You've Got Policies - But are They Working?
Database Risk and Compliance Adviser
In managing risk and sustaining compliance around corporate databases, a key step is defining the appropriate policies. These provide clarity and serve as yardsticks against which to measure corporate performance. Enterprises typically do a good job at identifying policies for database protection (including security, change management and other operational issues) - but that is the easy part. The greater challenge is presented in turning those written guidelines into automated and actionable activities. Only then can database managers and C-suite executives have peace of mind that database users are doing what they're supposed to do. This also supports another major challenge - providing proof to auditors that users have in fact complied with policies (in order to show compliance with industry, federal or internal regulations).
Why is it important to automate policies? For two reasons. First, validation: to provide assurance that policies are effective, every user activity must be examined against the associated policies, not a sample of them. Second, reporting: different stakeholders need different views into the operation of the organization and its adherence to policies. Traditionally, both validation and reporting have been a manual affair akin to searching for the needle in the haystack, using whatever information the underlying system happened to provide. IT auditors and technical managers manually search through available security log files to verify that activity is legitimate or to identify abnormal activity. This approach often results in frustrated employees and C-level executives who are not comfortable with their compliance and security programs. Add to that the skepticism of auditors reviewing a manual validation process, which is typically slower, more cryptic and less reliable than an automated one.
Policies provide a framework for accountability (Who did what when? Was it approved?) and visibility (Are security and business policies being followed? Has anything significant changed?). How can enterprises institute the right IT tools to turn written security policies into automated, actionable policies? Here are things that every organization should remember when shaping and implementing data protection policies.
Identify the Right Policies
Comprehensive policies are a necessary first step. Typically, IT and compliance staff will review the list of regulations and industry best practices that the company should follow and determine the implications for the IT infrastructure and its operation. Next, they must translate the resulting policies, typically written in English and at a high level, into technical terms and requirements that can be implemented in the IT environment. For example, "all changes by privileged users must be validated" might be translated into a requirement that all DBA DDL and DML activity be captured, examined and approved, which in turn means the auditing system must record who issued each statement, from where, when, and whether an approval exists for it. Some policies will be about what users are allowed to do (e.g., enforcing the principle of least privilege), and some will be about validating their activity after the fact.
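The translation just described, and the validation and reporting steps from earlier, can be made concrete as a small policy-as-code checker. What follows is an added example written for this article, not Lumigent's product or any vendor's format: the audit records are constructed, the field names, the DBA-role list and the "change ticket in a SQL comment" approval convention are all assumptions chosen to illustrate the idea, and the two reports show how the same findings can be cut differently for an auditor and for an executive.

```python
"""Policy-as-code check: "all changes by privileged users must be validated".

Technical translation used here (an assumption for this example):
  every DDL or DML statement issued by an account in a privileged role
  must carry an approved change ticket, written as /* CHG-nnnn */.
Audit records below are constructed; they are not real captured data.
"""
import re
from collections import Counter
from dataclasses import dataclass

PRIVILEGED_ROLES = {"dba", "sysadmin"}          # assumed role names
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}      # constructed approval list
TICKET_RE = re.compile(r"/\*\s*(CHG-\d+)\s*\*/")


@dataclass(frozen=True)
class AuditEvent:
    ts: str        # when
    user: str      # who
    role: str      # which privilege level the account holds
    client: str    # from where
    sql: str       # what


def statement_kind(sql: str) -> str:
    """Classify a statement by its leading verb: DDL, DML or READ."""
    verb = sql.lstrip().split(None, 1)[0].upper().rstrip(";")
    if verb in DDL:
        return "DDL"
    if verb in DML:
        return "DML"
    return "READ"


def ticket_in(sql: str):
    """Return the change ticket referenced in the statement, if any."""
    m = TICKET_RE.search(sql)
    return m.group(1) if m else None


def evaluate(events):
    """Validation: compare every event to the policy; return the breaches."""
    findings = []
    for e in events:
        if e.role not in PRIVILEGED_ROLES or statement_kind(e.sql) == "READ":
            continue  # policy only governs privileged changes
        ticket = ticket_in(e.sql)
        if ticket is None:
            findings.append((e, "privileged change without change ticket"))
        elif ticket not in APPROVED_TICKETS:
            findings.append((e, f"ticket {ticket} is not approved"))
    return findings


def auditor_report(events, findings):
    """Reporting, auditor view: every privileged change, with its status."""
    breached = {id(e) for e, _ in findings}
    rows = []
    for e in events:
        if e.role in PRIVILEGED_ROLES and statement_kind(e.sql) != "READ":
            status = "BREACH" if id(e) in breached else "validated"
            rows.append(f"{e.ts} {e.user}@{e.client} {statement_kind(e.sql)} {status}")
    return rows


def executive_report(events, findings):
    """Reporting, executive view: counts only, one line per privileged user."""
    changes = Counter(e.user for e in events
                      if e.role in PRIVILEGED_ROLES and statement_kind(e.sql) != "READ")
    breaches = Counter(e.user for e, _ in findings)
    return {u: {"changes": n, "breaches": breaches[u]} for u, n in changes.items()}


# Constructed sample of what an auditing system might have collected.
SAMPLE_EVENTS = [
    AuditEvent("2006-03-01T09:00", "dba1", "dba", "10.0.0.5",
               "ALTER TABLE accounts ADD COLUMN risk_flag int /* CHG-1001 */"),
    AuditEvent("2006-03-01T09:05", "dba1", "dba", "10.0.0.5",
               "UPDATE accounts SET balance = 0 WHERE id = 42"),
    AuditEvent("2006-03-01T09:06", "app_svc", "app", "10.0.1.20",
               "INSERT INTO orders (id, qty) VALUES (1, 10)"),
    AuditEvent("2006-03-01T09:10", "dba2", "sysadmin", "console",
               "DROP TABLE audit_shadow /* CHG-9999 */"),
    AuditEvent("2006-03-01T09:11", "dba2", "sysadmin", "console",
               "SELECT count(*) FROM accounts"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for e, reason in found:
        print(f"{e.ts} {e.user}: {reason}")
    print(*auditor_report(SAMPLE_EVENTS, found), sep="\n")
    print(executive_report(SAMPLE_EVENTS, found))
```

The unprivileged application insert and the DBA's SELECT pass through untouched; the two breaches are the DBA update with no ticket and the DROP that cites a ticket nobody approved. The auditor view lists each privileged change with its outcome, the executive view collapses the same findings to counts per user, which is the "different views for different stakeholders" point above.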
One of the challenges is that policies typically reflect a moment in time. Elements within the organization will change over time - whether it be a business process, new products or new target markets - and these changes can have an impact on the policies required. Nonetheless, many of the policies related to database protection are relatively generic and provide visibility and oversight even if the business context changes.
Pick the Best Solution
Once the policies are defined, it is important to invest in automation, to bring the policies to life and to provide ongoing accountability and visibility. For databases, this means finding a database auditing system. Two key factors affect the choice of an automated solution: credibility and efficiency. Credibility refers to the degree to which the audit system and information is trusted. Efficiency refers to the ease with which one can implement a solution within one's IT environment.
To illustrate these points, let's focus on a key part of policy automation, namely, capturing database activity so that it can be reviewed and, if needed, acted upon. There are three ways to capture user activity on a database. Each one has merits and each has its own champions. The three methods of activity collection are: 1) capturing traffic as it flows across the network, 2) analyzing the database's transaction log files, which record the actual changes made to the data, or 3) relying on the database's native auditing capabilities. Historically, vendors specialized in one of these approaches, and organizations have had to settle on one based on business needs (e.g., preferring to source from a single vendor), cost or IT constraints (e.g., native audit imposes too high an overhead on a key production system). The downside of selecting a single approach has been that companies are not able to realize the benefits of the other two and may leave coverage gaps in their systems: network capture shows what a client sent but not the actual effect on the underlying database, and it misses activity that never crosses the monitored network segment, such as a local console session. This reduces the credibility of the implemented solution.
There are now software solutions that combine the three approaches to activity capture, so that organizations no longer need to choose one approach over the others and can, for the first time, mix and match the three as dictated by IT or regulatory requirements. Some organizations' needs fall clearly into one camp over another, but many users are best served by having all three options available. In combination, or used for different purposes, these three methods do an excellent job of watching database activity and warning when there is a policy breach.
For example, do you need to monitor and protect a real-time financial trading system in a giant brokerage? Then combine network activity collection with transaction log information to provide the most complete view without touching the production systems. To protect the integrity of back-end reconciliation systems or back-office applications in the same brokerage, one could use log analysis to have a definitive record of what actually happened to the data in the database. The flexibility of multiple approaches leads to greater credibility and efficiency.
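To make the "coverage gap" point tangible, here is an added example that is not from the article or from any vendor: it reconciles two constructed capture streams for the brokerage scenario above, statements seen by a network tap and change records read from the transaction log. A write statement seen on the wire with no corresponding logged change is something the network view alone would have reported as a change that never actually happened (rejected, rolled back, or never committed); a logged change with no wire statement behind it is activity that bypassed the network tap entirely. The record layouts, the session identifiers and the five-second matching window are assumptions for illustration.

```python
"""Reconcile network-captured statements against transaction-log changes.

Two constructed event streams for one brokerage database:
  wire: what clients sent, as seen by a network capture (attempted activity)
  log:  what the transaction log says was committed (actual data impact)
Correlation key and time window are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WireStatement:
    ts: float       # seconds, from the capture clock
    session: str    # database session id seen in the protocol stream
    user: str
    sql: str


@dataclass(frozen=True)
class LogChange:
    ts: float       # commit time from the transaction log
    session: str    # session that performed the change
    table: str
    op: str         # INSERT / UPDATE / DELETE ...
    rows: int       # rows actually affected


WRITE_VERBS = ("INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "DROP", "ALTER")


def is_write(sql: str) -> bool:
    """True if the statement can change data or schema."""
    return sql.lstrip().upper().startswith(WRITE_VERBS)


def reconcile(wire, log, window=5.0):
    """Match each wire write to a logged change in the same session.

    Returns a list of (gap_kind, session, detail) tuples:
      no_effect : write seen on the wire, nothing committed in the log
      no_origin : committed change with no network-visible statement
    Reads on the wire are ignored; they leave no trace in the transaction log.
    """
    matched = set()
    gaps = []
    for w in wire:
        if not is_write(w.sql):
            continue
        hits = [i for i, c in enumerate(log)
                if c.session == w.session
                and 0 <= c.ts - w.ts <= window
                and i not in matched]
        if hits:
            matched.add(hits[0])
        else:
            gaps.append(("no_effect", w.session, w.sql))
    for i, c in enumerate(log):
        if i not in matched:
            gaps.append(("no_origin", c.session, f"{c.op} {c.table} ({c.rows} rows)"))
    return gaps


# Constructed sample streams.
WIRE = [
    WireStatement(100.0, "s1", "trader_app", "UPDATE positions SET qty = qty - 50 WHERE id = 7"),
    WireStatement(101.0, "s2", "trader_app", "SELECT qty FROM positions WHERE id = 7"),
    WireStatement(102.0, "s3", "dba1", "DELETE FROM trade_log WHERE day < '2006-01-01'"),
    WireStatement(103.0, "s1", "trader_app", "INSERT INTO orders (id, qty) VALUES (9, 50)"),
]
LOG = [
    LogChange(100.2, "s1", "positions", "UPDATE", 1),
    LogChange(103.1, "s1", "orders", "INSERT", 1),
    LogChange(150.0, "local-console", "positions", "UPDATE", 4200),
]

if __name__ == "__main__":
    for kind, session, detail in reconcile(WIRE, LOG):
        print(f"{kind:10} session={session:14} {detail}")
```

On this data the two trader_app writes match their log entries and the SELECT is ignored. The DBA's DELETE appears on the wire but never commits, so a network-only monitor would have over-reported a purge that did not occur, while the 4,200-row UPDATE from a local console shows up only in the log, which is the case a network-only deployment would have missed altogether.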
It's a Process, not an Event
Customers in highly regulated industries have told me that they are basically in a constant state of audit: with the ever-increasing number of industry regulations, they are dealing with one audit after another, or even overlapping audits. So audits are no longer the one-off events they were in the past; they are a continuous state of being, so to speak. Many stakeholders are deeply interested in how well a company is keeping track of its most valuable data, and a compliance requirement can come at a business from any number of angles. Sarbanes-Oxley, privacy and PCI requirements, privileged user monitoring, fraud detection and database forensics might all bring auditing requirements to the door.
Again, automation of policies serves the organization well - companies can work toward an ongoing, sustainable state of compliance by implementing a comprehensive database auditing solution. This permits the organization to reduce the IT personnel costs associated with compliance, reduce audit scrutiny, have better forensic and investigative information, avoid ad hoc fire drills associated with producing audit reports and so on. The right policies combined with the right automation - a match made in compliance heaven.
Dr. Murray Mazer is co-founder and vice president of Lumigent, a leading software company specializing in database auditing for compliance, security and risk management. Mazer works with Lumigent's most strategic partners and customers. He contributes thought leadership on compliance and best practices to the IT compliance and security communities through presentations, articles, interviews and other activities. A former Rotary International Scholar and reformed thespian, Mazer received the Ph.D. in computer science from the database group at the University of Toronto, where he was elected Junior Fellow at Massey College and Trinity College. You can reach him at murray.mazer@lumigent.com