Idera has come out with a version of its SQL Server database auditing tool that provides real-time auditing and continuous compliance for organizations dealing with Sarbanes-Oxley, GLBA, HIPAA, BASEL II and the USA Patriot Act.
Idera worked in partnership with both security and auditing firms, including Ernst and Young LLP, to design SQL Compliance Manager, according to Rick Pleczko, president and CEO of the Houston company.
“They said, You must have the ability to provide a true, trusted source of data, so you can prove to auditors that this is a reflection of the real world that hasnt been tampered with,” he said.
To accomplish that, Idera built in features to make the tool self-auditing. For example, if the database server goes down, auditing comes back as soon as the server recovers.
If somebody were to try to shut the auditing process down, the product “immediately squawks, sends out an alert and refuses to let you kill the auditing process,” Pleczko said.
“Even if subverted, weve used whats called immutable schema. Its not susceptible to change. We have features that will tell you if anybody changes any content in any row in a table, or if anybody inserted or deleted anything in the table.”
The product is built to support two audiences: the DBA (database administrator), who serves as custodian and manager of the product, and the external and internal auditors, who are the real consumers of the data the tool produces, Pleczko said.
“On the DBA side of the house, they want a set-it-and-forget-it system,” he said.
Specifically, SQL Compliance Manager has a low overhead, being designed to use less than 5 percent of the load on a machine to collect data.
It achieves that by eschewing high-overhead tactics such as triggers, profiling, heavy tracing or log scraping.
Patrick Rios, senior master planner for Continental Airlines, in Houston, said he appreciates that.
He started using SQL Compliance Manager about a month ago to audit aircraft maintenance databases and ensure compliance with FAA regulations.
“This product doesnt put load on the server,” he said. “Im not using 5 percent, and Im hitting it pretty heavy: whole table deletes and inserts on some applications parts.”
Rios said he particularly likes having the task of compliance lifted from his back.
“When they showed me this, I could automatically see a lot of prospects for the product to help me with everyday needs as far as tracking data, being able to set filters on the fly,” he said.
“Usually a bigwig says Hey, I want to know the last time an aircraft was changed, or Who changed these conditions on the aircraft? Without having to write stored procedures or triggers or put load on the database, I was able to go in, target whether it was by user, location, position on the field or whatever, or even track the interface, and capture data without having to write code, and produce a report,” he said.
“So it was definitely impressive to me, because there arent too many tools out there, especially with Select statements, where you can filter down to where youre not blowing the transaction log out of the water.”
SQL Compliance Manager provides out-of-the-box, customizable auditing and compliance reports.
The reports are all .Net-based, Pleczko said, which also makes Rios happy.
“In the aviation industry, reports and knowledge is your goal,” he said. “Its built on C++ and C Sharp, and theyre taking advantage of Reporting Services available to it, which is really a good thing, since most of us are looking toward that product. The buzzword has been BI [Business Intelligence], BI.”
SQL Compliance Manager will be available for download from Ideras site within the next two months. It costs $995 per SQL Server instance, inclusive of all components.