Lecture on Database Security - Chapter 7: Database auditing models covers the following content: gain an overview of auditing fundamentals, understand the database auditing environment, create a flowchart of the auditing process, and list the basic objectives of an audit. You are invited to consult it.
Database Security and Auditing: Protecting Data Integrity and Accessibility
Chapter 7
Database Auditing Models
Objectives
• Gain an overview of auditing fundamentals
• Understand the database auditing environment
• Create a flowchart of the auditing process
• List the basic objectives of an audit
Database Security and Auditing 3
Objectives (continued)
• Define the differences between auditing classifications and types
• List the benefits and side effects of an audit
• Create your own auditing models
Definitions (continued)
• Auditor: person authorized to audit
• Audit procedure: set of instructions for the auditing process
• Audit report: document that contains the audit findings
• Audit trail: chronological record of document changes, data changes, system activities, or operational events
Definitions (continued)
• Data audit: chronological record of data changes stored in log file or database table object
• Database auditing: chronological record of database activities
• Internal auditing: examination of activities conducted by staff members of the audited organization
• External auditing
Auditing Activities
• Evaluate the effectiveness and adequacy of the audited entity
• Ascertain and review the reliability and integrity of the audited entity
• Ensure the organization complies with policies, procedures, regulations, laws, and standards of the government and the industry
• Establish plans, policies, and procedures for conducting audits
Auditing Activities (continued)
• Keep abreast of all changes to audited entity
• Keep abreast of updates and new audit regulations
• Provide all audit details to all company employees involved in the audit
• Publish audit guidelines and procedures
• Act as liaison between the company and the external audit team
Auditing Activities (continued)
• Act as a consultant to architects, developers, and business analysts
• Organize and conduct internal audits
• Ensure all contractual items are met by the organization being audited
• Identify the audit types that will be used
Auditing Activities (continued)
• Identify security issues that must be addressed
• Provide consultation to the Legal Department
Auditing Environment
• Auditing examples:
– Financial auditing
– Security auditing
• Audit also measures compliance with government regulations and laws
• Audits take place in an environment:
– Auditing environment
– Database auditing environment
Auditing Environment (continued)
• Components:
– Objectives: an audit without a set of objectives is useless
– Procedures: step-by-step instructions and tasks
– People: auditor, employees, managers
– Audited entities: people, documents, processes, systems
Auditing Environment (continued)
• Database auditing environment differs slightly from generic auditing environment
• Security measures are inseparable from auditing
Auditing Process
• Quality Assurance (QA):
– Ensure system is bug free and functioning according to its specifications
– Ensure product is not defective as it is being produced
• Auditing process: ensures that the system is working and complies with the policies, regulations and laws
Auditing Process (continued)
• Performance monitoring: observes if there is degradation in performance at various operation times
• Auditing process flow:
– System development life cycle
– Auditing process:
• Understand the objectives
• Review, verify, and validate the system
Auditing Process (continued)
Auditing Objectives
• Top ten database auditing objectives:
Auditing Objectives (continued)
• Top ten database auditing objectives (continued):
– Data structure changes
– Database or application availability
– Change control
– Physical access
– Auditing reports
Auditing Classifications and Types
• Industry and business sectors use different classifications of audits
• Each classification can differ from business to business
• Audit classifications: also referred to as types
• Audit types: also referred to as purposes
Audit Classifications
• Internal audit:
– Conducted by a staff member of the company being audited
– Purpose:
• Verify that all auditing objectives are met
• Investigate a situation prompted by an internal event or incident
• Investigate a situation prompted by an external request
Audit Classifications (continued)
• External audit:
– Conducted by a party outside the company that is being audited
– Purpose:
• Investigate the financial or operational state of the company
• Verify that all auditing objectives are met
Audit Classifications (continued)
• Automatic audit:
– Prompted and performed automatically (without human intervention)
– Used mainly for systems and database systems
– Reports are read and interpreted by administrators, or by an inference engine or artificial intelligence
• Manual audit: performed completely by humans
• Hybrid audit
Audit Types
• Financial audit: ensures that all financial transactions are accounted for and comply with the law
• Security audit: evaluates whether the system is as secure as it should be
• Compliance audit: system complies with industry standards, government regulations, or partner and client policies
Audit Types (continued)
• Operational audit: verifies if an operation is working according to the policies of the company
• Investigative audit: performed in response to an event, request, threat, or incident to verify the integrity of the system
• Product audit: performed to ensure that the product complies with industry standards
Benefits and Side Effects of Auditing
• Benefits:
– Enforces company policies and government regulations and laws
– Lowers the incidence of security violations
– Identifies security gaps and vulnerabilities
– Provides an audit trail of activities
– Provides means to observe and evaluate operations of the audited entity
Benefits and Side Effects of Auditing (continued)
• Benefits (continued):
– Provides a sense of security and confidence
– Identifies or removes doubts
– Makes the organization more accountable
– Develops controls that can be used for purposes other than auditing
Benefits and Side Effects of Auditing (continued)
• Side effects:
– Performance problems
– Too many reports and documents
– Disruption to the operations of the audited entity
– Consumption of resources, and added costs from downtime
– Friction between operators and auditor
– The same side effects apply from a database perspective
Auditing Models
• Can be implemented with built-in features or your own mechanism
• Information recorded:
– State of the object before the action was taken
– Description of the action that was performed
– Name of the user who performed the action
Auditing Models (continued)
Simple Auditing Model 1
• Easy to understand and develop
• Registers audited entities in the audit model repository
• Chronologically tracks activities performed
• Entities: user, table, or column
• Activities: DML transaction or logon and off times
Simple Auditing Model 1 (continued)
Simple Auditing Model 2
• Only stores the column value changes
• There is a purging and archiving mechanism; reduces the amount of data stored
• Does not register an action that was performed on the data
• Ideal for auditing a column or two of a table
Simple Auditing Model 2 (continued)
Advanced Auditing Model
• Called “advanced” because of its flexibility
• Repository is more complex
• Registers all entities: fine-grained auditing level
• Can handle users, actions, tables, columns
Advanced Auditing Model (continued)
Trang 44Historical Data Model
• Used when a record of the whole row is required
• Typically used in most financial applications
Historical Data Model (continued)
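The Historical Data Model above (the whole row as it stood before the action, the action, the user, and a timestamp) as an added example; this is not code from the slides. It assumes SQLite triggers driven through Python's sqlite3, a constructed employees table, and a constructed session_ctx table standing in for the session user a real DBMS would supply.

```python
import sqlite3
# Constructed schema (not from the slides): the history table keeps the whole
# employees row as it was BEFORE each UPDATE/DELETE, the action and the user.
SCHEMA = """
CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT, salary REAL);
CREATE TABLE employees_history (
    emp_id     INTEGER, name TEXT, salary REAL,   -- row state before the action
    action     TEXT NOT NULL,                     -- what was done (UPDATE/DELETE)
    audit_user TEXT NOT NULL,                     -- who did it; NULL is refused
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT);  -- stand-in for session user
CREATE TRIGGER emp_before_update BEFORE UPDATE ON employees BEGIN
    INSERT INTO employees_history (emp_id, name, salary, action, audit_user)
    VALUES (OLD.emp_id, OLD.name, OLD.salary, 'UPDATE', (SELECT v FROM session_ctx WHERE k = 'user'));
END;
CREATE TRIGGER emp_before_delete BEFORE DELETE ON employees BEGIN
    INSERT INTO employees_history (emp_id, name, salary, action, audit_user)
    VALUES (OLD.emp_id, OLD.name, OLD.salary, 'DELETE', (SELECT v FROM session_ctx WHERE k = 'user'));
END;
"""
def open_audited_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def set_user(conn, user):  # a real DBMS takes this from the session, not a table
    conn.execute("INSERT OR REPLACE INTO session_ctx VALUES ('user', ?)", (user,))

def history(conn, emp_id):
    return conn.execute("SELECT action, audit_user, name, salary FROM employees_history "
                        "WHERE emp_id = ? ORDER BY rowid", (emp_id,)).fetchall()

def demo():
    conn = open_audited_db()
    set_user(conn, "alice")
    conn.execute("INSERT INTO employees VALUES (1, 'Bob', 50000)")  # no 'before' row
    conn.execute("UPDATE employees SET salary = 55000 WHERE emp_id = 1")
    set_user(conn, "mallory")
    conn.execute("DELETE FROM employees WHERE emp_id = 1")
    return history(conn, 1)  # pre-update and pre-delete states, in order

def change_without_user():
    # No identified user: the NOT NULL audit column makes the change fail closed.
    conn = open_audited_db()
    conn.execute("INSERT INTO employees VALUES (2, 'Eve', 40000)")
    try:
        conn.execute("UPDATE employees SET salary = 1 WHERE emp_id = 2")
    except sqlite3.IntegrityError:
        return "refused"
    return "recorded"
```

A change made with no identified user is rejected rather than logged with a blank user, so the trail cannot silently lose accountability.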
Auditing Applications Actions Model
C2 Security
• Given to Microsoft SQL Server 2000
• Utilizes DACLs (discretionary access control lists) for security and audit activities
• Requirements:
– Server must be configured as a C2 system
– Windows Integrated Authentication is supported
– SQL native security is not supported
– Only transactional replication is supported
Summary
• Audit examines, verifies, and validates documents, procedures, and processes
• Auditing environment consists of objectives, procedures, people, and audited entities
• Audit makes sure that the system is working and complies with the policies, standards, regulations, and laws
• Auditing objectives established during development phase
Summary (continued)
• Objectives: compliance, informing, planning, and executing
• Classifications: internal, external, automatic, manual, hybrid
• Models: Simple Auditing 1, Simple Auditing 2, Advanced Auditing, Historical Data, Auditing Applications, C2 Security