In-Depth

Database Auditing Gets Serious

Why database-auditing software is critical to protecting your company’s assets

Modern information workers can experience some of their forefather’s trepidation to a similar announcement by saying, sans horse and tri-point cap, “The auditors are coming! The auditors are coming!” Fortunately, several companies make database auditing or database activity-monitoring software that may change the reflexive emotion response to the word “audit” from four-letter stigma to reassuring comfort.

Last month Oracle and Lumigent unveiled new and revised products (respectively) that give enterprises and institutions a better handle on their electronic crown jewels.

Take the acronym or hyphenated-proper-name regulatory standards that cover your entity, be it an enterprise, an institution, or a government agency. Protecting sensitive information is part roadblock and part watchdog. The right people need access to the data and the wrong people must be blocked, but that protection also must help ensure the right people who can work with the data don’t do the wrong things.

That’s the dual role of database-auditing software, which monitors access to sensitive information both for compliance to standards and for potential threats. That threat can be outsiders hacking in, malicious insiders twisting transactions, or good people doing the wrong things. The results of this software shouldn’t be just checking a box on a regulatory form; the results should be an integral part of many IT departments.

Last week, Oracle announced its new Audit Vault. It collects audit data from Oracle 9i R2, 10g, and 10g R2 databases, operating system trails, and the pre- and post-transaction values using transactions logs. The collected data, which is obviously stored in an Oracle database, forms the basis for a standard bevy of stock or customizable audit reports covering privileged users, account management, role/privilege assignment, object management, and system management across the enterprise.

Just as importantly, Audit Vault monitors the incoming audit stream and can launch alerts based on suspicious activity triggers such as application table changes, role grants, or privilege user creation.

In many aspects, Lumigent one-ups (or even two-ups) Oracle’s first version product with its Audit DB 6.0. Lumigent offers canned reports for a larger number of regulatory needs and does a flasher job of reporting. The product makes a broader examination of the database for patches, vulnerabilities, and exposures, and ties the listing to CVE advisories. Like Oracle’s product, Audit DB can launch real-time alerts for policy violations or other triggers.

Unlike Audit Vault, Audit DB can use either MS SQL Server or Oracle to store the data. Audit DB does a triple take, able to monitor network traffic in addition to reading both transaction logs and the native audit tracks of databases.

While price is only a portion of TCO, Oracle more steeply discounts its product. However, the MSRP for Oracle is $50K per processor and $3K per agent. Lumigent’s MSRP is $10.5K for up to a 4-CPU server plus the cost of other agents. Figure a couple of weeks for either to be fully implemented.

Database Heterogeneity and the Real World

While Oracle does Oracle 9 R2 and 10, Lumigent does IBM DB2, MS SQL Server, Sybase, and Oracle 8, 9, and 10. Therein lies a major difference.

If you are strictly an Oracle shop, and that means only 9i R2 and later, then Audit Vault may appeal to you. However, most corporations and institutions I know have a “Heinz 57” collection of database software. It can be through merger and acquisition activity. It can be organically grown from different parts of the house. It can be a major application whose database is shoved down the purchaser’s throat.

Whatever the reason, in most cases and most entities, heterogeneity rules, and that’s where Lumigent is the hands-down winner of the two.

Recall that Lumigent isn’t the only player in town. Rich Mogull, research VP at Gartner Group, ticked off the names of Impreva, Guardium, Application Security Incorporated, and Tizor as other majors in the database-activity monitoring arena.

His shopping list hot-buttons: make sure the product is compatible with the existing database structure and the actual databases you use; ensure the product can make performance requirements and, if needed, move the load off the existing database host to a monitoring host; if the software is a network-based tool, make sure it monitors local database server logins and activity; set up policies and proactively monitor use to quickly alert operations and security groups when users do something they shouldn’t.

From an outsider threat, a company such as TJX would have seen their problems if a database monitor had been deployed. Fraud isn’t the only insider threat these products can spot. One company found some of its developers running untested code on production databases, a practice most IT departments view as “not good.”

In the past, most companies have been bought into the game when their auditors reported a deficiency or stated, “You have to have it.” Others, such as the financial or medical industries, are buying in because regulations virtually demand it. Even researchers working with confidential data from the Department of Defense, Department of Energy, or big pharma may find their agreements require audits and become candidates for the software.

As for the rest, Judith Hurwitz, president of analyst firm Hurwitz and Associates, offers a pragmatic approach. “It’s about risk and it’s like insurance. It’s about how safe and secure is the data, what and who can touch what data, [and] how confidential is the data to clients and customers.”

Hurwitz also notes, “You don’t have to be a Fortune 500 company to be audited. If you don’t have a database auditing product and can’t produce the needed data, the auditing firm will happily charge hundred of dollars an hour for a junior member to compile that data. Then the senior auditors get involved.”

Both Hurwitz and Mogull share the same thinking: database-auditing software is complimentary to security information/event managers (SIMS/SEMS), but there is little overlap. One focuses on networks and systems activity, the other on database and application activity.

While real-time reporting has a place, most companies can be well-served by overnight reports. In fact, one CSO comments there are no more monthly or quarterly audits; it’s a daily task mainstreamed into everyday (actually, overnight) operations.

If your company doesn’t have a database monitor in place, you must assess your level of risk. With risk comes need. If you have confidential information or are subject to regulatory audits, you are better off proactively turning auditing into an assurance rather than facing a firing squad of deficiency reports fired from an auditor’s pen. It can keep a company off the front page of the Wall Street Journal and allows CxOs to rest better at night.

Must Read Articles