In Focus - Database Access, Audit, Remediation and Recovery
This is not a new issue; discussions of securing the Db2 subsystem and its data
date back to the database's inception. What has changed over time is the
evolution of ever more sophisticated means and technologies to breach existing
protections. Originally, limiting access to the hardware (i.e., the mainframe) was
sufficient. Having Db2 provide an extra barrier to intrusion has also proven to
enhance security. However, the rise of "insider access" by rogue employees,
customers or hackers with stolen credentials has become a much more critical
security issue. Various studies published in trade journals indicate that at present
upwards of 70% of all data breaches originate from actors with "insider access".
This article discusses the needs for Db2 data security and recovery at this time.
There is no doubt that every passing day will bring a new threat, and it is essential to
be ready to prevent and recover. Prevention is the best outcome we can expect, but
when a breach does occur, it is essential to have efficient remediation procedures in place.
Auditors, DBAs, systems and application programmers are all on the front line to
deal with security, data integrity, privacy and recovery. The management and policy
issues revolving around the handling of data breaches are fodder for another time. Our
concern is with the hardworking people who must deal with the event.
If prevention prevailed, then the issue becomes one of analysis: identifying the
source and method of the attempt. This is vital because it provides proof that the
measures taken work, but it may also reveal new tactics being tested. Evolution,
whether natural or man-made, has a way of wreaking havoc at some point in time.
One interesting source that can create holes in our security wall is the software
upgrades that are produced regularly to enhance the existing systems. That is why
preventive measures need to always be on alert.
When an intrusion has occurred, it is essential to identify the nature of the intrusion.
When data has simply been extracted, all remediation activities must center on
evaluating the possible uses and impacts to be dealt with. On the other hand, when
data has been altered, it is also necessary to restore the data integrity.
One of the most cyber-secure countries, Singapore, had a serious data breach
affecting 1.5M healthcare patients, including the Prime Minister. The attack started on
June 27, 2018 but was first detected on July 4, 2018. The government described the
attack as deliberate, targeted and well planned, but assured that no medical data
had been tampered with. However, security experts warned that the compromised
financial data will probably end up for sale on the Dark Web. This is a perfect
example of a case where there is no need to restore the data integrity, but rather to address
the data access failing.
When action has been taken on the data or the Db2 subsystem, the issue is much more
time critical. For example, the Monetary Authority of Singapore (MAS) has issued an
IT security guidance document that clearly outlines the actions to be taken. It specifies
the reporting of critical events, a verified capability to restore critical systems to
operation within 4 hours, and detailed auditing requirements. It is quite comprehensive
and worth reading. The main takeaway is that not even one of the most tightly managed
societies is free from cyber attack, and that being prepared to deal with security
breaches is essential for everyone.
To deal effectively with maintaining Db2 security and integrity, it is essential to have
the necessary monitoring and surveillance tools in place at all times, running
24x7. The first basic function of these is to control, report and document all accesses
of interest. The second is to proactively impede access to specific Db2 tables when
specified filtering criteria are not met. This last function is mostly directed at
"insider access" intrusions. The main constraint on the use of monitoring and data
collection in production and in real time has always been the high hardware resources
these tools demand.
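As an added illustration (not code from this article or from any product it names), the following Python sketch models the two functions just described: every intercepted statement is recorded in an audit list, and statements against specific tables are blocked or flagged when a filtering rule is not met. The event fields, table names, program names and rules are all constructed for the example and are not Db2 or vendor identifiers.

```python
"""Added example, not code from the article or from the DBARS product.

Models the two monitoring functions described above: record every access of
interest, and impede statements against specific tables when a filtering
rule is not met. Field names, table names, programs and rules are all
constructed for the example and are not Db2 or DBARS identifiers.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SqlEvent:
    """One intercepted SQL statement (assumed shape of a captured event)."""
    user: str
    program: str      # application program or job that issued the statement
    table: str        # qualified Db2 table name, e.g. PROD.PATIENT
    operation: str    # SELECT / INSERT / UPDATE / DELETE
    rows: int         # rows read or changed by the statement
    when: datetime


@dataclass(frozen=True)
class Rule:
    """A filtering rule; a None check means 'not applied'."""
    name: str
    action: str                                   # "block" or "report"
    table_glob: str                               # fnmatch pattern on the table
    operations: FrozenSet[str]                    # statement types covered
    allowed_programs: Optional[FrozenSet[str]] = None
    hours: Optional[Tuple[int, int]] = None       # [start, end) hour window
    max_rows: Optional[int] = None                # row-count ceiling


def failures(ev: SqlEvent, r: Rule) -> List[str]:
    """Return the reasons an event fails one rule (empty if it passes or does not apply)."""
    if not fnmatch(ev.table, r.table_glob) or ev.operation not in r.operations:
        return []
    reasons = []
    if r.allowed_programs is not None and ev.program not in r.allowed_programs:
        reasons.append(f"{r.name}: program {ev.program} not permitted")
    if r.hours is not None and not (r.hours[0] <= ev.when.hour < r.hours[1]):
        reasons.append(f"{r.name}: outside hours {r.hours[0]:02d}-{r.hours[1]:02d}")
    if r.max_rows is not None and ev.rows > r.max_rows:
        reasons.append(f"{r.name}: {ev.rows} rows exceeds {r.max_rows}")
    return reasons


def process(events: List[SqlEvent], rules: List[Rule]) -> List[dict]:
    """Record every event; mark it BLOCKED, REPORTED or ALLOWED by the rules it fails."""
    audit = []
    for ev in events:
        verdict, reasons = "ALLOWED", []
        for r in rules:
            hit = failures(ev, r)
            if not hit:
                continue
            reasons.extend(hit)
            if r.action == "block":
                verdict = "BLOCKED"
            elif verdict == "ALLOWED":
                verdict = "REPORTED"
        audit.append({
            "time": ev.when.isoformat(timespec="seconds"),
            "user": ev.user, "program": ev.program, "table": ev.table,
            "op": ev.operation, "rows": ev.rows,
            "verdict": verdict, "reasons": reasons,
        })
    return audit


# Constructed rules: only two named programs may touch PATIENT tables, and only
# during business hours; any bulk read of a production table is reported.
RULES = [
    Rule("patient-pii", "block", "PROD.PATIENT*",
         frozenset({"SELECT", "UPDATE", "DELETE"}),
         allowed_programs=frozenset({"CLINAPP", "BILLBAT"}), hours=(7, 19)),
    Rule("bulk-read-report", "report", "PROD.*", frozenset({"SELECT"}),
         max_rows=500),
]

# Constructed captured events.
EVENTS = [
    SqlEvent("CLINUSR1", "CLINAPP", "PROD.PATIENT", "SELECT", 1,
             datetime(2024, 3, 4, 10, 15)),
    SqlEvent("DBA07", "SPUFI", "PROD.PATIENT", "SELECT", 150000,
             datetime(2024, 3, 4, 23, 40)),
    SqlEvent("BILLSVC", "BILLBAT", "PROD.PATIENT_BILL", "UPDATE", 2000,
             datetime(2024, 3, 4, 8, 5)),
    SqlEvent("RPTUSR", "REPORTER", "PROD.INVENTORY", "SELECT", 5000,
             datetime(2024, 3, 4, 12, 0)),
]

if __name__ == "__main__":
    for rec in process(EVENTS, RULES):
        print(rec["verdict"], rec["user"], rec["program"], rec["table"], rec["reasons"])
```

The second constructed event (an ad hoc bulk read of the patient table late at night from an unexpected program) fails the blocking rule twice and the reporting rule once, so it is blocked with all three reasons recorded; the inventory read only trips the row-count rule and is recorded as reported but allowed. Keeping the full audit record for allowed events, not just the failures, is what gives an investigator the baseline needed when a breach is later discovered.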
It is now time to discuss what features a state-of-the-art product needs to provide to be
useful; to be sure, the following list is limited to the most essential functions:
There is a solution to address this vital need. DBARS® (Database Access Recording
Services), software from ESAi & SPR, is a high-speed, low-impact solution that
intercepts all Db2 database activities, including modifications and all reads. No Db2
tracing is needed, as it can intercept all Db2 SQL statements regardless of origin. You
can use DBARS for audit reports of Db2 activity or to report events as an agent to a
SIEM tool. Further, it provides the ability to block suspicious SQL activity, giving you
the ability to prevent fraudulent access attempts based on specific parameters or
patterns.
See the Enterprise Tech Journal story by IBM Gold Consultant Craig Mullins titled
“Auditing Database Access and Change: A Necessity More Than A Nicety” at
https://mydigitalpublication.com/publication/?m=23234&i=741337&p=10&ver=html5.