Guardium for Mainframes Database Auditing Solutions
Glossary: Database Activity Monitoring
A
agent
Lightweight software component installed as part of a DAM solution on a
monitored database system. The agent monitors database activity on the
server and collects or reports to an aggregation or central DAM server.
Local agent monitoring gives excellent audit results, and the better
DAM solutions use negligible resources on the database server. An
agent may also be called a collector or a monitor.
aggregation
The collection of database activity information from multiple
monitored DBMS systems. Aggregated data is then available for unified
analysis and reporting.
alert
Notification of a potential security incident detected by the DAM
solution. Alerts are events that may trigger email notification as well
as workflows in an integrated incident management tool or in a service
desk solution.
anomaly
A database transaction or other activity that deviates from an
established pattern of normal, routine activity. Anomalies are detected
in various ways, but may include defining or establishing baseline
activity patterns, rules, thresholds, confidence level parameters, and
a continuous refinement process. See also exception.
application policy
A database audit policy configured to monitor transactions for a
specific enterprise application. Some DAM solutions include pre-built
policies for monitoring database activity generated by ERP applications
like SAP, PeopleSoft, or JD Edwards and common CRM applications like
Siebel, among others.
B
block
Preventive action taken by a database activity monitoring solution to
stop a database transaction that violates an audit policy from ever
taking place. When the DAM solution detects a policy violation
occurring on an audited database system, it can either block the
transaction from being passed to the DBMS or it can force the DBMS to
roll back the data prior to a COMMIT. An alternative to automated
blocking is to handle policy violations via alerts, although response
times will likely be unacceptable for some real-time applications and
the focus may shift more towards damage mitigation rather than
prevention.
breach disclosure
Public notification that private data was compromised. Disclosure may
take any of several forms, including direct notification to affected
parties by mail, phone, or email, press releases to the media, and/or
statements on public web sites. Breach disclosure is mandated by
various state and federal laws (more than 40 state laws impose breach
disclosure requirements).
C
collector
See agent.
compliance
Practice of adhering to legal or contractual requirements. Corporate
governance laws, such as Sarbanes-Oxley (SOX), or privacy laws, such as
the Health Insurance Portability and Accountability Act (HIPAA), may
require changes in IT environments. These changes may entail
implementing a DAM solution to secure databases from unauthorized
access, maintain privacy of confidential information, and prevent
breaches resulting in identity theft. Information about specific laws
regulating IT professionals is available from websites such as The
Compliance Authority.
compliance policy
A database monitoring policy specifically intended to address the legal
requirements of specific federal or state laws and pass regulatory
audits. Compliance policies are most common for SOX, HIPAA, PCI, and
Basel II.
connection pool
Technique used by some enterprise applications to increase performance
by reducing the time needed to establish and release database
connections. A group of connections is initialized and managed by the
application, and transactions share the pre-established database
connections from the pool as needed. Database activity monitoring
solutions must audit database activities performed via legitimate
applications and should strive to identify the end user, although some
applications mask user identities behind the pooled connection,
creating challenges for the database auditor.
content-based policy
A set of rules for analyzing database activity to identify potentially
sensitive information. A content-based policy will define the format of
sensitive information such as account numbers or social security
numbers and look for their use in unapproved and potentially unsecured
databases.
Control Objectives for Information and Related Technology (COBIT)
COBIT is an IT framework that provides best practices, metrics, and
indicators to promote IT governance and corporate oversight. The
activity monitoring and automated workflows of a DAM solution fit well
in an enterprise that has adopted a COBIT framework.
correlation
DAM technique of relating and associating multiple database activity
events using patterns, baselines, calculated statistics, and profiles.
Through correlation, activity patterns can be established and anomalies
or exceptions detected.
D
data dictionary
A central catalog or repository of information about data and its
structure, that is, a metadata database that stores information about
data elements, locations, and organization.
data leak prevention (DLP)
Feature of some DAM solutions in which sensitive data is prevented from
being passed outside the enterprise. Techniques used in DLP include
recognition and classification of sensitive data and mechanisms for
blocking transmission of data through email or blocking copying of
sensitive data to portable media like CDs or USB flash drives.
Dedicated DLP solutions may provide different or more extensive feature
sets than DLP features embedded in DAM solutions.
database activity monitoring (DAM)
Security software solutions and practices for monitoring database
connections and transactions so as to identify suspicious or
non-routine access, changes, or other risks to the data. Database
activity monitoring solutions from different vendors have various
strengths and weaknesses, but the core capabilities defining a DAM
solution include: auditing all database activity outside of the
monitored DBMS, storing all audit trace data outside the monitored
DBMS, aggregating audit data from multiple monitored DBMS servers,
enforcing separation of duties and monitoring privileged users (such as
DBAs), and generating alerts in real-time. These products are also
referred to as enterprise database auditing solutions.
database administrator (DBA)
A privileged user who maintains a database and can grant access rights,
change schemas, and alter and delete any object in the database. Every
database activity monitoring solution should be capable of auditing
actions taken by privileged users such as DBAs.
database auditing
See database activity monitoring.
DB2
Relational database management system from IBM, commonly used with
enterprise business applications.
disclosure
See breach disclosure.
discovery
Automatic location and identification of data resources in an IT
environment that have not previously been registered or configured for
activity monitoring. Many breaches involve data residing on servers or
DBMSs of which a business data owner was previously unaware.
E
encryption
Process of transforming information from a readable to an unreadable
form by means of an algorithm. Encryption maintains the confidentiality
of information and can be used in place of a DAM solution in complying
with some data security standards, although a stronger approach is to
use DAM to protect against misuse of authorized insider access, with
encryption used as a safety net to protect confidentiality even in the
event of data leakage or breach.
enterprise solution
A software application that can be used throughout an organization,
crossing geographical and technological boundaries. DAM solutions are
generally enterprise solutions that can monitor geographically
dispersed heterogeneous DBMSs, accessed and supported by a range of
third-party and in-house applications, across a variety of operating
systems. The DAM solution aggregates and manages the audit data for the
entire organization, regardless of location or platform.
exception
A policy violation or technical fault that occurs during a database
activity. Exceptions should be logged and trigger an alert. See also anomaly.
external threat
Risk of data loss or damage posed by a hacker or unknown malicious
source (including viruses or trojans). External threats are handled by
a layered security approach that includes a firewall, strong
authentication methods, well-patched servers, and good database
activity monitoring software. Data loss from external threats can often
be prevented altogether through automated actions taken by the DAM
solution, or effectively mitigated by alerts and quick response by the
IT staff.
F
field
A unit of information in a database, typically one column of a table in
a relational database. A field is often the smallest object in a
database that will be monitored by a DAM solution.
G
grant
Database access privileges that allow a user or group to work with a
database. A DAM solution will monitor grants to sensitive data
resources.
group
A logical set of database access rights and privileges. A user who is a
member of the group is then granted the access entitlements defined by
the group (such as the ability to read or write to a sensitive
database).
H
Health Insurance Portability and Accountability Act (HIPAA)
U.S. law (P.L. 104-191) enacted in 1996 to protect health insurance
coverage for workers and their families. Provisions of the act
encourage electronic interchange of health care transaction data, but
also contain requirements for safeguarding and protecting private
identity and medical data. Database access monitoring can include
policies that limit access to private data and provide administrative
oversight workflows in compliance with HIPAA's Security Rule.
heuristic
A complex logical approach to determining normal database activity and
spotting anomalies that may be suspicious events requiring
investigation. A heuristic generally relies on a baseline activity
dataset, developed over time, coupled with rules, fuzzy logic, and
flexible thresholds. These elements require tuning to reduce the
incidence of false positive alerts and the DAM solution should be
expected to achieve best results over time.
I
IMS
Hierarchical database management system produced by IBM, commonly used
in very large enterprises for business-critical transaction systems and
data stores.
incident
A policy violation or exception that must be investigated and resolved.
The incident is a discrete workflow with assigned tasks and responsible
parties, severity assessments, and status indicators. Incidents are
tracked until closed and rules can be implemented for tracking,
reporting, and escalating incidents.
internal threat
Risks posed to a database by a known, trusted user with legitimate user
identity and access rights. Internal threats include risks posed by
privileged users, employees leaking private data, and contractors
misusing confidential information. Internal threats can be discovered,
and losses prevented or mitigated, with a good database activity
monitoring solution.
IT Infrastructure Library (ITIL)
Framework of IT best practices for service management. The framework
promotes service delivery and management, and is oriented towards
assuring SLAs are met. The activity monitoring and automated workflows
of a DAM solution fit well in an enterprise that has adopted an ITIL
framework, and many DAM solutions integrate with common service desk
solutions so that incidents can be managed within existing ITIL
frameworks.
L
log monitoring
DAM technique of collecting information about database activity from
DBMS logs. This is sometimes a fast and easy way to obtain some
information about database transactions, but data recorded in logs is
often incomplete and may not be available, collected, and analyzed fast
enough to meet the requirements of real-time alert generation and
incident response.
M
monitor
Automated process of continuously analyzing database activity to detect
anomalies and exceptions that may indicate a security incident. A
software agent on a monitored database system may also sometimes be
called a monitor. Database activity monitoring is also referred to as
database auditing.
N
network monitoring
DAM technique in which network traffic is monitored for inbound and/or
outbound SQL activity. Some DAM vendors claim wide platform support
because they use network monitoring techniques, but a good auditor will
catch the fact that network monitoring alone means that all database
activities occurring on the DBMS server itself are overlooked. An agent
on the DBMS server is required for complete monitoring of a platform.
O
Oracle
Relational database management system commonly used with enterprise
business applications.
P
Payment Card Industry Data Security Standard (PCI-DSS)
Common set of data security requirements observed by merchants and
banks. Database activity monitoring is often a critical component of
PCI-DSS compliance because it consistently audits database transaction
activities and, using heuristic policies together with automated
workflows, can detect, prevent, and mitigate identity theft and fraud
losses.
policy
Set of rules used by the DAM solution in monitoring a database system:
the policy defines normal, allowable activities and/or abnormal,
suspicious activities and will define how the DAM solution reacts to
each type of event, for example, whether to trigger an alert
and/or take preventive action such as blocking a transaction or denying
access. Activities are defined in terms of users, groups, sources,
destinations, activity types, times and dates, and other parameters.
The DAM solution will often provide policy creation tools including
interactive forms or wizards.
privileged user
A trusted database user, such as a DBA or SYSADMIN, who has wide
latitude and extensive rights and privileges to perform operations and
access resources that most users of a system cannot use. Privileged
users often have blanket rights and access to everything in an IT
organization because of the nature of their jobs. A database activity
monitoring solution does not interfere with a privileged user's
elevated rights, but will record and analyze them, and trigger
incidents in the event of abuse. Without database auditing,
privileged users pose a significant known risk and a potential problem
in passing a security audit.
R
remote monitoring
A DAM solution that monitors a DBMS without an agent on the DBMS
server. This normally requires native trace functions to be turned on,
which may impact database performance to the point that significant
degradation in normal business operations occurs. Remote monitoring may
also require configuration changes and escalated privileges, both of
which may be unpalatable in some enterprises. See also network monitoring and agent.
report
Periodic summary of database activity monitoring activities and results
from the DAM solution. These reports may take multiple forms such as
summary or detail, be oriented towards different stakeholders, and be
geared to specific purposes, such as regulatory compliance.
role
A logical set of rights and privileges in a DAM solution, based on
segregated responsibilities and duties. A user who is assigned a role
is then granted access to product features and configuration options
necessary to fulfill the role.
S
Sarbanes-Oxley Act of 2002 (SOX)
A United States federal law that requires corporations to exert greater
corporate oversight with standard accounting and auditing practices.
The formal name of the law is the Public Company Accounting Reform and
Investor Protection Act of 2002 (P.L. 107-204). Section 404 of the law
most directly impacts information technology professionals, who can
achieve SOX compliance by using database auditing solutions to monitor
activity and establish safeguards to ensure data integrity and protect
against unauthorized access.
scalability
The ability of a database or application to expand to meet the changing
demands of a growing enterprise. Some database auditing solutions may
use a client-server architecture with a single central server, but most
use a flexible hierarchical architecture that enables them to add
aggregation appliances to handle a virtually limitless number of DBMS
server-based agents.
security information and event management (SIEM)
Technology solutions and processes for analyzing external and internal
threats to an enterprise IT environment. SIEM solutions may include
some elements of DAM solutions, but may not include real-time SQL
monitoring, DBMS server-based monitoring agents, or DBA activity
monitoring.
segregation of duties
Control mechanism to ensure that one person does not have both
operational and oversight control of the database. For example, the IT
and/or database auditor should be independent of the DBA. DAM solutions
enforce segregation of duties by removing audit control and audit trail
data from the DBMS so that a DBA cannot suspend monitoring or alter
audit trails. See also role.
sensitivity
A risk assessment valuation of a data resource. Sensitive data may be
data that carries an expectation of privacy, that contains company
confidential or trade secret information, that contains intellectual
property, or data that the company otherwise deems to be inappropriate
for public access. Sensitive databases include financial data, personal
customer or employee data, and anything covered by privacy laws and
regulations.
severity
Assessment of the degree of risk placed on the organization as a result
of an incident. Severity is most commonly assessed as low, medium, or
high.
SQL transactions
Database activities done using Structured Query Language calls,
typically referred to as SQL statements. DAM solutions monitor SQL
statements, looking for possible mutations of expected calls or
trivially true conditions that could indicate a SQL injection attack.
DAM solutions should be capable of monitoring and recording all types
of SQL transactions, including DML, DDL, DCL, and TCL.
U
UNIX
Operating system originally developed by AT&T, but now widely
available in different variations. Database and application vendors
widely support UNIX flavors such as Solaris from Sun Microsystems,
HP-UX from Hewlett-Packard, and AIX from IBM.
V
vulnerability assessment
Feature in some DAM solutions which analyzes and provides a report on
the state of database security. Vulnerability assessment features may
vary by vendor, but some can assess whether security patches have been
applied to database servers to plug known vulnerabilities, and some may
evaluate user entitlements (rights and privileges) to produce an
identity audit report (although more comprehensive identity audit
solutions exist and may be more suitable to passing a rigorous security
audit).
W
workflow
Defined sequence of tasks that must be completed to accomplish a goal.
Workflows may be created for routine review and approval of audit
reports, or a workflow may establish how incidents, such as data
breaches, are assigned, assessed, investigated, and resolved.
Z
z/OS
Operating system used on IBM mainframe systems. Widely used in large
data centers, particularly those requiring fast throughput at high
transaction rates.
About the Database Activity Monitoring Glossary
This glossary was developed by NEON Enterprise Software. It defines
common terminology used in securing and auditing
enterprise databases with Database Activity Monitoring (DAM) solutions.
NEON Enterprise Software is a technology partner with Guardium, the
leading solution in DAM, according to Forrester and Gartner reports.
NEON develops database auditing technology for DBMSs in data centers
running IBM mainframe servers. This glossary, however, reflects common
industry usage and concepts: it does not reflect NEON nor Guardium
specific usage.
Learn more about how Guardium for Mainframes can monitor your DB2
databases on z/OS to secure your data and pass the audit.

For more information about Guardium for Mainframes, please call
1.888.338.6366 or email us.