Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig Mullins

© 2021 IDERA, Inc. All rights reserved.
© 2021 Mullins Consulting, Inc. All rights reserved.
Database Auditing 2021
Tracking who did what to which data when –
on-prem and in the cloud
A webinar by Craig S. Mullins
www.mullinsconsutling.com
1

This presentation was prepared by:
Craig S. Mullins
President & Principal Consultant
IBM Champion for Analytics
IBM Gold Consultant
Mullins Consulting, Inc.
15 Coventry Ct
Sugar Land, TX 77479
Tel: 281-494-6153
E-mail: craig@craigsmullins.com
http://www.mullinsconsulting.com
This document is protected under the copyright laws of the United States and other countries as an unpublished work. This document
contains information that is proprietary and confidential to Mullins Consulting, Inc., which shall not be disclosed outside or
duplicated, used, or disclosed in whole or in part for any purpose other than as approved by Mullins Consulting, Inc. Any use or
disclosure in whole or in part of this information without the express written permission of Mullins Consulting, Inc. is prohibited.
© 2016 Craig S. Mullins and Mullins Consulting, Inc. (Unpublished). All rights reserved.

Data Breach Issues
• Trends and considerations
• Cost of a data breach
• Your database is a target!
Dealing with Data Protection
• Government and Industry Regulations
• Compliance and Requirements
Database Auditing
• Who are the stakeholders
• Types of database auditing
• Database auditing methods

Data Breach Issues
Data Loss Facts and Trends

Privacy Rights Clearinghouse is one source for tracking data breaches:
Since February 2005…
• There have been 9,015 data breach incidents impacting over 10 billion total records
containing sensitive personal information were exposed due to data security
breaches*
• That averages out to almost 12 data breaches every week
• Starting with ChoicePoint: (Feb 15, 2005) – data on 165,000 customers breached
Another good source is the annual Verizon Data Breach Investigations
Report…
• According to the Verizon Data Breach Report, in 2020 there were 5,258 confirmed
data breaches, across 88 different countries.
https://privacyrights.org/data-breaches
* As of September 7, 2019, reported by Privacy Rights Clearinghouse
Data Breaches are Common

Source: 2018 Gemalto Breach Level Index
https://breachlevelindex.com/
Frequency of Data Breaches

• Data breaches impact customer loyalty
• 64% of consumers are unlikely to do business with companies
where their sensitive data was stolen
• Companies bear the responsibility to protect customer data,
according to:
• Governmental and industry regulations
• But also customers: 69% of whom believe companies are most
responsible for protecting customer data
• Customers do not believe that companies take this responsibility to
protect their data as seriously as they should:
• 75% of consumers believe that companies do not take
protection and security of their data seriously
Source: 2015 Gemalto Breach Level Index http://bit.ly/1PUCspY
The Negative Impact of Data Breaches

The average cost of a
data breach (in 2018)
was up to $3.86 million
This is a 6.4% increase
from 2017
Source: Ponemon Institute 2018 Cost of a Data Breach Study: United States
• Regulatory Fines and Legal Judgments
• Legal Defense Costs
• Customer Notifications
• Credit Monitoring
• Forensic Analysis
• Reputational Losses
The Cost of a Data Breach

The cost of a data breach actually varies
• Average loss for a breach of 1,000 records:
• Between $52,000 and $87,000
• Average loss for a breach affecting 10 million records:
• Between $2.1 million and $5.2 million
Source: 2015 Verizon Data Breach Investigation Report

Your Database Systems are Targets for Attack
Enterprise database servers are a
significant target of data breach attacks
• Because that is where the data is!
• Personally identifiable information (PII)
• Such as SSN, address, etc.
• Personal financial data
• Bank account/credit card information
• Healthcare data
• Etc.

Source: 2015 Verizon Data Breach Investigation Report
Frequency of Database Attacks

Dealing With Data Protection Issues
Regulations and Governance

Sample Regulations Impacting Data Protection
Governance Privacy
1. Basel II
2. Sarbanes Oxley
3. Turnbull Report
4. OFAC
5. CMS ARS
1. PCI DSS
2. HIPAA
3. CA SB 1386/AB 1950
4. GLBA
5. FCRA -- “Red Flag”
6. FISMA
7. GDPR
Protect and control the process Protect the data

https://privacyrights.org/resources/data-breach-notification-united-states-and-territories
US State and Territory Regulations
As of 2018, all 50 states have enacted data breach notification
statutes.
The exact requirements of these regulations can vary greatly.
Considerations include:
▪ Definition of a breach
▪ Type and form of data to be protected (electronic, digital, paper, etc.)
▪ Encryption key breach specifications
▪ Type and amount of penalty to be imposed for violations
▪ Entities covered (person, partnership, coporation, sole proprietor, government,
etc.)
▪ Notification obligation and method

These resources can help to guide your compliance efforts:
▪ COBIT - https://cobitonline.isaca.org/
Control Objectives for Information and Related Technology
▪ Center for Internet Security (CIS) - https://www.cisecurity.org/
Organization dedicated to enhancing the cybersecurity readiness and response
among public and private sector entities
▪ Department of Defense (DoD) - http://www.defense.gov/Resources/DoD-Information-
Quality-Guidelines
Guidelines and procedures for information quality
▪ Security Technical Implementation Guide (STIG) -
http://iase.disa.mil/stigs/Pages/index.aspx
Technical guidance for securely locking down computer systems & software that
otherwise might be vulnerable to attacks
▪ Common Vulnerability Exposure (CVE) - https://cve.mitre.org/
Dictionary of publicly known information security vulnerabilities and exposures
Guidance for Regulatory Compliance

Database Auditing by Regulation
Audit Requirement SOX PCI-DSS GLB HIPAA Basel II GDPR
Access to sensitive data
(SELECT)
X X X X X
Modification of sensitive
data
(INSERT, UPDATE,
DELETE)
X X X
Database changes/DDL
(CREATE, ALTER, DROP)
X X X X X X
Security authorizations/DCL
(GRANT, REVOKE)
X X X X X X
Security exceptions
(e.g. failed logins, SQL
errors)
X X X X X X

Monitoring privileged users is a significant aspect of compliance
auditing… From a database perspective this includes:
• DBAs
• SYSADMs
• SECADMs
Not enough of
this is being
done…
Source: Cyberthreat Defense Report, CyberEdge Group
Privileged User Auditing

Database Auditing
What is it?
How is it done?

There are many names used for basically the same thing.
In this presentation the term database auditing is used, but
you may also know it as:
• Data Access Auditing
• Data Monitoring
• Database Activity Monitoring (DAM)
My definition of Database Auditing:
The process of monitoring access to and modification
of selected database objects and resources within
operational databases and retaining a detailed record of the
access where this record can be used to proactively trigger
actions and can be retrieved and analyzed as needed.
What is Database Auditing?

Database Auditing Key Stakeholders
SECURITY
OPERATIONS
✓ Real-time policies
✓ Secure audit trail
✓ Data mining &
forensics
✓ Business rqmts
✓ Separation of
duties
✓ Best practices
reports
✓ Automated controls
✓ Minimal impact
✓ Change management
✓ Performance
issues

Authorization Auditing
• Who can do what
Access Auditing
• Who did do what.
• Modifications: INSERT, UPDATE, DELETE
• Reads: SELECT
• DDL: CREATE, DROP, ALTER
• DCL: GRANT, REVOKE
• Utilities: Load, Unload, Export, Import, Copy…
Replication Auditing
• Who copied which data where.
Types of Database Auditing

Non-Standard Access
• File-level snooping as opposed to going through the DBMS
interface
• System-level snooping and zapping (e.g. pointers)
• Image copy backup data sets
• Unload data sets
• REORG data sets
• Database statistics
• Some database statistics, such as column distribution statistics,
can contain actual data values
• Such as AMASPZAP on mainframes
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieab100/iea3b1_AMASPZAP.htm

Selective
• Must be rules-based to enable the capture of audit details only on the
specific data that requires auditing.
• Should be able to implement privileged user auditing, auditing by
application, by database object, by type of command, by utility, etc.
Comprehensive
• Must be able to capture the complete scenario of auditable
information.
Non-invasive
• Should be able to audit access to data without incurring expensive
performance degradation.
Be capable of answering:
• Who accessed/modified the data?
• When did it happen?
• Using what computer program or client software?
• From what location on the network?
• What was the SQL query that accessed the data?
• Was it successful; and if so, how many rows of data were retrieved?
General Database Auditing Requirements

There are 6 common methods used to audit databases:
1. Audit within the DBMS (traces)
Must start a trace w/I the DBMS/server
2. Audit using temporal capabilities
SYSTEM temporal tables to record all changed data
3. Audit using triggers (or hand-coding)
Database triggers or hard-coding audit trail in programs
4. Audit from the database transaction log files
Modifications are on the log anyway so…
5. Audit over the network
Sometimes called network sniffing: captures SQL requests
as they are sent over the network
6. Audit directly against the DBMS server control blocks
Sometimes called a “tap”
Database Auditing Approaches

Most DBMSes offer an audit or trace capability that enables you
to trace events or categories of events by UserID, object
ownership, etc.
You can typically choose from multiple audit options such as:
• Categories of events
• SELECT, INSERT, UPDATE, DELETE, CREATE, DROP,
REVOKE, GRANT, etc.
• Privileged User Access
• Specific Tables, UserIDs, programs…
1. Native DBMS Audit Capabilities

Potential Native Audit Issues:
Separation of duties – auditing typically is turned on and
off by DBAs (privileged users)
Overhead – some audit traces can consume a significant
amount of resources
• Don’t want to “dim the lights” to audit
Comprehensive capture – may not capture everything
that needs to be captured for compliance
First read/write in a UOR
Statements with syntax errors
Depends on the DBMS and the type of auditing
There can be multiple types of native audit per DBMS
Audit trail access – how do you access the audit trail;
may require significant programming + support
1. Native DBMS Audit Capabilities

A somewhat newer capability of several DBMS offerings is
the ability to create temporal tables
A system-level temporal table can be used to audit changes
(aka transaction time)
• System time tracks the insertion and modification history of the data.
• System Time is typically tracked using two tables.
2. System Temporal Tables
• One table contains the current data.
• Another, history table, contains the non-current data.

• Implementing auditing using SYSTEM time temporal tables…
• Typically requires a 3 step process:
1. Create the base table and include TIMESTAMP columns to track the
starting and ending points for the system time period
2. Create the history table with an identical structure, preferably by using a
CREATE TABLE . . . LIKE statement.
3. ALTER the current table to enable versioning thereby turning on the system
temporal capability.
2. System Temporal Tables

2. Temporal: Adding Data to our System Time “Table”
COURSENO TITLE CREDITS PRICE SYS_START SYS_END
500 INTRO TO COBOL 2 200.00 2012-01-10 9999-12-31
600 INTRO TO JAVA 2 250.00 2012-01-10 9999-12-31
650 ADVANCED JAVA 3 400.00 2012-01-10 9999-12-31
COURSE table
COURSE_HIST table
The table contains three rows
The table is empty
– After inserting
these three rows →
– The data look like this

– After issuing these
statements (UPDATE
and DELETE) →
– Our tables now look like this
2. And then let’s DELETE from our System Time “Table”
COURSE table
COURSE_HIST table
The table contains two rows
The table contains two rows
500 INTRO TO COBOL 2 200.00 2012-01-10 9999-12-31
650 ADVANCED JAVA 3 375.00 2012-01-15 9999-12-31
650 ADVANCED JAVA 3 400.00 2012-01-10 2012-01-15
600 INTRO TO JAVA 2 250.00 2012-01-10 2012-02-05

• Simply retrieve the current info for Advanced Java course:
• Access info about Advanced Java course for January 16, 2012:
2. System Time: Sample Queries (#1, #2)
– Returns one row →
AS OF
FROM
BETWEEN

• Only useful to track modifications (U/I/D)
• No tracking of access to data (read/SELECT)
• No tracking of who made each change
• No way to audit privileged users
• Data management issues
• Large amount of “old” data
• Needs to be purged – but within the specifications of the
regulations being complied with!
• Uses the database itself to store audit data
• Separation of duties: a DBA can get past it
• Disconnect the temporal connection
• Delete data
• Reconnect
2. Issues w/Using Temporal for Auditing

3. Using Triggers
Similar to the temporal option, you can use database
Triggers to write audit records
Write a set of Triggers for the tables you wish to audit
• One each for Insert, Update, and Delete
Write the pertinent details – whatever you want – to audit
tables you define
• Or files if your DBMS allows
triggers to write to files

• You have to write and maintain the Triggers
• This can be an exposure based on who has access to the trigger code
• No tracking of access to data (read/SELECT)
• No way to audit privileged users
• Trigger performance can be poor
• Data management issues similar to temporal data
• e.g.) amount of data, purging, using the database to store audit data,
separation of duties
3. Issues w/Using Triggers for Auditing

Sometimes developers add “audit columns” to tables, such as
LAST_MODIFIED_DATE
• The idea here is for the program to auto-
matically change the LAST_MODIFIED_DATE
column in the programs whenever data is changed
• Every program?
Auditors don’t like this… it is a problem because:
• Audit trails should be kept outside of the database
• Can you guarantee that LAST_MODIFIED_DATE is accurate?
3½. Hand-coding audit trails?
• If you delete the row you lose the audit data
• Couldn’t someone have set it by accident (or nefariously)?

4. What About Using the Database Logs?
Database transaction log(s) capture ALL*
changes
made to data.
DBMS
Transaction
Log(s)
SQL
Changes
*Well, maybe not all changes, all the time.
Database

4. Issues With Database Log Auditing & Analysis
Log format is proprietary
Volume can be an issue
Easy access to online and archive logs?
• But how long do you keep your archive logs?
Dual usage of data could cause problems?
• Recovery and protection
• Audit
Tracks database modifications, but what about reads?
• Transaction logs do not record information about SELECT
And what about non-logged operations?
• LOAD LOG NO, REORG LOG NO
• Non-logged table spaces, LOBs
Cannot invoke real-time actions using log-based auditing

Database auditing via network sniffing captures SQL requests
as they go across the network
• Some third-party database auditing solutions use this approach
• Perhaps more effective for cloud database auditing
But not all requests go across the wire
• DBA access directly on the server
• Mainframe applications (CICS, IMS/TM, TSO, batch)
5. Network Capture

Audit database requests at the server
Capture all SQL requests at the server
All SQL access can be audited, not just those made over a network
Retain all pertinent audited information
• Without relying on the DBMS
No need to keep the active/archive log files
No need to start a DBMS trace
No need to modify the database schema
Concerns?
• Requires purchasing additional ISV software
• Interfaces with DBMS internals
6. Tap Database Server Control Blocks

The Best Approach?
All of the approaches discussed herein have their merits
depending upon the type of database applications that you
need to audit
Database auditing products may use one or more of these
different approaches and methods
• Understand the methods used by any product you
evaluate
• For example, a combination of native tracing and
capturing information from database control blocks
can make for a reasonable solution

Let’s Discuss a Few Cloud Issues
When the database exists in the cloud, remotely instead of on prem,
there may be challenges that need to be understood and managed:
• If the database is managed completely by the CSP, there may be
a lack of visibility and control
• It may be difficult to integrate cloud and on-prem audit activities
• Be aware of volume and licensing issues
Finally, if you rely on the cloud, make sure that any database
auditing product you acquire will work with your cloud provider
• and DBMS
Things can get complex…

Benefits of Database Auditing Products
• Favor products that offer built-in reporting for the regulations
you need to comply with (like GDPR, HIPAA, etc.)
Instead of you having to translate trace records to specific
compliance requirements
• Vendor maintenance and support for changing DBMS
capabilities and regulatory compliance specifications
• Customizable policies and alerting
• Typically come with a dashboard to view compliance
information, audit activities and issues
• Built-in support for specific regulations
• Many product consume fewer resources than alternate
approaches

Craig S. Mullins
Mullins Consulting, Inc.
15 Coventry Ct
Sugar Land, TX 77479
(281) 494-6153
E-mail: craig@craigsmullins.com
Web: www.mullinsconsulting.com
https://datatechnologytoday.wordpress.com/
Data & Technology Today Blog
http://www.mullinsconsulting.com/dba-corner.html
DBA Corner Columns
Contact Information
https://tinyurl.com/cj3x4tm6

Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig Mullins

More Related Content

What's hot (20)

Similar to Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig Mullins (20)

More from IDERA Software (20)

Recently uploaded (20)

Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig Mullins