
A Gaping Hole In Compliance Efforts


By Rob Gardos, CEO, GridApp Systems

Thanks to Sarbanes-Oxley and other compliance regulations, companies have gone to great lengths to ensure they're not breaking the law when it comes to information security and reporting.

But in spite of their best efforts, the vast majority of organizations have left a gaping hole in their compliance efforts by ignoring the database and database administrator (DBA).

At the heart of this issue is a very important question that many CIOs, CFOs and CEOs of large enterprises should be asking, but aren't: Who controls the data? If they were, they would realize that the person with the greatest unimpeded power over their data integrity is the administrative-level DBA.

Currently, most efforts to comply with Sarbanes-Oxley have concentrated on monitoring at the application level, leaving the database to be managed manually by individual DBAs.

Control of the database is a powerful thing. The disturbing rise in internal security breaches confirms the problem that even seemingly secure organizations have in controlling their database infrastructure. Case in point: the U.S. Air Force. This summer, the Air Force reported that a malicious user obtained access to an assignment and career database using a legitimate user's login.

The information contained in the database included the birth dates and Social Security numbers of nearly 33,000 high-ranking personnel. These types of intentional (or unintentional) breaches of security not only compromise an organization's strongest compliance efforts, but call into question the privacy and validity of all information tracked.

Lack of Control: How Did We Get Here?

The degree of an organization's vulnerability to rogue DBA activity or DBA errors is alarming, particularly as the penalty for non-compliance can mean jail time. The reality is that very few enterprises have installed software or hardware controls that monitor DBA activity, empowering the DBA to circumvent controls by connecting directly into the database. As a result, DBAs have the power to change, delete and alter data, virtually unchecked.

Auditors and accountants can spend countless hours and precious resources ensuring the integrity of data and investigating potential rogue activity, but if the data is manipulated at the system level by people who have an inside understanding of the data model and an ability to modify the audit trail, reporting and validating methods become largely ineffectual.

Manipulation aside, what about common data entry mistakes that inevitably occur? And how do we differentiate between rogue activity and an honest mistake?

DBAs typically have direct access to the inner workings of an application's data repository and are tasked with keeping the motor running smoothly. When it comes to looking at data, changing data and even deleting data, they need a great degree of power and control to get their jobs done. That said, no employee within an organization should have such unfettered abilities to compromise data, especially in light of the following facts:

- The number of databases and amount of data tracked is growing. Fast. Database environments are getting more complex as the number of databases - and the amount of data within those databases - continue to increase. Moreover, the ongoing need to implement hundreds of different patch levels, as well as the introduction of new versions and security updates, are serving to tax DBA resources more than ever.

- The DBA is a high-turnover position. Nearly half of all DBAs will leave their job within 24 months. Additionally, the DBA is one of the most difficult positions for an organization to replace.

- Enterprises are increasingly reliant on DBAs. The number of working DBAs has grown significantly faster than other IT-related jobs, jumping 10% from a year ago and 36% since 2001. The demand for database administrators is expected to continue, with Labor Statistics projecting a 66% growth in jobs through 2010. This is a clear sign of how enterprises are becoming increasingly reliant on DBAs.

Increasing complexity, rotating bodies and inadequate auditing translate into more opportunities to compromise data security. It's not merely about conscious vindictive behavior. It's about the large number of reports that ultimately feed a company's final financial documentation, documentation upon which the careers of CFOs and CEOs are riding.

Database Automation: Plugging the Hole

But what options do we have to get a handle on both the growing data beast and its tamer? The one currently most favored within enterprises is to throw more bodies at the problem. Theoretically, if everyone serves as a watchdog and monitors everyone else, legitimate and illegitimate mistakes can be identified and averted. Although this certainly helps mitigate the issue, it is an incredibly expensive approach that is still error-prone.

What the enterprise needs is a centralized, automated mechanism to track DBA behavior that is both manageable and irrefutable. When DBA and database monitoring is systematized and automated, data integrity can be reliably ensured even as the IT architecture grows in size and complexity. The good news is that databases are already capable of providing users with just the sort of information they need to ensure compliance and monitoring, so addressing this problem is simpler than most CIOs - or even DBAs - may realize.

What Should Be Audited?

The degree to which an organization audits its database operations will vary, depending on the organization. At a minimum, anomalous behavior should be the first thing examined. Other items include data structure and configuration modifications, since changing the schema could have dramatic effects on data collection.

To make the data useful, it must be filtered based on relevant rules that are put in place to handle the problem of information overload. Finally, this information must be tracked in a protected data store where transactions are signed to guarantee authenticity at the database system level, rather than the application level where many auditing tools reside.

Tools which are limited to guaranteeing authenticity at the application level are not tamper-proof and can be easily circumvented. By contrast, authenticity that is guaranteed at the database system level cannot be altered by even the highest-ranking DBA, thus providing the highest level of assurance and due diligence. This can be accomplished simply and without limiting the effectiveness or productivity of the DBA.

Enterprises need to understand that this threat to their compliance is real and present. Take for example one large pharmaceutical company that was given a mandate by its auditors to log all data model changes and delete activities on its more than 1,000 Oracle and SQL Server databases.

The company proceeded to create a Data Compliance database, aggregating application and database audit information onto a separate database. They believed reporting on this information would provide the necessary information and meet their compliance needs.

But the auditors rightly questioned the DBAs' ability to manipulate the Data Compliance database, essentially asking, "who is watching the watcher?" Additionally, by simply aggregating information, the size of the new database made it slow and cumbersome.

By embracing a solution that could guarantee the tracking of transactions at the database level - as well as filter this information to prevent data overload - the company was able to comply with its auditor's request and get a better handle on its data integrity.

Ultimately, it comes down to the fact that organizations must have one reliable and automated source of truth at the database level to ensure compliance. Without it, businesses are betting their futures on the competence and integrity of every DBA they employ, which is at best overly optimistic and at worst negligent.

Remember one thing: though DBAs might have the power to compromise data security, the ones who will ultimately pay the price for non-compliance are the officers who employ them.



Robert Gardos is the President and founder of GridApp Systems. Over the past twelve years, Mr. Gardos has held numerous senior management positions in technology-driven organizations. He has a wealth of experience developing efficient and cost-effective technology solutions to meet the demands of customers.

Mr. Gardos was formerly the Chief Technology Officer and General Manager of Register.com (RCOM), an Internet organization specializing in domain name registration. Mr. Gardos joined RCOM as the ninth employee in June 1998 and helped grow the company to a publicly traded and profitable entity, increasing annual revenues from $1 million to $125 million. At RCOM, Mr. Gardos pioneered a new standard in the domain industry, shifting name management to the customer through an easy-to-use Web-based application. This served to improve consumer satisfaction and reduce maintenance costs, an approach that was subsequently adopted by the entire industry.

Robert Gardos was co-founder and CFO of TouchLink Communications (TLC), a startup company specializing in public Internet kiosks. Prior to that Mr. Gardos worked as a Senior Consultant at Ernst & Young, focusing on system selection and implementation projects.

Mr. Gardos graduated from the Wharton School of Business at the University of Pennsylvania in December 1993 with a Bachelor of Science in Economics and concentration in Finance.







© 2019 Simplex Knowledge Company. All Rights Reserved.