
IT Compliance Institute, July 20, 2004:

Best Practices

Auditing Data for Regulatory Compliance

Monitoring and securing enterprise databases to meet SOX regulations

By Mathew Schwartz

As the first year-end Sarbanes-Oxley report deadline approaches for many companies, will their databases be secure? According to Gartner Group, 68 percent of data loss or corruption isn’t caused by attackers, but simply by human error. Of course, under Sarbanes-Oxley, any financial misrepresentation—even if accidental—can be punished with fines and prison time for executives.

Other regulations, including HIPAA, the USA PATRIOT Act, and the Gramm-Leach-Bliley Act, also require database monitoring.

It's no surprise, then, that many companies are implementing real-time database monitoring and auditing. Such technology safeguards against inappropriate database changes—whether intentional or not.

To discuss the technology, and the rush to meet Sarbanes-Oxley deadlines, IT Compliance Institute spoke with Lee Phillips, vice president of the compliance and audit practice for Acton, Mass.-based Lumigent Technologies Inc., which makes Entegra, a software product that monitors Microsoft and Oracle databases.

In today’s enterprises, what role do databases play?

There isn’t data of any value that’s not stored in a structured database these days. Whether it be corporations’ financial information or anything else of value, it’s going to be in a structured SQL database.

What are the biggest concerns when it comes to keeping databases secure?

Today there are three concerns when it comes to managing data risks. The first is human error, and that’s been underscored in recent years with downsizing. You have someone doing two or three jobs in one job, it’s just [asking for mistakes to happen].

Second is someone trying to do something they should be doing … but they fail to do it correctly.

Third, these days, regulatory compliance is really in the center of the radar screen for organizations … especially in the U.S. right now, with Sarbanes-Oxley having some real deadlines and real teeth in it.

What about the risk of outside attacks against the database?

At the end of the day, almost all of the risk is internal to the organization. So what we’re offering is a way … to audit and monitor everything that’s going on at the database level.

The reason I’m making this distinction is because companies have spent a ton of money on security these last few years—in many surveys in recent years, security is almost always at, or close to, number one [for importance]. Security is mostly weighted to external threats … but what we’re seeing is security risks are [more] from internal threats.

What’s the potential for non-malicious errors?

You may have a privileged user—somebody who has generally direct, and some sort of privileged access, to the database component, such as a database analyst or data analyst, for example—who’s made an unauthorized change.

Or you might have a user who’s made an authorized change … a change they thought was legitimate, but turned out to be in error. Without monitoring, we don’t know the intention, just what was done … and at the end of the day, the company could be operating against false financial data.

Do regulations exempt unintentional errors?

Well, in the era of Sarbanes-Oxley, it’s not okay anymore, because it’s not just about the correctness of the financial data, but also about having controls to mitigate the risk of [this happening].

Entegra does this … by providing a complete audit trail of data changes. So, for example, any before or after values that occur in a database, we’ll capture those, and it will also allow us to track what has happened to the database infrastructure, versus what was intended to happen. What’s unique about Entegra is we’re doing this auditing at the database level. There are lots of ways to attempt this, but at the end of the day … [operating at] the data level … gives us a true record. We also don’t care how the change was initiated—whether through a direct interface or through an application, [such as] SAP, PeopleSoft, or Oracle.

How is it you do a source-blind look at data changes?

We’re looking at the transaction logs that are recreated and associated with any kind of SQL platform.

What’s the underlying SQL technology?

Very briefly, SQL came out of the IBM world in the ’70s … and at the end of the day there’s an important part of the standard associated with SQL. [It] requires that there will be a transaction log of everything that occurred in the database. In fact, that transaction log … will be updated before the database itself. That [log] exists for only one reason—to restore a database to a previously known state if we had a problem. But because that transaction log exists, we’re able to pull out a comprehensive audit trail.

Why did you go this technology route?

For a couple of reasons. It’s an unimpeachable source of information—it’s considered sacred by database makers, it’s really important to the internals. Also … it doesn’t cause any overhead on the system. These logs exist independently of the database application … We’re doing an out-of-band processing against those logs instead of competing against the SQL engine time.

What do customers require from database-auditing software?

When you talk to guys who are auditing wonks, this is the first thing they talk about: Can I trust the source of information I’m trusting for my audit? If I can’t then I’ve wasted my time … Second is, the way we’ve approached doing this at the data layer is, there aren’t any back doors … because we’re doing it at the data layer … Third is segregation of duty … A lot of approaches to auditing the data would … put it back on the server that’s being audited, [whereas] we extract that information, and pull it off on to a centralized … repository. That’s important because a lot of the people you’re auditing are database administrators (DBAs).

It’s not that auditors distrust the DBAs, it’s that [auditors are] paid not to trust anyone.
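The log-based approach described in the last several answers (read the transaction log out of band, keep the before and after images, stay blind to whether a change came through an application or a direct session), as an added example that is not Entegra's code and not part of the interview: it reconstructs a before/after audit trail from a transaction log and keeps only committed transactions, dropping rolled-back ones. The log layout, logins, tables and values are constructed for this example and do not correspond to any real SQL Server or Oracle log format.

```python
from collections import defaultdict

# Constructed sample transaction log, a simplified stand-in for a real SQL
# Server/Oracle log. One record per line, change records carry before and
# after images, and BEGIN/COMMIT/ROLLBACK records delimit transactions:
#   lsn|txid|login|kind|table|key|column|old_value|new_value
SAMPLE_LOG = """\
1|t1|app_svc|BEGIN|||||
2|t1|app_svc|UPDATE|gl_balance|acct=4010|amount|15000|18000
3|t1|app_svc|COMMIT|||||
4|t2|dba_jane|BEGIN|||||
5|t2|dba_jane|UPDATE|gl_balance|acct=4010|amount|18000|12000
6|t2|dba_jane|COMMIT|||||
7|t3|dba_jane|DELETE|gl_balance|acct=5020|amount|700|
8|t3|dba_jane|ROLLBACK|||||
9|t4|app_svc|INSERT|gl_balance|acct=6001|amount||250
"""
FIELDS = ("lsn", "txid", "login", "kind", "table", "key", "column", "old", "new")

def parse_log(text):
    """Turn raw log text into record dicts; an empty old/new field means no image."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split("|")))
            rec["lsn"] = int(rec["lsn"])
            rec["old"], rec["new"] = rec["old"] or None, rec["new"] or None
            records.append(rec)
    return records

def audit_trail(records):
    """Return (committed_changes, in_flight) built purely from the log.

    Only changes whose transaction committed become audit entries; a rolled-back
    transaction never altered the data, so it is dropped. Transactions still open
    at the end of the log are returned separately for a later segment to resolve.
    The login is whatever the log recorded, application session or direct DBA login.
    """
    pending = defaultdict(list)   # txid -> change records not yet resolved
    trail = []
    for r in sorted(records, key=lambda rec: rec["lsn"]):
        if r["kind"] in ("INSERT", "UPDATE", "DELETE"):
            pending[r["txid"]].append(r)
        elif r["kind"] == "COMMIT":
            trail.extend(pending.pop(r["txid"], []))
        elif r["kind"] == "ROLLBACK":
            pending.pop(r["txid"], None)
    return trail, {tx: recs for tx, recs in pending.items() if recs}
```

Filtering the returned trail by `login` gives the privileged-user review the interview describes, and because the trail is built from the log rather than from the application, the DBA's direct change at LSN 5 appears alongside the application's change at LSN 2.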

Where are regulated industries vis-à-vis compliance and database monitoring today?

I’ve been spending a lot of time with customers and some of the Big Four [auditing] firms … [and] generally speaking, companies have … come up with an approach and method for becoming compliant, and what they’re generally just completing is documentation of all the controls that are needed for meeting the compliance law…

The database is the center of the world … it’s one of the big rocks that’s been turned over. … [Yet] what a lot of companies are finding out [is] we don’t really have an accurate auditing process here.

Is Sarbanes-Oxley driving database monitoring?

Sarbanes-Oxley (SOX) has thrown a lot of the fuel on the fire for us; it is looming for a very large number of companies—they have to file their first SOX 404 [internal control reporting] reports on Dec 31. [But] the Big Four auditors say, you really need to be ready in September, because we need to come [in and check]. [They’re saying] we’ll definitely find things wrong, and that gives us time to remediate things that are wrong.

Are companies going to be ready?

Let me tell you there’s a lot of work going on right now, a lot of vacations being cut short. This is probably the most important thing in a regulatory sense that’s happened since the 1930s … [Recently] there was a report, 26 companies were de-listed for the first time ever for not meeting their requirements.

There are parts of Sarbanes-Oxley implemented since 2002. One thing is timely reports. For the first time ever, the SEC exercised their ability to de-list companies. As a stockholder, if you see your company de-listed, you’re not going to have a lot of confidence in the management team.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.