Bài giảng Bảo mật CSDL - Chap 7: Database Auditing Models

Database Security and Auditing: Protecting Data Integrity and AccessibilityChapter 7 Database Auditing ModelsDatabase Security and Auditing2ObjectivesGain an overview of auditing fundamentalsUnderstand the database auditing environmentCreate a flowchart of the auditing processList the basic objectives of an auditDatabase Security and Auditing3Objectives (continued) Define the differences between auditing classifications and typesList the benefits and side effects of an auditCreate your own auditing modelsDatabase Security and Auditing4Auditing OverviewAudit examines: documentation that reflects (from business or individuals); actions, practices, conductAudit measures: compliance to policies, procedures, processes and lawsDatabase Security and Auditing5DefinitionsAudit/auditing: process of examining and validating documents, data, processes, procedures, systemsAudit log: document that contains all activities that are being audited ordered in a chronological mannerAudit objectives: set of business rules, system controls, government regulations, or security policiesDatabase Security and Auditing6Definitions (continued)Auditor: person authorized to auditAudit procedure: set of instructions for the auditing processAudit report: document that contains the audit findingsAudit trail: chronological record of document changes, data changes, system activities, or operational eventsDatabase Security and Auditing7Definitions (continued)Data audit: chronological record of data changes stored in log file or database table objectDatabase auditing: chronological record of database activitiesInternal auditing: examination of activities conducted by staff members of the audited organizationExternal auditingDatabase Security and Auditing8Auditing ActivitiesEvaluate the effectiveness and adequacy of the audited entityAscertain and review the reliability and integrity of the audited entityEnsure the organization complies with policies, procedures, regulations, laws, and standards of the government and the industryEstablish plans, policies, and procedures for conducting auditsDatabase Security and Auditing9Auditing Activities (continued)Keep abreast of all changes to audited entityKeep abreast of updates and new audit regulations Provide all audit details to all company employees involved in the auditPublish audit guidelines and proceduresAct as liaison between the company and the external audit teamDatabase Security and Auditing10Auditing Activities (continued)Act as a consultant to architects, developers, and business analystsOrganize and conduct internal auditsEnsure all contractual items are met by the organization being auditedIdentify the audit types that will be usedDatabase Security and Auditing11Auditing Activities (continued)Identify security issues that must be addressedProvide consultation to the Legal DepartmentDatabase Security and Auditing12Auditing EnvironmentAuditing examples:Financial auditingSecurity auditingAudit also measures compliance with government regulations and lawsAudits take place in an environment:Auditing environmentDatabase auditing environmentDatabase Security and Auditing13Auditing Environment (continued)Components:Objectives: an audit without a set of objectives is uselessProcedures: step-by-step instructions and tasksPeople: auditor, employees, managersAudited entities: people, documents, processes, systemsDatabase Security and Auditing14Auditing Environment (continued)Database Security and Auditing15Auditing Environment (continued)Database Security and Auditing16Auditing Environment (continued)Database auditing environment differs slightly from generic auditing environmentSecurity measures are inseparable from auditingDatabase Security and Auditing17Auditing ProcessQuality Assurance (QA):Ensure system is bug free and functioning according to its specificationsEnsure product is not defective as it is being producedAuditing process: ensures that the system is working and complies with the policies, regulations and lawsDatabase Security and Auditing18Auditing Process (continued)Performance monitoring: observes if there is degradation in performance at various operation timesAuditing process flow:System development life cycleAuditing process:Understand the objectivesReview, verify, and validate the systemDocument the resultsDatabase Security and Auditing19Auditing Process (continued)Database Security and Auditing20Auditing Process (continued)Database Security and Auditing21Auditing ObjectivesPart of the development process of the entity to be auditedReasons:ComplyingInformingPlanningExecutingDatabase Security and Auditing22Auditing Objectives (continued)Top ten database auditing objectives:Data integrityApplication users and rolesData confidentialityAccess controlData changesDatabase Security and Auditing23Auditing Objectives (continued)Top ten database auditing objectives (continued):Data structure changesDatabase or application availabilityChange controlPhysical accessAuditing reportsDatabase Security and Auditing24Auditing Classifications and TypesIndustry and business sectors use different classifications of auditsEach classification can differ from business to businessAudit classifications: also referred as typesAudit types: also referred as purposesDatabase Security and Auditing25Audit ClassificationsInternal audit:Conducted by a staff member of the company being auditedPurpose:Verify that all auditing objectives are metInvestigate a situation prompted by an internal event or incidentInvestigate a situation prompted by an external requestDatabase Security and Auditing26Audit Classifications (continued)External audit:Conducted by a party outside the company that is being auditedPurpose:Investigate the financial or operational state of the companyVerify that all auditing objectives are metDatabase Security and Auditing27Audit Classifications (continued)Automatic audit:Prompted and performed automatically (without human intervention)Used mainly for systems and database systemsAdministrators read and interpret reports; inference engine or artificial intelligenceManual audit: performed completely by humansHybrid auditDatabase Security and Auditing28Audit TypesFinancial audit: ensures that all financial transactions are accounted for and comply with the lawSecurity audit: evaluates if the system is as secureCompliance audit: system complies with industry standards, government regulations, or partner and client policiesDatabase Security and Auditing29Audit Types (continued)Operational audit: verifies if an operation is working according to the policies of the companyInvestigative audit: performed in response to an event, request, threat, or incident to verify integrity of the systemProduct audit: performed to ensure that the product complies with industry standardsDatabase Security and Auditing30Benefits and Side Effects of AuditingBenefits:Enforces company policies and government regulations and lawsLowers the incidence of security violationsIdentifies security gaps and vulnerabilitiesProvides an audit trail of activitiesProvides means to observe and evaluate operations of the audited entityDatabase Security and Auditing31Benefits and Side Effects of Auditing (continued)Benefits (continued):Provides a sense of security and confidenceIdentifies or removes doubtsMakes the organization more accountableDevelops controls that can be used for purposes other than auditingDatabase Security and Auditing32Benefits and Side Effects of Auditing (continued)Side effects:Performance problemsToo many reports and documents Disruption to the operations of the audited entityConsumption of resources, and added costs from downtimeFriction between operators and auditorSame from a database perspectiveDatabase Security and Auditing33Auditing ModelsCan be implemented with built-in features or your own mechanismInformation recorded:State of the object before the action was takenDescription of the action that was performedName of the user who performed the actionDatabase Security and Auditing34Auditing Models (continued)Database Security and Auditing35Simple Auditing Model 1Easy to understand and developRegisters audited entities in the audit model repositoryChronologically tracks activities performedEntities: user, table, or columnActivities: DML transaction or logon and off timesDatabase Security and Auditing36Simple Auditing Model 1 (continued)Database Security and Auditing37Simple Auditing Model 1 (continued)Control columns:Placeholder for data inserted automatically when a record is created or updated (date and time record was created and updated)Can be distinguished with a CTL prefixDatabase Security and Auditing38Simple Auditing Model 1 (continued)Database Security and Auditing39Simple Auditing Model 2Only stores the column value changesThere is a purging and archiving mechanism; reduces the amount of data storedDoes not register an action that was performed on the dataIdeal for auditing a column or two of a tableDatabase Security and Auditing40Simple Auditing Model 2 (continued)Database Security and Auditing41Advanced Auditing ModelCalled “advanced” because of its flexibilityRepository is more complexRegisters all entities: fine grained auditing levelCan handle users, actions, tables, columnsDatabase Security and Auditing42Advanced Auditing Model (continued)Database Security and Auditing43Advanced Auditing Model (continued)Database Security and Auditing44Historical Data ModelUsed when a record of the whole row is requiredTypically used in most financial applicationsDatabase Security and Auditing45Historical Data Model (continued)Database Security and Auditing46Auditing Applications Actions ModelDatabase Security and Auditing47C2 SecurityGiven to Microsoft SQL Server 2000Utilizes DACLs (discretionary access control lists) for security and audit activitiesRequirements:Server must be configured as a C2 systemWindows Integrated Authentication is supportedSQL native security is not supportedOnly transactional replication is supportedDatabase Security and Auditing48SummaryAudit examines, verifies and validates documents, procedures, processesAuditing environment consists of objectives, procedures, people, and audited entitiesAudit makes sure that the system is working and complies with the policies, standards, regulations, and lawsAuditing objectives established during development phaseDatabase Security and Auditing49Summary (continued)Objectives: compliance, informing, planning, and executingClassifications: internal, external, automatic, manual, hybridModels: Simple Auditing 1, Simple Auditing 2, Advanced Auditing, Historical Data, Auditing Applications, C2 Security