Database auditing solutions support compliance programs, internal security efforts

By Staff -- Manufacturing Business Technology, 4/1/2007

Keeping accurate corporate records has always been a business priority, but new reporting requirements associated with Sarbanes-Oxley (Sarbox) and other government regulations make it mandatory. And that means more business for companies that sell database auditing software.

“I never thought much about database auditing until I became involved in IT governance, risk management, and compliance,” says Adrian J. Bowles, Ph.D., president of CoSource.Net, a Westport, Conn.-based IT consulting firm. “When we looked at the responsibility of IT to assure the quality of other information assets, such as financial records, it became obvious that we needed more rigor in the area of data management.”

Vendors such as Lumigent Technologies—which sells a package called Audit DB—are benefiting from the trend.

“Our clients want to put database auditing and controls in place to ensure that access to their data is properly controlled,” states Roger Hodskins, Lumigent's VP of marketing and alliances. An important part of protecting data, Hodskins points out, is tracking when it's accessed and modified by individual “privileged users”—i.e., company employees who are authorized to access the data.

Lumigent has several studies showing that almost 70 percent of malicious acts occurring against databases are committed by privileged users.

“We monitor all activity at the transaction log level from the databases, regardless of the source, so that nothing escapes us,” Hodskins says. “Since we are within the firewall, we capture any database activity by privileged users.”

While most of Lumigent's customers initially were interested in complying with other government regulations, many now use Audit DB for internal database control. When Muscatine, Iowa-based Bandag, a manufacturer of retreaded truck tires, was preparing for its annual internal financial audit, it found its CRM application had been altered in a way that was corrupting customer data.

Unable to locate the source of the modifications, Bandag deployed Lumigent's Audit DB solution. The package quickly uncovered a process error in the CRM system. Bandag's IT staff developed a patch to fix the problem, after which the application was again running smoothly, and database errors disappeared.

“Audit DB saved us countless hours of painstaking research to locate this problem,” states Javier Hernandez, Bandag's applications service manager.

The Audit DB application also enables Bandag's IT staff to identify what data is being accessed, by which users or applications—as well as how data is modified.

Realizing the success of Audit DB, Bandag began deploying the solution throughout its enterprise to support specialized applications for multiple company operations, such as human resources, dealer interfaces, and lead analysis. The system allows the company to detect and analyze any anomalies in user and application behavior—whether accidental or intentional—and respond quickly to violations and vulnerabilities.

“Audit DB makes it much easier to get deeper into the database and identify potential problems before they occur,” Hernandez says.

Database vulnerabilities
Lumigent Technologies says there are five areas that must be managed to ensure consistent data integrity:
  • Audit privileged users. Insider threats (employees tampering with sensitive data) are a significant issue.
  • Manage database user accounts. As employees are hired, change functions, or leave the company, their rights and privileges related to data access should change.
  • Meet segregation of duties requirements. The people who manage and use the production database, such as database administrators, should not be charged with managing the audit reporting and controls solutions.
  • Review audit logs. Sarbanes-Oxley requires that auditors not only ask whether audit logs exist, but also find proof that the logs are being adequately reviewed.
  • Quickly identify anomalous database activity. Organizations need to be able to identify database activity that doesn't conform to stated controls and policies. Alerts and reports are necessary to expedite the incident to management, which can then determine if a remedy is in order.

©2009 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.