Tracking Oracle Database Access for Regulatory ComplianceApr 9, 2015 / Posted By:Robert Buda
Data stored in corporate databases is subject to increasing regulatory scrutiny. To ensure compliance with security guidelines in major regulations like SOX, PCI, HIPAA and FISMA, you need to implement controls not only to protect data from unauthorized access, but also to monitor and report on access when it occurs.
This capability, usually referred to as data access auditing, enables you to produce an audit trail regarding reads and writes to your Oracle database data. An audit trail can tell you after the fact what database objects were acted upon, who acted upon them, and when the action(s) occurred. Taken together, this data creates a state of non-repudiation, whereby a user cannot effectively deny that they performed the action in question.
Without this kind of comprehensive data, there’s no way you can effectively detect and deal with vulnerabilities or breaches related to your Oracle data, or pass a security audit (e.g., for ISO 27001 certification). You also can’t comply with regulations.
For example, the PCI Data Security Standard (PCI DSS) emphasizes the need to track access to cardholder data in real-time. PCI Requirement 10, in particular, requires companies to Track and monitor all access to network resources and cardholder data. Data access tracking is critical both for alerting and for analysis anytime there’s a concern. Without data access tracking there’s no hope.
HIPAA likewise mandates that Covered Entities and Business Associates be prepared to deliver an accounting of every time a patient record was viewed, let alone altered. Can you do that? If not, you might end up like the UCLA Health System, which paid a $865,500 fine for potential HIPAA violations after celebrity patients alleged that UCLAHS staff were looking at their protected health information (PHI) without permissible reason.
If you’re still not convinced, consider SOX Section 302.4.B – Establish verifiable controls to track data access. SOX mandates internal controls over all relevant data so that officers of public companies can’t plausibly deny that they are aware of, and in control of, changes.
So that’s the bad news: if you don’t have some kind of database auditing software in place for your Oracle data, you probably need it. The good news is that robust data auditing software, when properly configured and enabled for your environment, can reliably and comprehensively track the usage of your Oracle database resources. Then you can analyze and report on audit trail data anytime to respond to questions like, “When were Jane Smith’s payment account details last accessed?” or “Who changed Joe Jones’ appointment time?” Having a solid answer in a legal or regulatory context sure beats excuses…
But implementing database auditing can be tricky. Issues include what levels within the database to audit (database level, object level, user level), managing performance impacts, and storing the audit data efficiently and securely while keeping it accessible for reporting.
To provide database auditing for its customers, Oracle offers Oracle Audit Vault and Database Firewall, a unified solution that monitors database activity, provides the full spectrum of audit capabilities for compliance reporting and also detects and blocks unauthorized database activity like SQL injection attacks. There’s also Oracle Database Vault, which supports separation of duties and privileged user access controls. Oracle Database 12c (and older versions) also offer a range of security and compliance supports that complement database audit logs.
Do you have questions or concerns regarding your organization’s ability to track Oracle database access for compliance purposes? Contact Buda Consulting to discuss your environment and your needs.