Key Vault (OKV)
enables seamless integration with Oracle database technologies including Wallets/Keystores, RAC, RMAN, and more.
Positioning OKV against competitive Key Management solutions is covered in more detail in this compete guide.

▪ Guardium Insights: provides monitoring across hybrid cloud environments by centralizing data from Guardium Data
Protection's connected data warehouses, databases, big data platforms, and unstructured and z environments. It provides a
centralized console for viewing data security and audit data across Guardium’s supported platforms. IBM claims that the
service provides risk-based views and alerts, as well as advanced analytics based on proprietary Machine Learning technology
to uncover hidden threats.

Oracle Audit Vault provides a built-in secure data warehouse for centralized data storage, managing retention, and enabling
analytics. IBM requires this additional component (or an external data warehouse) to centrally store and analyze data
collected across its numerous appliances. Oracle also offers big data solutions that enable customers to create data lakes for
machine learning and analytics.

▪ Guardium Data Protection for Big Data: Automates sensitive data discovery and classification, real-time data activity
monitoring, and cognitive analytics for Hadoop and NoSQL environments. The solution leverages heuristics to identify normal
usage patterns and to attempt to provide real-time alerting of suspicious or anomalous activity. Upon detection of an
apparent attack, the solution can block access and/or quarantine users. This is essentially a data collector for the core
Guardium monitoring solution; not a separate product. [Product Documentation]

Oracle offers several big data solutions including Big Data SQL which enables use of familiar Oracle database security
approaches for Hadoop and NoSQL environments.

▪ Guardium Data Protection for Files: Provides automated discovery and classification of unstructured data in files and file
systems including NAS, SharePoint, Windows, and Unix. It also supports file activity monitoring across files and file systems
and attempts to detect unusual activity around sensitive data. [Discovery and Monitoring Documentation]

▪ IBM Data Risk Manager: helps to uncover, analyze, and visualize data-related business risks. The solution enables
practitioners to communicate business risk via data visualization and executive-friendly language. It leverages data generated
by other Guardium solutions to provide risk scores and business-friendly visualizations.

▪ IBM CloudPak for Security: In November 2019, IBM introduced this new service to help secure hybrid, multi-cloud
environments. While not part of the Guardium brand, the service is a core part of IBM’s security messaging. The service is
based on open source technologies and integrates with existing security tools such as AWS, Carbon Black, QRadar, and Splunk
to offer deeper threat insights. Connectors are pre-built for quicker configuration, but options may be limited. It enables
search, threat investigations, and case management across several security solutions at once via a centralized user experience.

IBM offers additional IBM Security Guardium product offerings that are not covered in this section. These include: IBM Guardium for
Teradata Encryption, IBM Guardium Encryption for DB2 and IMS, IBM Guardium Data Protection for NAS, IBM Security Guardium
Data Protection for SharePoint, and others.

IBM Company Information

IBM is among the world’s largest technology providers with $77 billion in revenue for FY 2019. The company does not report on
security revenue. IBM security revenue is reported as part of the company’s Cognitive Applications segment, which earned $5.8
billion (+4% y/y @cc) for the fiscal year 2019.

IBM has 500,000+ employees (LinkedIn).

Sources and Additional Information

▪ Oracle Audit Vault and Database Firewall | Documentation
▪ IBM Security Website | IBM Security Intelligence
▪ IBM Security Guardium | Documentation | Virtual Appliance Technical Requirements
▪ IBM Security Guardium Sales Manual
For published Competitive Intelligence on Security:
Cloud Security and IAM | Database Security

• Email questions or comments about this document to matthew.flynn@oracle.com.