It's not enough to secure corporate databases from the outside world, according to Sarbanes-Oxley (SOX) regulations, because, like an old horror movie, the threat could be coming from inside the building.
So, even though Bethesda, Md.-based USEC trusts its database administrators (DBAs), it needed to upgrade its database security controls to comply with SOX, according to David Vordick, chief information officer. The global energy company is no stranger to security requirements. It supplies enriched uranium fuel to commercial nuclear power plants and is the U.S. agent for the "megatons to megawatts" program, which converts uranium from dismantled Russian nuclear warheads into fuel for nuclear power plants.
"The problem with a lot of database products is that the logging that's built into them is fully configurable by the DBAs themselves. So you can turn on logging, but the DBA can turn it right off," Vordick explained.
No logging translates to no complete audit trail of financial database activity -- a major SOX no-no. To solve this problem, USEC needed to find a way to monitor and track DBA activity, Vordick said, but not hinder them in doing their job.
"Our SOX control requirements are extremely important -- but we didn't want to implement controls that wouldn't allow us to fully support the financial systems," Vordick said. "It's important that those systems are available and operational and, obviously, the DBAs' role in that is very important."
Initially, the USEC team considered an intrusion detection system, which monitors network traffic. However, those tools would be able to show only that someone was connecting to a database and wouldn't be able to tell who it was and what he was doing, Vordick said. Then the team considered different proxy access scenarios, which would require DBAs to connect to databases through an intermediate system with monitoring controls. But USEC determined that the proxy approach would create additional application integration challenges, and the DBAs did not like that approach.
Then USEC learned about Waltham, Mass.-based Guardium Inc. and its SQL Guard appliance. It was the most effective product they found, Vordick said, because it would help USEC meet the SOX requirements without getting in the way of the DBAs. So, in 2005, USEC deployed the Guardium appliance to monitor multiple Oracle and SQL Server financial databases. The implementation took only a few weeks.
The Guardium appliance is monitored by USEC's information security manager, Vordick said, not by the DBAs. The appliance essentially "sniffs," or monitors, all network traffic. It logs everything that the DBAs are doing at the SQL statement level, so the security manager can see exactly what they're doing with the database. Now, the DBAs follow a change control process to give the security manager advance notice of any planned, and authorized, database work. Anytime a DBA or other privileged user connects to the database, the security manager gets an alert and can compare that activity against approved changes, Vordick said.
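The comparison described above, privileged-user statements checked against the change-control schedule, with statements that switch off DBMS-side auditing flagged separately, as an added Python example; it is not USEC's or Guardium's code. It assumes a capture source that records each SQL statement as `timestamp|db_user|client_ip|sql`; the log lines, account names, ticket ids and time windows are constructed for illustration.

```python
"""Privileged-database-activity check against a change-control schedule.

Added example (not USEC's or Guardium's code).  It assumes a capture source
that records each SQL statement as 'timestamp|db_user|client_ip|sql'; the
log lines, user names, ticket ids and windows below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Statement:
    ts: datetime
    user: str
    client: str
    sql: str


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str   # change-control ticket (constructed ids)
    user: str     # DBA account authorised for the work
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Alert:
    severity: str  # INFO, HIGH or CRITICAL
    user: str
    reason: str
    sql: str


# Accounts whose every statement is reported to the security manager (constructed list).
PRIVILEGED_USERS = {"sys", "system", "sa", "dba_jones"}

# Statements that switch off or weaken DBMS-side auditing.  Illustrative
# patterns built on real Oracle and SQL Server syntax, not an exhaustive list.
AUDIT_TAMPER = [
    re.compile(r"^\s*NOAUDIT\b", re.I),                                   # Oracle
    re.compile(r"\bALTER\s+SYSTEM\s+SET\s+AUDIT_TRAIL\b", re.I),           # Oracle
    re.compile(r"\bALTER\s+SERVER\s+AUDIT\b.*\bSTATE\s*=\s*OFF\b", re.I),  # SQL Server
]


def parse_line(line: str) -> Statement:
    """Split one captured record; the SQL text may itself contain '|'."""
    ts, user, client, sql = line.split("|", 3)
    return Statement(datetime.fromisoformat(ts), user.lower(), client, sql.strip())


def approved_change(stmt: Statement, approved: List[ApprovedChange]) -> Optional[ApprovedChange]:
    """Return the ticket that covers this statement, if any."""
    for change in approved:
        if change.user == stmt.user and change.start <= stmt.ts <= change.end:
            return change
    return None


def evaluate(lines: List[str], approved: List[ApprovedChange],
             privileged=PRIVILEGED_USERS) -> List[Alert]:
    """Turn captured statements into alerts for the security manager.

    Audit tampering is CRITICAL from any account; other privileged activity
    is INFO inside an approved window and HIGH outside one.  Application
    accounts are recorded by the capture but not alerted on by this check.
    """
    alerts: List[Alert] = []
    for line in lines:
        s = parse_line(line)
        if any(p.search(s.sql) for p in AUDIT_TAMPER):
            alerts.append(Alert("CRITICAL", s.user, "audit configuration changed", s.sql))
            continue
        if s.user not in privileged:
            continue
        change = approved_change(s, approved)
        if change is not None:
            alerts.append(Alert("INFO", s.user, f"within approved change {change.ticket}", s.sql))
        else:
            alerts.append(Alert("HIGH", s.user, "privileged activity outside any approved window", s.sql))
    return alerts


# Constructed sample capture: two statements inside a scheduled window, one
# application query, one privileged change with no ticket, one NOAUDIT.
SAMPLE_LOG = [
    "2005-06-01T22:15:03|dba_jones|10.1.2.3|ALTER TABLE gl_journal ADD fiscal_period NUMBER(6)",
    "2005-06-01T22:16:40|dba_jones|10.1.2.3|UPDATE gl_journal SET fiscal_period = 200506 WHERE fiscal_period IS NULL",
    "2005-06-02T09:02:11|app_erp|10.1.5.20|SELECT amount FROM gl_journal WHERE entry_id = 4471",
    "2005-06-02T14:30:05|dba_jones|10.1.2.3|DELETE FROM ap_invoices WHERE invoice_id = 9012",
    "2005-06-02T14:31:19|system|10.1.2.3|NOAUDIT ALL",
]

SAMPLE_APPROVED = [
    ApprovedChange("CHG-0417", "dba_jones",
                   datetime(2005, 6, 1, 22, 0), datetime(2005, 6, 1, 23, 0)),
]


def sample_alerts() -> List[Alert]:
    """Run the check over the constructed capture."""
    return evaluate(SAMPLE_LOG, SAMPLE_APPROVED)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.severity:8} {a.user:10} {a.reason}: {a.sql}")
```

The design point matches the article's: the input is what a network-level capture recorded, not the DBMS's own audit log, so a DBA switching off built-in logging cannot erase the record, and the attempt itself surfaces as a CRITICAL alert. The approved-change list is the machine-readable form of the advance notice the DBAs give through change control; anything privileged that falls outside it is what the security manager reviews.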
So far, there have been no problems with unauthorized changes, he said. More importantly, when SOX auditors ask Vordick about internal database security, he has a good answer. In addition to the system, he said, the change control processes that USEC implemented are also important to auditors.
And how do the DBAs feel about the new system and processes? None has expressed concern, Vordick said.
"I think they understand that with that level of privilege, there need to be some checks and balances," he said.