Page 188 - DCAP508_DATABASE_ADMINISTRATION
Database Administration
As a result, auditors are now demanding monitoring of privileged users for security best practices as well as a wide range of regulations. Privileged user monitoring helps ensure:
- Data privacy, so that only authorized applications and users are viewing sensitive data.
- Data governance, so that critical database structures and values are not being changed outside of corporate change control procedures.
Application Activity Monitoring: The primary purpose of application activity monitoring is to provide a greater level of end-user accountability and detect fraud (and other abuses of legitimate access) that occurs via enterprise applications, rather than via direct access to the database. Multi-tier enterprise applications such as Oracle EBS, PeopleSoft, JD Edwards, SAP, Siebel Systems, Business Intelligence, and custom applications built on standard middle-tier servers such as IBM WebSphere and Oracle WebLogic Server mask the identity of end-users at the database transaction level. This is done with an optimization mechanism known as "connection pooling." Using pooled connections, the application aggregates all user traffic within a few database connections that are identified only by a generic service account name. Application activity monitoring allows organizations to associate specific database transactions with particular application end-users, in order to identify unauthorized or suspicious activities.
End-user accountability is often required for data governance requirements such as the Sarbanes–Oxley Act. New auditor guidance from the Public Company Accounting Oversight Board for SOX compliance has also increased the emphasis on anti-fraud controls.
Cyberattack Protection: SQL injection is a type of attack used to exploit bad coding practices in applications that use relational databases. The attacker uses the application to send a SQL statement that is composed from an application statement concatenated with an additional statement that the attacker introduces.
Many application developers compose SQL statements by concatenating strings and do not use prepared statements; in this case the application is susceptible to a SQL injection attack. The technique transforms an application SQL statement from an innocent SQL call into a malicious call that can cause unauthorized access, deletion of data, or theft of information.
One way that DAM can prevent SQL injection is by monitoring the application activity, generating a baseline of "normal behavior", and identifying an attack based on a divergence from normal SQL structures and normal sequences. Alternative approaches monitor the memory of the database, where both the database execution plan and the context of the SQL statements are visible, and based on policy can provide granular protection at the object level.
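The following is an added example, not code from the course text: it places the string-concatenating query beside its prepared-statement form and shows the structural baseline idea in miniature. Literals are normalized to placeholders so that statements with different values share one "shape", and a statement whose shape was never seen during the learning period is flagged as divergent. The users table and the ShapeBaseline class are constructed for the example.

```python
import re
import sqlite3

# Normalize a SQL statement to its structural "shape": string and numeric
# literals become placeholders, so the same query with different values maps
# to the same shape while an injected clause changes it.
def sql_shape(stmt: str) -> str:
    s = re.sub(r"'(?:[^']|'')*'", "?", stmt)      # quoted string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # numeric literals
    s = re.sub(r"--.*$", "", s, flags=re.M)       # trailing line comments
    return " ".join(s.upper().split())            # collapse case and whitespace

class ShapeBaseline:
    """Learns normal SQL structures during a learning period, then flags
    statements whose structure diverges from that baseline (constructed)."""
    def __init__(self):
        self.shapes = set()

    def learn(self, stmt: str) -> None:
        self.shapes.add(sql_shape(stmt))

    def is_anomalous(self, stmt: str) -> bool:
        return sql_shape(stmt) not in self.shapes

# Constructed in-memory database standing in for the application's backend.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user")])
    return db

# Vulnerable form: the user-supplied name is concatenated into the statement
# text, so the input can alter the SQL structure. Returns the statement the
# database actually saw (what a DAM sensor would capture) and the rows.
def lookup_concat(db, name):
    stmt = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return stmt, db.execute(stmt).fetchall()

# Hardened form: a prepared statement keeps the value out of the SQL
# structure, so the captured statement shape never changes with the input.
def lookup_prepared(db, name):
    stmt = "SELECT id, name FROM users WHERE name = ?"
    return stmt, db.execute(stmt, (name,)).fetchall()
```

For the concatenated form, a tautology input such as `' OR '1'='1` returns every row and produces a shape the baseline never saw, whereas the prepared form returns nothing and keeps the learned shape.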
Task: List the various uses of DAM.
13.5 Common DAM Architectures
Interception-based: Most modern DAM systems collect what the database is doing by being able to "see" the communications between the database client and the database server. What DAM systems do is find places where they can view the communication stream and get the requests and responses without requiring participation from the database. The interception itself can be done at multiple points such as the database memory (e.g. the SGA), at the network (using a network TAP or a SPAN port if the communication is not encrypted), at the operating system level, or at the level of the database libraries.
If there is unencrypted network traffic, then packet sniffing can be used. The advantage is that no processing is done on the host; however, the main disadvantage is that both local traffic and
182 LOVELY PROFESSIONAL UNIVERSITY