
Compliance and Data Access Tracking

by Craig S. Mullins

In a world replete with regulations and threats, organizations today have to go well beyond simply securing their data. Protecting this most valuable asset means that companies have to monitor their systems continuously so that they know exactly who did what to their data, when, and how.

Increased regulation demands policies and procedures to protect sensitive data. For example, medical professionals must comply with HIPAA (the Health Insurance Portability and Accountability Act), which requires constant vigilance in the techniques used to manage and protect the data under their care. When healthcare records are stored in a DBMS, extra attention must be paid to how the data in those databases is governed.

Consider also the impact on organizations that accept credit and payment cards. A company that processes, stores, or transmits cardholder data must comply with PCI DSS (the Payment Card Industry Data Security Standard) or risk losing the ability to process card transactions. Executives must therefore ensure that their databases are protected so that only properly authorized entities can access only the specific data they need to do their jobs, and they must be able to prove it.

One important technique is to audit access to database data, using database auditing software. Robust database auditing software comprehensively tracks the use of database resources and authority. When auditing is enabled, each audited database operation adds a record to an audit trail showing what data was accessed, who accessed it, and when. Operators can analyze the audit trail and generate reports showing access and modification patterns against the sensitive data (for example, healthcare records) in the DBMS.

Database auditing helps answer questions such as, "Who accessed the payment account details for Mr. Jones?" or "When was Mrs. Smith's appointment time changed?" as well as "Who changed that appointment time?" It is even possible to answer more detailed questions such as "What was the old appointment time prior to the change?" The ability to answer such questions is very important for regulatory compliance.

Regulatory Compliance

HIPAA requires healthcare providers to protect an individual's health information, going so far as to require that a provider be able to track everyone who even looks at an individual's health data. PCI DSS, in turn, dictates specific rules for how debit and credit card numbers may be displayed on receipts and reports. These are not the only two regulations at work (Sarbanes-Oxley is another), but they are prime drivers of the need to implement database auditing.

Tracking who does what to each piece of regulated data matters because database data faces many threats. External attackers trying to compromise security and access company data are rightly viewed as a threat. But industry studies have shown that many security threats are internal, coming from within the organization. The most typical such threat is a disgruntled current (or former) employee who holds valid authorization to access the data. Access controls cannot stop such a person, because the credentials are legitimate; in these cases auditing is what makes it possible to find unauthorized access originating from an authorized user.

Audit trails help protect data integrity by enabling the detection of security breaches, also referred to as intrusion detection. An audited system also acts as a deterrent to data tampering, because those who tamper are more easily identified and caught.

Things to Watch For

A typical auditing facility permits auditing at different levels within the DBMS, for example at the database, object, and user levels. But capturing that much information, particularly in a busy system, can hurt performance. The required audit detail must be produced without slowing the operational systems that keep the organization running.

The detail and authenticity of the audit trail are just as important as the operational systems' performance. Audit trails must be detailed enough to capture before- and after-images of database changes; if the capture mechanism is not comprehensive and efficiently engineered, it ceases to be a compliance solution. Furthermore, the audit trail must be stored in a way that protects its authenticity: the records must not be alterable or deletable by the users whose activity they document, privileged users included, while still allowing seamless access for reporting.

Because of the potential volume of changes made to database data, a useful auditing facility must allow audit records to be created selectively, to limit the performance and storage cost. The general rule of thumb is to audit only the data that must be audited for compliance, and nothing more.

Auditing Techniques

Several techniques can be used to audit database data. By far the best is proactive monitoring of database operations directly at the database server, which captures every request for data as it is made. Because the audit details are captured at the server, the software can guarantee that all access is monitored, reads included. Other techniques, such as trace-based auditing or parsing database logs, can miss certain types of activity: a transaction log, for instance, records changes but not the SELECT statements that read data, so on its own it cannot answer who looked at a record.
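The questions posed earlier (who changed an appointment time, what the old value was, who looked at a record) and the points above about before- and after-images, selective auditing, and change-only sources missing reads, worked through in an added example. This is not the article's code nor any auditing product's; it uses SQLite from Python, and the appointments schema, the current_actor() hook, the user names and the helper names are all assumptions made here. A trigger on the regulated column captures before- and after-images and ignores edits to an unregulated column; a statement-level trace hook records SELECTs against the audited table, which the trigger (like a transaction log) never sees.

```python
"""Trigger-based audit trail with before/after images, selective column
auditing, and a statement-level read monitor on an in-memory SQLite database.
Added example, not code from the article. Assumed: the appointments schema,
the helper names and the current_actor() hook are invented here; a real DBMS
would use its native audit facility and session user instead."""
import re
import sqlite3

SCHEMA = """
CREATE TABLE appointments (
    id        INTEGER PRIMARY KEY,
    patient   TEXT NOT NULL,
    appt_time TEXT NOT NULL,
    notes     TEXT
);
CREATE TABLE audit_trail (
    seq          INTEGER PRIMARY KEY AUTOINCREMENT,
    ts           TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    actor        TEXT NOT NULL,
    action       TEXT NOT NULL,
    table_name   TEXT NOT NULL,
    row_id       INTEGER NOT NULL,
    before_image TEXT,
    after_image  TEXT
);
-- Selective auditing: this trigger fires only when the regulated column
-- (appt_time) is in the SET list. Edits to the unregulated notes column
-- produce no audit record, which keeps the trail small.
CREATE TRIGGER audit_appt_update AFTER UPDATE OF appt_time ON appointments
BEGIN
    INSERT INTO audit_trail (actor, action, table_name, row_id, before_image, after_image)
    VALUES (current_actor(), 'UPDATE', 'appointments', OLD.id,
            'patient=' || OLD.patient || ';appt_time=' || OLD.appt_time,
            'patient=' || NEW.patient || ';appt_time=' || NEW.appt_time);
END;
-- Deletes keep the before-image only; there is no after-image to record.
CREATE TRIGGER audit_appt_delete AFTER DELETE ON appointments
BEGIN
    INSERT INTO audit_trail (actor, action, table_name, row_id, before_image, after_image)
    VALUES (current_actor(), 'DELETE', 'appointments', OLD.id,
            'patient=' || OLD.patient || ';appt_time=' || OLD.appt_time, NULL);
END;
"""


class AuditedDB:
    """Connection wrapper that stamps every statement with the acting user."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.actor = "unknown"
        self.read_log = []  # (actor, statement) for reads of the audited table
        # SQLite has no session user, so the triggers ask this hook for "who".
        self.conn.create_function("current_actor", 0, lambda: self.actor)
        # Statement-level hook: it sees reads, which change-capturing
        # mechanisms (triggers, the transaction log) never do.
        self.conn.set_trace_callback(self._trace)
        self.conn.executescript(SCHEMA)

    def _trace(self, statement):
        if (re.match(r"\s*SELECT\b", statement, re.I)
                and re.search(r"\bFROM\s+appointments\b", statement, re.I)):
            self.read_log.append((self.actor, statement.strip()))

    def run(self, actor, sql, params=()):
        self.actor = actor
        rows = self.conn.execute(sql, params).fetchall()
        self.conn.commit()
        return rows

    def changes_to(self, row_id):
        """Who changed this row, when, and what was the value before?"""
        return self.conn.execute(
            "SELECT actor, ts, action, before_image, after_image FROM audit_trail "
            "WHERE table_name = 'appointments' AND row_id = ? ORDER BY seq",
            (row_id,)).fetchall()


def demo():
    """Constructed sample activity: fictional patients, users and times."""
    db = AuditedDB()
    db.run("scheduler", "INSERT INTO appointments (id, patient, appt_time, notes) "
                        "VALUES (1, 'Mrs. Smith', '2011-12-05 09:00', 'new patient')")
    db.run("scheduler", "INSERT INTO appointments (id, patient, appt_time) "
                        "VALUES (2, 'Mr. Jones', '2011-12-05 10:30')")
    # Unregulated column: no audit record is produced.
    db.run("nurse42", "UPDATE appointments SET notes = 'arrived early' WHERE id = 1")
    # Regulated column: before- and after-images are captured.
    db.run("nurse42", "UPDATE appointments SET appt_time = '2011-12-06 14:00' WHERE id = 1")
    # A read: invisible to the triggers, caught by the statement hook.
    db.run("billing7", "SELECT patient, appt_time FROM appointments WHERE id = 2")
    return db


if __name__ == "__main__":
    db = demo()
    for row in db.changes_to(1):
        print(row)
    print(db.read_log)
```

Two caveats the article's points above imply. First, the trigger approach answers "who" only as well as the application sets the actor; with a real DBMS the trigger should use the session user rather than a hook the client controls. Second, audit_trail here lives in the same database as the data it documents, so anyone who can alter appointments can also alter the trail; in production the audit records must be written somewhere the audited users, including DBAs, cannot modify.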



From Database Trends and Applications, December 2011.

© 2012 Craig S. Mullins

DBA Corner