While most companies have developed database change control guidelines since the dawn of the compliance era and the arrival of mandates such as the U.S. government's Sarbanes-Oxley Act, few have been able to build systems that track every change made to their systems and alert administrators when policies are violated, according to Guardium, based in Waltham, Mass.
Guardium's Change Control Solution for Databases package aims to do just that, offering companies the ability to monitor every adjustment made to database objects—including database structures, permissions, stored information and configuration files. The system forgoes the use of onboard database functions such as trace and transaction logs or native auditing, which companies often use to try to garner the same types of information about system changes; those features were never meant to be used in such a manner, company officials said.
By arming companies with a real-time view of all the commands being carried out in their databases, the system provides a clearer picture for internal and external compliance auditors, and alerts security and IT managers to any unauthorized changes that may be carried out either by insiders or external hackers.
Guardium contends that the package also reduces the amount of time necessary for IT and compliance management teams to prepare for outside audits. The process of comparing changes made to databases with policies to look for aberrations, labeled by the firm as "change control reconciliation," is also being required by auditors as they investigate enterprise software applications, and the product has been specifically tailored to cover those products as well, said Phil Neray, vice president of marketing for Guardium.
"We've seen situations such as the disgruntled worker at [investment firm] UBS who was found to have planted a logic bomb in their databases, and others where people from outsourcing contractors have created new database accounts that allow them almost unlimited access; companies need something to protect themselves and provide a trail of evidence," Neray said.
"On the other side, compliance is forcing people to look more closely at internal controls," he said. "We believe this technology addresses a piece that no one else had gone after—the ability to look at every change, no matter how large or small, and compare that to policy."
Among the specific features touted in the product is the software's ability to monitor external database system objects, including configuration files, registry variables, shell scripts, OS files and executables such as Java programs. Keeping an eye on those elements of a database specifically helps protect against unauthorized changes made by privileged users, according to Guardium.
The change management product also boasts the ability to track manipulation of database structures including system tables, triggers and stored procedures. This functionality would help prevent the use of so-called logic bombs, pieces of code designed to corrupt areas of a database, such as the one used by the UBS worker.
Additional features of the Change Control Solution include security controls for observing shifts made to user accounts and privileges, as well as tools meant to detect changes made to data related to financial transactions.
"Most companies have change management systems, but they only use them to track work orders," Neray said. "With this product, we can access the information already residing in those systems and display that alongside any detected changes. This allows admins to compare what was required with what was implemented to detect unauthorized changes."
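The reconciliation Neray describes, as an added example that is not Guardium's code: captured DDL/DCL statements are matched against approved work orders (ticket, account, object, change window), and anything unmatched is reported. Every account name, ticket id, object name and timestamp below is constructed.

```python
# Added illustration of "change control reconciliation": captured DDL/DCL
# statements are matched against approved work orders and the rest flagged.
# Not Guardium's code; every name, ticket and timestamp below is constructed.
from collections import namedtuple
from datetime import datetime, timedelta

# A ticket authorises one account to change one object inside a time window.
WorkOrder = namedtuple("WorkOrder", "ticket db_user object_name start end")
# One statement captured from a database session (timestamp, account, text).
ObservedChange = namedtuple("ObservedChange", "ts db_user statement")
# Verbs that alter structure, privileges or accounts; plain DML is out of scope.
CHANGE_VERBS = ("CREATE", "ALTER", "DROP", "GRANT", "REVOKE")

def target_object(statement: str) -> str:
    """Return the object a DDL/DCL statement acts on (simplified parser)."""
    tokens = statement.rstrip(";").split()
    upper = [t.upper() for t in tokens]
    if upper[0] in ("GRANT", "REVOKE") and "ON" in upper:
        return tokens[upper.index("ON") + 1]        # GRANT ... ON <object> TO ...
    skip = {"OR", "REPLACE", "IF", "NOT", "EXISTS"}  # optional keywords
    rest = [t for t, u in zip(tokens[1:], upper[1:]) if u not in skip]
    return rest[1]                                  # <verb> <kind> <object> ...

def reconcile(changes, orders):
    """Return captured changes that no approved work order covers."""
    unauthorized = []
    for c in changes:
        if c.statement.split()[0].upper() not in CHANGE_VERBS:
            continue                                # DML: not a control change
        obj = target_object(c.statement)
        approved = any(o.db_user == c.db_user and o.object_name == obj
                       and o.start <= c.ts <= o.end for o in orders)
        if not approved:
            unauthorized.append(c)
    return unauthorized

# Constructed sample data: one approved ticket, five captured statements.
T0 = datetime(2024, 3, 4, 22, 0)
ORDERS = [WorkOrder("CHG-1041", "dba_alice", "ledger.transactions", T0, T0 + timedelta(hours=2))]
CHANGES = [
    ObservedChange(T0 + timedelta(minutes=15), "dba_alice",
                   "ALTER TABLE ledger.transactions ADD COLUMN note TEXT;"),
    ObservedChange(T0 + timedelta(minutes=40), "app_svc",
                   "INSERT INTO ledger.transactions VALUES (1, 9.99);"),
    ObservedChange(T0 + timedelta(hours=5), "contractor_bob", "CREATE USER contractor2;"),
    ObservedChange(T0 + timedelta(hours=5, minutes=1), "contractor_bob",
                   "GRANT ALL ON ledger.transactions TO contractor2;"),
    ObservedChange(T0 + timedelta(hours=6), "dba_alice",
                   "CREATE OR REPLACE PROCEDURE ledger.nightly_close AS BEGIN NULL; END;"),
]
print(*reconcile(CHANGES, ORDERS), sep="\n")  # the three changes no ticket covers
```

The first ALTER is covered by the ticket and the INSERT is ordinary DML, so only the account creation, the grant by an unapproved account, and the procedure change outside the approved window are reported.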