Database Activity Monitoring / Database Firewall

Database activity monitoring (DAM) / database firewall (DBF) solutions monitor database activity in order to identify fraudulent, illegal or otherwise undesirable behavior. They use embedded knowledge about database structures and access patterns, provide analytics and reporting, and enforce policies and controls. A DAM/DBF solution operates independently of the audit functionality built into the database management system (DBMS) itself; it can be regarded either as an alternative to the DBMS audit (which places a heavy load on the database servers) or as a control complementary to it.

DAM solutions also include database vulnerability assessment and user account auditing, coupled with firewall file-access monitoring and web application monitoring.

The user benefits can be classified as:

  1. Monitoring
  • Privileged user monitoring – DBAs, root and system administrators have access to read and alter data, either via the application or by logging in at the OS or local console. Their access has to be monitored in order to detect and prevent privileged users from accessing data, modifying the schema or table structure, or creating or modifying user accounts and permissions.
  • User activity monitoring, in order to track the users and the applications that connect to the database. Besides fraudulent access, an important aspect is also to monitor, and where possible prevent, malicious or unintended activity by legitimate users.
  • If possible, user accounts also have to be monitored continuously in order to detect dormant accounts and take appropriate action.
  2. Risk and Compliance – risk and security teams seek to implement tight controls around the data stores in order to ensure data confidentiality and integrity, limit privileged user access and subsequently identify fraudulent activity. Preventive security controls such as encryption and access management are not effective against authorized / legitimate user access. Thus, a DAM solution can be deployed in order to fulfill the security controls required by:
  • Data Governance
  • Risk Management
  • Audit
  • Regulatory Compliance.

The benefits provided by the DAM solution, through tight integration with DLP and SIEM solutions respectively, extend the network controls and the security framework to the databases and data stores as well.

  3. Policy Enforcement
  A database firewall includes a complete set of predefined, customizable security and audit policies. Security alerts can be sent to SIEM, ticketing systems and other third-party solutions to streamline business processes.

The solutions can be deployed either off-path or inline. In order to comprehensively monitor and detect fraudulent activity, a solution must monitor all the “gateways” to the data store. Thus, the deployment of software agents to monitor local activity as well (server console or other applications connecting directly to the database) should be taken into consideration.

If the solutions are deployed off path, then there is no impact on the monitored network segments.

If the solutions are to be deployed inline in protect mode (database firewall), several considerations have to be taken into account:

  • Usually the solution is deployed in transparent mode, with no IP addressing on the traffic interfaces. Thus, the DAM should have fail-open functionality in order to let traffic pass through in case of platform malfunction.
  • Minimum latency – the latency induced in the network has to be kept to a minimum.
  • Enforcement of the security policies should be done in stages – first deployed non-intrusively, and only upon successful testing are the security policies to be enforced.
  • Proper performance dimensioning in order to withstand peak traffic, both legitimate and malicious; if the device cannot operate properly under heavy load, this has a direct impact on the business process.
  • Access policies have to be reviewed each time a modification is made to the application, at both the application and the user access policy level; failing to do so can result in blocking legitimate traffic and/or legitimate users’ access.
  • Data audit – when turned on, it consumes resources very heavily; thus, a sufficiently powerful hardware appliance has to be deployed.
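As an added illustration (not code from the original page or from any DAM product) of the privileged-user and dormant-account checks listed under Monitoring and of the staged monitor-then-enforce rollout described above, the following Python sketch applies simple policies to a constructed sample of captured SQL activity; the log format, user names and regexes are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of captured SQL activity in a hypothetical
# "timestamp|user|source|statement" format (not from the original page).
SAMPLE_LOG = """\
2024-03-01T09:00:00|app_svc|app-server|SELECT * FROM orders WHERE id = 42
2024-03-01T09:01:10|dba_joe|local-console|ALTER TABLE orders ADD COLUMN note TEXT
2024-03-01T09:02:05|root|local-console|GRANT ALL PRIVILEGES ON *.* TO 'tmp'@'%'
2024-03-01T09:03:00|app_svc|app-server|UPDATE orders SET status='paid' WHERE id = 42
2024-03-01T09:04:30|dba_joe|app-server|SELECT count(*) FROM customers
"""
PRIVILEGED_USERS = {"dba_joe", "root"}                        # DBAs, root, system admins
KNOWN_ACCOUNTS = {"app_svc", "dba_joe", "root", "report_ro"}  # report_ro never connects
# Statement classes the page singles out for privileged users (illustrative regexes, not a SQL grammar).
SCHEMA_RE = re.compile(r"^\s*(ALTER|DROP|CREATE|TRUNCATE)\s+(TABLE|INDEX|VIEW|SCHEMA)\b", re.I)
ACCOUNT_RE = re.compile(r"^\s*(GRANT|REVOKE|CREATE\s+USER|ALTER\s+USER|DROP\s+USER)\b", re.I)

def classify(statement):
    if ACCOUNT_RE.match(statement):
        return "account_change"
    if SCHEMA_RE.match(statement):
        return "schema_change"
    return "dml"

def evaluate(log_text, enforce=False):
    """Staged enforcement: in monitor mode every policy hit is only an alert;
    in protect (inline firewall) mode the same hits are marked for blocking."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, source, stmt = line.split("|", 3)
        kind = classify(stmt)
        if user in PRIVILEGED_USERS and kind != "dml":
            findings.append({"ts": ts, "user": user, "source": source, "policy": kind,
                             "action": "block" if enforce else "alert"})
    return findings

def dormant_accounts(log_text, known_accounts, now_iso, max_idle_days=30):
    """Known accounts never seen, or last seen more than max_idle_days before now_iso."""
    last_seen = {}
    for line in log_text.strip().splitlines():
        ts, user, _, _ = line.split("|", 3)
        last_seen[user] = max(last_seen.get(user, datetime.min), datetime.fromisoformat(ts))
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(u for u in known_accounts if last_seen.get(u, datetime.min) < cutoff)

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, enforce=True))
    print("dormant:", dormant_accounts(SAMPLE_LOG, KNOWN_ACCOUNTS, "2024-03-10"))
```

Running it in monitor mode first (enforce=False) and comparing the alerts against expected administrative work is the non-intrusive stage; only once those alerts are clean would the same policies be switched to blocking.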