Database Security and Auditing: Protecting Data Integrity and Accessibility
Chapter 7
Database Auditing Models
Auditing Overview
• Database auditing objectives:
– Data integrity
– Application users and roles
– Data confidentiality
– Access control
– Data changes
– Data structure changes
– Database or application availability
– Change control
– Auditing reports
• Internal audit:
– Conducted by a staff member of the company being audited
– Purpose:
• Verify that all auditing objectives are met
• Investigate a situation prompted by an internal event or incident
• Investigate a situation prompted by an external request
• External audit:
– Conducted by a party outside the company that is being audited
– Purpose:
• Investigate the financial or operational state of the company
• Verify that all auditing objectives are met
• Automatic audit:
– Prompted and performed automatically (without human intervention)
– Used mainly for systems and database systems
– Administrators read and interpret reports; inference engine or artificial intelligence
• Manual audit: performed completely by humans
• Hybrid audit
• Benefits:
– Enforces company policies and government regulations and laws
– Lowers the incidence of security violations
– Identifies security gaps and vulnerabilities
– Provides an audit trail of activities
– Provides means to observe and evaluate operations of the audited entity
– Makes the organization more accountable
• Side effects:
– Performance problems
– Too many reports and documents
– Disruption to the operations of the audited entity
– Consumption of resources, and added costs from downtime
– Friction between operators and auditor
– Same from a database perspective
[Figure labels: Action; Object; Previous values and record]
• Control columns:
– Placeholder for data inserted automatically when a record is created or updated (date and time record was created and updated)
– Can be distinguished with a CTL prefix
[Figure label: A list of columns to be audited]
• Steps:
– Use any user other than SYSTEM or SYS, with privileges to create tables, sequences, and triggers
– Create history table
– Create the trigger to track changes and record all the values of the columns
– Test your implementation
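The steps above worked through in Oracle SQL and PL/SQL, as an added example that is not code from the original slides. The table, sequence and trigger names are hypothetical, and the script assumes SQL*Plus or a compatible client (the lone `/` runs the trigger block).

```sql
-- Added example; every object name here is hypothetical.
-- Step 1: connect as an ordinary schema owner (not SYS or SYSTEM) holding
-- CREATE TABLE, CREATE SEQUENCE and CREATE TRIGGER.
CREATE TABLE customers (
  customer_id  NUMBER        PRIMARY KEY,
  name         VARCHAR2(100) NOT NULL,
  credit_limit NUMBER(10,2)
);

-- Step 2: history table, one row per change, holding the previous values.
CREATE TABLE customers_history (
  hist_id      NUMBER        PRIMARY KEY,
  hist_action  VARCHAR2(6)   NOT NULL,   -- 'UPDATE' or 'DELETE'
  hist_dttm    DATE          NOT NULL,   -- when the change was made
  hist_user    VARCHAR2(128) NOT NULL,   -- database user who made it
  customer_id  NUMBER,
  name         VARCHAR2(100),
  credit_limit NUMBER(10,2)
);

CREATE SEQUENCE seq_customers_history START WITH 1 INCREMENT BY 1;

-- Step 3: row-level trigger that records the old value of every column.
CREATE OR REPLACE TRIGGER trg_customers_history
AFTER UPDATE OR DELETE ON customers
FOR EACH ROW
DECLARE
  v_action customers_history.hist_action%TYPE;
BEGIN
  IF UPDATING THEN
    v_action := 'UPDATE';
  ELSE
    v_action := 'DELETE';
  END IF;
  INSERT INTO customers_history
    (hist_id, hist_action, hist_dttm, hist_user, customer_id, name, credit_limit)
  VALUES
    (seq_customers_history.NEXTVAL, v_action, SYSDATE, USER,
     :OLD.customer_id, :OLD.name, :OLD.credit_limit);
END;
/

-- Step 4: test with constructed data, then read the trail back.
INSERT INTO customers VALUES (1, 'Constructed Customer', 1000);
UPDATE customers SET credit_limit = 5000 WHERE customer_id = 1;
DELETE FROM customers WHERE customer_id = 1;
SELECT hist_id, hist_action, hist_user, credit_limit
  FROM customers_history ORDER BY hist_id;
```

Application accounts should hold no UPDATE or DELETE privilege on `customers_history`, since a trail that its subjects can edit proves nothing.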