Database Activity Monitoring

Who has unlimited access to your data? None other than the database administrators. We do trust them, don't we? Yes, what else can we do? There are two things we need to consider: (1) what if a DBA turns malicious? (2) What if a trusted DBA's account is compromised?

These two cases make it necessary to monitor the DBA accounts. In addition to the DBAs, many other users have access to the databases. Whatever access controls are set up at the database level, there will always be authorized user accounts that can fall into the two threat scenarios mentioned above.

Database activity monitoring is often required to monitor the activities in a database system, including those performed by the DBAs. The usual challenge is that the DBAs themselves control what is monitored and audited on the database servers, and many times I have seen the excuse that system performance will be affected if a particular piece of auditing is enabled. This is true of the native auditing capabilities of database servers such as Oracle or MS SQL Server: the audit configuration sits under the control of the very accounts it is supposed to watch.

Alternative solutions are on the rise in the market, thanks largely to the PCI DSS requirements around database activity monitoring. These solutions either sit entirely outside the database server or run agents on the database server with limited resource utilization. In other words, Database Activity Monitoring (DAM) is a database security technology for monitoring and analysing database activity continuously and in real time. It does not depend on the native auditing capabilities or native logs of the database management system, so a DBA cannot reduce what is recorded by changing the database's own audit settings.

According to Gartner, "DAM provides privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring administrator activity. The technology also improves database security by detecting unusual database read and update activity from the application layer. Database event aggregation, correlation and reporting provide a database audit capability without the need to enable native database audit functions (which become resource-intensive as the level of auditing is increased)."

Many DAM implementations have been extended into Database Activity Monitoring and Prevention (DAMP) systems, in other words database security firewalls. These not only detect and analyse incidents but also prevent them from happening, typically by blocking the offending statement before it reaches the database.

Which critical systems need to be monitored? "All of them" is the general answer; however, it is not easy to monitor and manage all of them. So you have to decide what is critical to your environment and why, prioritize based on the business needs, and then decide the size of the team you need to monitor and review such events. I generally follow the order below to define the controls:

  1. Regulatory requirements: This one is non-negotiable; if your regulator is not happy, it is a high risk. It can be anything from PCI DSS compliance to HIPAA, Sarbanes-Oxley (SOX), etc.
  2. Business criticality: customer information, financial information, password tables, anything else classified as confidential, etc.
  3. Organization internals: HR systems and the related tables in other systems.
  4. Anything else the system/process can support.

The key challenge is not in enabling the monitoring system but in actually monitoring and keeping track of the events. In general, I try to implement the following:

  1. Monitoring of all privileged accounts: all DBA accounts and all of their activities.
  2. Monitoring of accounts with direct DB access through a client tool: developers, helpdesk staff, business users with direct access, etc. Not all of their activities, but the exceptional ones such as access to customer financial information, health information, card numbers, social security numbers, etc.
  3. All access to critical tables, such as credit card tables, customer information, etc. Access that comes directly from the business applications is excepted, provided such access is audited at the business application level.
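As an added example (not code from the original article, and not any vendor's product), the three rules above, together with the DAMP blocking mode described earlier, can be expressed as a small policy engine run over captured statements. The account names, table names, client program names and the sample statements are all constructed for illustration, and the table-name extractor is deliberately simplistic; a real DAM product parses the SQL properly and takes the user and client program from the session or the wire.

```python
import re
from dataclasses import dataclass

# Policy inventory. All names here are constructed for the example; a real
# deployment would load them from the account inventory and data classification.
PRIVILEGED_ACCOUNTS = {"sys", "dba_admin"}
APPLICATION_ACCOUNTS = {"app_billing"}   # access from these is audited inside the application
SENSITIVE_TABLES = {"customers", "card_numbers", "health_records"}
INTERACTIVE_CLIENTS = {"sqlplus", "ssms", "dbeaver", "psql", "toad"}  # direct client tools

# Crude table extractor: the identifier after FROM/JOIN/INTO/UPDATE/TABLE.
# Sufficient for the sample statements; a production DAM parses SQL properly.
TABLE_RE = re.compile(r"\b(?:from|join|into|update|table)\s+([A-Za-z_]\w*)", re.IGNORECASE)

# Statements that switch native auditing off (Oracle NOAUDIT and audit_trail,
# SQL Server server audit state). This is the point where a DBA "controls what is audited".
AUDIT_TAMPER_RE = re.compile(
    r"^\s*(?:NOAUDIT\b|ALTER\s+SYSTEM\s+SET\s+AUDIT_TRAIL\b|ALTER\s+SERVER\s+AUDIT\b.*\bSTATE\s*=\s*OFF)",
    re.IGNORECASE | re.DOTALL,
)


@dataclass(frozen=True)
class DbEvent:
    user: str            # database account the session authenticated as
    client_program: str  # program name reported by the session or seen on the wire
    statement: str       # SQL text captured by the agent or network sensor


def referenced_tables(statement):
    return {name.lower() for name in TABLE_RE.findall(statement)}


def matched_rules(event):
    """Apply the three monitoring rules from the text; return the names of the rules that fire."""
    rules = []
    interactive = event.client_program.lower() in INTERACTIVE_CLIENTS
    sensitive = referenced_tables(event.statement) & SENSITIVE_TABLES

    # Rule 1: every statement from a privileged (DBA) account is recorded for review.
    if event.user in PRIVILEGED_ACCOUNTS:
        rules.append("privileged-account-activity")
        if AUDIT_TAMPER_RE.match(event.statement):
            rules.append("audit-tampering")  # the DBA is turning native auditing off

    # Rule 2: direct client-tool access by other users only matters when it reaches sensitive data.
    if interactive and sensitive and event.user not in PRIVILEGED_ACCOUNTS:
        rules.append("direct-client-sensitive-access")

    # Rule 3: any access to critical tables, except from the application accounts, and that
    # exception holds only while they arrive through the application, not through a client tool
    # (an application credential used from DBeaver is the compromised-account case).
    if sensitive and not (event.user in APPLICATION_ACCOUNTS and not interactive):
        rules.append("critical-table-access")
    return rules


def evaluate(event, prevention=False):
    """DAM mode returns 'allow' or 'alert'; DAMP mode (prevention=True) also blocks the worst cases."""
    rules = matched_rules(event)
    if not rules:
        return rules, "allow"
    interactive = event.client_program.lower() in INTERACTIVE_CLIENTS
    # Policy choice for the firewall: stop audit tampering and any hands-on access to critical tables.
    if prevention and ("audit-tampering" in rules or ("critical-table-access" in rules and interactive)):
        return rules, "block"
    return rules, "alert"


# Constructed capture, not real traffic.
SAMPLE_EVENTS = [
    DbEvent("dba_admin", "sqlplus", "ALTER USER app_billing IDENTIFIED BY Summer2024"),
    DbEvent("dba_admin", "sqlplus", "NOAUDIT ALL"),
    DbEvent("dev_jane", "DBeaver", "SELECT pan, expiry FROM card_numbers WHERE customer_id = 42"),
    DbEvent("dev_jane", "DBeaver", "SELECT * FROM dept_codes"),
    DbEvent("app_billing", "JDBC Thin Client", "SELECT pan FROM card_numbers WHERE customer_id = ?"),
    DbEvent("app_billing", "DBeaver", "SELECT name, email FROM customers"),
]


def review_queue(events, prevention=False):
    """Everything that is not simply allowed, as (user, action, rules) for the reviewer."""
    out = []
    for ev in events:
        rules, action = evaluate(ev, prevention)
        if action != "allow":
            out.append((ev.user, action, tuple(rules)))
    return out


if __name__ == "__main__":
    for user, action, rules in review_queue(SAMPLE_EVENTS, prevention=True):
        print(f"{action:5} {user:12} {', '.join(rules)}")
```

Run as a script it prints the review queue in prevention mode: the DBA's password reset is merely recorded, while the NOAUDIT, the developer reading card numbers from DBeaver, and the application credential being used interactively against the customer table are blocked. The application's own query against card_numbers produces nothing, because that access is audited in the application layer. In plain DAM mode the same four events come back as alerts, which is the real point of rule 3's exception: the work is in keeping the review queue short enough that someone actually reads it.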

Database monitoring helps organizations gain a better understanding of how the data in their databases is actually being accessed and managed. It is a key tool for the IT security function and/or the internal audit function within an organization.

In the next article, I will describe the different types of database activity monitoring systems and the challenges of implementing them.