The importance of establishing a trusted connections list or whitelisting for data security!
Database monitoring is a key data security control needed today in the age of relentless cyber-attacks, especially with all the data privacy regulations coming up (i.e., GDPR, CCPA etc.) the awareness to implement a data protection program is growing. If you have been monitoring database activity for a while or are just getting started, you may have noticed that databases are very busy and if you log every activity, it’s easy to lose focus on the real threats. Which is why establishing a trusted connections list or whitelisting is so important to help shift through the “noise” coming from your database activities.
Adaptive Systems is a firm exclusively focused on data security and compliance. Data is exploding in the enterprise and organizations want to get control of their data. We help secure all paths to your data, whether it’s on-prem, in the cloud, or hybrid cloud. We help answer questions like how your data is accessed, where data is accessed and who is accessing the data.
One of the biggest challenges to securing “all paths to the data” is the sheer “noise” coming from the databases and shifting through this noise to find out what’s really happening is a tedious task. Databases are very “noisy” because there are n-number of service accounts connecting to the databases and sometimes it feels like you are looking for a needle in a haystack! Therefore, establishing a list of trusted connection or a whitelisting is so important.
So how do you cut through this noise? We use IBM Guardium as our go-to tool. In the past, we have seen clients that use Guardium for SOX compliance receive a 60+ page SOX report! Who is going to go through a 60+ page SOX report? That 60-page report is basically useless because no one is going to read it. By whitelisting we can bring this report down to 2 pages! When you cut through the noise and develop a whitelist, you end up with a 2-page report that is consumable and actionable.
Using IBM Guardium, we collect the session information from the database activity (i.e., database IP, client IP, DB name, etc.) andover the course of a week or two we study the data collected and we see a pattern starting to form. We take this activity report and ask the application or business owner to verify that this behavior is “normal”. After verifying this “normal” BAU activity, we create a whitelist to ignore in Guardium and cut the 60+ page report down to only 2 pages!
There are many other benefits to whitelisting besides shorter reports. By establishing trusted connections, the cost of monitoring is reduced in terms of storage, CPU utilization and IO bottlenecks; performance degradation on monitoring infrastructure including database servers; reduced human resource effort to keep lights green.
Do you have a need to establish a whitelist and cut through the clutter? Feel free to contact us and let us know how we can help.
For further reading on whitelisting and other topics related to data security:
Worrying About Your White List: Defining Trust in Database Sessions