Application security outfit Imperva says its security gateway can now log and block user access to databases by pulling user identity information out of an SQL connection.

According to Imperva, the SecureSphere Database Monitoring/Security Gateway acts as a kind of UTM or firewall for databases. It can already control access via web applications - for example, to block SQL-injection attacks - and now it can also control access via packaged applications that use SQL, such as Oracle and SAP.

Security standards such as PCI require data users to be individually identified. Imperva claimed that pulling identity data out of SQL means this can be done transparently, even where users share a pooled connection to the database.

The gateway does two things, claimed Imperva boss and co-founder Shlomo Kramer. First, it stops people stealing data from the database by profiling "normal" behaviour, then flagging and blocking attempts to pull out information that they are not entitled to. Second, it tracks database access for compliance purposes.

The latter reflects the changing picture of security, he said. It is not enough now to protect against hackers and crackers - you must also defend yourself against auditors and regulators.

"The basic compliance question is 'Who did what to my data?', and we are now able to provide that information for auditing," said Kramer. "It will be very relevant if you have to reveal a data loss or breach."

Imperva's first step is to locate your databases and automatically classify them for sensitivity, for example by spotting credit card numbers. Then, a scanning program looks for vulnerabilities such as shared accounts, weak passwords, missing software patches and so on. Called Scuba, this scanner is available for free download, Kramer said.

After that, the administrator is ready to start setting controls, audit trails and alerting, he said.

"We sit on the network and monitor traffic to build a profile of how people access and use data - we call it Dynamic Profiling," he explained. "The aim is to identify where your access deviates from the norm, for example if you decide to steal information, you'll access different areas of the database and different information.

"The concepts are the same as those behind the web application firewall, but where those companies see themselves as protecting the web, we see ourselves protecting the database."

The SecureSphere gateway typically costs between $30,000 and $180,000, depending on the size of the network to be protected, Imperva said.