not adopt a framework based on segregation of duties, then it is worthless and not compliant with the regulation.

When mapping to database security and auditing, segregation of duties implies that auditing should be defined and performed by people other than those who work within the database every day. By definition this means that developers and DBAs should not be responsible for defining the audit trails, should not be monitoring the audit trails and audit results, and certainly should not be able to modify the results or the monitoring definitions.

A DBA should not be able to change an audit trail. This almost immediately means that using the built-in database auditing features is questionable and that if you do decide to use these features, you will have to put many checks and balances in place. Alternately, you can choose to use an external system that maintains an independent audit trail. These systems tend to have a security orientation and preserve an audit trail that cannot be modified, has nonrepudiation attributes, can be used for investigations, and can have a different owner. This approach not only complies far better with regulations, but it also removes some of the work that the DBA needs to do (since the DBA is usually overburdened with other tasks and views auditing as the least important task).
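The property described above, an audit trail that a DBA can read but cannot silently alter, can be illustrated with a small hash-chained, HMAC-protected log. The following is an added example, not code from the book; it assumes a constructed key held by the audit owner rather than the DBA, and constructed sample events. Each record is chained to the previous record's MAC, so editing, reordering or deleting a record breaks verification at that point, and comparing the last MAC against a head value the owner stores separately catches truncation of the tail.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain start marker for the first record


def _canonical(record):
    """Serialize a record deterministically so the MAC is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_record(chain, key, record):
    """Append a record, MACing it together with the previous record's MAC.

    The key is held by the audit owner (constructed assumption), so someone
    who can edit the file but lacks the key cannot produce a valid MAC.
    """
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, (prev + _canonical(record)).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "record": record, "mac": mac})
    return mac


def verify_chain(chain, key, expected_head=None):
    """Walk the chain and return (ok, index_of_first_bad_entry_or_None).

    expected_head is the last MAC the owner recorded out of band; supplying it
    detects removal of trailing records, which the chain alone cannot reveal.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, (prev + _canonical(entry["record"])).encode(),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # chain was truncated after the last valid entry
    return True, None


def demo():
    """Constructed scenario: log three DBA-visible events, then alter one."""
    key = b"audit-owner-key-not-shared-with-dba"  # constructed placeholder key
    chain = []
    events = [  # constructed sample events
        {"ts": "2024-01-01T10:00:00Z", "user": "dba1", "stmt": "ALTER TABLE payroll ADD bonus INT"},
        {"ts": "2024-01-01T10:05:00Z", "user": "app", "stmt": "UPDATE payroll SET bonus=500 WHERE emp=42"},
        {"ts": "2024-01-01T10:06:00Z", "user": "dba1", "stmt": "DELETE FROM audit_tmp"},
    ]
    for e in events:
        append_record(chain, key, e)
    head = chain[-1]["mac"]
    ok_before, _ = verify_chain(chain, key, head)
    # Someone with write access to the file rewrites who ran the UPDATE.
    chain[1]["record"]["user"] = "someone_else"
    ok_after, bad_index = verify_chain(chain, key, head)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

In practice the log would be written by a separate process or appliance, the key (or a signing key, for stronger nonrepudiation) would live with the audit owner, and the head MAC would be published to that owner periodically; the DBA would still be able to read the trail for operational work but not change it without detection.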
11.5 Implement a sustainable solution
The need for good security and auditing is certainly felt today, but it will become even more prominent in the next few years. Environments are not becoming simpler; instead, they are becoming increasingly more complex. Regulations, too, are not a passing fad and are here to stay for the long run. Complying with all of these policies, whether they are driven by a regulation or by internal best practices, is a need and a requirement that will persist. Therefore, when you are thinking about how and what you implement, you must address the question of whether what you are doing is sustainable for the long run. When you implement a solution for addressing SOX, GLBA, or any of the other regulations, think of it as something that you will need to perform every year, possibly multiple times during a year, and sometimes even throughout the year. It makes sense to work hard one time to put a system in place that will remove much of the headache for the years to come; it does not make too much sense to solve the problem now through a lot of work and have to do it all over again three months from now.

Sustainability means a few things. First, you need to use tools that will do most of the work for you. You really don't want to sift through endless