INFOWORLD, August 9, 2004, Issue 32. GET TECHNOLOGY RIGHT

EPHRAIM SCHWARTZ: SOA: Good for Vendors or Good for You? p10
Better Than Good? Leading mobile messenger servers BlackBerry and GoodLink duke it out in our labs p20
Get It on Tape: Sony SAIT e1300 pushes tape capacity to the max p25
White-Collar Mining: Enterprise Miner for SAS9 brings BI and BA to businesspeople p22
INFOWORLD.COM HANDS-ON PREVIEWS: SQL Server 2005 Beta 2 and e-Security 4.2 p12
FROM THE INFOWORLD TEST CENTER: HP Storage Devices to Reduce SAN Costs p14
The Feds Are WATCHING: A modular IT framework positions you to cope with today’s regulatory deadlines and new mandates on the horizon p32

INFOWORLD | GET TECHNOLOGY RIGHT | The Feds Are WATCHING (source: jdurrett.ba.ttu.edu/notpublic/Feds are Watching are...)




INFOWORLD.COM 08.09.04, page 33

BY RICHARD GINCEL | PHOTOGRAPH BY ROBERT DALY

“Hurry up” is the latest battle cry at companies struggling to fall in line with an onslaught of government regulations. The summer of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and other mandates is upon us as deadlines loom. The heat is beating down on IT administrators, whose chief executives face stiff penalties — even jail time — if their companies fail to comply with the law.

“The frightening big stick of enforcement is out like a brick bat,” warns Lane Leskela, research director at Gartner. “There’s a lot of confusion around implementing regulatory compliance as a process.”

Part of the confusion stems from the sheer number and scope of regulations affecting companies that, until recently, took an application-specific approach to regulatory compliance in an effort to cope with individual mandates.

With extensible management and technology frameworks, IT can meet regulatory compliance mandates years in the future, not to mention those nagging deadlines just ahead


Enterprises are beginning to see the futility of that strategy, which results in fragmented processes ill-equipped for the next body of mandates that comes down the line. Instead, business and IT are joining together to create extensible compliance frameworks that can accommodate any number of regulatory mandates, providing componentlike reusability that simplifies change management and reduces deployment costs.

“Sarbanes-Oxley, the Patriot Act, and HIPAA were the straws that broke the camel’s back, and companies are saying, ‘We’ve got to find a better way to do this — the regulations are only going to get worse,’ ” observes Ted Frank, CEO of Axentis and advisory chairman of The Compliance Consortium, an industry group formed in June to help CIOs and IT outfits get organized. The consortium’s mission includes making sense of all the overtures from vendors who are in gold-rush mode.

The high anxiety is fueled by what Gartner’s Leskela calls “the lack of a consistent technology approach to managing governance, risk, and compliance processes across the board. It’s a very complex environment.”

Looking Out for the Law

Consider just a few of the systems that fall under the monitoring provisions of Sarb-Ox: data security, disaster recovery, content management and archiving, information retrieval, transaction surveillance, and e-learning (the ability to deliver ongoing education online). Section 404 of Sarb-Ox will put a huge burden on IT by requiring companies with valuations of more than $75 million to prove that their internal controls and audit trails are sound and that their processes are capable of producing certifiably correct data. And, ready or not, Sarb-Ox’s infamous Section 409 — which mandates that “material events” such as the acquisition of a big customer, or anything that could affect a company’s perceived market value, must be reported within 48 hours — is upon us, taking effect Aug. 23.

The liability doesn’t stop there. Many enterprises remain unaware that Section 215 of the Patriot Act requires companies to surrender customer data when subpoenaed and gives customers the right to sue if they haven’t been properly warned that their information will be disclosed if the feds ask for it. Then there’s the HIPAA Final Security Rule, which will take effect in April 2005 and will grant individuals the right to sue organizations that allow a security breach to expose medical records.

The good news, experts say, is that separate regulatory bodies have many directives in common — the call to retain IM exchanges and e-mail, for example — thereby enabling IT to create a modular compliance framework. Most companies already have systems that employees and consultants can leverage and integrate into a wider compliance strategy.

“If you understand the consistencies of these processes within your company, you can build a scalable technology infrastructure while leveraging existing investments,” Axentis’ Frank says. “Just because you put together a strategic framework doesn’t mean you need to full-out implement it right away across all processes. If you can develop a baseline plan, you can still act tactically.”

Ultimately, two frameworks are required: one for business and one for IT. The business side needs to develop a management infrastructure to establish and maintain internal controls and repeatable processes that ensure reliable regulatory compliance. IT needs a technology framework that capitalizes on existing resources and makes point solutions the exception rather than the rule.

Building Better Management

Government regulators don’t explicitly tell enterprises how they should reorganize for compliance. But in June 2003, the Securities and Exchange Commission implicitly recommended the Committee of Sponsoring Organizations (COSO) of the Treadway Commission framework. COSO, an independent auditing industry group established in 1985, released a seminal report in 1992 entitled “Internal Control — Integrated Framework,” which describes how companies should establish and maintain controls to avoid fraud. But the COSO framework seeks to help organizations develop proper business processes, mainly related to authorizing and reporting transactions, not to creating controls that apply specifically to IT.

INFOWORLD.COM 08.09.04, page 34

“Companies are saying, ‘We’ve got to find a better way to do this — the regulations are only going to get worse.’ ” — Ted Frank, Axentis

Regulatory Blitz: The list of regulations is vast and growing, and it cuts across a variety of industries.

IT compliance: Calif. SB 1386; SEC 17A-4
Manufacturing compliance: DOT mandates; FDA 21 CFR Part 11; MSDS; OSHA mandates
Anti-terrorism: Foreign Corrupt Practices Act; Homeland Security Act; Patriot Act
Financial compliance: Basel II; CoCo; Gramm-Leach-Bliley; Sarbanes-Oxley
Health records: HIPAA

NOTE: Not intended as a comprehensive list
SOURCE: OPENPAGES

Instead, many IT execs are turning to the COBIT (Control Objectives for Information and Related Technology) framework for help. Published by the IT Governance Institute, COBIT provides guidelines for IT security and control. The organization’s “IT Control Objectives for Sarbanes-Oxley” (infoworld.com/1678) details IT’s role in implementing and sustaining control over disclosure and financial reporting, including planning, acquiring missing pieces of technology, properly deploying solutions, and monitoring compliance.

The larger the company, the more likely it is to have implemented the controls outlined by COSO and COBIT and to have adjusted management structure accordingly. As regulatory deadlines approach, small and midsize companies will face the greatest risk.

“We’re encouraging smaller companies to form a committee and put a virtual team in place,” says David Donelan, senior director of industry and compliance solutions at EMC.

According to CJ Rayhill, CIO of O’Reilly Media, without a cohesive team, “you typically have one person who is anointed as the expert. So, in addition to their day job, they try to make sure everyone else is in compliance — and it’s mostly hit or miss. The biggest issues I’ve seen are around authority. At big companies, [compliance officers] have a direct line to the CEO. In smaller and midsize organizations, a perceived lack of authority can make it more challenging to get people to respond to compliance efforts.”

Gartner Research Director Brian Wood advises companies to create the position of CCO (chief compliance officer), who would report to the board and be equal in stature to the CEO, rather than report to the CEO. “I’m sure Mr. [Ken] Lay can see the reason for that,” he says. Wood believes the CCO should install a rotating IT representative to assess existing IT assets, to validate processes, to meet security needs, and to ensure that there are clear methods to address abuses. Why rotating? “It helps more and more people get trained in compliance and works toward a cultural change within the company,” he says.

The IT and legal departments — or outside legal counsel — also make up a crucial alliance, according to Deidre Paknad, CEO of PSS Systems, a provider of document policy solutions. “There needs to be more dialog between the two. Compliance is, at its heart, a legal issue — and then an IT issue. But they all think the other speaks a different language. They need to dine together more often. There should be frequent discussions about the synchronization of information to reduce companies’ risk.”

Risk assessment comes into play at every turn. “Our advisers have given us 3-inch [thick] binders of what to do. But the question is always, ‘Where do we start?’ ” says Wood, who is also a member of Gartner’s internal compliance team.

Wood says to start by assigning risk levels to systems, processes, and personnel that are susceptible to breaches and then assess the consequences of those potential breaches. From there, you can use those assessments to make a priority list for implementing systems and controls. According to Wood, using those criteria makes it fairly easy to come up with the top 10 things your organization should be working on.

INFOWORLD.COM 08.09.04, page 35

Compliance From the Ground Up

A flexible CPM (corporate performance management) architecture includes software for document and records management, along with an automated BPM component. Layers of the stack, from the feeding systems at the top down to the foundation:

Feeding systems: Financial and ERP systems; Business unit systems; CRM and customer-facing systems
CPM: Reporting and risk
Assert process controls: Business process management, integration broker, business activity monitoring
Classify, analyze, interpret: BI, infrastructure, tools, and applications
Document and archive: Records management, document management, knowledge management, content management, and storage
Identify, audit, secure, and protect: Identity and access management, network security, and business continuity

SOURCE: GARTNER. NOTE: Not intended as a comprehensive list


“Anything that has a high likeliness [for an audit] and a high associated cost is a high-risk item,” Wood notes, stressing that, on an operational level, risk assessment is a group exercise, not solely an IT function.

Marshalling the Right Technologies

IT is charged with implementing the systems that allow process owners to know “what information we have, where it is physically, which systems have possession of it, which rule settings are applied, and where I go for answers when risk arises,” PSS’ Paknad says. Of course, the precise systems vary widely, but the efficient retention and disposal of information in accordance with a single system of records is crucial when an audit or a request for discovery occurs, she says. Document and records management — along with effective management of information lifecycles — are the foundations of a sound compliance architecture (see “Compliance From the Ground Up,” page 35).

Creating a modular, extensible IT compliance framework starts with storage hardware. Document management, e-mail archiving, security, and BPM software all have vital roles to play — and should be equipped with monitoring and change management capabilities.

Yet the law seldom mentions specific technologies. Regulations typically don’t dictate which storage medium should be used. For example, Section 802 of Sarbanes-Oxley stipulates that records be stored for seven years, during which time they must be nonerasable and nonrewritable. “So to us that means WORM media,” notes Charles Brett, vice president at Meta Group.

But WORM needn’t mean that enterprises pony up for slow and expensive optical disc solutions. “For a compliance infrastructure, companies are now looking at highly scalable storage such as EMC Centera … and getting away from point solutions by departments” such as those involving magneto-optical drives, Brett says. Offering WORM storage on magnetic disk, the EMC Centera Compliance Edition combines ironclad storage software with a capacity that starts at 5TB. It supports real-time replication for fail-over redundancy and has an open API that allows for integration with dozens of compliance applications. Perhaps the biggest plus is the policy-based archive features, along with search and index functions that support fast data retrieval.

INFOWORLD.COM 08.09.04, page 36

“If I Must Comply, I Want ROI”

When you get put on hold by Nth Orbit — suppliers of compliance solution Certus — you don’t hear generic Muzak. Instead, you’re serenaded by a John Denver wannabe strumming a banjo and crooning, “My bottom line is falling more behind, I’ve got the Sarbanes-Oxley blues.”

There’s a good reason why enterprises are singing the blues. Companies are hemorrhaging money in an effort to comply with a raft of new federal regulations, which range from Securities and Exchange Commission mandates to the Patriot Act.

AMR Research estimates that Sarb-Ox alone will set back companies $5.5 billion in 2004; at the company level, that averages out to $1 million per $1 billion in revenue, according to John Haggerty, vice president at AMR Research.

“Everyone’s trying to figure out how much they should be spending and how best to keep costs down,” Haggerty says. But the overarching question is whether it’s possible to recoup the investment. “Companies are saying, ‘If I must comply, I want ROI,’ ” Haggerty adds.

For now, it appears that “soft ROI” is the best anyone can hope for. Executives are reluctant to divulge how much they are spending on compliance initiatives or when they anticipate a return. The mood, however, is not upbeat.

“We spend a significant amount of time benchmarking with other companies,” says Paul Brothe, vice president of corporate quality at McData. “We compare notes. When we get a [vendor] quote, we’ll go to other companies and ask what they were quoted. Meanwhile, we’re trying to use existing tools as much as possible.”

Those who view compliance as “an opportunity to streamline processes and workflows will obviously benefit the most,” concludes Brian Wood, research director at Gartner.

According to Ted Frank, CEO of Axentis and advisory chairman of The Compliance Consortium, the stringent regulations are forcing companies to reassess how they are managing a broad portfolio of business processes. Done correctly, the exercise will result in consistencies across systems and processes. He cites the potential for companies to squander the opportunity and actually underinvest in compliance solutions.

“If you look at Section 404 [of Sarbanes-Oxley], you’re documenting and assessing the risks and the processes to mitigate that risk,” Frank says. “If you have 800 business units, … imagine the benefit of discovering that the same processes are being managed differently across those units. Enterprises should look at this as a substantial opportunity to strip out costs and improve performance.” — R.G.

“No one can give you compliance in a box.” — Deidre Paknad, PSS Systems

EMC’s chief competitor in this space, IBM, sells the Data Retention 450. In the context of IBM’s wide array of middleware and network management offerings, the Data Retention 450 can be thought of as the WORM component of a huge content- and data-retention suite. As does EMC, IBM offers policy- and event-based storage management with compliance in mind.

The next piece of the puzzle is document management software, which ensures that information is identified, indexed, and labeled at its point of origin and then is sent to the appropriate storage medium. Leaders in this space include Documentum — recently bought by EMC — and FileNet, which offers Content Manager and Records Manager as part of its FileNet Compliance Framework. A document and information policy management application, where policy and rules settings can be changed to meet different regulations, comes with PSS Systems’ Atlas IPM (Information Policy Management) suite.

Thanks to a few high-profile fraud cases, e-mail has emerged as an infamous liability. The archiving of e-mail — and more recently, IM — has received much attention from vendors such as Legato, which was bought by EMC last year, and from several specialty archiving software providers, including iLumin and KVS. Along with its shrink-wrapped product, EAS (Exchange Archive Solution), e-mail archive provider Zantaz provides a hosted solution called Digital Safe Service.

Such offerings ensure that e-mail and IMs are indexed in real time, while allowing IT to set up rules and policies that allow for sophisticated searches and timely retrieval.

Security and identity services play a critical role in proving that the information being committed to record is valid (see “Covering Your Assets,” page 38). “If your systems themselves aren’t secure, then what good is the information from those systems?” Gartner’s Wood asks. “But this is a case where enterprises already ought to have systems in place before compliance issues are even considered.”

Rick Caccia, director of product management at Oblix, producers of CoreID identity management software, acknowledges that the company has no specific compliance offering and that many IT outfits are leveraging existing security systems. “But we can automatically generate audit trails for the applications we protect,” he says. “So, it becomes useful in the compliance arena, where a lot of the language in the regulations, particularly Sarbanes-Oxley, is pretty vague when it comes to defining ‘effective controls.’ ” In the end, security tends to become distributed across the framework by access-control limitations placed on a variety of systems.

Leveraging Existing Assets

For every compliance need there is a vendor. But to avoid needless spending, industry groups stress the importance of making a top-to-bottom assessment of IT assets before writing any checks. That way you can determine which assets can be folded into a compliance framework. “The No. 1 thing you want to do is take inventory so you can look at what you have and figure out whether or not it can be repurposed,” says John Haggerty, vice president of AMR Research. “A company already heavily invested in document management can bypass those potentially costly solutions, whereas some other company may have to go outside and find a vendor to assist in that area.”

According to analysts, the biggest piece typically missing at small and midsize companies is the BPM component. BPM software demands extensive application integration, but after BPM is implemented, IT can string together workflows across existing applications, making the most of applications already in place. BPM vendors such as IBM, Lombardi Software, Intalio, and Savvion all provide the tools needed to create enterprise-spanning compliance solutions. “If you can’t validate the process by which you gathered the information, how can you validate the information?” asks Chris McLaughlin, director of product marketing at FileNet, which equips its software with BPM-like capabilities. “That’s what Section 404 is all about. Content management only addresses half of it.”

INFOWORLD.COM 08.09.04, page 37

Regulation Rundown: A wealth of compliance resources awaits you online.

American Institute of Certified Public Accountants: aicpa.org
The Compliance Consortium: thecomplianceconsortium.org
Compliance Pipeline: compliancepipeline.com
Compliance Week: complianceweek.com
Health and Human Services, Office of Inspector General: oig.hhs.gov
Jefferson Wells International: www.jeffersonwells.com
Open Compliance and Ethics Group: oceg.org
U.S. Sentencing Commission: ussc.gov

Big players such as Microsoft, SAS, BMC, SAP, and PeopleSoft have entered the field to provide compliance solutions, while Nth Orbit, Movaris, HandySoft, OpenPages, and Paisley Consulting continue to provide specialized offerings. But analysts and even some vendors caution IT shops to be wary of anyone promising an end-to-end solution with unmatched sophistication. “No one can give you compliance in a box,” PSS’ Paknad asserts.

Jeff Lundberg, senior product marketing manager at Veritas, urges IT to “look for solutions that provide features and functions that can be adapted as regulations change and new ones come into play.”

That may be difficult, as companies scramble to meet deadlines. An April 2004 survey by the Institute of Internal Auditors reported that a mere 2 percent of respondents said they were ready for Section 404 certification this November. No doubt point solutions will be slapped on in some cases instead of extensible ones. But after the dust clears, the companies that deploy framework-based technologies will ultimately enjoy an overall increase in IT flexibility, rather than simply staving off the long arm of the law.

INFOWORLD.COM 08.09.04, page 38

Covering Your Assets

As components of your compliance framework expand, their functions spread across an array of IT systems and business processes. The chart is a Yes/No matrix of functions against systems; the individual cells are not reproduced here.

Functions (rows): Intra-application routing and workflow; Content storage, presentation, and scripting; Data and metadata management; Interapplication routing and workflow; Access control; Audit trail; Approval, status, and escalation; Process and control documentation; Analytical reporting; Collaboration

Systems (columns): Security and identity; Business process management or portals; Records, knowledge, document, and content management; Integration broker suites; Business continuity management; Business activity monitoring; Corporate performance management (forecasting, planning, budgeting, consolidations, reporting); Financial management systems

SOURCE: GARTNER. NOTE: Not intended as a comprehensive list


INFOWORLD.COM 08.09.04, page 41

BY SEAN MCCOWN | ILLUSTRATION BY BEN BARBANTE

Prying eyes can cost companies big time, especially when medical records are exposed. These techniques for obscuring database records can help

Many companies that were doing business in a relatively carefree fashion a year ago now find their customers insisting on high levels of accountability. Of course, health-care organizations have been under the watchful eye of the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and the Health Insurance Portability and Accountability Act (HIPAA) for quite some time. But public companies outside the health-care industry have woken up to find themselves facing Sarbanes-Oxley and other mandates. And in April 2005, HIPAA’s Final Security Rule will kick in, exposing organizations to potential lawsuits if medical records are exposed — even when as a result of skillful hacking.

Each of these regulations requires enterprises to protect and control the flow of information. Strong, identity-based access-control systems accomplish this for applications and resources, but when it comes to databases — against which employees may have become accustomed to performing ad-hoc queries — the situation can be more difficult. In those cases, one way to protect data from prying eyes is to obscure it.

You can’t know whether a database is truly secure unless you know what data has been accessed, how it has been modified, and who has viewed it. Entegra — an enterprise-level auditing tool for SQL Server (and soon for Oracle) — can tell you all these things. And it does so in a way that’s easy to implement, that’s highly scalable, and that minimizes the impact on database performance.

Entegra audits all SQL activity, including inserts, updates, and deletes, as well as changes to database schema, access permissions, and views. It uses agents to collect these activities at scheduled intervals, stores them in a central repository, and provides a Web browser interface to view reports. Entegra can also send e-mails and other alerts in response to events that you specify; for example, if a table schema is changed or an entry in a table is deleted, any number of administrators can be notified.

Obscuring data for compliance — at its most basic level — just means keeping people from seeing what they’re not supposed to see. There are two parts to obscuring data: security and privacy. Threats range from analysts clicking on the wrong database table and accidentally seeing something they shouldn’t, to a disgruntled employee looking to get back at the company. So, whether you lock everyone out of your database or just arrange the data so that no personal information can be viewed by nonessential personnel, there are time-tested techniques for protecting your company and your clients against privacy invasion.

There are many ways to obscure data from wandering eyes — and sometimes DBAs just have to get creative if they are going to achieve their goals. The methods used range in difficulty based not only on the level of sensitivity of the data but also on the skill of the DBA, the company’s level of commitment, and the amount of time afforded for the project.

Basic Techniques

Stored procedures are the most flexible tool DBAs have for obscuring data. Stored procedures are snippets of SQL code that have been compiled and saved in the database itself, resulting in better performance than that provided by noncompiled SQL. Stored procedures can also call other procedures, views, and functions and can perform any type of math available to the SQL language. Using well-designed procedures, a DBA can alter data in almost any way necessary, including encrypting it.

Views, another way to obscure data, are a logical representation of data that can join several tables at a time while maintaining a good level of security. Sensitive columns can be filtered out — or even modified — using simple conditional statements. Because they are less flexible than stored procedures and can’t make major modifications to data, however, views are only useful for protecting against minor threats. Nonetheless, they are still useful for obscuring data as well as the underlying schema.

UDFs (user defined functions) are the next level down in data obscurity. UDFs are similar to stored procedures that can be applied to individual columns. UDFs are implemented at the database level but can be called directly from queries — unlike stored procedures, which replace the query. Because they are more granular than stored procedures, UDFs can actually be more flexible.

INFOWORLD.COM 08.09.04, page 42

Auditing not only gives you a solid measure of your success but it also provides you with an added layer of security.

But these techniques must be deployed properly for maximum effect. Here, it’s assumed that you’re designing these solutions for internal protection. (External solutions are a different story completely.) Typically, you would apply these methods when supplying analysts with data via the Web, for example, rather than giving them free access to execute any query they want to write.
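The three techniques above, shown together in T-SQL as an added example; this is not code from the article or from any vendor it names. The dbo.Patient table and its rows, the dbo.MaskSSN function, the dbo.PatientForAnalyst view, the dbo.GetDepartmentPatients procedure and the AnalystRole role are all constructed for illustration, and the syntax is that of SQL Server 2000, the platform covered in the sidebar. The last batch is the deployment step the paragraph above insists on: the analyst role is granted the view and the procedure and is denied the base table, so a login that holds only that role cannot skip the masking by querying dbo.Patient directly.

```sql
-- Constructed sample table: a small patient register with one sensitive
-- column (SSN) and two columns (FullName, Diagnosis) analysts should not see.
CREATE TABLE dbo.Patient (
    PatientID  INT          NOT NULL PRIMARY KEY,
    FullName   VARCHAR(100) NOT NULL,
    SSN        CHAR(11)     NOT NULL,
    Diagnosis  VARCHAR(200) NOT NULL,
    Department VARCHAR(50)  NOT NULL
);
GO

-- Constructed rows; the SSNs are placeholders, not real numbers.
INSERT INTO dbo.Patient VALUES (1, 'Ada Example',    '123-45-6789', 'Hypertension', 'Cardiology');
INSERT INTO dbo.Patient VALUES (2, 'Bob Sample',     '987-65-4321', 'Fracture',     'Orthopedics');
INSERT INTO dbo.Patient VALUES (3, 'Cy Placeholder', '555-55-5555', 'Arrhythmia',   'Cardiology');
GO

-- UDF: column-level masking that any query can call directly.
-- The last four digits survive so staff who already hold them can match
-- a record; everything else is replaced.
CREATE FUNCTION dbo.MaskSSN (@ssn CHAR(11))
RETURNS CHAR(11)
AS
BEGIN
    RETURN 'XXX-XX-' + RIGHT(RTRIM(@ssn), 4);
END
GO

-- View: a logical representation that filters sensitive columns out
-- (FullName and Diagnosis are simply absent), masks SSN through the UDF,
-- and derives a coarse category with a conditional expression.
CREATE VIEW dbo.PatientForAnalyst
AS
SELECT  PatientID,
        Department,
        dbo.MaskSSN(SSN) AS SSN,
        CASE WHEN Department = 'Cardiology' THEN 'Cardiac' ELSE 'Other' END AS Category
FROM    dbo.Patient;
GO

-- Stored procedure: replaces the ad-hoc query entirely. The caller gets
-- the masked rows for one department and never writes SQL of their own.
CREATE PROCEDURE dbo.GetDepartmentPatients
    @Department VARCHAR(50)
AS
    SET NOCOUNT ON;
    SELECT  PatientID,
            dbo.MaskSSN(SSN) AS SSN,
            Department
    FROM    dbo.Patient
    WHERE   Department = @Department;
GO

-- Deployment: the part that makes the techniques hold. Analysts get the
-- view and the procedure; SELECT on the base table is denied outright.
-- Because dbo owns the table, the view and the procedure alike, SQL
-- Server's ownership chaining lets the view and procedure read the table
-- on the analyst's behalf without re-checking table permissions, while a
-- direct SELECT on dbo.Patient by an analyst is refused.
EXEC sp_addrole 'AnalystRole';
GO
DENY  SELECT  ON dbo.Patient               TO AnalystRole;
GRANT SELECT  ON dbo.PatientForAnalyst     TO AnalystRole;
GRANT EXECUTE ON dbo.GetDepartmentPatients TO AnalystRole;
GO

-- What a member of AnalystRole can run (masked rows come back):
--   SELECT * FROM dbo.PatientForAnalyst;
--   EXEC dbo.GetDepartmentPatients @Department = 'Cardiology';
-- What a member of AnalystRole cannot run (permission denied):
--   SELECT SSN, Diagnosis FROM dbo.Patient;
```

Run it with Query Analyzer or osql, which treat GO as the batch separator (CREATE VIEW and CREATE FUNCTION must each be the only statement in their batch). The scalar function is called with its two-part name, dbo.MaskSSN, which SQL Server requires. The DENY matters more than it looks: without it the masking is only a convenience, since anyone who can read dbo.Patient can read the raw SSN column; with it, the masking is the only path for that role. A sysadmin or db_owner still bypasses everything here, which is the gap the article's later point about database-level encryption addresses.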

Of course, you can bypass each of

Database Auditing Made Easy

Entegra tracks all SQL activity, including changes to permissions and schema. But reporting is limited.

Page 11: b GET TECHNOLOGY RIGHT INFOWORLD TheFedsAreWATCHING …jdurrett.ba.ttu.edu/notpublic/Feds are Watching are... · the foundations of a sound compliance architecture (see “Compliance

Installing Entegra is easy. Drop an agent oneach monitored server and install the repositoryon another server of your choice. The Entegrarepository should be a beefy box if you plan totrack activities on many databases or if it’sgoing to have a lot of users. After installingEntegra, simply configure the databases youwant audited and assign collection times andlocations.

What separates Entegra from the competi-tion is that collection times and locations canbe assigned. Most database-auditing productshave a tremendous impact on production sys-tems because they use triggers (stored proce-dures that run when a table is changed),network sniffing, or a combination of both.Those methods are resource-intensive. Ente-gra, on the other hand, makes use of transac-tion logs or even backups of transaction logs toallow you to schedule audit-data collectionduring downtime.

When you are auditing Select statements,however, this flexibility is lost. Select state-ments can only be audited in real time;

because of this, Entegra uses SQL Server’strace APIs to track them. The only other way toperform this task is to sniff the network; usingAPIs is the better choice. If you audit all Selectstatements coming into the database, yourperformance will suffer — audit only the mostimportant tables.

The one downside to Entegra is that it lacks a report editor. The Web GUI allows you to filter audit data based on several criteria, but it doesn’t provide many of the features you’d expect from a tool of its kind, such as user profiles, custom reporting, and exporting to other formats. For example, if you want to look at the same view each time, you have to save it as a favorite in your browser. Most shops will want to use a third-party tool to create their own reports.

Entegra is a fully capable auditing solution for SQL Server. The user interface suffers from limited features and reporting capabilities. But Entegra shines where it matters most, which is collecting the necessary audit data while putting minimum load on your servers. — S.M.

Entegra for SQL Server 2.0.2
Lumigent, lumigent.com

VERY GOOD 7.5
Manageability (20%): 8
Performance (20%): 7
Ease of Use (15%): 7
Reliability (15%): 8
Reporting (10%): 4
Setup (10%): 8
Value (10%): 6

COST: $16,000 as tested, including Entegra Base System ($10,000), Sentry Module ($1,000), and Privacy Module ($5,000)

PLATFORM: Microsoft SQL Server 7 and SQL Server 2000 on Windows NT, Windows 2000, Windows XP, and Windows Server 2003

BOTTOM LINE: Entegra doesn’t come cheap, and you’ll need a third-party reporting tool if you want rich reports. But for companies falling under strict compliance guidelines, it can provide enterprise-class auditing on hundreds of servers without severely impacting the performance of the production environment.

INFOWORLD.COM 08.09.04 43

these methods and just encrypt that data in the database itself. This comes at a cost: not only does it take extra time to write the record, because it has to pass through the encryption routine, but you also have to buy an encryption routine. These typically aren’t cheap, and unless you have a cryptographer on staff, you may find yourself in the middle of a very expensive solution. Using encryption has one major advantage, however: With all the other methods, anyone who knows the database schema can bypass the mechanisms you’ve put in place and query the data directly. This isn’t possible with database-level encryption, provided the keys are kept where those users cannot reach them. A user who is allowed to call the decryption routine, or an administrator who can read the key, is back to querying plaintext, so key management is the part of the design that decides whether encryption adds anything.

Use Your Imagination

When it comes to obscuring data from users, you can seldom be too creative. Remember that data obscurity is one security measure among several, not a substitute for access control, and that good security never has a single point of failure. You would never see a network where a firewall or a router or a simple password policy was the sole security measure. So, just as your network makes use of many levels of routers, firewalls, access policies, and passwords, your database should have multiple levels of security.

When it comes to securing data, I live by a simple philosophy: Treat everyone as a potential criminal. Threats come from both sides of the firewall. You never know when a disgruntled employee might do malicious damage to the network or walk off with a copy of a database backup. These are real possibilities that must be considered, not only for your company’s own needs but also to protect your customers from the fallout of having their sensitive data exposed.

With internal threats in mind, another common method of obscuring data is to create a separate reporting database, possibly even on a separate server. An ETL (extraction, transformation, and loading) tool can be used to publish data to this separate database and transform it along the way. This may be the most secure of all the methods discussed so far, because users need not be given access to the production database. Furthermore, the DBA can take steps to ensure that the reporting database doesn’t contain sensitive data.

Another crafty technique is to create routines that insert extra data as a smoke screen to confuse anyone who gains access to your database. By keeping a pool of fictitious names, phone numbers, and so on, you can generate random false records, making it far harder for even a disgruntled insider to tell whether any given record is accurate. The decoys must be filtered out before the data reaches any system that acts on it; a decoy that leaks into a clinical or billing workflow is a data-integrity failure, not a security feature.

I implemented this solution for a major health-care organization, and it worked very well. Even the biostatisticians couldn’t spot the fake data. I also created three false records for every real one, which greatly diminishes the likelihood of a thief finding a real record. Separating the genuine records from the bogus ones simply becomes too much trouble.

So how can the system administrators tell fake data from real data? Well, obviously you have to plan ahead for that one. There are two basic methods for separating the data back out. One way is to create an extra column that provides some kind of control. This column can be encrypted, or it can be a bit flag with an ambiguous name.

However, I prefer to not have anything in the database that might allude to the fact that all the data isn’t real. Rather, I prefer to create records in another system and then use a join to pull the real records back out again. This way, everything in the production system is real to everyone who sees it, no matter how closely they look at it. The key is kept in a different location.

No Single Solution

By now it should be clear that the best plans for securing data will combine several of these methods.

For example, you can use stored procedures or UDFs that call encryption routines, but UDFs by themselves aren’t effective, because nothing forces a user to wrap the column inside the function; a query that names the column directly gets the raw value. You should give users a view to query and write the view so that it wraps the columns inside the UDF. This way, users can still perform ad-hoc queries on the data, while administrators maintain control over what the users see.

If you are adding dummy data, views can be used to conceal that fact from your users. By creating the view with a join against a foreign table that filters out the extra data, you can create an additional level of obscurity. This same technique could be deployed as a stored procedure as well. If you employ this method, don’t forget to run your fake data through the same encryption routines as your real data. It completes the illusion. Not publishing your schema keeps casual users from knowing which tables to query, but don’t rely on it: anyone who holds rights on the base tables can read their names out of the system catalog. Grant users SELECT on the views and deny it on the underlying tables; because the view and the tables share an owner, ownership chaining lets the view read what the user cannot.
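As an added example (not from the original article), the following T-SQL puts the ideas of this section together: a masking UDF made mandatory by a view, a join against a separate table that filters out the decoy rows, and permissions that stop users from going around the view. It assumes SQL Server 2005 or later, a throwaway database, and hypothetical names (dbo.Patient, vault.RealPatient, dbo.MaskSsn, the Analyst role); the separate vault schema stands in for the “different location” where the article keeps the key to the real records.

```sql
-- Added example (not from the original article). Assumes SQL Server 2005+, a throwaway
-- database, and a sysadmin connection; every name below is a placeholder.
CREATE SCHEMA vault AUTHORIZATION dbo;
GO

CREATE TABLE dbo.Patient (
    PatientId int           NOT NULL PRIMARY KEY,
    FullName  nvarchar(100) NOT NULL,
    Ssn       char(11)      NOT NULL,
    Diagnosis nvarchar(200) NULL
);
-- The list of genuine records is the secret. The article keeps it on another system;
-- a separate, denied schema stands in for that here.
CREATE TABLE vault.RealPatient (PatientId int NOT NULL PRIMARY KEY);
GO

-- Constructed data: one real record and three decoys drawn from a pool of fake names.
INSERT dbo.Patient VALUES (1001, N'Jane Roe',     '123-45-6789', N'Type 2 diabetes');
INSERT dbo.Patient VALUES (1002, N'Alan Smithee', '987-65-4321', N'Hypertension');
INSERT dbo.Patient VALUES (1003, N'Pat Doe',      '555-12-3456', N'Asthma');
INSERT dbo.Patient VALUES (1004, N'Sam Nobody',   '222-33-4444', N'Migraine');
INSERT vault.RealPatient VALUES (1001);
GO

-- The masking UDF. On its own it is voluntary: a query naming dbo.Patient.Ssn gets the raw value.
CREATE FUNCTION dbo.MaskSsn (@ssn char(11)) RETURNS char(11)
AS
BEGIN
    RETURN 'XXX-XX-' + RIGHT(@ssn, 4);
END;
GO

-- The view makes the UDF mandatory and drops decoys through the join. Decoys go
-- through the same masking as real rows, so nothing in the output gives them away.
CREATE VIEW dbo.PatientReport
AS
SELECT p.PatientId, p.FullName, dbo.MaskSsn(p.Ssn) AS Ssn, p.Diagnosis
FROM dbo.Patient AS p
JOIN vault.RealPatient AS r ON r.PatientId = p.PatientId;
GO

-- Analysts get the view and nothing else. The view and the tables share an owner (dbo),
-- so ownership chaining lets the view read tables the role is denied.
CREATE ROLE Analyst;
GRANT SELECT ON dbo.PatientReport TO Analyst;
DENY  SELECT ON dbo.Patient       TO Analyst;
DENY  SELECT ON SCHEMA::vault     TO Analyst;
CREATE USER analyst1 WITHOUT LOGIN;
EXEC sp_addrolemember 'Analyst', 'analyst1';
GO

-- Check as the analyst. Each statement is its own batch so the denied one does not
-- stop the rest.
EXECUTE AS USER = 'analyst1';
SELECT * FROM dbo.PatientReport;          -- one row: 1001, Jane Roe, XXX-XX-6789, Type 2 diabetes
GO
SELECT TOP 1 Ssn FROM dbo.Patient;        -- Msg 229: The SELECT permission was denied
GO
-- "Who has access to data": the analyst's effective rights on the view and on the base table.
SELECT 'dbo.PatientReport' AS entity, permission_name
FROM   fn_my_permissions('dbo.PatientReport', 'OBJECT')
UNION ALL
SELECT 'dbo.Patient', permission_name
FROM   fn_my_permissions('dbo.Patient', 'OBJECT');   -- no rows: nothing is held on the base table
REVERT;
GO
```

The last query is the cheap way to answer the audit question of who can reach what: run it (or query sys.database_permissions for every principal) and keep the output with your compliance records. If the view and the base tables are ever given different owners, the ownership chain breaks and the analyst would need rights on the tables, which is exactly the bypass the view is meant to prevent.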

When I was brought in to lead the compliance effort for a major hospital chain, I entered a culture in which all the system administrators and analysts had enjoyed complete access to all the clinical databases for years. They were very familiar with both the schema and the data itself. It forced me to build another schema that summarized the data for the analysts and loaded it every night from the production systems. This schema resided on a different server, in another building, under the control of an outsourced datacenter. The administrators and analysts were then locked out of the production systems, and the backups were encrypted to protect against theft from outside. In this case, it wasn’t necessary to encrypt anything because sensitive data simply wasn’t being brought over to the reporting system.

Monitoring the Results

After putting your plan in place, you still need to measure your success. Auditing is the best way to achieve this. I’m not going to lie to you; a complete, enterprise-level auditing solution is not cheap, and depending on the database you have, you may never find a perfect solution. That doesn’t mean you shouldn’t try: auditing not only gives you a solid measure of your success but it also provides you with an added layer of security.

Unlike some security measures, you need not keep this process under wraps. In fact, if users are aware that their database activity is being audited and that there are severe penalties for tampering, they’re far less likely to try to circumvent your plan. Oftentimes

Countdown to the HIPAA Time Bomb

Companies have until April 21, 2005 to ready their databases for HIPAA. So what can database administrators do to ensure compliance?

• Determine which data can be considered sensitive.
• Perform a risk analysis and document justifications for decisions made.
• Determine security measures based on identified danger levels.
• Establish metrics for success, such as proof of thwarted real or simulated attacks.
• Audit not only changes to each system, but who has access to data.
• Encrypt backups for off-site storage.


Flexible and Granular Database Protection

DbEncrypt allows you to apply column-level encryption in your SQL Server database and assign view permissions to different users. Whether for obscuring credit card numbers, social security numbers, personal patient information, or financial data, being able to encrypt specific elements in a database is becoming more important as companies increasingly share records across departments or with outside organizations.

Installing DbEncrypt 2.5.0 is relatively easy. You install a client on your workstation, then connect to the database through the client to install the server-side objects that perform the encryption. The encryption mechanisms offered by DbEncrypt are very powerful; it has 11 encryption algorithms including AES (Advanced Encryption Standard), RC4, DES, and RSA encryption. (Of these, pick AES for new columns; single DES and RC4 have well-known weaknesses and are poor choices for data you are encrypting because a regulation says it is sensitive.) DbEncrypt also comes with code samples for all 11 encryption types, as well as sign/verify, hash, and encode/decode, to add encryption directly to your applications.

The audit trail feature allows authorized users to view information about encryption and decryption activity in the database as well as all administrative activities. The audit log may be viewed only through the DbEncrypt client utility and won’t mesh with an enterprise-level auditing solution; it audits only activity in DbEncrypt.

DbEncrypt also manages its own security. By mapping database log-ins directly to DbEncrypt log-ins, administrators can define who can and can’t use encryption and view encrypted data, all the way down to the column level. Defining encryption schemes and assigning permissions for a column or for an entire table couldn’t be easier.

Although log-ins are mapped to encryption mechanisms in DbEncrypt, they don’t give the user automatic access to the data; a separate password must also be used to log in to DbEncrypt. The unfortunate side effect of having a separate password is not only that your users have to remember two passwords just to log in to the database, but also that it opens up a second authentication path on your server that’s susceptible to brute-force attacks, one that your existing lockout and password policies may not cover.

One caveat with this program is its extremely invasive nature. The invasiveness can’t really be avoided, because the only way to get the kind of security that DbEncrypt offers is to permeate code throughout the database.

Here’s what it does: DbEncrypt has a series of .dlls on the server that it uses to control the encryption and user access to the encrypted columns. But to accomplish the level of security desired, it must rename the base table and create two views. The highest-level view is given the same name as the original table. This could potentially cause a huge problem because, although views are updatable, DbEncrypt requires you to remove any constraints or indexes on the columns before encrypting. Losing an index on the column means queries that filtered or joined on it will scan instead, and losing a constraint means the database no longer enforces the rule the constraint expressed; the application has to take that over. This extra step could affect performance and possibly the integrity of your database.

DbEncrypt is a powerful encryption tool that allows administrators to easily secure sensitive data. However, when Microsoft SQL Server 2005 is released next year, it will make DbEncrypt unnecessary for Microsoft shops. SQL Server 2005 promises built-in encryption that will be fairly accessible to admins with just a few lines of code. — S.M.
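The following is an added example, not the article’s text and not DbEncrypt’s code. It uses the built-in encryption that SQL Server 2005 introduced to reproduce the pattern the review describes: the base table is renamed, a view with the original name fronts it, and an INSTEAD OF trigger encrypts on the way in. It also shows the point made earlier in the article, that knowing the schema does not help a user who cannot open the key. The names (dbo.Patient, PhiCert, PhiKey, the PhiReader and PhiBlind roles) and the master-key password are placeholders; run it as a sysadmin in a throwaway database.

```sql
-- Added example (not the article's text, not DbEncrypt's code). Assumes SQL Server 2005+,
-- a throwaway database, and a sysadmin connection. All names and the password are placeholders.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-me-with-a-long-random-passphrase-1!';
CREATE CERTIFICATE PhiCert WITH SUBJECT = 'Protects the PHI column key';
CREATE SYMMETRIC KEY PhiKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE PhiCert;
GO

-- The table as the application knows it, with one constructed row.
CREATE TABLE dbo.Patient (
    PatientId int           NOT NULL PRIMARY KEY,
    FullName  nvarchar(100) NOT NULL,
    Ssn       char(11)      NOT NULL
);
INSERT dbo.Patient (PatientId, FullName, Ssn) VALUES (1001, N'Jane Roe', '123-45-6789');
GO

-- Step 1: rename the base table and add a ciphertext column.
EXEC sp_rename 'dbo.Patient', 'Patient_base';
ALTER TABLE dbo.Patient_base ADD SsnEnc varbinary(256) NULL;
GO

-- Step 2: encrypt the existing plaintext, then drop it. Any index or constraint on Ssn
-- has to be dropped first, and the ciphertext column cannot usefully be indexed: this is
-- the performance and integrity cost the review warns about.
OPEN SYMMETRIC KEY PhiKey DECRYPTION BY CERTIFICATE PhiCert;
UPDATE dbo.Patient_base SET SsnEnc = EncryptByKey(Key_GUID('PhiKey'), Ssn);
CLOSE SYMMETRIC KEY PhiKey;
ALTER TABLE dbo.Patient_base DROP COLUMN Ssn;
GO

-- Step 3: a view with the original name decrypts for callers who are allowed to open the key.
CREATE VIEW dbo.Patient
AS
SELECT PatientId,
       FullName,
       CONVERT(char(11), DecryptByKeyAutoCert(Cert_ID('PhiCert'), NULL, SsnEnc)) AS Ssn
FROM dbo.Patient_base;
GO

-- Step 4: writers keep inserting into dbo.Patient; the trigger encrypts on the way in.
-- EXECUTE AS OWNER lets the trigger open the key even when the writer may not.
CREATE TRIGGER dbo.Patient_InsteadOfInsert ON dbo.Patient
WITH EXECUTE AS OWNER
INSTEAD OF INSERT
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY PhiKey DECRYPTION BY CERTIFICATE PhiCert;
    INSERT dbo.Patient_base (PatientId, FullName, SsnEnc)
    SELECT PatientId, FullName, EncryptByKey(Key_GUID('PhiKey'), Ssn) FROM inserted;
    CLOSE SYMMETRIC KEY PhiKey;
END;
GO

-- Step 5: who sees plaintext is decided by key permissions, not by knowing the schema.
CREATE ROLE PhiReader;
CREATE ROLE PhiBlind;
GRANT SELECT, INSERT ON dbo.Patient TO PhiReader, PhiBlind;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::PhiKey TO PhiReader;
GRANT CONTROL ON CERTIFICATE::PhiCert TO PhiReader;
CREATE USER clinician WITHOUT LOGIN;
CREATE USER analyst   WITHOUT LOGIN;
EXEC sp_addrolemember 'PhiReader', 'clinician';
EXEC sp_addrolemember 'PhiBlind',  'analyst';
GO

EXECUTE AS USER = 'analyst';
INSERT dbo.Patient (PatientId, FullName, Ssn) VALUES (1002, N'Alan Smithee', '987-65-4321');
SELECT PatientId, Ssn FROM dbo.Patient;   -- Ssn is NULL for both rows: the analyst cannot open the key
REVERT;
GO
EXECUTE AS USER = 'clinician';
SELECT PatientId, Ssn FROM dbo.Patient;   -- 1001 123-45-6789 and 1002 987-65-4321
REVERT;
GO
```

The analyst knows the schema, can read dbo.Patient_base if granted it, and can even write new records through the view, yet gets NULL back for the encrypted column because the key and certificate permissions were never granted to that role. That is the separation the article describes; it holds only as long as nobody in the PhiBlind role can also reach the certificate, the database master key, or an unencrypted backup of the database.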

this is all it takes to raise the integrity level of your staff. You can even keep your auditing costs down by using what I like to call the dog-training approach.

If you’ve ever bought those electrified mats that shock your dog when he walks across them, you know what I’m talking about. The mats have a pattern on them, which the dog learns to associate with the shock. When you buy the mats, they sell you dummy mats as well. The theory is that the dog will learn to not walk across anything with the mat’s pattern.

Auditing works the same way. Audit your major systems, but tell your employees that all the systems are under full audit. This should give you the best of all worlds: Your company is compliant, provided the audited set really does cover every system your regulation reaches; you didn’t have to actually pay to audit all the systems; and you have the most honest employees around.


DbEncrypt 2.5.0
Application Security, appsecinc.com

VERY GOOD 7.2
Manageability (25%): 8
Ease of Use (20%): 7
Performance (20%): 6
Reliability (15%): 8
Setup (10%): 7
Value (10%): 7

COST: $15,000 per Oracle SID or SQL Server instance

PLATFORM: Oracle database server, Microsoft SQL Server

BOTTOM LINE: DbEncrypt is an enterprise-level database encryption utility that is easy to install and configure, and it works at the column level. Decryption of the columns can be configured through the user interface, and it is easy to add and remove permissions. However, such software will be obsolete for Microsoft shops when SQL Server 2005 is released.
