PCI, HIPAA, SOX: Is Compliance the Tail Wagging the Dog?
Dec 18, 2006 4:00 AM PT
As the sensitive financial and identity data in corporate databases becomes increasingly valuable on the black market, mandates such as PCI, SOX and HIPAA are requiring businesses to protect, track, and control all access to and usage of sensitive information. This is forcing an evolutionary shift in security from protecting against data theft to ensuring comprehensive control over all data access and usage.
To meet the wide array of regulatory requirements, security and compliance teams within organizations must work together.
Narrowing the Gap
PCI, SOX, HIPAA, and other mandates are narrowing the gap between security and compliance. The PCI Data Security Standard 1.1 released in September 2006 requires businesses to implement specific tools to protect and control sensitive data. Compliance is becoming less a matter of passive auditing and reporting, and more an exercise in data security.
Think about the number of regulatory requirements that affect your business. Chances are you are expected to comply with more than one, and each mandate has its own set of complicated, costly, and time-consuming demands.
Addressing these multiple compliance initiatives strains IT resources and creates redundancies in business processes within an organization. Furthermore, the high degree of specialization among security and compliance vendors exacerbates the challenge of finding a solution that works across multiple mandates.
At its core, every compliance initiative requires your business to monitor and control access to sensitive data, and provide reports to substantiate compliance with the given regulation. Logically, a single infrastructure should be able to meet the demands of multiple mandates.
Maintaining a Gateway to the Data
Fortunately, in response to the convergence of compliance and security initiatives, a new class of product has emerged: the database gateway or database firewall appliance.
This product class addresses the fundamental challenges IT departments face when they need to achieve the security objectives and produce the tailored reports to satisfy compliance auditors. These appliances are designed to do the heavy lifting, including report generation, for mandates such as PCI, SOX and HIPAA.
A database gateway not only automates the necessary business processes required to address multiple compliance initiatives, but also hardens security to protect sensitive data against evolving threats associated with Web-based transaction environments.
Essentially, a database gateway or database firewall provides security for and control over sensitive data stored in databases and accessed via Web applications or through direct access to the database. It enables the monitoring and control of all database transactions, thereby protecting all access to sensitive data.
A number of vendors offer this type of product, each using a slightly different approach. Some require quite a bit of custom code writing and ongoing administration, and others provide more automation.
Some are deployed as agents on the database server itself, others as network appliances. Some sit inline between the application and the database, some passively sniff database traffic, some read the database's own audit logs, and a few offer more than one of these deployment options.
As you explore your options, you may want to look for products that offer the following baseline capabilities:
- Ability to identify unique Web users and correlate their identity with specific database transactions -- Several mandates require auditing of user activity. This technology is critical to implementing audit controls and to ensure that sensitive data doesn't fall into the wrong hands.
- Ability to enforce requirements for separation of duties -- If a business is subject to SOX compliance, look for a gateway product that does not depend on the database administrator (DBA) in order to operate, and whose audit trail the DBA cannot alter. Look for a product that tracks and logs the DBA's console access as well as application traffic. SOX and other regulations require monitoring of DBA activity to ensure that it is consistent with organizational policies and controls.
- Ability to operate without IT infrastructure impact -- Some products degrade database performance. Others require special coding to applications and databases upon installation, and more coding with subsequent changes to applications and databases. In organizations where communication between application development teams and DBAs is a challenge, this type of product could introduce change control issues.
- Ability to automate security policies and adapt to legitimate changes within applications and databases -- This type of feature saves a business a significant amount of time and effort, as it removes the need for manual tuning as changes are made to applications and databases.
- Ability to issue compliance reports across several mandates and regulations -- In order to ensure that your investment in a database gateway product saves time and eliminates redundancies, make sure that you can use it to meet the demands of more than one mandate.
Best in Class Characteristics
A best in class database gateway or database firewall product would provide automation of the full compliance lifecycle, including assessment, policy setting, monitoring and enforcing, and measurement. This type of product would handle the stringent requirements across multiple compliance mandates.
The assessment mechanism should analyze systems configuration, locate inherent security risks, and map data usage to show where sensitive data lives in the enterprise. It should track which users access the data, and know what mechanisms are used to access the data.
Ideally, this process is automated and can be run against different databases within the data center, regardless of vendor type, version, etc. The reports should also identify best practice violations pertaining to security and compliance.
There should be a mechanism to set policies and actions that enforce data usage controls. At a minimum, this would be a combination of out of the box and manually customizable policies. Ideally, the product should have the ability to automatically learn policies. This capability greatly eases the rollout and ongoing management and operation of the database gateway.
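What "automatically learning policies" looks like in practice, as an added example written for this page (it is not Imperva's product or any vendor's implementation): the gateway reduces each statement to a structural template, records the templates each database account issues during a learning period, and afterwards blocks statements whose template was never seen for that account. The account names, the sample statements, and the normalisation rules are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not captured from any real system). Each
# record is (database account the application connects as, SQL text).
LEARNING_TRAFFIC = [
    ("webapp", "SELECT name, last4 FROM cards WHERE customer_id = 42"),
    ("webapp", "SELECT name, last4 FROM cards WHERE customer_id = 1007"),
    ("webapp", "UPDATE orders SET status = 'shipped' WHERE id = 9"),
    ("webapp", "SELECT id FROM orders WHERE id IN (3, 4, 5)"),
    ("report", "SELECT COUNT(*) FROM orders WHERE created > '2006-11-01'"),
]

_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_LIST = re.compile(r"\(\s*\?(?:\s*,\s*\?)*\s*\)")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its structural template: string and numeric
    literals become '?', IN-lists of any length collapse to '(?)',
    whitespace is normalised and the text upper-cased. Two statements
    with the same template differ only in the data values they carry."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    s = re.sub(r"\s+", " ", s).strip().upper()
    s = _LIST.sub("(?)", s)
    return s


def learn(traffic):
    """Learning phase: build the per-account allowlist of templates seen
    during a period assumed to contain only legitimate application use."""
    policy = defaultdict(set)
    for account, sql in traffic:
        policy[account].add(fingerprint(sql))
    return policy


def enforce(policy, account, sql):
    """Enforcement phase: a statement passes only if its template was
    learned for this account. Returns a verdict the gateway can log or
    act on (block the statement, alert, or both). A tampered WHERE
    clause changes the template, so it is caught even though the table
    and columns are ones the account normally reads."""
    fp = fingerprint(sql)
    if account not in policy:
        return {"allowed": False, "fingerprint": fp,
                "reason": "unknown database account"}
    if fp not in policy[account]:
        return {"allowed": False, "fingerprint": fp,
                "reason": "statement template never seen for this account"}
    return {"allowed": True, "fingerprint": fp, "reason": "learned template"}


def approve_change(policy, account, sql):
    """Adapting to a legitimate application change: when a release adds a
    new query, an administrator approves its template instead of
    re-running the whole learning period."""
    policy[account].add(fingerprint(sql))


if __name__ == "__main__":
    policy = learn(LEARNING_TRAFFIC)
    for account, sql in [
        ("webapp", "SELECT name, last4 FROM cards WHERE customer_id = 77"),
        ("webapp", "SELECT name, last4 FROM cards WHERE customer_id = 42 OR 1=1"),
        ("report", "SELECT name, last4 FROM cards WHERE customer_id = 42"),
    ]:
        print(account, enforce(policy, account, sql))
```

The third check is the separation-of-duties point in miniature: the reporting account is refused a template that is perfectly normal for the Web application account, because policy is learned per account rather than per table.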
Monitoring and Enforcing
The information collected by the system must be granular, comprehensive, and tamperproof. Audit logs should provide the data necessary for auditors to know everything they need to about any transaction, including flagging illegitimate activity and identifying the end user that initiated the activity. While a gateway that collects audit data for inspection at a later date may be sufficient for some compliance purposes, look for an audit system that can actively notify administrators about suspicious activity in real time.
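The three properties asked of the audit trail here, identifying the end user behind each transaction (the first baseline capability above), flagging illegitimate activity including DBA console access, and tamperproofing, are shown together in the following added example, written for this page and not taken from Imperva's or any vendor's product. It assumes the Web application tags each statement with the id of the HTTP request that caused it in a leading SQL comment, so the gateway can resolve the pooled application connection back to the authenticated Web user; untagged statements are treated as direct sessions. The request log, the database events, the sensitive-table list and the key are all constructed for the example.

```python
import hashlib
import hmac
import json
import re

# Constructed sample data, not from any real system. The web tier logs
# one record per authenticated request; the application puts that
# request id in a leading SQL comment on every statement it issues
# (an assumption of this example). Console sessions carry no tag.
WEB_REQUESTS = {
    "r-1001": {"user": "alice", "path": "/account/cards", "ip": "203.0.113.7"},
    "r-1002": {"user": "bob", "path": "/orders", "ip": "198.51.100.20"},
}
DB_EVENTS = [
    {"conn": 7, "os_user": "appsvc", "client": "webapp",
     "sql": "/* req=r-1001 */ SELECT name, last4 FROM cards WHERE customer_id = 42"},
    {"conn": 7, "os_user": "appsvc", "client": "webapp",
     "sql": "/* req=r-1002 */ SELECT id, status FROM orders WHERE customer_id = 9"},
    {"conn": 12, "os_user": "dba1", "client": "sqlplus",
     "sql": "SELECT pan, name FROM cards"},
    {"conn": 12, "os_user": "dba1", "client": "sqlplus",
     "sql": "ALTER TABLE orders ADD note VARCHAR(200)"},
]
SENSITIVE_TABLES = {"cards"}          # assumed output of the assessment phase
PRIVILEGED_VERBS = {"ALTER", "CREATE", "DROP", "GRANT", "REVOKE"}
_TAG = re.compile(r"^\s*/\*\s*req=([\w-]+)\s*\*/\s*")
_TABLE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO|TABLE)\s+([A-Za-z_]\w*)", re.I)


def attribute(event):
    """Map a database event to the end user responsible for it. Tagged
    statements resolve through the web request log; untagged statements
    are direct sessions attributed to the OS/database account."""
    m = _TAG.match(event["sql"])
    if m and m.group(1) in WEB_REQUESTS:
        req = WEB_REQUESTS[m.group(1)]
        return {"end_user": req["user"], "channel": "web",
                "source": req["ip"], "request": m.group(1)}
    return {"end_user": event["os_user"], "channel": "direct:" + event["client"],
            "source": None, "request": None}


def assess(event, who):
    """Policy check: sensitive tables may only be reached through the
    application, and schema- or privilege-changing statements are always
    flagged regardless of who issues them."""
    body = _TAG.sub("", event["sql"])
    tables = {t.lower() for t in _TABLE.findall(body)}
    verb = body.split()[0].upper()
    flags = []
    if tables & SENSITIVE_TABLES and who["channel"] != "web":
        flags.append("direct access to sensitive table")
    if verb in PRIVILEGED_VERBS:
        flags.append("privileged statement: " + verb)
    return flags


def _mac(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def append_record(log, key, event, who, flags):
    """Append a tamper-evident record. Each entry's HMAC covers its own
    content and the previous entry's HMAC, so editing, deleting or
    reordering an earlier entry breaks every HMAC after it. The key
    lives in the gateway, not with the DBA whose activity is recorded."""
    prev = log[-1]["mac"] if log else "0" * 64
    body = {"seq": len(log), "end_user": who["end_user"], "channel": who["channel"],
            "source": who["source"], "request": who["request"],
            "sql": event["sql"], "flags": flags, "prev": prev}
    log.append({**body, "mac": _mac(key, body)})


def verify_chain(log, key):
    """Recompute the chain; False if any record was altered or removed."""
    prev = "0" * 64
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec["seq"] != i or rec["prev"] != prev:
            return False
        if not hmac.compare_digest(_mac(key, body), rec["mac"]):
            return False
        prev = rec["mac"]
    return True


def audit(events, key):
    """Run attribution, policy assessment and chained logging over a
    stream of database events; flagged records are what real-time
    notification would be driven from."""
    log = []
    for ev in events:
        who = attribute(ev)
        append_record(log, key, ev, who, assess(ev, who))
    return log


if __name__ == "__main__":
    log = audit(DB_EVENTS, b"gateway-only-secret")
    for rec in log:
        print(rec["seq"], rec["end_user"], rec["channel"], rec["flags"])
    print("chain intact:", verify_chain(log, b"gateway-only-secret"))
```

The two console statements are the cases the SOX bullet above is about: the DBA's read of the cardholder table is attributed to the DBA's own account and flagged because it bypassed the application, and the schema change is flagged as privileged. Because the HMAC key never reaches the database host, the DBA cannot quietly rewrite those records afterwards without the chain failing verification.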
Measurement
To be best in class, a database gateway product must provide built-in and customizable reports that are consistent with the requirements of more than one compliance regulation or mandate, and that are useful to IT from a security perspective. That is, they provide IT with actionable information regarding both controlled and suspicious activity.
The Bottom Line
With the convergence in security and compliance, businesses will evolve their IT infrastructure to include new technologies, such as the database gateways, in order to achieve the level of data security required. Smart businesses will use this new technology to their competitive advantage.
With its automation and flexibility, this new technology promotes the streamlining of internal business processes and controls, and enables organizations to meet the demands of multiple compliance mandates.
As the compliance tail continues to wag the security dog, the new database gateway and database firewall products will have a transformative impact on IT infrastructure, IT staff, business processes, and ultimately the bottom line.
Amichai Shulman is co-founder and CTO of Imperva, a vendor of data security products. He also manages the Application Defense Center, an internationally recognized security and compliance research organization.