Microsoft Access Applications and Sarbanes-Oxley Compliance



Similar documents
ADO and SQL Server Security

Avatier Identity Management Suite

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

Oracle Database 10g Express

Linking Access to SQL Server

Setting Up Your Team-SQL Database for ORACLE 8.05

Online account access

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MySQL Security: Best Practices

Sysax Multi Server User manual

DBMoto 6.5 Setup Guide for SQL Server Transactional Replications

Oracle Database Security

GFI White Paper PCI-DSS compliance and GFI Software products

PUBLIC Password Manager for SAP Single Sign-On Implementation Guide

Using LDAP Authentication in a PowerCenter Domain

Matisse Installation Guide for MS Windows. 10th Edition

Teleran PCI Customer Case Study

RSA Security Analytics

The release notes provide details of enhancements and features in Cloudera ODBC Driver for Impala , as well as the version history.

Oracle WebCenter Content

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

INTRODUCING ORACLE APPLICATION EXPRESS. Keywords: database, Oracle, web application, forms, reports

SPECIALIST PRACTICE MANAGER

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

Guide to Upsizing from Access to SQL Server

Setting up an MS SQL Server for IGSS

Crystal Reports Installation Guide

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

FileMaker Security Guide The Key to Securing Your Apps

Identikey Server Windows Installation Guide 3.1

ODBC Client Driver Help Kepware, Inc.

"SQL Database Professional " module PRINTED MANUAL

White Paper. Support for the HIPAA Security Rule PowerScribe 360

Division of IT Security Best Practices for Database Management Systems

Converting InfoPlus.21 Data to a Microsoft SQL Server 2000 Database

HIPAA Information Security Overview

How To Use The Correlog With The Cpl Powerpoint Powerpoint Cpl.Org Powerpoint.Org (Powerpoint) Powerpoint (Powerplst) And Powerpoint 2 (Powerstation) (Powerpoints) (Operations

FileMaker Security Guide

Dell InTrust Preparing for Auditing Microsoft SQL Server

FDA 21 CFR Part 11 Features

MySQL Security for Security Audits

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management

Enable Audit Events in MS SQL Server EventTracker v6.x, v7.x

Advantages of Server-side Database Auditing. By SoftTree Technologies, Inc.

Testing Web Applications for SQL Injection Sam Shober

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

Setting Up ALERE with Client/Server Data

ODBC Driver Guide. Installation and Configuration. Freezerworks Unlimited Version 6.0

Aradial Installation Guide

Tutorial: How to Use SQL Server Management Studio from Home

Online Giving User Guide for Church Members

Best Approaches to Database Auditing: Strengths and Weaknesses.

Thick Client Application Security

Installation Instruction STATISTICA Enterprise Small Business

Log Management and Intrusion Detection

Hang Seng HSBCnet Security. May 2016

Security and Control Issues within Relational Databases

Resco Mobile CRM Security

LabChip GX/GXII with LabChip GxP Software

DOCUMENTATION MICROSOFT SQL BACKUP & RESTORE OPERATIONS

Password Management Buyer s Guide. FastPass Password Manager V 3.3 Enterprise & Service Provider Editions

for Networks Installation Guide for the application on the server August 2014 (GUIDE 2) Lucid Exact Version 1.7-N and later

Document Management Getting Started Guide

PaperClip Audit System Installation Guide

AUTHENTICATION... 2 Step 1:Set up your LDAP server... 2 Step 2: Set up your username... 4 WRITEBACK REPORT... 8 Step 1: Table structures...

Dream Report Version 4.5

for Networks Installation Guide for the application on the server July 2014 (GUIDE 2) Lucid Rapid Version 6.05-N and later

QUANTIFY INSTALLATION GUIDE

4D v1x ODBC Driver INSTALLATION GUIDE

Audit Policy Subcategories

SIEBEL ANALYTICS SCHEDULER GUIDE

In this topic we will cover the security functionality provided with SAP Business One.

STATISTICA VERSION 12 STATISTICA ENTERPRISE SMALL BUSINESS INSTALLATION INSTRUCTIONS

Training module 2 Installing VMware View

Defense In-Depth to Achieve Unbreakable Database Security

Jet Data Manager 2012 User Guide

Define ODBC Database Library using Management Console

REGULATIONS COMPLIANCE ASSESSMENT

Netop Remote Control Security Server

FileMaker Server 14. FileMaker Server Help

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

FileMaker Server 11. FileMaker Server Help

Central Agency for Information Technology

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster


InfoCenter Suite and the FDA s 21 CFR part 11 Electronic Records; Electronic Signatures

ODBC Driver Version 4 Manual

Matisse Installation Guide for MS Windows

Oriental Bank s NetBanking Services

enicq 5 System Administrator s Guide

MS SQL Server Database Management

Transcription:

A Bunker Hill White Paper 501 Delancey Street San Francisco, CA 94107 (415) 512-0689 www.bunkerhill.com Microsoft Access Applications and Sarbanes-Oxley Compliance By Ron Tornambe, CTO Allen Dutra, CFO/CPA Date 9/24/2006

Contents TUIntroductionUT... 2 TUProblem StatementUT... 2 TUOptionsUT... 2 TUBunker Hill SolutionUT... 3 TUImplementationUT... 3 TUSummaryUT... 6 Introduction This paper presents a practical and expedient approach to converting Microsoft Access applications to comply with Sarbanes-Oxley regulations. Problem Statement The widespread use of Access applications in most organizations presents management with considerable operational and security challenges. The Sarbanes-Oxley Act has far-reaching implications on the use and perhaps future role of Microsoft Access applications in the organization. Data stored in Microsoft Access Jet databases is inherently unsafe. Even the most secure Access databases, those that employ user-level security and encryption, are easily compromised. There are a number of companies that offer inexpensive software that retrieves lost or forgotten Access user and password information, even for encrypted Access databases, effectively cracking them open. Organizations dedicated to SOX compliance are faced with the task of identifying all Microsoft Access applications that contain sensitive data and taking corrective action to prevent unauthorized use. Options Since Access data cannot be protected, it must be stored in a secure DBMS repository, like DB2, Oracle or SQL Server. There is no way around this requirement. The following is a non-exhaustive list of alternatives for securing Access applications. Date

Find a Replacement Purchase software from third party vendors that meet the functional and security requirements of the existing Access applications. Redevelop the Application In some cases it might make sense to just bomb, bulldoze and start over as Buckminster Fuller once remarked when asked about what he would do to improve Los Angeles..Net or Java Conversion Convert the Access applications to IT standard technologies, like Java or.net and Oracle or SQL Server, while retaining the basic database design and front-end interface. Retain the Access Front-End Convert the MS-Access database to a secure DBMS platform and modify the application front-end to operate with the DBMS and conform to SOX compliance standards. Bunker Hill Solution This paper will focus on the last option for the following reasons: Benefit 1 Saves time and resources; requires far less development time than any other alternative. Benefit 2 Least disruptive to normal day-today operations; involves no user retraining or learning curves nor major shifts in development staffing or technologies. Benefit 3 Functionality that implements SOX compliance provisions can be added to Access applications as easily as ones developed using other frameworks, like.net or Java. Implementation I. MS-Access Database Conversion The first step is to convert the MS-Access database to a secure DBMS. The following is a high-level overview of the conversion process. The Access design is replicated using the target DBMS Data Definition Language constructs and data is loaded. To optimize performance, Access queries may be converted to views and/or procedures on the target DBMS. In order to retain the functionality of the original Access application front-end, the DBMS tables are linked into Access using ODBC, replacing the original Access tables. Any converted queries are integrated into the new Access application, preserving the look-and-feel and operation of the original GUI. Some may argue that using ODBC is less secure than ADO/OLEDB since some connection information is stored in the Windows registry and can be viewed using the ODBC Administrator. The only pertinent saved connection information is the Server Name which is not much of a clue for those attempting a break-in. For those who remain unconvinced, the ODBC DSN registry entries can be created by the application program just before the initial connection is established and removed directly afterwards.

II. Define a Security Strategy For an application to be secure, it must ensure that all data it owns can only be changed using its GUI. A complete audit trail of all changes made by users of the application must be recorded. The security approach presented here is based on the concept of Application Users (AU) and the Application Supervisor (AS). The security strategy can be applied to any application and is not limited to Sarbanes-Oxley. Note that if the application connects to the DBMS over an extranet, a corporate VPN or other DBMS provided secure socket layer must be utilized to protect passwords and data from sniffers (programs that inspect data traveling over unsecured links). It is assumed that only the DBA or Password Management group has full control of assigning User-IDs and Passwords and that measures that provide accountability are in place. Application Users The Application Users (AU) group are assigned database User-IDs with roles that do not grant any privileges to application related objects (tables, views, etc.). They are only assigned Execute privilege on a single stored procedure. Application Supervisor The Application Supervisor (AS) account is setup specifically for use with an Access application. It should never be used outside of the application. A role that grants all privileges required to operate the application and update the database is assigned to the AS. The AS Password (PWD) is stored using modern cryptography algorithms supplied by the DBMS vendor that are specifically designed to prevent hackers from deciphering data. Since the application retrieves the AS PWD at runtime, the PWD can be changed as frequently as desired to minimize the risk of intrusion. Application User Login Form A new Application User Login form is added to the Access application and is designated as the form that opens when the application is started. The form accepts the UID and PWD of Application Users. After the AU is authenticated, the program calls the aforementioned stored procedure that returns the AS UID and decrypted PWD. The AS UID and PWD are used to supply ODBC connection information required by the Access application. Note that User-IDs and Passwords are not stored anywhere within the source code or design objects of the Access application or in the Window s registry or file system. After the AS connection is established, an entry is added to a table that contains the application s session-id and the AU UID. The triggers that implement the audit trail will use this information to associate the AU with the transaction details and prevent unauthorized users from updating data.

Application Users are then able to operate the application with full privileges. III. Implement an Audit Trail An essential component of the security strategy is the implementation of an audit trail that logs all AU database insert, update and delete transactions. To implement the audit trail, a new table will need to be created for each application table. The new table will include all fields from the associated application table as well as OperationCode, AU UID, Session- ID, and Timestamp. Since the audit tables do not include any keys, indexes, or constraints, inserts will require minimal overhead. Triggers must be created for insert, update and delete operations on all tables. The triggers ensure that users belong to registered applications and save all data pertaining to the transaction in the associated audit table. The OperationCode will be set to I or D to denote the type of transaction saved; Insert or Delete. Note that database Update transactions are implemented by adding both Delete and Insert records to the associated audit trail table. The Delete record contains the data before the update is applied and the Insert contains the updated record. The Application User s User ID associates the audit trail transactions with the AU responsible for the changes. An example of a trigger that implements the audit trail follows. This example is implemented using DB2, but is also easily implemented using MS-SQL and Oracle. After an application connects to the DBMS, it registers itself by adding an entry to the following table that records the session-id of the application and the AU UID. Note this entry is removed from the table when the application is closed. TCREATE TABLE NORTHWIND.APPLICATION_USERS ( APPL_ID VARCHAR(128), USER_ID VARCHAR(40) ) ; The audit trail table associated with the application s SHIPPERS table follows. CREATE TABLE NORTHWIND.AT_SHIPPERS ( OP_CODE CHAR, USER_ID VARCHAR(40), APPL_ID VARCHAR(128), TRANS_TIME TIMESTAMP, SHIPPERID INTEGER, COMPANYNAME VARCHAR(40), PHONE VARCHAR(24) ) ; Insert Trigger Example The triggers serve as gatekeepers of application data. Only transactions from currently registered application users are accepted. CREATE TRIGGER NORTHWIND.AT_SHIPPERS_INS AFTER INSERT ON NORTHWIND.SHIPPERS REFERENCING NEW_TABLE AS INS_TABLE FOR EACH STATEMENT MODE DB2SQL BEGIN ATOMIC DECLARE APPUSERID VARCHAR(40); SET APPUSERID = ( SELECT USER_ID FROM NORTHWIND.APPLICATION_USERS WHERE APPL_ID=APPLICATION_ID() ); IF APPUSERID IS NULL THEN SIGNAL SQLSTATE '75001' ('Connection expired due to inactivity. Application must be restarted.');

ELSE INSERT INTO NORTHWIND.AT_SHIPPERS SELECT 'I', APPUSERID, APPLICATION_ID(), CURRENT TIMESTAMP, INS_TABLE.* FROM INS_TABLE; END IF; END ; The trigger fires when an insert operation is issued for the SHIPPERS table. It first attempts to retrieve the USER_ID from the APPLICATION_USERS table by supplying the session-id of the user that initiated the transaction. If the session-id does not exist, then either the user s ODBC connection has expired or an unauthorized user has attempted to tamper with data. In either case, the transaction is canceled; the database is not altered and no audit trail entry is recorded. If the session-id is found, an entry is added to the associated audit trail table. IV. Secure the Access Application Although creating an Access MDE file removes all editable source code and disables viewing the particulars of Access Form and Report designs, additional actions must be taken to secure Access applications from unintended and potentially malicious uses. must also be prevented from displaying the Database Window, which exposes database table and query design information that may contain User-IDs or even Passwords. As a general rule, any built-in menu items or buttons that are not essential to the operation of the application should be removed. Since ODBC implements connection pooling, connections expire after they have been idle for 60 seconds. The default can be changed by setting the OPTimeout entry of the ODBC driver in the Window s registry. Although setting the OPTimeout value to a short interval will prevent unauthorized persons from commandeering users workstations while unattended, timeouts that require users to repeat the logon procedure may be more frequent and prove counterproductive. Summary By implementing the steps outlined in this paper, Microsoft Access applications can expediently and cost-effectively be converted to comply with Sarbanes-Oxley regulations. Since the Access databases are converted to robust DBMS, the additional benefits of scalability, improved disaster-recovery, and manageability are also realized. Most Access applications include built-in menus and toolbars that include items that can be used to compromise security. For example, the link to the Startup form can be used to alter options that were set to prevent application misuse. Users

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information