This article explores the role of database activity monitoring in an overall compliance solution.
Database Activity Monitoring and Compliance
Organisations deploy DAM solutions for a number of reasons, ranging from compliance through to beefing up their overall security posture.
Increasingly, compliance laws, rules and regulations are forcing organisations to have tighter control over their data and, more importantly, have a provable audit trail that can be signed off, if necessary, by appropriate organisational officers or executives.
Sarbanes-Oxley, which has implications for organisations based in the United States or with a trading presence there, has a requirement that financial information is accurate, and a company executive will be expected to sign a statement to that effect. Although not specifically mandated, it makes sense to record database activity, especially if that data relates to financial information. Database activity monitoring will often be a useful addition to any compliance suite as it can provide a level of assurance that data usage is being monitored. For example, it could help enforce a separation of duties, preventing a DBA from viewing data they should not have access to during a database backup.
PCI-DSS, the payment card industry standards for data security, place a set of requirements on credit card merchants to protect customer credit card details. PCI-DSS is reasonably proscriptive in its requirements, and merchants that fail to comply with the regulations face fines and possible exclusion from credit card networks. Database activity monitoring would be a useful adjunct to a merchant's information security setup, as out of course access to credit card data can be detected and prevented. For example, if a user normally accesses 10 credit card numbers at a time then the database activity monitoring system could raise an alert if they should access more than this number of card details in a database query.