Page 186 - DCAP508_DATABASE_ADMINISTRATION
Database Administration
multiple database platforms; and can generate alerts on policy violations. While a number of tools can monitor various levels of database activity, Database Activity Monitors are distinguished by five features:
1. The ability to independently monitor and audit all database activity, including administrator activity and SELECT transactions. Tools can record all SQL transactions: DML, DDL, DCL (and sometimes TCL) activity.
2. The ability to store this activity securely outside the database.
3. The ability to aggregate and correlate activity from multiple heterogeneous Database Management Systems (DBMSs). Tools can work with multiple DBMSs (e.g., Oracle, Microsoft, IBM) and normalize transactions from different DBMSs despite differences between SQL flavors.
4. The ability to enforce separation of duties on database administrators. Auditing must include monitoring of DBA activity, and solutions should prevent DBA manipulation or tampering with logs or recorded activity.
5. The ability to generate alerts on policy violations. Tools don’t just record activity; they provide real-time monitoring and rule-based alerting. For example, you might create a rule that generates an alert every time a DBA performs a select query on a credit card column which returns more than 5 results.
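The following Python sketch is an added illustration, not code from the textbook or from any DAM product, of how features 1 to 5 fit together in one pipeline: it classifies each captured statement as DML, DDL, DCL or TCL (feature 1), normalizes identifier quoting across Oracle, SQL Server and MySQL so that one rule matches all three flavors (feature 3), fires the rule from item 5 (a DBA SELECT on a credit card column returning more than 5 rows) plus a separation-of-duties rule for DBA writes to audit tables (feature 4), and appends every record to a hash-chained store kept outside the database so that later edits to recorded activity are detectable (feature 2). The event stream, the column and table names in the policy, and the alert names are all constructed for this example.

```python
import hashlib
import json
import re

# Constructed sample capture: what an agent or network tap might hand the DAM.
# Each event is one executed statement plus the row count the server returned.
SAMPLE_EVENTS = [
    {"dbms": "oracle", "user": "sys_dba", "role": "dba",
     "sql": 'SELECT "CARD_NUMBER", "EXPIRY" FROM "PAYMENTS"."CARDS"', "rows": 12},
    {"dbms": "mssql", "user": "app_svc", "role": "app",
     "sql": "SELECT [card_number] FROM [payments].[cards] WHERE [id] = 7", "rows": 1},
    {"dbms": "mysql", "user": "sys_dba", "role": "dba",
     "sql": "SELECT `card_number` FROM `payments`.`cards` LIMIT 3", "rows": 3},
    {"dbms": "mysql", "user": "sys_dba", "role": "dba",
     "sql": "DELETE FROM `audit_log` WHERE ts < '2024-01-01'", "rows": 0},
    {"dbms": "oracle", "user": "sys_dba", "role": "dba",
     "sql": "GRANT DBA TO new_admin", "rows": 0},
]

STATEMENT_CLASSES = {
    "DML": {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"},
    "DDL": {"CREATE", "ALTER", "DROP", "TRUNCATE"},
    "DCL": {"GRANT", "REVOKE"},
    "TCL": {"COMMIT", "ROLLBACK", "SAVEPOINT"},
}

SENSITIVE_COLUMNS = {"card_number"}  # constructed policy: a PCI-scope column
AUDIT_TABLES = {"audit_log"}         # constructed policy: tables DBAs must not alter


def classify(sql):
    """Classify a statement by its leading keyword: DML, DDL, DCL, TCL or OTHER."""
    verb = sql.lstrip().split(None, 1)[0].upper()
    for cls, verbs in STATEMENT_CLASSES.items():
        if verb in verbs:
            return cls
    return "OTHER"


def normalize(sql):
    """Strip dialect-specific identifier quoting and case so one rule fits all DBMSs.
    (Toy normalizer: it would also unquote "..." string literals in MySQL.)"""
    sql = re.sub(r'"([^"]+)"', r"\1", sql)      # Oracle / PostgreSQL "ident"
    sql = re.sub(r"\[([^\]]+)\]", r"\1", sql)   # SQL Server [ident]
    sql = re.sub(r"`([^`]+)`", r"\1", sql)      # MySQL `ident`
    return re.sub(r"\s+", " ", sql).strip().lower()


def tokens(norm_sql):
    """Identifier-like words in a normalized statement (schema.table splits into parts)."""
    return set(re.findall(r"[a-z_][a-z0-9_]*", norm_sql))


def evaluate(event):
    """Apply the alerting rules to one event; return the list of alert names fired."""
    cls = classify(event["sql"])
    norm = normalize(event["sql"])
    is_select = norm.startswith("select")
    words = tokens(norm)
    alerts = []
    # Rule 1 (item 5 in the text): a DBA SELECT touching a sensitive column, > 5 rows back
    if event["role"] == "dba" and is_select and words & SENSITIVE_COLUMNS and event["rows"] > 5:
        alerts.append("dba-bulk-read-sensitive-column")
    # Rule 2 (item 4): a DBA writing to an audit table breaks separation of duties
    if event["role"] == "dba" and cls in {"DML", "DDL"} and not is_select and words & AUDIT_TABLES:
        alerts.append("dba-touched-audit-table")
    # Rule 3: privilege changes (DCL) always alert
    if cls == "DCL":
        alerts.append("privilege-change")
    return alerts


def append_record(store, event, alerts):
    """Append a hash-chained record: each record commits to the previous hash, so editing
    or deleting an earlier record changes every hash after it (the 'store securely
    outside the database' property from item 2, kept in an external list here)."""
    prev = store[-1]["hash"] if store else "0" * 64
    body = {"event": event, "class": classify(event["sql"]), "alerts": alerts, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    store.append({**body, "hash": digest})
    return digest


def verify_chain(store):
    """Recompute every hash and link; return False if any record was altered or reordered."""
    prev = "0" * 64
    for rec in store:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def monitor(events):
    """Run the capture stream through the rules and return the tamper-evident store."""
    store = []
    for ev in events:
        append_record(store, ev, evaluate(ev))
    return store


if __name__ == "__main__":
    records = monitor(SAMPLE_EVENTS)
    for rec in records:
        print(rec["class"], rec["event"]["dbms"], rec["event"]["user"], rec["alerts"])
    print("chain intact:", verify_chain(records))
```

Running the sketch on the constructed events fires the bulk-read rule only for the Oracle SELECT that returned 12 rows (the MySQL SELECT with 3 rows stays silent, and the application account is outside the rule), flags the DELETE against `audit_log` and the GRANT, and `verify_chain` returns False as soon as any stored record is modified after the fact.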
Other tools provide some level of database monitoring, including Security Information and Event Management (SIEM), log management, and database management, but DAM products are distinguished by their ability to capture and parse all SQL in real time or near real time and monitor DBA activity.
Depending on the underlying platform, a key benefit of most DAM tools is the ability to perform this auditing without relying on local database logging, which often entails a substantial performance cost. All the major tools also offer other features beyond simple monitoring and alerting, ranging from vulnerability assessment to change management.
13.2 Market Drivers
DAM tools are extremely flexible and often deployed for what may appear to be totally unrelated reasons. Deployments are typically prompted by one of three drivers:
Auditing for compliance: One of the biggest boosts to the DAM market has been increasing auditor requirements to record database activity for SOX (Sarbanes-Oxley) compliance. Some enterprises are required to record all database activity for SOX, and DAM tools can do this with less overhead than alternatives.
As a compensating control for compliance: We are seeing greater use of DAM tools to address specific compliance requirements, even though database auditing itself isn’t the specified control. The most common example is using DAM as an alternative to encrypting credit card numbers for PCI compliance.
As a security control: DAM tools offer significant security benefits and can sometimes even be deployed in a blocking mode. They are particularly helpful in detecting and preventing data breaches for web-facing databases and applications, or in protecting sensitive internal databases through detection of unusual activity.
DAM tools are also beginning to expand into other areas of database and application security, as we’ll see a bit later.
180 LOVELY PROFESSIONAL UNIVERSITY