Database auditing is a relatively standard federal IT task. That said, it should not be taken for granted or taken lightly. Tracking which person used what sensitive data and when isn’t just a check-the-box government regulation. Database activity monitoring and privileged user auditing and tracking are critical to improving federal IT security.
As a starting point, every federal IT pro should be doing standard database auditing. For example, IT shops should be:
- Taking weekly inventory of who accessed the database, as well as other performance and capacity data
- Ensuring they receive daily, weekly, and monthly alerts through a database-monitoring tool
- Keeping daily logs of logins and permissions on all objects
- Monitoring the National Vulnerability Database (NVD), which changes daily, in order to be aware of and block constantly changing vulnerabilities
- Performing regular patching, particularly server patching against new vulnerabilities
These are just the basics. To optimize database auditing with the goal of improving IT security, there are additional core steps federal IT pros can take. The following six steps are the perfect place to start.
Step 1: Assess Inventory
You’re likely already keeping some kind of inventory. From a database auditing perspective, you should be keeping an inventory of data access. Tracking data access can help you better understand the implications of how, when, where, and by whom that data is being accessed. Keeping an inventory of your Personally Identifiable Information (PII) is the perfect example. Keeping this inventory in conjunction with your audits can help you better understand who is accessing the PII. Hopefully, you won’t find any surprises.
Step 2: Monitor Vulnerabilities
Documented vulnerabilities are being updated every day within the NIST NVD. It is critical that you monitor these on a near-constant basis. The best way to do this is to employ a tool that monitors the known-vulnerabilities database and alerts your agency when there is action to be taken. With this strategy, action can be immediate and risks are mitigated in near real-time.
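The following is an added example, not code from the original article, of the matching a vulnerability monitor performs in Step 2: take CVE records in the shape of the NVD 2.0 JSON API (the field names are as I understand that API and should be treated as an assumption), compare each record's CPE match criteria and version bounds against a software inventory, and produce one alert per affected asset, highest CVSS score first. The vendor, product names, host names, and CVE ids are placeholders constructed for the example, and the `modified_after` filter shows how a daily poll only re-examines records changed since the last check.

```python
"""Match NVD-style CVE records against a software inventory and raise the alerts
a vulnerability monitor would. Added example, not code from the original
article. The records follow the field layout of the NVD 2.0 JSON API as I know
it (treat the names as an assumption); the CVE ids, vendor, products and hosts
are placeholders constructed for the example."""

def version_tuple(v):
    """Turn '14.3' into (14, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def cpe_match_applies(match, vendor, product, version):
    """Does one cpeMatch entry cover this vendor/product/version?"""
    # cpe:2.3:<part>:<vendor>:<product>:<version>:... -> indexes 3, 4, 5
    parts = match["criteria"].split(":")
    if not match.get("vulnerable", False) or (parts[3], parts[4]) != (vendor, product):
        return False
    if parts[5] not in ("*", "-"):  # exact version written into the CPE itself
        return version_tuple(parts[5]) == version_tuple(version)
    vt = version_tuple(version)
    bounds = (("versionStartIncluding", lambda b: vt >= b), ("versionStartExcluding", lambda b: vt > b),
              ("versionEndIncluding", lambda b: vt <= b), ("versionEndExcluding", lambda b: vt < b))
    return all(ok(version_tuple(match[key])) for key, ok in bounds if key in match)

def base_score(cve):
    """Prefer CVSS v3.1, then v3.0, then v2; None when the record has no metrics yet."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return metrics[key][0]["cvssData"]["baseScore"]
    return None

def find_relevant_cves(nvd_response, inventory, modified_after=None):
    """Return one alert dict per (CVE, asset) pair, highest CVSS score first.
    Only OR nodes are evaluated; AND nodes (e.g. 'product X running on OS Y') are
    skipped rather than half-evaluated, so they need a manual look."""
    alerts, seen = [], set()
    for item in nvd_response["vulnerabilities"]:
        cve = item["cve"]
        # ISO timestamps compare correctly as strings, so "since last check" is a plain comparison.
        if modified_after and cve.get("lastModified", "") <= modified_after:
            continue
        for config in cve.get("configurations", []):
            for node in config["nodes"]:
                if node.get("operator", "OR") != "OR":
                    continue
                for match in node["cpeMatch"]:
                    for asset in inventory:
                        key = (cve["id"], asset["host"])
                        if key in seen or not cpe_match_applies(
                                match, asset["vendor"], asset["product"], asset["version"]):
                            continue
                        seen.add(key)
                        alerts.append({"cve": cve["id"], "asset": asset["host"],
                                       "product": f"{asset['product']} {asset['version']}",
                                       "score": base_score(cve)})
    return sorted(alerts, key=lambda a: -1 if a["score"] is None else a["score"], reverse=True)

# Constructed inventory and a constructed NVD-2.0-shaped response with placeholder ids.
INVENTORY = [
    {"host": "db-01", "vendor": "examplevendor", "product": "exampledb", "version": "14.3"},
    {"host": "db-02", "vendor": "examplevendor", "product": "exampledb", "version": "15.1"},
    {"host": "app-01", "vendor": "examplevendor", "product": "reportingtool", "version": "2.0"},
]
SAMPLE_NVD_RESPONSE = {"vulnerabilities": [
    {"cve": {"id": "CVE-XXXX-0001", "lastModified": "2024-03-06T14:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampledb:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "14.0", "versionEndExcluding": "14.9"}]}]}]}},
    {"cve": {"id": "CVE-XXXX-0002", "lastModified": "2024-03-01T09:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:reportingtool:2.0:*:*:*:*:*:*:*"}]}]}]}},
]}

if __name__ == "__main__":
    for a in find_relevant_cves(SAMPLE_NVD_RESPONSE, INVENTORY):
        print(f"{a['cve']} score={a['score']} affects {a['asset']} ({a['product']})")
```

Run as written, this reports the 14.3 database host against the first placeholder record and the reporting tool against the second, while the 15.1 host falls outside the version bounds and is left alone. In practice the `nvd_response` would come from a scheduled pull of the NVD API, and the inventory from Step 1, which is what makes the two steps feed each other.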
Step 3: Create Reports
This step is one that is easily overlooked. Many federal IT pros rely on database logs for most data-based audit information. Logs provide lots of information, but they may not provide the information that is relevant to security. The best way to ensure you’re getting relevant information, instead of “just logs,” is to make sure you have a tool in place that takes your logs and provides analysis. This should, ideally, be part of your database monitoring software. Your reports should tell you in an easy-to-digest format who’s using what data, from where, at what time of day, the amount of data used, etc.
Step 4: Monitor Active Directory
Since Active Directory® is itself a database, federal IT pros should consider monitoring and alerting on it to be part of the database auditing process. From a security standpoint, it’s critical to understand who is accessing what information—particularly if the person accessing certain data should not be accessing that data. With that knowledge, you can literally block data from that person’s view. This ties back to Step 1. It is critical to understand more than just who is accessing your data; you must have a clear understanding of who is accessing what, what they’re querying, which data they’re accessing, and when they’re accessing data.
Step 5: Create a Baseline
The only way to know if your data is being used incorrectly or inappropriately is to know what data usage is supposed to look like. What’s normal? If you have a tool that allows you to create a baseline of data access on a normal day, or at a particular time on any normal day, you’ll know immediately—through that tool, and its monitoring and alerting capabilities—if something is outside of that normal activity. Based on this baseline, you’ll immediately be able to research the anomaly and mitigate risk to the database and associated data.
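To show Steps 3 and 5 in working form, here is an added example that is not code from the original article. It parses database audit log lines, summarizes per user who touched which objects, from which hosts, at which hours, and how many rows (the Step 3 report), treats the same summary over a normal window as the Step 5 baseline, and flags events in a later window that fall outside it: an unknown account, a new client host, a new object, access at an unusual hour, or a row volume far beyond the account's norm. The log line format, account names, hosts, table names and row counts are all assumptions constructed for the example.

```python
"""Per-user database access summary (Step 3) and baseline anomaly flags (Step 5)
over audit log lines. Added example, not code from the original article; the
line format, accounts, hosts, objects and row counts are all constructed."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed audit line format (constructed for this example):
# <ISO timestamp> user=<login> host=<client ip> object=<schema.table> action=<verb> rows=<count>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"object=(?P<obj>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    host: str
    obj: str
    action: str
    rows: int

def parse_log(text):
    """Return (events, malformed_count); malformed lines are counted, never silently dropped."""
    events, bad = [], 0
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            bad += 1
            continue
        events.append(AccessEvent(datetime.fromisoformat(m["ts"]), m["user"], m["host"],
                                  m["obj"], m["action"], int(m["rows"])))
    return events, bad

def summarize_access(events):
    """Per user: which objects, from which hosts, at which hours, how many rows.
    Run over a normal window this is the baseline; run over today it is the report."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    summary = {}
    for user, evs in per_user.items():
        rows = [e.rows for e in evs]
        summary[user] = {
            "hosts": {e.host for e in evs}, "objects": {e.obj for e in evs},
            "hours": {e.ts.hour for e in evs}, "actions": {e.action for e in evs},
            "total_rows": sum(rows), "mean_rows": statistics.mean(rows),
            "stdev_rows": statistics.stdev(rows) if len(rows) > 1 else 0.0}
    return summary

def find_anomalies(events, baseline, z=3.0):
    """Return [(event, reason)]; one event can trigger more than one reason."""
    findings = []
    for e in events:
        b = baseline.get(e.user)
        if b is None:
            findings.append((e, "unknown user"))
            continue
        if e.host not in b["hosts"]:
            findings.append((e, "new client host"))
        if e.obj not in b["objects"]:
            findings.append((e, "new object"))
        if e.ts.hour not in b["hours"]:
            findings.append((e, "off-hours access"))
        # A constant row count gives stdev 0; floor it at 1 so the rule keeps a threshold.
        if e.rows > b["mean_rows"] + z * max(b["stdev_rows"], 1.0):
            findings.append((e, "row volume"))
    return findings

# Constructed baseline window (ordinary activity) and a later window with one malformed line.
BASELINE_LOG = """
2024-03-04T09:12:00 user=analyst1 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=20
2024-03-04T10:40:00 user=analyst1 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=30
2024-03-05T11:05:00 user=analyst1 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=30
2024-03-05T14:30:00 user=analyst1 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=40
"""
TODAY_LOG = """
2024-03-07T10:15:00 user=analyst1 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=30
2024-03-07T10:30:00 user=analyst1 host=203.0.113.7 object=hr.pii_employees action=SELECT rows=30
2024-03-07T11:00:00 user=analyst1 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=48000
2024-03-07T23:40:00 user=analyst1 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=25
2024-03-07T11:05:00 user=contractor7 host=10.1.2.3 object=hr.pii_employees action=SELECT rows=10
this line is not an audit record
"""

if __name__ == "__main__":
    base_events, _ = parse_log(BASELINE_LOG)
    today_events, malformed = parse_log(TODAY_LOG)
    print(f"{malformed} malformed line(s) skipped")
    for user, r in summarize_access(today_events).items():
        print(user, sorted(r["objects"]), sorted(r["hosts"]), sorted(r["hours"]), r["total_rows"])
    for e, reason in find_anomalies(today_events, summarize_access(base_events)):
        print(f"ALERT {reason}: {e.ts} {e.user} {e.host} {e.obj} rows={e.rows}")
```

On the constructed data, the first event of the later window looks like the baseline and is quiet; the other four each raise exactly one flag (new host, row volume, off-hours access, unknown user). The row-volume rule is a plain z-score against the baseline mean, which is crude but has the property Step 5 asks for: the threshold is derived from what normal looked like for that account, not from a fixed number chosen in advance. A real deployment would widen the baseline window, treat the hour check with some tolerance around observed hours, and feed the flags into the same alerting path the monitoring tool already uses.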
Step 6: Create One View
While it may seem that database audits are a task unto themselves, the reality is this: true database auditing involves many layers of attention. Effective database auditing is a piece of a much larger puzzle. It is certainly possible that the most critical step to improving security through database auditing is to understand its role within the larger IT environment. How do you gain this understanding? It is worth the investment to find a tool that allows federal IT pros to see database audit information within the context of the greater infrastructure. Application and server monitoring should work in conjunction with database monitoring.
There is one final step that may help even further: monitor the monitor. Particularly from an IT security standpoint, there should never be a single point of failure when performing database audits—whether that point is a tool or a person. Make sure you’ve got secondary checks and balances in place so no single tool or person has all the information, access, or control.