Sarbanes Oxley Compliance Journal
Conquering Five Top IT Control Weaknesses In a Sustainable Manner, with Database Auditing


By Dr. Murray Mazer, Co-Founder and Vice President, Lumigent

The Sarbanes-Oxley Act, coupled with other regulations and increasing business requirements to protect sensitive data, has placed the effectiveness of IT controls under increased auditor scrutiny. At the center of this maelstrom are the IT executives who must ensure that the requisite general computer and application controls are adequately designed to satisfy the regulations that apply to their business.

In addition, they must demonstrate to auditors, information security managers, and executives that these IT controls are operating effectively. IT executives must also ensure that the controls are sustainable from a cost, personnel, and process perspective. Information security executives in turn must support the business by working collaboratively with IT to ensure the integrity and security of sensitive information.

From Manual to Automation
During the first year of Sarbanes-Oxley (SOX), organizations realized that, among other things, compliance has a hefty price tag associated with it. Indeed, figures as high as $6 billion have been estimated as the cost to corporations for the first year of SOX. IT organizations were forced to divert existing resources from their core responsibilities and acquire new staff to focus on supporting compliance efforts. And much of the effort in year one was manual and unsustainable; indeed, AMR reported that about 70% of the SOX spending went to internal headcount and external consulting. Understandably, SOX was seen to score poorly on a cost-benefit analysis.

As organizations moved into post-year-one SOX, they began seeking ways to build a sustainable approach to compliance that was efficient, cost-effective, and leveraged SOX as a process that adds value to the business. And they were willing to make investments to do it. Of the $6 billion cost estimated by AMR referenced earlier, approximately 28% would be earmarked for technology, with this figure rising to help achieve higher quality controls with reduced manual components.

In other words, passing audits is essential, but for many firms the objective has evolved from "just passing the audit" to creating an efficient, sustainable compliance effort. Many firms, especially in highly regulated industries such as financial services, face several audits during the year; some Wall Street firms face over 20 audits per year, a situation that demands an audit process that is as efficient and cost effective as possible. Organizations are also seeking ways to answer the question, "How can I leverage the cost of compliance to benefit my business?"

Technology alone is not the solution to SOX. But it is a key enabler to the people and processes associated with compliance management. The value of technology is realized in large part through the resultant automation of otherwise heavily manual (and potentially error-prone) processes. From an information security perspective, automation plays a large role in reducing costs associated with compliance and enabling key technical staff to focus on core responsibilities more effectively within their expertise.

Automation Helps
Benefits of automation include:

• Efficiency/productivity of people: staff can be redeployed from the manual activities required to pass the audit or support compliance to work that adds value to the business, uses their expertise, and provides more job satisfaction.

• Complete coverage of systems and activity: manual compilation and analysis of audit-related information is time-consuming, difficult, error-prone, and scales poorly with a large or growing organization.

• Credibility: manual analysis of audit-related information provides less reliable results in a much longer timeframe and leads to greatly increased scrutiny by external auditors.

Protiviti, a leading risk consulting organization, identifies three imperatives for CIOs in optimizing their IT environment for SOX. One imperative is to "increase effectiveness of and reliance on automated controls." Gartner Research's advice to IT executives includes the use of automation among their 10 best practices for SOX.

And it pays. According to Aberdeen's "The Insider Threat Benchmark Report," among organizations using technology to address the insider threat, a 17.5% decrease in IT labor costs was realized. Further, they noted that the use of technology is associated with those organizations cited as best-in-class for data protection.

Automating Five Top IT Controls with Database Auditing
Database auditing is the continuous assessment and monitoring of all user activity on the databases where critical information is stored. It essentially enables organizations to reconcile what users could do to data, with what they actually did. Effective database auditing captures this activity at the database itself, in order to ensure that all access and activity is captured, as well as providing the necessary information to provide context for activities that require investigation. Using an automated database auditing approach can remove costly, manual controls for monitoring insider activity against corporate security and control policies.

My database auditing organization has worked with more than 470 enterprises to ensure the integrity of critical information to address compliance, security and risk management requirements. Based on this knowledge and practical experience, the company has identified 5 IT control weaknesses most often cited by auditors. These findings have been validated with auditors, analysts, customers, press and other industry experts alike.

We'll discuss each of the IT controls and the role database auditing plays in avoiding and/or remedying weaknesses in these controls in an automated fashion.

1. Auditing privileged users
2. Effective management of user accounts and permissions changes
3. Segregation of duties
4. Adequate review of audit logs
5. Timely identification of anomalous activity

1. Auditing Privileged Users
Even before Sarbanes-Oxley shone a spotlight on the "insider" issue, IT executives understood that privileged users represent an inherent risk to the organization. Privileged users must have extraordinary access to data and systems in order to carry out their job functions; however, this also allows the insider to carry out inappropriate actions without any accountability, traceability, or visibility to other parties. According to Deloitte, insider attacks constitute a far greater threat to financial institutions than do external threats. The Association of Certified Fraud Examiners reports that, on average, U.S. businesses lose 6 percent of their gross annual revenue to actions of insiders, translating to an impact on the economy of over $400 billion. In a study of "illicit cyber activity" in the financial services sector, 78% of incidents were carried out by authorized users.

While some managers of database administrators (DBAs) and other privileged users have confidence in the integrity of their data because they "trust their employees," auditors are asking whether they can prove it. This is a good question, considering that 60% of data loss and corruption is caused by human error, not necessarily malicious intent. Malicious and accidental actions by privileged users represent business risks that are simply too great to ignore, as examples of financial loss and damage to a brand continue to make the news. "Trust but verify" must be the new watchphrase for IT and security management.

Database auditing helps validate activities of privileged users
Auditing privileged users' activity on databases storing sensitive information is a critical IT control required to maintain the integrity and security of business-critical data, helping to mitigate the risk of internal data breaches. Database auditing offers a complete "who-what-where-how" record of privileged user activity. With database auditing, IT and security teams have the information needed to validate the activities of privileged users, but also importantly, the context with which to perform forensics and understand the root cause for how certain actions occurred. This may include:

• Identifying user rights: insight into the access paths and resources available to privileged users

• Validating changes to access, permissions and roles

• Knowing what data was changed, including the before and after values

• Reviewing system configuration changes that may impact adherence to information security policies

Organizations need to use an automated database auditing approach that provides this context. Otherwise, it takes considerable time to collect forensic-level information manually. Attempting to do this manually exposes the organization to greater risks: ineffective auditing, results that are not credible, a process that cannot scale, a cost-prohibitive and non-sustainable control, and so on.

2. Effective management of user accounts and permissions changes
In large organizations employees are hired, change functions, or leave the company every day. As a user's role changes, so should the user's rights and privileges. Failure to manage the user entitlement process from end to end leaves the organization vulnerable to compromised data, business risk, and failed audits.

Effective entitlements management turns out to be a very common and difficult challenge. The problem for most organizations isn't the lack of desire to update user access, but the manual nature of the process to do so. For example, many IT managers conduct regular reviews of access to applications and databases, by distributing a listing of who should have access to the database owners for review. This is then reconciled with the actual user list and roles mapping; if discrepancies exist, they must be corrected.

It's easy to see that, particularly for large organizations, this approach doesn't scale and is simply untenable. It can take a database owner several hours to evaluate the various roles, types and levels of entitlement, and objects, and reconcile them against an approved baseline. One client had to contend with more than 30,000 employee status changes each year. Imagine the resources involved in managing this volume of account changes across a large landscape of databases and other servers.

Database auditing helps with accounts & entitlements management
Database auditing provides automated and continuous identification and management of obsolete accounts across the enterprise. Database auditing automatically identifies database assets, identifies the objects to which users have access, and validates the findings against policies and baselines. With centralized visibility and control, a security officer can make fast decisions regarding access (e.g. terminate, restrict, change, etc.) and validate previous control changes. Reports can quickly show questionable security entitlements, based on deviation from baseline, and identify orphaned accounts. Integration with HR applications, help desk systems, and corporate directories supports an automated process for employment status changes. Equally important, automating entitlements management supports the objective of gaining operational efficiencies and allows redeployment of DBA resources to core responsibilities.
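The reconciliation described above (actual grants against an approved baseline, plus the HR feed to surface orphaned accounts) can be run as a batch job rather than by hand. The following is an added example written for this article, not Lumigent's product code; the grant rows, the baseline and the HR roster are all constructed, and in practice the grant rows would be pulled from the database's own privilege catalogue.

```python
"""Reconcile actual database grants against an approved entitlement baseline.

Added illustration for this article; it is not Lumigent's product code.
Every input below (grant rows, baseline, HR roster) is constructed.
"""
from dataclasses import dataclass, field

# Constructed: grants as the database itself reports them, e.g. pulled
# from its privilege catalogue. Rows are (account, object, privilege).
ACTUAL_GRANTS = [
    ("alice", "fin.ledger", "SELECT"),
    ("alice", "fin.ledger", "UPDATE"),
    ("bob", "fin.ledger", "SELECT"),
    ("bob", "fin.payroll", "SELECT"),       # never approved
    ("carol", "fin.ledger", "SELECT"),      # carol has left the company
    ("svc_report", "fin.ledger", "SELECT"),
]

# Constructed: the baseline the data owner signed off on.
BASELINE = {
    ("alice", "fin.ledger", "SELECT"),
    ("alice", "fin.ledger", "UPDATE"),
    ("bob", "fin.ledger", "SELECT"),
    ("dave", "fin.ledger", "SELECT"),       # approved, but never granted
    ("svc_report", "fin.ledger", "SELECT"),
}

# Constructed: active employees from the HR feed; service accounts are
# inventoried separately and are exempt from the HR check.
HR_ACTIVE = {"alice", "bob", "dave"}
SERVICE_ACCOUNTS = {"svc_report"}


@dataclass
class Findings:
    excess: set = field(default_factory=set)    # granted but not approved
    missing: set = field(default_factory=set)   # approved but not granted
    orphaned: set = field(default_factory=set)  # accounts with no active owner

    def is_clean(self):
        return not (self.excess or self.missing or self.orphaned)


def reconcile(actual, baseline, hr_active, service_accounts):
    """Compare live grants to the baseline and to the HR roster."""
    actual_set = set(actual)
    f = Findings()
    f.excess = actual_set - baseline
    f.missing = baseline - actual_set
    accounts = {account for account, _, _ in actual_set}
    f.orphaned = {
        a for a in accounts if a not in hr_active and a not in service_accounts
    }
    return f


def report(findings):
    """Render findings as lines a reviewer can act on (terminate, restrict, grant)."""
    lines = []
    for account, obj, priv in sorted(findings.excess):
        lines.append(f"EXCESS   {account} has {priv} on {obj}: not in baseline, revoke or obtain approval")
    for account, obj, priv in sorted(findings.missing):
        lines.append(f"MISSING  {account} lacks approved {priv} on {obj}")
    for account in sorted(findings.orphaned):
        lines.append(f"ORPHANED {account}: no active HR record, terminate the account")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(ACTUAL_GRANTS, BASELINE, HR_ACTIVE, SERVICE_ACCOUNTS)):
        print(line)
```

Note that an orphaned account's grants also show up as excess, which is what a reviewer wants: the account is terminated and its entitlements disappear from the next run. The baseline is a set of triples rather than a per-account role list so that a single extra privilege on one object (bob's read of the payroll table) is caught, not just a wrong role assignment.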

3. Segregation of Duties
Ensuring that "the fox isn't guarding the hen-house" has long been a tenet of good business practice. With regulatory focus on the integrity of financial, customer and other sensitive data, this principle now has implications for IT as they are responsible for the systems which manage this sensitive information. Auditors expect, for example, that the person who creates a new account isn't the same person who assigns and approves the roles associated with that account. For the IT organization it also means ensuring that the people who manage the database audit reporting and monitoring controls are not the DBAs who manage and use the production database environment.

How database auditing supports segregation of duties
An effective database auditing solution is continuous, automated, and enables the auditing responsibility to be segregated from that of the DBA. The solution will store audit data in a separate and secure repository with access and privileges defined such that the capabilities of production DBAs and reporting staff can be restricted according to their role. This mitigates the risk of tampering with audit logs.

An effective database auditing solution also needs to support credible and sustainable control. For example, using native tools DBAs have traditionally cobbled together collections of scripts and routines and deployed stand-alone auditing controls for each individual database and database type. This has resulted in a hefty long term maintenance obligation and obvious separation of duty problems for the DBA as the author, owner, and subject of the audit. For this reason, it is critical to use an automated database auditing solution that supports separation of duty and audit data, without relying on complex manual processes that can be subverted and cannot scale with the organization or new control requirements.

One money management and advisory firm client, with more than $1 billion in investments, previously used native tools. Each time the IT staff would change a database schema, it would be necessary to manually modify the associated triggers or applications, creating more work and time away from other essential tasks. And it still was not a credible solution to the auditors. In just the first few months after installing database auditing software, the organization saved three months of staff development time and made it past the auditor's scrutiny.

4. Adequate review of audit logs
Until recently, many organizations did not create and maintain audit logs, and for those that did so, it sufficed to have an audit trail as insurance, a "we've got it if they ask" mentality. No longer: auditors not only ask whether audit logs exist, but also seek proof that the logs are being adequately reviewed. This requires that organizations adopt a process orientation that covers the entire audit lifecycle beginning at the deployment of logging technology through audit event collection and interpretation and finally to an actionable result.

With management asking how audit information can be leveraged for business benefit, IT needs to deploy an automated solution that enables large amounts of low level audit data to be presented in a business-friendly and digestible format while maintaining and facilitating on-demand access to the low level forensic details of audited events.

As if managing audit logs were not enough of a challenge, an adequate and sustainable audit solution requires the management of contextual data that relates to audited events and the process through which it is used within the organization. Information that details what activity is being logged and on what databases must be maintained. A record of who has reviewed audit data must be maintained, in some cases along with an acknowledgement of review. The totality of this data that makes up the audit context must also be managed in compliance with archival and retention policies by which the organization is bound.

Database auditing enables effective review of audit logs
By its nature, automated, database-level auditing provides trusted, detailed audit logs of user activity and security configurations. Successful logging and monitoring controls are enhanced through automation and exception-based reporting. A database audit system allows filtering of raw audit logs to provide relevant and precise data. It also collects relevant contextual data such as user properties and entitlements that enable an audited event to be more easily interpreted.

The presentation of audit data must support the needs of the individual reviewers. A reviewer responsible for many databases needs a console or dashboard presentation of data that delivers an "at a glance" understanding of activity and compliance. Problem areas identified at the 50,000 foot level can be further analyzed via drill-down to root cause details without requiring the use of additional tools or requiring additional costly queries to the database(s) in question.

Through automatic consolidation of enterprise database audit information into a single repository, with a rich set of analytical tools to present that data, the review, and more importantly, the understanding of volumes of sometimes disparate enterprise database audit information is made possible. A true enterprise database auditing solution will enable organizations to deploy common audit controls and policies across many databases of varying types regardless of the database's native feature set. It will also enable the integration of its audit technology and processes with an organization's general IT processes where appropriate. Workflow and archiving are examples of general IT processes that a database auditing solution should try to leverage to produce a more effective and efficient enterprise solution.

Companies we deal with tell stories of the challenge of pulling together on-demand evidence to present to the auditor about changes to and use of their databases. Manually, it may be impossible; if possible, it may take weeks of staff time. Indeed, one major international financial institution tells of needing two staffers for two weeks just to reconcile and report on two changes to a sensitive line-of-business database.

By consolidating information into one central repository, organizations are no longer forced to experience the pains associated with the 11th hour scramble for interdepartmental coordination required to manually identify, access and process audit information from the enterprise databases. Evidentiary information can be easily prepared in advance or as requested.

5. Timely identification of anomalous activity
Exception reporting provides a key way to realize value from the database auditing process. When a change to the data or to the configuration of the database is unauthorized or out of alignment with stated policy, alerts and reports are needed to escalate the incident to management, who determine whether a remedy is in order.

Examples of activity characteristics that may indicate anomalous activity include:

• unauthorized changes to sensitive data

• excessive access to specific sensitive or private data

• off-hour activity

• unauthorized changes to the database structure

• unauthorized or excessive permission grants

• unauthorized application use

• unapproved source or origin of access

Organizations need to define what activities and configurations affecting data represent the norm and then seek out those audited events and conditions that fall outside of the norm.

Database auditing helps with timely identification of anomalous activity
An effective database auditing solution enables organizations to set policies and baselines that define acceptable activity as well as proper configuration. These policies and baselines serve as the basis against which ongoing activity and configurations are measured in order to surface violations or anomalies. Identifying these anomalies and pushing automatic notification of their existence via alerts and reports serves to enable a timely mitigation of emerging issues before they blossom into incidents that are expensive and embarrassing to the organization.

Database auditing technologies can include enhanced reporting capabilities, which automate the creation of stakeholder-customized analysis. This reduces the time and cost associated with developing reports manually. For executives, trend information and baseline adherence across date ranges helps them quickly determine how security policies are working. For auditors and DBA-level staff, more granular technical detail is best. Sarbanes-Oxley-specific and other regulation-based reports can often be automatically produced too, delivering quick analysis and assurance for specific IT controls.
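The exception-reporting approach described in this section (a policy and baseline that define acceptable activity, audited events measured against it, and a per-stakeholder summary of what fell outside the norm) is illustrated below with a small rule engine run over a handful of audit events. This is an added example written for this article, not the original author's or Lumigent's code. The events, the policy values (business hours, approved application and network, grant and read thresholds) and the idea that a schema change carries a change-ticket reference are all constructed assumptions; the events carry the "who-what-where-how" fields and before/after values discussed under privileged-user auditing so that each finding keeps its forensic context.

```python
"""Exception-based review of database audit events against a policy baseline.

Added illustration for this article; not Lumigent's product code.
The events, the policy values and the change-ticket convention are constructed.
"""
import ipaddress
from collections import Counter
from datetime import datetime

WRITE_STMTS = {"INSERT", "UPDATE", "DELETE"}
DDL_STMTS = {"ALTER TABLE", "DROP TABLE", "CREATE TABLE"}


def ev(ts, user, src, app, stmt, obj, **extra):
    """Build one constructed who-what-where-how audit record."""
    e = {"ts": ts, "user": user, "src": src, "app": app, "stmt": stmt, "obj": obj}
    e.update(extra)
    return e


# Constructed sample events. A real deployment would read these from the
# audit trail captured at the database itself.
EVENTS = [
    ev("2019-03-04T10:15:00", "app_svc", "10.0.1.20", "erp", "UPDATE", "fin.ledger",
       before={"amount": 100}, after={"amount": 120}),          # normal business write
    ev("2019-03-04T02:40:00", "dba1", "10.0.1.5", "sqlplus", "UPDATE", "fin.ledger",
       before={"amount": 500}, after={"amount": 50}),           # off-hours, ad hoc tool
    ev("2019-03-04T11:00:00", "dba1", "10.0.1.5", "sqlplus", "ALTER TABLE", "fin.ledger"),
    ev("2019-03-04T11:05:00", "dba1", "10.0.1.5", "sqlplus", "GRANT", "fin.ledger", grantee="tmp1"),
    ev("2019-03-04T11:06:00", "dba1", "10.0.1.5", "sqlplus", "GRANT", "fin.ledger", grantee="tmp2"),
    ev("2019-03-04T11:07:00", "dba1", "10.0.1.5", "sqlplus", "GRANT", "fin.ledger", grantee="tmp3"),
    ev("2019-03-04T12:00:00", "analyst", "203.0.113.9", "excel", "SELECT", "hr.salaries"),
] + [
    ev("2019-03-04T12:%02d:00" % i, "analyst", "10.0.1.40", "excel", "SELECT", "hr.salaries")
    for i in range(1, 8)
]

# Constructed policy and baseline: what "normal" looks like for these objects.
POLICY = {
    "business_hours": (8, 18),                        # writes expected 08:00-18:00 only
    "approved_write_apps": {"fin.ledger": {"erp"}},   # only the ERP writes the ledger
    "approved_networks": [ipaddress.ip_network("10.0.1.0/24")],
    "max_grants_per_user": 2,                         # more than this in one batch is suspect
    "sensitive_objects": {"hr.salaries"},
    "max_reads_of_sensitive_per_user": 5,
}


def review(events, policy):
    """Return (rule, user, detail) findings for events outside the baseline."""
    findings = []
    lo, hi = policy["business_hours"]
    grants = Counter()
    sensitive_reads = Counter()
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        src = ipaddress.ip_address(e["src"])
        is_write = e["stmt"] in WRITE_STMTS
        if is_write and not (lo <= hour < hi):
            findings.append(("off_hours_write", e["user"],
                             f'{e["ts"]} {e["obj"]} {e.get("before")} -> {e.get("after")}'))
        allowed = policy["approved_write_apps"].get(e["obj"])
        if is_write and allowed is not None and e["app"] not in allowed:
            findings.append(("unauthorized_app_write", e["user"], e["app"]))
        if e["stmt"] in DDL_STMTS and "ticket" not in e:   # schema change without a ticket
            findings.append(("unapproved_schema_change", e["user"], e["obj"]))
        if not any(src in net for net in policy["approved_networks"]):
            findings.append(("unapproved_source", e["user"], e["src"]))
        if e["stmt"] == "GRANT":
            grants[e["user"]] += 1
        if e["stmt"] == "SELECT" and e["obj"] in policy["sensitive_objects"]:
            sensitive_reads[e["user"]] += 1
    for user, n in grants.items():
        if n > policy["max_grants_per_user"]:
            findings.append(("excessive_grants", user, n))
    for user, n in sensitive_reads.items():
        if n > policy["max_reads_of_sensitive_per_user"]:
            findings.append(("excessive_sensitive_access", user, n))
    return findings


def summarize_by_user(findings):
    """Executive view: how many exceptions each user raised (drill into findings for detail)."""
    return Counter(user for _, user, _ in findings)


if __name__ == "__main__":
    found = review(EVENTS, POLICY)
    for rule, user, detail in found:
        print(f"{rule:28} {user:10} {detail}")
    print(dict(summarize_by_user(found)))
```

The counters for grants and sensitive reads are the part manual review misses most often: each single GRANT or SELECT looks legitimate on its own, and only the aggregate against the baseline shows the exception. The normal ERP write at 10:15 produces no finding, which is the point of exception reporting: the reviewer sees only what fell outside the norm, with the before and after values attached for the one off-hours write.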

Database Auditing: An Important Role
Database auditing plays an important role in an organization's ability to contend with top IT control weaknesses in an automated fashion. These issues aren't going away. Recently PricewaterhouseCoopers referenced two key issues regarding changes to the Sarbanes-Oxley Act that will be in the spotlight: (1) direct access to data (unmonitored and unvalidated, it can result in a material weakness), and (2) segregation of duties (the role of IT in ensuring appropriate segregation of duties).

Reducing the cost of compliance
PwC offers several ways that overhead can be reduced regarding Sarbanes-Oxley testing. They include: (1) improving the effectiveness of IT controls to increase credibility of the controls and reduce testing, and (2) automating manual controls. As organizations seek ways to reduce the cost of compliance, database auditing can improve operational efficiencies by replacing costly and ineffective manual controls.

Dr. Murray Mazer is Co-Founder and Vice President of Lumigent Technologies, Inc., a software company specializing in database auditing for compliance and security.

Murray works with Lumigent's most strategic partners and is a frequent speaker at industry events. As Lumigent Co-Founder, Murray helped to develop the company's vision, products, and capital.

During 20 years of experience in early stage and established companies, he has directed strategy and development in security, server, mobile, and other technologies, as well as managing intellectual property protection and licensing.

A former Rotary International Scholar and reformed thespian, Murray received the Ph.D. in computer science from the University of Toronto, where he was elected Junior Fellow at Massey College and Trinity College.


© 2019 Simplex Knowledge Company. All Rights Reserved.