NEW YORK—Analysts in the field of regulatory compliance say enterprises should increasingly build their IT auditing processes around database governance efforts.
A panel of analysts, consultants and software vendors gathered here Nov. 9 for a discussion of IT security and regulatory compliance issues stumped hard for companies to increase their focus on better managing their databases.
Speaking at a compliance strategy event hosted by IBM and software maker Guardium, the experts said that the database—one of the oldest, most complex pieces of enterprise infrastructure—must be tackled correctly to help ensure future compliance with regulatory guidelines such as the Sarbanes-Oxley Act.
Loosely defined, data governance involves work to improve the quality of information stored on databases and typically includes the creation of a team of IT professionals whose sole job is to boost the reliability of the data and improve access to the content.
Among the technologies utilized to help forward such efforts are software tools used for tracking the manner in which employees are looking at files, and how they behave while logged into databases.
In addition to increasing companies security by providing a method of detecting a potential misuse of database information, the technologies provide the type of detailed paper trail that compliance auditors demand when inspecting enterprise operations, said Paul Proctor, analyst with Gartner, in Stamford, Conn.
The expanded ability for enterprises to better control the level of access provided to individual workers, such as database administrators, provides another benefit to both security and compliance initiatives, according to the analyst.
Proctor said that setting up a data governance practice will help most firms realize additional benefits from the compliance projects they have already undertaken.
“Auditors, both internal and external, have been largely detested based on the challenges they present to IT and security teams, but enterprises need to foster better relationships between these people to be better prepared for compliance reviews,” Proctor said.
“Starting in the database and bringing governance efforts to the top of compliance strategy is one way we believe that this can be achieved; risk managers, security workers and auditors must work together to find the right solution that actually manages risk.”
While many companies have focused primarily on fixing compliance automation technologies onto their PCs, messaging systems and other faster-moving elements of IT infrastructure, creating smarter policies and controls for the database provides a baseline for all audit-related efforts, the panelists said.
Companies most valuable information is primarily stored on the database, such as financials and customer records, they said, and auditors are increasingly focused on reviewing the procedures employed by businesses to safeguard the systems.
Whereas efforts to encrypt databases have often lagged behind compliance projects aimed at locking down data on laptops, attacking the massive storage systems first may actually make more sense.
Database encryption projects remain unpopular because the software used typically causes significant performance issues when administrators try to encrypt an entire information store.
By tactically seeking out only the most important information to hide, companies can use the technologies without incurring such obstacles, Proctor said.
Behavior-based tools, which look for unusual activity and track access, can help companies overtake such compliance challenges as creating more detailed profiles for users of applications that utilize so-called connection pooling.
IT systems such as financial applications made by SAP obfuscate information about which specific workers are accessing a particular database in this manner.
By using such data governance processes to aid in compliance, businesses can also derive additional benefits such as finding new ways to safely share information across organizations, helping companies offset the expense of their regulatory work by driving new businesses uses for their stored information.
“Companies need to drive value from their data, versus looking at governance as simply another way to remain safe from audits, the need to leverage the data into a business asset that allows them to look at information and plan how they can use infrastructure for strategic business purposes while adhering to security and compliance,” said Brett Gow, leader of IBM Global Business Services Financial Services practice for data governance.
“At the same time, enterprises cannot manage and maintain compliance if they do not understand data from central location.”
Officials from Guardium, which markets database security and monitoring software, pointed to the growing focus among hackers of breaking into databases for a profit.
To illustrate the momentum behind those efforts, Ron Ben-Natan, chief technology officer of the Waltham, Mass.-based firm, pointed to the handful of database cracking workshops that were held at the Black Hat security conference in August 2006.
In addition to giving auditors the trail they desire for tracking how businesses are segmenting worker duties and access to sensitive information, data governance work can help business executives ensure fewer incidents of mistakes in their companies financial reports, and help keep their names out of the headlines attached to corporate reporting scandals.
“Companies have traditionally felt pretty safe about the security of their repositories, but lately things have been happening to undermine that confidence; compliance efforts are waking people up and theyre asking for better tracking and compliance in the database,” said Ben-Natan.
“When the [chief financial officer] is asked to sign financial reports, theyre increasingly asking what is in place to ensure theyre not committing accidental fraud; they dont want to have to restate their position, and the governance initiatives bubble down from there,” he said.
“SOX doesnt talk about database security, but it dictates how companies need to better handle this information.”