Introduction
Databases are the most strategic asset of any organization because they store extraordinarily valuable information: customer records, financial data, and partner information.
Because databases house such sensitive data, government
and private industry have enacted a raft of regulations that
force organizations to audit and secure their databases. With
new regulations enacted every year, IT staff is saddled with
a mushrooming number of compliance reporting processes.
This paper examines the database security and compliance
requirements imposed on today’s organizations, including:
» Monitoring access to sensitive data
» Auditing changes to financial records
» Protecting databases from attack and internal abuse
» Demonstrating compliance through clear, comprehensible reports
As shown above, government and industry regulations force organizations to track changes to sensitive
information. Data governance laws require that organizations implement database controls and that they
maintain database audit trails that are independent of the individuals being audited. While data protection laws
focus on securing data, they often stipulate that companies monitor sensitive data activity to ensure that data
has not been compromised. For example, the PCI Data Security Standard (PCI DSS) requires that merchants track
all access to credit card data. Section 10 in the PCI standard lays out over two dozen auditing requirements,
including tracking individual access to cardholder data and protecting audit trails from unauthorized
modifications.
All businesses that process, store, or transfer credit cards must comply with the PCI standard or be subject to
fines of up to $500,000 USD per incident. Merchants that fail to comply may lose the right to process credit
cards altogether. For many merchants, processing credit cards is not optional; it is a fundamental business
requirement. As with PCI and SOX, violating dozens of other regulations can lead to fines and government
sanctions. Other requirements, such as ISO standard certification, may be necessary to retain business partners
or customers. The financial consequences of non-compliance can include lost revenues and brand damage.
Tackling compliance head-on by establishing well-thought-out, comprehensive processes and initiatives will not
only achieve efficiencies; it will ensure long-term business viability.
Demonstrating Compliance
Besides complying with numerous mandates, organizations today must document and demonstrate compliance
to external auditors and governmental agencies. Organizations must prove that compliance processes
are in place and obeyed. Lastly, they must collect pertinent audit and security data and present it in clear,
understandable reports. Since compliance reports are an unnamed, but nevertheless essential, requirement for
governance, any compliance initiative must include:
» Compliance Reports – Organizations must produce multiple reports for each compliance initiative, including
reports documenting security events, user activity, change management, vulnerability assessment and system
administration.
Many regulations stipulate that compliance reports should be distributed, reviewed and approved by key
stakeholders. To meet regulatory and internal security and auditing requirements, compliance reports must
often be reformatted and distributed to internal and external audiences.
Again, like database auditing, reporting requirements can drive up operational expenses, especially when
reporting processes are manual. Businesses should seek to optimize and automate reporting processes to reduce
operational overhead.
» Vulnerability Assessment – Organizations should assess their databases for the configuration flaws and
vulnerabilities that could lead to a data breach. Assessment tests should identify and present discovered
vulnerabilities, their severity level, and vulnerability mitigation steps in clear, comprehensible assessment reports.
» Database and Application Attack Prevention – To protect database data, organizations should monitor and
block attacks on databases. Due to the unique nature of database attacks, a security solution must recognize
known database exploits, but it must also identify changes in user activity that could signal insider abuse. Since
many database attacks are launched through Internet-facing Web applications, organizations should fortify their
Web applications against application attacks. An intelligent Web application firewall can provide the first line of
defense against database attacks.
» Database Activity Auditing for Forensics – If unauthorized activity does occur, organizations must be able to
track the source of the data leak. Comprehensive database auditing enables organizations to reconstruct past
events and determine the extent of a compromise. An auditing solution helps reduce the scope of a data breach
and limit liability by identifying the individual records that may be exposed, rather than the entire database.
database auditing. Because corporate databases play such a fundamental role for the business, organizations
must maintain optimal database performance, typically by purchasing additional database software and
hardware. Native database auditing therefore entails hundreds of thousands or even millions of dollars of capital expenses.
Making it Manual
In addition to the performance impact, organizations that use native database logging tools must invest in
personnel to manage, collect, and review log data and to produce meaningful compliance reports. With these
operationally expensive manual processes, it is not surprising that U.S. businesses spent over $2.5 billion USD
on head count costs for SOX compliance in 2007 [3]. These compliance expenses escalate disproportionately every
time a new regulation is introduced. For many businesses, the decision to “do nothing” and follow a status quo of
native logging tools and manual compliance processes is an extremely expensive proposition.
[3] AMR Research, “With GRC Spending at an All-Time High, What Happens to SOX?”, 2008
» Independence and Separation of Duties – To ensure integrity, database audit trails should be managed by
individuals outside of the database administration team. SecureSphere enables separation of duties and it can be
deployed without database privileges. It can be operated by compliance or security staff without DBA expertise. In
addition, audit logs can be digitally signed and encrypted to prevent tampering.
» Material Variance in User Activity – SecureSphere’s Dynamic Profiling technology automatically creates and
maintains a baseline profile of each user’s activity. Database traffic can be compared to the assessed baseline or to
job function or regulatory requirements. By learning database users and query groups, SecureSphere reduces the
time required to configure audit rules and security alerts from weeks to just minutes.
» Database and Sensitive Data Discovery – SecureSphere scans a network IP range to detect all existing
databases including rogue databases. Then SecureSphere searches each database for sensitive information such
as social security numbers, credit card numbers and national ID numbers. With SecureSphere, customers obtain a
clear and accurate report of all sensitive databases in their network.
» Vulnerability Assessment – SecureSphere delivers both configuration and behavior assessment. With over 500
assessment tests, SecureSphere can accurately uncover a myriad of vulnerabilities and poor business practices.
Assessment results are presented in clear, actionable reports that prioritize risk and describe mitigation steps.
» Database Protection – SecureSphere’s integrated Intrusion Prevention System (IPS) detects and blocks database
attacks and SQL protocol exploits. With up-to-date policies from the Imperva Application Defense Center (ADC),
SecureSphere enables DBAs to apply database vulnerability patches on their own schedule.
» Web Application Protection – SecureSphere can protect transactions from the end user through the Web
application to the database. With a simple license upgrade to the SecureSphere Data Security Suite, SecureSphere
not only protects databases but also safeguards Web applications. SecureSphere leverages multiple defenses
to accurately block SQL injection, XSS, session hijacking and other Web application attacks. SecureSphere protects
more Web sites than any other commercial Web application firewall.
[4] SecureSphere Database Activity Monitoring provides the same discovery, assessment, auditing and reporting capabilities as the Database
Firewall, but it cannot block attacks or unauthorized transactions.
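The PCI requirement to protect audit trails from modification (see the Introduction) and the signed, independently managed audit logs in the Independence and Separation of Duties bullet above rest on one mechanism. What follows is an added example, not SecureSphere's or Imperva's code: each record carries an HMAC-SHA256 tag chained to the previous record under a key held by the compliance team rather than the DBAs. The key, user names and records are constructed placeholders, and only tamper detection is shown, not the encryption half.

```python
import hashlib
import hmac
import json
# Constructed placeholder key. It is held by compliance or security staff, not by the
# DBAs whose activity is recorded, so a DBA cannot re-sign records after altering them.
AUDIT_KEY = b"compliance-team-key-placeholder"

def _tag(key, prev_tag, entry):
    """HMAC-SHA256 over the previous record's tag plus this entry's canonical JSON."""
    payload = prev_tag.encode() + b"\n" + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_entry(log, key, entry):
    """Append one audit record; its tag chains it to the record before it."""
    prev = log[-1]["tag"] if log else "genesis"
    record = {"entry": dict(entry), "tag": _tag(key, prev, entry)}
    log.append(record)
    return record

def verify_log(log, key):
    """(True, None) if the chain is intact, else (False, index of the first bad record)."""
    prev = "genesis"
    for i, record in enumerate(log):
        if not hmac.compare_digest(record["tag"], _tag(key, prev, record["entry"])):
            return False, i
        prev = record["tag"]
    return True, None

# Constructed sample records: statements against a cardholder-data table.
SAMPLE = [
    {"ts": "2008-03-01T09:14:02Z", "user": "app_svc", "src": "10.1.5.20",
     "sql": "SELECT pan FROM cards WHERE id=42"},
    {"ts": "2008-03-01T09:15:40Z", "user": "dba_joe", "src": "10.1.9.7",
     "sql": "SELECT * FROM cards"},
    {"ts": "2008-03-01T09:16:11Z", "user": "dba_joe", "src": "10.1.9.7",
     "sql": "DELETE FROM audit_copy"},
]

def build_sample_log():
    log = []
    for entry in SAMPLE:
        append_entry(log, AUDIT_KEY, entry)
    return log

def demo_tamper():
    """Rewrite record 1 to hide the DBA's full-table read; verification flags index 1."""
    log = build_sample_log()
    log[1]["entry"]["user"] = "app_svc"
    return verify_log(log, AUDIT_KEY)
```

Edits, interior deletions and reordering all break the chain, but truncating the newest records does not; the latest tag has to be recorded outside the database (for example by the compliance team) so that the tail can be checked as well.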
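The Material Variance in User Activity bullet describes learning a per-user baseline and comparing later traffic against it. Below is an added example of that idea, not SecureSphere's Dynamic Profiling: the profile also keys on hour of day and source network, which covers the unauthorized-location and atypical-time case described in the Bank example later on this page. All events, users, tables and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tables referenced by a statement; a simple regex stands in for a real SQL parser.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)

def features(ev):
    """Feature sets for one audit event: verb, tables touched, UTC hour, source /24."""
    sql = ev["sql"].strip()
    return {
        "verb": {sql.split(None, 1)[0].upper()},
        "table": {t.lower() for t in TABLE_RE.findall(sql)},
        "hour": {datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour},
        "net": {".".join(ev["src"].split(".")[:3]) + ".0/24"},
    }

def build_profiles(events):
    """Learn, per user, every verb, table, hour and source network seen while learning."""
    profiles = defaultdict(lambda: {k: set() for k in ("verb", "table", "hour", "net")})
    for ev in events:
        for k, vals in features(ev).items():
            profiles[ev["user"]][k] |= vals
    return dict(profiles)

def deviations(profiles, ev):
    """Describe how one event departs from its user's baseline; an empty list means normal."""
    p = profiles.get(ev["user"])
    if p is None:
        return ["unknown user"]
    return ["new %s %s" % (k, v) for k, vals in features(ev).items()
            for v in sorted(vals - p[k])]

# Constructed learning-period events for an application service account: business
# hours, one subnet, two tables. Only this traffic shapes the baseline.
BASELINE_EVENTS = [
    {"user": "app_svc", "ts": "2008-03-03T09:05:00Z", "src": "10.1.5.20",
     "sql": "SELECT name FROM customers WHERE id=1"},
    {"user": "app_svc", "ts": "2008-03-03T14:30:00Z", "src": "10.1.5.21",
     "sql": "INSERT INTO orders VALUES (1, 2, 3)"},
    {"user": "app_svc", "ts": "2008-03-04T11:12:00Z", "src": "10.1.5.20",
     "sql": "SELECT o.id FROM orders o JOIN customers c ON c.id = o.cid"},
]
```

A learning period that already contains abuse bakes it into the baseline, so the learned profile should be reviewed against job function before alerts are enforced, which is the comparison the bullet itself mentions.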
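For the Database and Sensitive Data Discovery bullet, here is an added example (not SecureSphere's scanner) of classifying sampled column values: a column counts as cardholder data only when its digit strings also pass the Luhn checksum, which is what keeps 16-digit order IDs from being reported as card numbers. Column names and values are constructed, and the tax-id check is a format match only.

```python
import re

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value, require_luhn=True):
    """Return 'card', 'ssn' or None for one cell. The SSN test is format-only."""
    if re.fullmatch(r"\d{3}-\d{2}-\d{4}", value):
        return "ssn"
    digits = re.sub(r"[ -]", "", value)
    if digits.isdigit() and 13 <= len(digits) <= 19 and (luhn_ok(digits) or not require_luhn):
        return "card"
    return None

def classify_column(values, require_luhn=True, threshold=0.5):
    """Label a column by the sensitive type found in at least `threshold` of its sampled values."""
    counts = {}
    for v in values:
        label = classify_value(v, require_luhn)
        if label:
            counts[label] = counts.get(label, 0) + 1
    for label, n in counts.items():
        if n / len(values) >= threshold:
            return label
    return None

def discover(table):
    """Map each column of a sampled table {column: [values]} to its label, skipping clean columns."""
    found = {}
    for col, vals in table.items():
        label = classify_column(vals)
        if label:
            found[col] = label
    return found

# Constructed sample rows. The card numbers are the widely published Visa, Mastercard and
# Amex test numbers; the order IDs are 16 digits long but fail the Luhn check.
SAMPLE_TABLE = {
    "card_no": ["4111111111111111", "5500 0000 0000 0004", "3782-822463-10005", "n/a"],
    "order_id": ["4111111111111112", "1234567812345678", "9999000011112222", "4000000000000001"],
    "tax_id": ["123-45-6789", "987-65-4321", "pending"],
    "email": ["a@example.com", "b@example.com", "c@example.com"],
}
```

The threshold is a fraction rather than all-or-nothing so that placeholder values such as "n/a" or "pending" in part of a column do not hide the sensitive values around them.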
Imperva White Paper: The Business Case for Database Security
SecureSphere’s comprehensive audit data boosts forensics efforts. By recording every query to sensitive tables,
SecureSphere can enable IT staff to track suspicious transactions after a security event occurs and accurately
assess the scope of a security incident, limiting overall liability.
SecureSphere Database Security Solutions provide additional benefits such as enforcing separation of duties for
database audits and eliminating human error in compliance reporting processes. Considering the auditing,
reporting, and security cost savings that SecureSphere offers, organizations can follow the lead of hundreds of
the world’s top businesses by selecting SecureSphere to audit and protect their databases.
Finally, SecureSphere allowed security personnel to go beyond compliance monitoring and secure critical
applications by blocking malicious activity. The network security team wanted to prevent users from accessing
critical systems from unauthorized locations and at atypical times of the day. The security and audit staff realized
that security and compliance go hand in hand. By extending SecureSphere to proactive protection, the Bank
could avoid the incredibly high costs of a data security breach. With SecureSphere, the Bank gained the ability to
prevent malicious activity before it could impact the business.
The Bank wanted a turnkey solution that could be deployed in time to meet looming compliance requirements.
SecureSphere was deployed and fully operational in a few hours without requiring any manual set up. Database
and application administrators were not affected by the deployment and have not witnessed any degradation
in performance.
SecureSphere is currently monitoring and protecting all of the Bank’s customer and financial databases. The
audit staff and company executives can now obtain quick answers to their compliance questions in a language
and format they can easily understand. And the audit staff no longer fears visits from external auditors. With
SecureSphere, they have easily passed all of their compliance audits.
Summary
As compliance regulations become more stringent and database threats escalate, the need for database security
has become imperative. At the center of this perfect storm are a host of regulations that mandate database
protection and enforce incident response. Initiatives such as the PCI Data Security Standard set forth database
security and monitoring requirements. Other regulations, like SOX, require that businesses implement and
validate controls over financial data. A dedicated database security solution not only satisfies these compliance
requirements, it also lowers the recurring costs associated with manual audit and reporting.
A dedicated database security solution also safeguards database assets from attack and compromise. It provides
a level of comfort to senior management that the organization is mitigating internal and external threats and
managing overall risk. A database security solution assures an organization’s stakeholders that the organization’s
most sensitive and strategic information is safe.
When compared to alternative solutions such as native database auditing or network firewalls, SecureSphere
Database Security Solutions are the only sensible and effective choice. SecureSphere delivers a comprehensive
and independent auditing solution that is easy to deploy and manage. With SecureSphere, organizations can:
» Lower the cost of database auditing while implementing separation of duties
» Automate compliance reporting
» Monitor and protect sensitive database data
» Discover databases and sensitive information
» Assess databases for vulnerabilities
» Achieve user accountability, even in multi-tier environments
With its indisputable value, it is not surprising that SecureSphere has become the market leader in
application and data security. Trusted by hundreds of leading organizations around the world, SecureSphere is
the practical, cost-effective solution for database auditing and security.