Presentation is loading. Please wait.

Presentation is loading. Please wait.

Angelo Tracanna Senior Manager, OpenEdge Data Management

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Angelo Tracanna Senior Manager, OpenEdge Data Management"— Presentation transcript:

1 Angelo Tracanna Senior Manager, OpenEdge Data Management
Auditing: Do You Care Who Did What, When, Where and How? (OpenEdge™ 10.1) Angelo Tracanna Senior Manager, OpenEdge Data Management

2 Agenda Slide Why auditing? Auditing in OpenEdge® overview
Using auditing in OpenEdge Auditing best practices Future thinking Auditing: Who Did What, When, Where, How?

3 Under Development D I S C L A I M E R
This talk includes information about potential future products and/or product enhancements. What I am going to say reflects our current thinking, but the information contained herein is preliminary and subject to change. Any future products we ultimately deliver may be materially different from what is described here. D I S C L A I M E R Auditing: Who Did What, When, Where, How?

4 Core Business Services Vision Statement
“Provide a comprehensive set of common business services that provide the core feature support of a modern SOA based application modeled on the OpenEdge Reference Architecture” Auditing: Who Did What, When, Where, How?

5 Core Service: Auditing Mission Statement
“Provide an auditing framework that can supply an uninterrupted trail of an application client’s access to its operations and data” Auditing: Who Did What, When, Where, How?

6 Customer Key Drivers for Auditing
1. Compliance with international Government regulations, e.g. Sarbanes-Oxley Act, CFR Part 11, HIPAA, European Union’s Annex 11, European Union Data Protection Directive, etc. 2. Secure auditing to support non-repudiation of audit data 3. High performance, scalable and efficient storage of audit data 4. Consistency across SQL, 4GL and database utilities Auditing: Who Did What, When, Where, How?

7 The Regulatory Compliance Challenge
Organizations today face a growing number of regulations that mandate the accuracy and reliability of information – not just SOX! Sarbanes-Oxley Act 21 CFR Part 11 Gramm-Leach-Bliley Act Basel II HIPAA EU Data Protection Directive Auditing: Who Did What, When, Where, How?

8 Regulatory Compliance: Sarbanes-Oxley (SOX)
Act What is it? Enacted July 30, 2002 Designed to protect investors Senior management and advisors personally accountable Financial information must remain confidential and privileged Data integrity and quality are key Section 404 — Internal Controls annual evaluation and documentation of the internal controls and procedures in place to produce financial information Section 302 — Certifying Results CEO and CFO to certify the existence of controls and sign-off on the organization’s financial statements Section 409 — Reporting Auditing: Who Did What, When, Where, How?

9 Regulatory Compliance: Example Auditor Objectives
Logging and reporting Determine who modified the database schema and when List all schema changes by date by user Determine who has access to particular systems List of resources and the users who are authorized to access them Ensure user accountability For a particular user, list their actions over a period of time Ensure terminated employees access rights are terminated in a timely manner For users who are terminated, list access rights and when they were revoked Auditing: Who Did What, When, Where, How?

10 Penalties for Non-Compliance: Sarbanes–Oxley Law!
The law includes penalties of up to 20 years in prison for chief executives and chief finance officers and fines of up to $5m (£2.5m) per violation, per person So, compliant apps help keep customers out of jail… Auditing: Who Did What, When, Where, How?

11 Compliance doesn’t impact me…?
Think again! Do you supply accounting system software? Do you supply software for the healthcare industry? Do you provide solutions to the government? Do your applications contain confidential data? Might somebody in the state of California buy your application? Have you any growth aspirations? Auditing: Who Did What, When, Where, How?

12 Think about the Opportunities!
Competitive advantage Places a  in the compliance box Enhanced functionality sells apps Security Audit trails BI reporting New product / service offerings Auditing: Who Did What, When, Where, How?

13 “The Joy of Red SOX” Competitive advantage
Think about the opportunities! Competitive advantage Places a  in the compliance box Enhanced functionality sells apps Security Audit trails BI reporting New product / service offerings You can tell tales and not got into trouble Protects whistleblowers Auditing: Who Did What, When, Where, How?

14 Secure Auditing is Key to Compliance
Audit trails can tell you who did what, when, where and how Must reflect the verifiable identify of the real application user Must be complete, accurate and non-reputable Prove audit policy and data has not been tampered with Auditing: Who Did What, When, Where, How?

15 Auditing Has a Cost! Audit trails can generate large volumes of data – quickly! Audit trails always add overhead The more you audit – the bigger the performance overhead! Must audit all methods of access to the application and data Compromises integration otherwise Auditing: Who Did What, When, Where, How?

16 Introducing… Auditing in OpenEdge®
Surviving the Auditor! Auditing: Who Did What, When, Where, How?

17 OpenEdge Database Schema-Trigger Based Auditing
4GL Client Audit Policy Tools Application Code Audit Policy Manager API Policy Data Security Manager Application Data App DB Audit Event Manager (schema triggers) Audit Data Manager Offline Audit Data Archive Daemon Manager Audit Data Archive DB Audit Report Report Manager SQL Client Application Code Auditing: Who Did What, When, Where, How?

18 Auditing Architecture Overview
4GL Client DB Tools & Utilities Open Tools Audit Policy Tools (APMT) Application Code Audit Policy Subsystem API App DB Policy Data Audit Event Subsystem Audit Data Subsystem Application Data Audit Data Security Subsystem Application Internal Database Archive DB Application Code Archiving Subsystem Reporting Subsystem Archive Daemon SQL Client Audit Data Offline Audit Data Audit Report Auditing: Who Did What, When, Where, How?

19 Audit Policy MetaSchema
Multiple active policies Audit Data Application Data Control by event Id Audit Policy Control by table / CUD operation Policy Data Event Policy File Policy Field Policy Audit Event Override individual fields Internal & application defined audit events Auditing: Who Did What, When, Where, How?

20 Audit Policy MetaSchema
Multiple active policies Control by event id Control by table / CUD operation Override individual fields Internal & application defined audit events Auditing: Who Did What, When, Where, How?

21 Audit Data MetaSchema Client Session Audit Data Audit Data Values
Record client session information Client Session Application Data Policy Data Configurable automated audit data with optional context & grouping Audit Data Audit Data Audit Data Values Optional old/new value recording Auditing: Who Did What, When, Where, How?

22 Audit Data MetaSchema Record client session information
Configurable automated audit data with optional context & grouping Optional old/new value recording Auditing: Who Did What, When, Where, How?

23 What gets Audited? Record level events No need for schema triggers
Audit Event Subsystem Database events Database Record level events Create event Update event Delete event No need for schema triggers controlled through file / field policy Auditing: Who Did What, When, Where, How?

24 What gets Audited? Authentication (login) Database connections
Audit Event Subsystem Internal events Internal Authentication (login) Database connections Schema changes Audit policy administration Security administration Database utilities Start, stop, backup, restore, dump, load, copy, etc. Audit archiving Auditing: Who Did What, When, Where, How?

25 What gets Audited? Application context Audit event groups
Subsystem Application events Application Application context Audit event groups Application defined events (ID > 32000) For events with no corresponding database operation Fully control granularity and detail, e.g. 1 audit record for dispatch of an order Can be used for read auditing Group into ranges to simplify reporting Auditing: Who Did What, When, Where, How?

26 Securing Audit Data Separation of duty No updates to audit data
Audit administrator Audit archiver No updates to audit data Prevents deletion of events, e.g. archive Audit data is sealed to prevent tampering Secured administration tools and utilities Security Subsystem Auditing: Who Did What, When, Where, How?

27 Recording the Real User
Trusted authentication systems / domains Assert verified identity of real application user Not dependent on _user records No blank user access to audit data! Security Subsystem Auditing: Who Did What, When, Where, How?

28 Managing Audit Data PROUTIL commands to enable auditing
DB Tools & Utilities Audit Policy Tools (APMT) PROUTIL commands to enable auditing Unique database ID (GUID) and description Audit Policy Maintenance Tool (APMT) Open API Securely deploy policies (via text dump or XML) Secure dump/load options for audit data Auditing: Who Did What, When, Where, How?

29 Archiving Audit Data Auditing can generate lots of data – fast!
Subsystem Auditing can generate lots of data – fast! Consider 2 billion row limit Move audit data from short term to long term storage Delete audit data no longer required Fast audit archive (binary) Select by date range Output to bit bucket Output to binary file Ability to write custom archiver Auditing: Who Did What, When, Where, How?

30 Querying Audit Data Only users granted read permission
Reporting Subsystem Only users granted read permission (Except SQL for Open Edge 10.1a) Exposed as standard database tables Requires knowledge of schema Both application schema and metaschema What are the identifying fields? How is the context formatted? (Varies by event id) Sample reports supplied Audit data searchable by User id, event id, date, context, transaction, audit group, DB connection, client session Auditing: Who Did What, When, Where, How?

31 Auditing in OpenEdge® Key Value-Add
Why use it in place of own solution? Common built-in auditing for both SQL/4GL clients Flexible audit policy management Secure audit data, policy and utilities Separation of duty Purposed audit permissions Verified user identity Secure utilities and sealed data Internal audit events (utilities, schema changes, etc.) Performance, performance, performance High performance archiving Multi-platform – not just Windows! Auditing: Who Did What, When, Where, How?

32 Auditing Demo… Auditing: Who Did What, When, Where, How?

33 Agenda Slide Why auditing? Auditing in OpenEdge overview
Using auditing in OpenEdge® Auditing best practices Future thinking Auditing: Who Did What, When, Where, How?

34 Auditing in OpenEdge® Getting Started
Enabling auditing for internal events Upgrade client / database to OpenEdge® 10.1a Enable auditing Connect to database as the DBA Set up database security key via data admin Run APMT to load / enable shipped policies Proutil dbname –C enableauditing area area1 [indexarea Area2] [deactivateidx] Auditing: Who Did What, When, Where, How?

35 Auditing in OpenEdge Getting Started
Enabling auditing for database events Run APMT Add new policies for application schema Configure tables / fields to audit Enable policies Run application as normal Query audit data via sample or custom reports Auditing: Who Did What, When, Where, How?

36 Auditing in OpenEdge Getting Started
Asserting the real application user Modify database options to use application user id for auditing Setup authentication system / domains Add application startup code to load trusted domains SECURITY-POLICY:LOAD-DOMAINS(db) Auditing: Who Did What, When, Where, How?

37 Auditing in OpenEdge Getting Started
Asserting the real application user Modify 4GL application authentication code CREATE CLIENT-PRINCIPAL hCP hCp:USER-ID = “aswindel” hCp:DOMAIN-NAME = “progress” result = hCP:SEAL(“pass phrase”) SECURITY-POLICY:SET-CLIENT(hCP) hCP:LOGOUT DELETE hCP Audited Audited Auditing: Who Did What, When, Where, How?

38 Auditing in OpenEdge Getting Started
Supplying context / application events Set / clear context at appropriate places in application Add code to record application events ctx-id = AUDIT-CONTROL:SET-APPL-CONTEXT(audit-event-ctx[,event-detail[,user-data]]) id = AUDIT-CONTROL:LOG-AUDIT-EVENT (event-id, event-context[, event-detail[, user-data]]) AUDIT-CONTROL:CLEAR-APPL-CONTEXT Auditing: Who Did What, When, Where, How?

39 Auditing Best Practices
Consider application database as short term storage for audit data Do not enable audit indexes Use separate storage area for audit data Archive often! Use purposed database for audit archive / reporting Only audit what is absolutely necessary – tune with APMT Plan for reporting Group event ids into ranges Structure context consistently Leverage audit event groups Coding style even more important (assigns, record scope, transaction scope) Auditing: Who Did What, When, Where, How?

40 OpenEdge Auditing Futures (beyond R10.1a)
Current thinking Selective audit policy for specific data Read auditing More standard reporting Direct archiving to OpenEdge database SQL audit policy administration IDE integration What else would you like to see??? Auditing: Who Did What, When, Where, How?

41 In Summary Govt. regulations & security are a concern and an opportunity Start preparing for them NOW! Upgrade to OpenEdge® 10.1 when it ships OpenEdge auditing helps you survive the auditor OpenEdge auditing adds value to your existing applications for minimal effort Avoid Jail! Auditing: Who Did What, When, Where, How?

42 Questions? Auditing: Who Did What, When, Where, How?

43 Thank you for your time! Auditing: Who Did What, When, Where, How?

44 Auditing: Who Did What, When, Where, How?

Download ppt "Angelo Tracanna Senior Manager, OpenEdge Data Management"

Similar presentations

Pennsylvania BANNER Users Group 2006 Integrate Your Decision Support with Cognos 8.

Pennsylvania BANNER Users Group 2006 Integrate Your Decision Support with Cognos 8.
Client Principal in the wild

Client Principal in the wild
Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
1 PUG Challenge Americas 2014 Click to edit Master title style PUG Challenge EMEA 2014 – Dusseldorf, Germany Tales from the Audit Trails Presented by:

1 PUG Challenge Americas 2014 Click to edit Master title style PUG Challenge EMEA 2014 – Dusseldorf, Germany Tales from the Audit Trails Presented by:
1 PUG Challenge Americas 2013 Click to edit Master title style PUG Challenge Americas 2013 – Westford, MA Tales from the Audit Trails Presented by: Mike.

1 PUG Challenge Americas 2013 Click to edit Master title style PUG Challenge Americas 2013 – Westford, MA Tales from the Audit Trails Presented by: Mike.
Improving your OpenEdge® Development Productivity David Lund Sr. Training Program Manager, Progress.

Improving your OpenEdge® Development Productivity David Lund Sr. Training Program Manager, Progress.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
PUG Norway Lillehammer March 16th & 17th

PUG Norway Lillehammer March 16th & 17th
Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.

Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.
1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.
Security Controls – What Works

Security Controls – What Works
SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc.

SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc.
Www.lumension.com © Copyright 2008 - Lumension Security Lumension Security PatchLink Enterprise Reporting™ 6.4 Overview and What’s New.

© Copyright Lumension Security Lumension Security PatchLink Enterprise Reporting™ 6.4 Overview and What’s New.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
John Sadd Progress Fellow and OpenEdge Evangelist

John Sadd Progress Fellow and OpenEdge Evangelist
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Similar presentations

Ads by Google