How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements

Transcription

1 How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements DataSunrise, Inc.

2 Note: the latest copy of this document is available at Since DataSunrise is a powerful security tool, it can help its users to achieve and maintain compliance with some data safety standards such as SOX, PCI DSS and HIPAA. To accomplish this not-so-easy task, DataSunrise has three components in its disposal: Data Audit, Data Protection and Data Masking. Data Audit As its name suggests, this component is used for data auditing tasks. Basically, the firewall performs continuous database traffic monitoring and collects information on all user actions and modifications made to database content. While data auditing mostly used for data breach investigation and security system vulnerabilities assessment, continual data auditing helps to detect data breach preparations. To control data auditing process a dedicated security rules set is used. Data Protection It is the basic tool DataSunrise utilizes to counter various harmful actions: it prevents unauthorized access and defends the database against DDoS attacks and SQL injections among other things. DataProtection functionality is based on smart SQL-analysis algorithms, enabling DataSunrise to detect unauthorized access attempts and SQL injections on-the-fly. Data Protection is adjusted with a set of rules which define protection activation conditions and sequence of firewall s actions. In case of prohibited query or malicious code detection, DataSunrise blocks access attempt and informs the firewall administrator. Data Masking Due to this feature the firewall administrator can hide database entries from unauthorized users by replacing entry's content with random values or predefined strings. DataSunrise performs data masking on the fly, at the stage of incoming query interception. Because data is obfuscated before it leaves database, masking helps to prevent possible data leak. In most cases data masking is used not to protect data from hackers, but in situations when intentional data transfer to 3rd party (software testers, for example) is being performed. Please note that it s a brief description of the DataSunrise firewall components, so if you want to know more about our product s functionality, please, refer to the documentation. And now we will focus on safety regulations and the ways DataSunrise helps to comply with them.

3 What is SOX? The Sarbanes-Oxley Act (SOX) is a federal law that sets strict financial reporting requirements for US public companies. SOX is aimed to prevent investors from accounting fraud by assuring that all the reports on financial activities contain truthful and reliable information that can be verified by independent auditors. There are two principle sections that relate to data security: Section 302 and Section 404. According to Section 302 SOX subjects must safeguard their data responsibly to be sure that their reports are not based upon faulty data. SOX Section 404, in turn, is dedicated to technical means public companies must employ to protect their financial data against tampering and misuse. Besides that, Section 404 states that companies should allow security means and data integrity to be verified by independent auditors and should report all data breaches occurred. Security breach detection DataSunrise Data Audit tool helps to detect security breaches and to perform a proper investigation. At the same time, data auditing component logs all actions made to database and provides independent auditor with full range of data required to complete his or her tasks. Protecting financial data from tampering and theft DataSunrise helps to control user access to sensitive information by utilizing a set of security rules based on user name, IP-address, application name and SQL-statements used. The firewall enables its administrator to track all database changes and ensure that corporate data has not been modified without proper permission. More than that, DataSunrise helps to prevent unauthorized changes to be made to database content due to its Data Protection functionality. What is PCI DSS? Payment Card Industry Security Standard (PCI DSS) was created by major payment card brands (Visa, MasterCard, American Express, JCB and Discover) to be employed by companies that handle credit card data, and their business partners. In fact, PCI DSS is a set of detailed guidelines, aimed to secure credit cards processing and drastically reduce risk of data breach. Database access control PCI (Req 7) obliges its subjects to limit access to credit card holder information on a need-to-know basis. It means that companies should implement strict control over user access rights and limit access to sensitive information to only those individuals whose job requires such access. DataSunrise Data Protection component helps to prevent unauthorized user actions by blocking access to defined database elements. In some cases, if special requirements exist, certain database elements could be not blocked but obfuscated with data masking tool.

4 Disabling inactive user accounts According to Requirement the PCI subjects are obliged to disable or remove inactive user accounts (because hackers often use dormant account to perform a breach). This task can be completed with the help of Data Audit component. It monitors all user activity and helps to detect inactive users as well as suspicious user behaviour. Database breach prevention PCI Requirement 8.7 states that only programmatic method should be used to access any database containing cardholder data and that only database administrators should have an ability to directly access or query databases. In most cases DataSunrise deployed in proxy configuration which means that no user can access the database directly, but through the firewall only it prevents hackers from exploiting software vulnerabilities to perform a data breach. Combine this feature with advanced SQL analysis algorithms of Data Protection component and you can be sure that this PCI requirement is fulfilled. Data auditing PCI Requirement 10 contains 25 subrequirements that oblige covered entities to implement audit means. Basically organizations must track all user activity and prevent any unauthorized access to audit information as well. DataSunrise helps to satisfy the forementioned demands by utilizing its Data Audit functionality. The firewall performs continuous data auditing and monitors all user and client application actions while not inflicting any additional load on DB server or database itself. It is of great importance that Data Audit reports enable the firewall administrator to link all registered actions to specific users. What is HIPAA? US Health Insurance Portability and Accountability Act (HIPAA) provides federal protection for patient's health information against misuse or exposure. Subjects of this Act are: health care providers (doctors of various types), health insurance companies and programs, health care clearinghouse. The HIPAA Security Rule specifies a series of administrative, physical and technical safeguards its subjects should employ to protect electronic protected health information (ephi) from being misused by unauthorized individuals. ephi access control According to HIPAA (reqs (a)(1) and (a)(4)) covered entities should restrict access to ephi on need-to-know basis. It means that only individuals and software programs that are properly authorized should be able to access ephi. DataSunrise enables its administrator to protect the ephi database from being accessed or modified without proper authorization due to its Data Protection functionality. To complete this task the firewall administrator creates a set of safety rules for each user or group of users to specify which database elements to be allowed or restricted to access. Then DataSunrise monitors all user actions and blocks unauthorized access attempts.

5 ephi auditing HIPAA requires its subjects to implement technical and procedural mechanisms to record and examine activity in information systems that contain or use ephi (req (b)). DataSunrise helps to meet these requirements by utilizing the Data Audit functionality. Data Sunrise continuously monitors the database traffic and records all user and client application actions. The audit reports enable the administrator to identify the end user and applications used to access database. Conclusion DataSunrise helps to fulfill the most critical requirements of forementioned security standards. But it should be noted that DataSunrise alone cannot fulfill all the variety of demands, but databasespecific ones only. To achieve full SOX, PCI DSS or HIPAA compliance you need to employ a system of security means including both administrative and technical safeguards.