Database activity monitoring is a core responsibility of enterprise database administrators: it protects the integrity and security of the database and the performance of the applications that rely on it. In this post, we discuss the essentials of database activity monitoring and the main approaches it takes to securing data.
Database activity monitoring (DAM) is a set of practices and tools that help administrators detect and report abnormal behavior or unauthorized activity against a database. It is essential to watch for such activity and to ensure it has no, or minimal, impact on user operations and enterprise productivity. DAM tools have evolved over time from plain activity monitoring to advanced analysis covering:
- Robust data-centered security measures
- Data discovery
- Data classification
- Management of user rights
- Monitoring of privileged users
- Data protection
- Data loss prevention
Under another common definition, a DAM solution should independently audit and monitor all database activity, including SELECT transactions and administrator actions. Monitoring tools can record SQL transactions of every class: DDL, DML, DCL, and TCL. DAM does this without relying on the database's own local logs, so, depending on the collection and management method used, the performance cost to the database is kept low.
Securely Storing The Audit Logs At A Central Server
DAM also covers monitoring, aggregating, and correlating activity from multiple heterogeneous DBMSs. These tools work with a range of DBMSs such as MySQL, Oracle, Microsoft SQL Server, IBM DB2, etc. Despite the differences between SQL dialects, DAM tools normalize the transactions they capture so that activity from different DBMSs can be compared and correlated in one place.
It also helps ensure that service accounts access the databases only from a given source IP and run only a narrow set of approved queries. It alerts admins when a service account appears compromised, either because of unusual activity from the system that normally uses it or because the account's credentials show up in a connection from an unexpected system. For support with database server security administration, you can also rely on professional remote administration services like RemoteDBA.com.
Enforcing Separation Of Duties By Logging DB Activities
DAM tools can also generate alerts on heuristic-based or rule-based policy violations. For example, admins can create a rule that raises an alert each time a privileged user runs a SELECT query returning more than 5 rows from the credit card column. Such a rule warns you that an application may have been compromised through SQL injection or a similar attack, since an application's own queries normally touch one record at a time rather than reading card data in bulk.
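The following is an added example, not code from the original post or from any DAM product, showing in one place the mechanics described above: normalizing captured SQL into a literal-free fingerprint, classifying each statement as DDL, DML, DCL or TCL, restricting a service account to its usual source host and its known set of query shapes, and the rule-based alert on a privileged user's SELECT returning more than 5 credit card rows. The event shape, account names, IP addresses, column names and thresholds are all constructed for illustration; the verb-to-class mapping is an assumption, since products disagree on edge cases.

```python
"""Added example: normalize, classify and police SQL activity events.

Everything here (event shape, account names, IPs, column names, thresholds)
is constructed for illustration and is not tied to any DAM product.
"""
import re
from dataclasses import dataclass

# Statement classes recorded by DAM tools, keyed by leading verb. The mapping is
# an assumption; products disagree on edge cases (TRUNCATE is DDL in Oracle/PostgreSQL).
STATEMENT_CLASSES = {
    "DDL": {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME", "COMMENT"},
    "DML": {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE", "CALL", "WITH"},
    "DCL": {"GRANT", "REVOKE", "DENY"},
    "TCL": {"COMMIT", "ROLLBACK", "SAVEPOINT", "BEGIN", "START"},
}

_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
_STRING_RE = re.compile(r"'(?:[^']|'')*'")        # handles 'it''s' style escaping
_NUMBER_RE = re.compile(r"\b\d+(?:\.\d+)?\b")


def normalize(sql: str) -> str:
    """Turn a raw statement into a literal-free fingerprint.

    Comments are stripped, string and numeric literals become '?', whitespace is
    collapsed and a trailing ';' dropped, so the same query shape normalizes to
    one string regardless of the values it carries or the client that sent it.
    """
    text = _COMMENT_RE.sub(" ", sql)
    text = _STRING_RE.sub("?", text)
    text = _NUMBER_RE.sub("?", text)
    return " ".join(text.split()).rstrip(";").strip()


def classify(sql: str) -> str:
    """Return DDL, DML, DCL, TCL or OTHER based on the statement's leading verb."""
    words = normalize(sql).upper().split()
    if not words:
        return "OTHER"
    verb = words[0]
    if verb == "SET":  # only SET TRANSACTION is transaction control
        return "TCL" if words[1:2] == ["TRANSACTION"] else "OTHER"
    for cls, verbs in STATEMENT_CLASSES.items():
        if verb in verbs:
            return cls
    return "OTHER"


@dataclass
class Event:
    """One captured database interaction as a DAM sensor would report it."""
    user: str
    source_ip: str
    sql: str
    rows_returned: int


# Hypothetical policy: each service account lists the host it normally connects
# from and the fingerprints of the statements its application is known to issue.
SERVICE_ACCOUNT_POLICY = {
    "app_svc": {
        "source_ips": {"10.0.5.21"},
        "allowed_fingerprints": {
            normalize("SELECT id, email FROM customers WHERE id = 42"),
            normalize("UPDATE orders SET status = 'shipped' WHERE id = 7"),
        },
    },
}
PRIVILEGED_USERS = {"dba_admin"}
CARD_COLUMN_RE = re.compile(r"\b(card_number|cc_num|pan)\b", re.IGNORECASE)
CARD_ROW_THRESHOLD = 5  # rule from the text: alert on SELECTs returning > 5 card rows


def evaluate(event: Event) -> list[str]:
    """Apply the service-account and privileged-user rules; return alert strings."""
    alerts = []
    fingerprint = normalize(event.sql)
    policy = SERVICE_ACCOUNT_POLICY.get(event.user)
    if policy is not None:
        if event.source_ip not in policy["source_ips"]:
            alerts.append(f"{event.user}: connection from unexpected host {event.source_ip}")
        if fingerprint not in policy["allowed_fingerprints"]:
            alerts.append(f"{event.user}: {classify(event.sql)} outside approved set: {fingerprint}")
    if (event.user in PRIVILEGED_USERS
            and fingerprint.upper().startswith("SELECT")
            and CARD_COLUMN_RE.search(fingerprint)
            and event.rows_returned > CARD_ROW_THRESHOLD):
        alerts.append(f"{event.user}: SELECT returned {event.rows_returned} card rows")
    return alerts


# Constructed sample traffic: a normal app query, an injected variant of it, a
# leaked credential used from a foreign host, and a bulk read of card data by a DBA.
SAMPLE_EVENTS = [
    Event("app_svc", "10.0.5.21", "SELECT id, email FROM customers WHERE id = 1337", 1),
    Event("app_svc", "10.0.5.21", "SELECT id, email FROM customers WHERE id = 1 OR 1=1 --", 25000),
    Event("app_svc", "203.0.113.9", "UPDATE orders SET status = 'shipped' WHERE id = 7;", 1),
    Event("dba_admin", "10.0.5.2", "SELECT card_number FROM payments", 12),
    Event("dba_admin", "10.0.5.2", "SELECT card_number FROM payments WHERE id = 5", 1),
]


def run_sample() -> list[list[str]]:
    """Evaluate the constructed events; returns one alert list per event."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, alerts in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{event.user}@{event.source_ip}: {alerts or 'ok'}")
```

Fingerprinting rather than exact-string matching is what makes the "narrow group of authentic queries" rule workable: the legitimate lookup and the injected `OR 1=1` variant differ only after literals are stripped, and a tool that compared raw statements would have to allowlist every customer ID the application ever queried. Note that the rule on the privileged user fires on the number of rows actually returned, which the sensor sees on the response path, not on anything in the query text, so a single unbounded SELECT is caught while the DBA's one-row lookup is not.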
Various DAM tools can also:
- Provide better visibility into the volume, location, and context of data held in on-premises, cloud, and legacy databases.
- Classify discovered data by personal-information type (email addresses, credit card details, patient records, etc.) so it can be protected at a higher security level.
- Ship pre-defined policies for SOX, PCI, and other common compliance requirements.
- Offer closed-loop integration with external change management tools, tracking whether the database changes applied in SQL were approved.
- Track administrator activity and reconcile it against change management records, instead of reconciling change reports manually.
Evaluation Checklist Of Database Activity Monitoring:
Every enterprise needs database activity monitoring to minimize adverse impacts on its databases. With this in mind, here is a checklist DBAs can use when evaluating a DAM tool, split into what a good tool does and what it does not do.
Do’s
- Consumes about 1% to 3% of disk and CPU resources when using an agent-only collection method. Agent-only collection also lets you cluster the gateways, which provides high availability and keeps database performance optimal.
- Offers real-time, continuous monitoring of local SQL traffic (such as Oracle Bequeath and IPC connections) as well as all incoming SQL traffic from the network to the database.
- Issues a TCP reset on any blocked session, so that to the database it looks as if the client lost its network connection. Nothing changes in the database, and the connection is cleaned up just like a normal client disconnect.
- Consumes only minimal bandwidth to forward incoming SQL statements to the gateway, along with metadata such as response time and number of rows returned.
- Can also monitor outbound network traffic through another interface. Be aware, however, that outbound traffic carries query results, so capturing it means the monitoring tool itself now holds sensitive data and must be secured accordingly.
- Provides a graphical interface for troubleshooting. Admins can quickly see the resources an agent is using and its resource-usage history. When blocking is enabled, you can also configure email notifications from the monitoring tool.
Don’ts
- Does not require installing any external objects into the database: no scripts to run and no credentials other than the default operating system credentials.
- Does not alter, or require altering, the database, its configuration files, or any database parameters. The agent does not touch the database.
- Does not require rebooting the host, except in rare cases such as DB2 on AIX, where a database bounce is needed.
- Does not require any existing or new database user accounts in order to install, monitor, or block.
- Does not write to the file system, except to buffer events while communication with the gateway is lost; that writing stops as soon as communication is re-established.
Given the evolving threats to modern databases and the exponential growth in the volume and variety of sensitive enterprise data, it is very important to deploy strong data-centric security measures. These tools and strategies must focus on safeguarding data as it moves across networks, applications, servers, and endpoints. They usually fall into two categories: native DBMS auditing tools and database activity monitoring tools.
Native auditing tools come packaged with the databases themselves but may carry hidden costs for additional software, hardware, and storage. In any case, adopting data-centered activity monitoring best practices provides robust compliance and optimum security coverage to protect your data, and that justifies the costs associated with database monitoring and auditing.