Auditing Mission-Critical Databases for Regulatory Compliance

Transcription

1 Auditing Mission-Critical Databases for Regulatory Compliance

2 Agenda: It is not theoretical Regulations and database auditing Requirements and best practices Summary Q & A

3 It is not theoretical

4 Database Security and Regulatory Compliance Regulations are the primary driver for establishing data compliance and audit requirements. Many organizations deal with more than one regulation Some of the most challenging requirements include: + Auditing all access to sensitive data + Privileged Users Monitoring + Maintaining secure databases

5 Regulations and Data Usage Monitoring Audit Requirements CobiT (SOX) PCI DSS HIPAA GLBA ISO EU Data Privacy Directive 1. System Access (Successful/Failed Logins; User/Role/Permissions/ Password changes) 2. Data Access (Successful/Failed SELECTs) 3. Data Changes (Insert, Update, Delete) 4. Privileged User Activity (All) 5. Schema Changes (Create/Drop/Alter Tables, Columns)

6 PCI DSS Section 10 Protecting card-holder information from theft or leakage Requires auditing of all read access to cardholder information Does not require auditing data change events 1. System Access Audit Requirements (Successful/Failed Logins; User/Role/Permissions/ Password changes) 2. Data Access (Successful/Failed SELECTs) 3. Data Changes (Insert, Update, Delete) 4. Privileged User Activity (All) 5. Schema Changes (Create/Drop/Alter Tables, Columns) PCI DSS

7 SOX Audit Requirements SOX is concerned with: The integrity of public companies financial data Requires auditing of all changes to regulated data Does not require auditing of data read events + about 80% of database activity doesn t require auditing! 1. System Access Audit Requirements (Successful/Failed Logins; User/Role/Permissions/ Password changes) 2. Data Access (Successful/Failed SELECTs) 3. Data Changes (Insert, Update, Delete) 4. Privileged User Activity (All) 5. Schema Changes (Create/Drop/Alter Tables, Columns) SOX

8 HIPAA and HITECH HIPAA is about: Security and privacy of ephi Security concerns associated with the electronic transmission of health information Requires full auditing of all access and changes to ephi and health information 1. System Access Audit Requirements (Successful/Failed Logins; User/Role/Permissions/ Password changes) 2. Data Access (Successful/Failed SELECTs) 3. Data Changes (Insert, Update, Delete) 4. Privileged User Activity (All) 5. Schema Changes (Create/Drop/Alter Tables, Columns) HIPAA

9 Other Regulations and Privacy Acts Financial: + PCI-DSS + SOX + Basel II + GLBA Health/Pharmaceutical + HIPAA + 21 CFR Part 11 (FDA) Federal + DISA + FISMA Privacy + U.S. Data Breach Notification Laws Massachusetts Data Privacy Law (Mass 201 CMR 17) California SB EU Data Breach Notification Laws Energy + FERC + NERC All these regulations refer to database audit as a way to protect regulated data from breach and fraudulent activity

10 Requirements and Best practices

11 Integrity of the Audit trail The audit trail is used for reconstructing suspicious events, learning about the source of transactions, the data accessed and more. An audit trail which can be altered, can t be trusted! You must have a tamper proof audit trail: + Can t be stopped/started + Can t be reconfigured + Can t be modified

12 Independent of Native Audit Solutions Database vendors provide audit tools These tools are designed to be enabled, configured and used by DBAs Problems: + Violate Separation of Duties + Audit into a database -> not tamper-proof! + Not heterogeneous + Have a high overhead on the monitored server + Hidden costs A database audit solution should not require enablement of native auditing

13 Separation of Duties A single person should not be able to carry out and conceal errors and/or irregularities. Database Administrators should not be in charge of the audit solution: + Should not be able to start/stop the solution + Should not reconfigure audit policies + Should not have the ability to modify audit details

14 Heterogeneous Audit Trail Most environments are heterogeneous Each database platform is different Each platform may require different skills A consolidated audit trail simplifies the audit process, reporting and analysis

15 Real-Time Alerts and Compliance Reports Accurate Real-Time alerts allow proper response + Abnormal activities (vs. observed behavior) + Access to regulated data Compliance reports + Pre defined reports provide a good starting point + help streamline compliance efforts + Must be customizable to address unique configurations and needs

16 Audit Analytics Tools The audit trail must be accessible Offer flexible filters Support forensic investigations Ability to run ad-hoc reports

17 Scoping the Audit Deployment Discover new data systems Search for systems that were forgotten (example: Atlassian) Classification: does the system contain sensitive data? Application of audit policies on newly discovered systems and objects

18 Summary Regulations are requiring database auditing + Requirements vary between different regulations + An audit trail is required for protecting regulated data from breach and fraudulent activity Requirements and Best practices for database auditing + Must provide a tamper proof audit trail + Must enforce Separation of Duties + Must provide reports, alerts and analytical tools + Must be easy to manage

19 Imperva: Holistic approach to Data Security Founded in HQ: Redwood Shores, CA Leader in Data Security and Compliance + According to both Forrester and Gartner Proven Solution + NIAP Common Criteria, EAL, SAP and FIPS Certifications Over customers + Finance, Government, Healthcare, Retail/eCommerce, Telcom, Credit Card Processors 19 - CONFIDENTIAL -

20 Imperva: What we do Imperva addresses external and internal risk to sensitive data Hackers Web Application Firewall Virtual Patching, Scanner Integration Reputation-based Security: ThreatRadar Web Databases Applications Insiders Database Firewall Database Activity Monitoring Database Discovery and Classification Database Vulnerability Assessment Database User Rights Management SecureSphere Data Security Suite

21 More Information: Imperva.com Blog itunes/podcasts YouTube Twitter Linkedin Facebook blog.imperva.com twitter.com/imperva

22