Angelo Tracanna Senior Manager, OpenEdge Data Management

Slides:



Advertisements
Similar presentations
Pennsylvania BANNER Users Group 2006 Integrate Your Decision Support with Cognos 8.
Advertisements

Client Principal in the wild
Module 12: Auditing SQL Server Environments
1 PUG Challenge Americas 2014 Click to edit Master title style PUG Challenge EMEA 2014 – Dusseldorf, Germany Tales from the Audit Trails Presented by:
1 PUG Challenge Americas 2013 Click to edit Master title style PUG Challenge Americas 2013 – Westford, MA Tales from the Audit Trails Presented by: Mike.
Improving your OpenEdge® Development Productivity David Lund Sr. Training Program Manager, Progress.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
PUG Norway Lillehammer March 16th & 17th
Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.
1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.
Security Controls – What Works
SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc.
© Copyright Lumension Security Lumension Security PatchLink Enterprise Reporting™ 6.4 Overview and What’s New.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Concepts of Database Management Seventh Edition
John Sadd Progress Fellow and OpenEdge Evangelist
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Passage Three Introduction to Microsoft SQL Server 2000.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
DB Audit Expert v1.1 for Oracle Copyright © SoftTree Technologies, Inc. This presentation is for DB Audit Expert for Oracle version 1.1 which.
Chapter 7 Database Auditing Models
System Design/Implementation and Support for Build 2 PDS Management Council Face-to-Face Mountain View, CA Nov 30 - Dec 1, 2011 Sean Hardman.
MOVE-4: Upgrading Your Database to OpenEdge® 10 Gus Björklund Wizard, Vice President Technology.
Information Technology Audit
A Comprehensive Solution Team Mag 5 Valerie B., Derek C., Jimmy C., Julia M., Mark Z.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
MOVE-1: Progress Dynamics® on Steroids Anthony D Swindells Engineering Fellow.
DB-19: OpenEdge® Authentication Without the _User Table
Concepts of Database Management Sixth Edition
MOVE-14: Migrating Your 4GL Authentication System to OpenEdge® 10
Implementation Issues of Sarbanes-Oxley CASE Presentation September 23, 2004 By Denise Farnan.
MOVE-9: Audit enable your Application the Easy Way Anthony D Swindells Engineering Fellow.
Data: Migrating, Distributing and Audit Tracking Michelle Ayers, Advisory Solution Consultant
Concepts of Database Management Eighth Edition
STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.
Module 7: Fundamentals of Administering Windows Server 2008.
1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.
SEC835 Practical aspects of security implementation Part 1.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
Computer Emergency Notification System (CENS)
DEV-09: User Authentication in an OpenEdge™ 10.1 Distributed Computing Environment Michael Jacobs Development Architect.
Future of the Server Room Tour. Ottawa Montreal Calgary Vancouver Toronto Future of Your Server Room Three Pillars of Windows Server 2008 Virtualization.
DEV-01 What’s New in Progress Dynamics ® Anthony Swindells Progress Fellow.
SOA-14: Deploying your SOA Application David Cleary Principal Software Engineer.
DB-8: Jump Starting Your OpenEdge® Auditing Solution
SONIC-3: Creating Large Scale Installations & Deployments Andrew S. Neumann Principal Engineer, Progress Sonic.
Reactive Companies Meet Sarbanes-Oxley Standards, Proactive Organizations Exceed Them! Therron Hofsetz Logical Apps, Inc.
Windows Role-Based Access Control Longhorn Update
Business Productivity Infrastructure Optimization Campaign 1 Agenda: BPIO Partner Sales Readiness Workshop Day 3: Topic: Enterprise Content management.
SONIC-3: Creating Large Scale Installations & Deployments Andrew S. Neumann Principal Engineer Progress Sonic.
ARCH-08 A Common Business Service Approach to Application Development Anthony Swindells Progress Fellow.
Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.
Delivered by: Matthew Zito, Chief Scientist 156 5th Avenue Penthouse New York, NY P: The Database Diet.
Hosting Websites and Web Applications with Microsoft ® SQL Server ® 2008.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
DEV-17: Effective Design and Deployment of OpenEdge® Audit Policies Michael Jacobs Development Architect.
Secure Data Access with SQL Server 2005 Doug Rees Associate Technologist, CM Group
Security Management: Successes and Failures
Application Auditing Made Easy
RMS with Microsoft SharePoint
Auditing in SQL Server 2008 DBA-364-M
ARCH-1: Application Architecture made Simple
DAT381 Team Development with SQL Server 2005
TRINITY UNIVERSITY HOSPITAL
Presentation transcript:

Angelo Tracanna Senior Manager, OpenEdge Data Management Auditing: Do You Care Who Did What, When, Where and How? (OpenEdge™ 10.1) Angelo Tracanna Senior Manager, OpenEdge Data Management

Agenda Slide Why auditing? Auditing in OpenEdge® overview Using auditing in OpenEdge Auditing best practices Future thinking Auditing: Who Did What, When, Where, How?

Under Development D I S C L A I M E R This talk includes information about potential future products and/or product enhancements. What I am going to say reflects our current thinking, but the information contained herein is preliminary and subject to change. Any future products we ultimately deliver may be materially different from what is described here. D I S C L A I M E R Auditing: Who Did What, When, Where, How?

Core Business Services Vision Statement “Provide a comprehensive set of common business services that provide the core feature support of a modern SOA based application modeled on the OpenEdge Reference Architecture” Auditing: Who Did What, When, Where, How?

Core Service: Auditing Mission Statement “Provide an auditing framework that can supply an uninterrupted trail of an application client’s access to its operations and data” Auditing: Who Did What, When, Where, How?

Customer Key Drivers for Auditing 1. Compliance with international Government regulations, e.g. Sarbanes-Oxley Act, CFR Part 11, HIPAA, European Union’s Annex 11, European Union Data Protection Directive, etc. 2. Secure auditing to support non-repudiation of audit data 3. High performance, scalable and efficient storage of audit data 4. Consistency across SQL, 4GL and database utilities Auditing: Who Did What, When, Where, How?

The Regulatory Compliance Challenge Organizations today face a growing number of regulations that mandate the accuracy and reliability of information – not just SOX! Sarbanes-Oxley Act 21 CFR Part 11 Gramm-Leach-Bliley Act Basel II HIPAA EU Data Protection Directive Auditing: Who Did What, When, Where, How?

Regulatory Compliance: Sarbanes-Oxley (SOX) Act What is it? Enacted July 30, 2002 Designed to protect investors Senior management and advisors personally accountable Financial information must remain confidential and privileged Data integrity and quality are key Section 404 — Internal Controls annual evaluation and documentation of the internal controls and procedures in place to produce financial information Section 302 — Certifying Results CEO and CFO to certify the existence of controls and sign-off on the organization’s financial statements Section 409 — Reporting Auditing: Who Did What, When, Where, How?

Regulatory Compliance: Example Auditor Objectives Logging and reporting Determine who modified the database schema and when List all schema changes by date by user Determine who has access to particular systems List of resources and the users who are authorized to access them Ensure user accountability For a particular user, list their actions over a period of time Ensure terminated employees access rights are terminated in a timely manner For users who are terminated, list access rights and when they were revoked Auditing: Who Did What, When, Where, How?

Penalties for Non-Compliance: Sarbanes–Oxley Law! The law includes penalties of up to 20 years in prison for chief executives and chief finance officers and fines of up to $5m (£2.5m) per violation, per person So, compliant apps help keep customers out of jail… Auditing: Who Did What, When, Where, How?

Compliance doesn’t impact me…? Think again! Do you supply accounting system software? Do you supply software for the healthcare industry? Do you provide solutions to the government? Do your applications contain confidential data? Might somebody in the state of California buy your application? Have you any growth aspirations? Auditing: Who Did What, When, Where, How?

Think about the Opportunities! Competitive advantage Places a  in the compliance box Enhanced functionality sells apps Security Audit trails BI reporting New product / service offerings Auditing: Who Did What, When, Where, How?

“The Joy of Red SOX” Competitive advantage Think about the opportunities! Competitive advantage Places a  in the compliance box Enhanced functionality sells apps Security Audit trails BI reporting New product / service offerings You can tell tales and not got into trouble Protects whistleblowers Auditing: Who Did What, When, Where, How?

Secure Auditing is Key to Compliance Audit trails can tell you who did what, when, where and how Must reflect the verifiable identify of the real application user Must be complete, accurate and non-reputable Prove audit policy and data has not been tampered with Auditing: Who Did What, When, Where, How?

Auditing Has a Cost! Audit trails can generate large volumes of data – quickly! Audit trails always add overhead The more you audit – the bigger the performance overhead! Must audit all methods of access to the application and data Compromises integration otherwise Auditing: Who Did What, When, Where, How?

Introducing… Auditing in OpenEdge® Surviving the Auditor! Auditing: Who Did What, When, Where, How?

OpenEdge Database Schema-Trigger Based Auditing 4GL Client Audit Policy Tools Application Code Audit Policy Manager API Policy Data Security Manager Application Data App DB Audit Event Manager (schema triggers) Audit Data Manager Offline Audit Data Archive Daemon Manager Audit Data Archive DB Audit Report Report Manager SQL Client Application Code Auditing: Who Did What, When, Where, How?

Auditing Architecture Overview 4GL Client DB Tools & Utilities Open Tools Audit Policy Tools (APMT) Application Code Audit Policy Subsystem API App DB Policy Data Audit Event Subsystem Audit Data Subsystem Application Data Audit Data Security Subsystem Application Internal Database Archive DB Application Code Archiving Subsystem Reporting Subsystem Archive Daemon SQL Client Audit Data Offline Audit Data Audit Report Auditing: Who Did What, When, Where, How?

Audit Policy MetaSchema Multiple active policies Audit Data Application Data Control by event Id Audit Policy Control by table / CUD operation Policy Data Event Policy File Policy Field Policy Audit Event Override individual fields Internal & application defined audit events Auditing: Who Did What, When, Where, How?

Audit Policy MetaSchema Multiple active policies Control by event id Control by table / CUD operation Override individual fields Internal & application defined audit events Auditing: Who Did What, When, Where, How?

Audit Data MetaSchema Client Session Audit Data Audit Data Values Record client session information Client Session Application Data Policy Data Configurable automated audit data with optional context & grouping Audit Data Audit Data Audit Data Values Optional old/new value recording Auditing: Who Did What, When, Where, How?

Audit Data MetaSchema Record client session information Configurable automated audit data with optional context & grouping Optional old/new value recording Auditing: Who Did What, When, Where, How?

What gets Audited? Record level events No need for schema triggers Audit Event Subsystem Database events Database Record level events Create event Update event Delete event No need for schema triggers controlled through file / field policy Auditing: Who Did What, When, Where, How?

What gets Audited? Authentication (login) Database connections Audit Event Subsystem Internal events Internal Authentication (login) Database connections Schema changes Audit policy administration Security administration Database utilities Start, stop, backup, restore, dump, load, copy, etc. Audit archiving Auditing: Who Did What, When, Where, How?

What gets Audited? Application context Audit event groups Subsystem Application events Application Application context Audit event groups Application defined events (ID > 32000) For events with no corresponding database operation Fully control granularity and detail, e.g. 1 audit record for dispatch of an order Can be used for read auditing Group into ranges to simplify reporting Auditing: Who Did What, When, Where, How?

Securing Audit Data Separation of duty No updates to audit data Audit administrator Audit archiver No updates to audit data Prevents deletion of events, e.g. archive Audit data is sealed to prevent tampering Secured administration tools and utilities Security Subsystem Auditing: Who Did What, When, Where, How?

Recording the Real User Trusted authentication systems / domains Assert verified identity of real application user Not dependent on _user records No blank user access to audit data! Security Subsystem Auditing: Who Did What, When, Where, How?

Managing Audit Data PROUTIL commands to enable auditing DB Tools & Utilities Audit Policy Tools (APMT) PROUTIL commands to enable auditing Unique database ID (GUID) and description Audit Policy Maintenance Tool (APMT) Open API Securely deploy policies (via text dump or XML) Secure dump/load options for audit data Auditing: Who Did What, When, Where, How?

Archiving Audit Data Auditing can generate lots of data – fast! Subsystem Auditing can generate lots of data – fast! Consider 2 billion row limit Move audit data from short term to long term storage Delete audit data no longer required Fast audit archive (binary) Select by date range Output to bit bucket Output to binary file Ability to write custom archiver Auditing: Who Did What, When, Where, How?

Querying Audit Data Only users granted read permission Reporting Subsystem Only users granted read permission (Except SQL for Open Edge 10.1a) Exposed as standard database tables Requires knowledge of schema Both application schema and metaschema What are the identifying fields? How is the context formatted? (Varies by event id) Sample reports supplied Audit data searchable by User id, event id, date, context, transaction, audit group, DB connection, client session Auditing: Who Did What, When, Where, How?

Auditing in OpenEdge® Key Value-Add Why use it in place of own solution? Common built-in auditing for both SQL/4GL clients Flexible audit policy management Secure audit data, policy and utilities Separation of duty Purposed audit permissions Verified user identity Secure utilities and sealed data Internal audit events (utilities, schema changes, etc.) Performance, performance, performance High performance archiving Multi-platform – not just Windows! Auditing: Who Did What, When, Where, How?

Auditing Demo… Auditing: Who Did What, When, Where, How?

Agenda Slide Why auditing? Auditing in OpenEdge overview Using auditing in OpenEdge® Auditing best practices Future thinking Auditing: Who Did What, When, Where, How?

Auditing in OpenEdge® Getting Started Enabling auditing for internal events Upgrade client / database to OpenEdge® 10.1a Enable auditing Connect to database as the DBA Set up database security key via data admin Run APMT to load / enable shipped policies Proutil dbname –C enableauditing area area1 [indexarea Area2] [deactivateidx] Auditing: Who Did What, When, Where, How?

Auditing in OpenEdge Getting Started Enabling auditing for database events Run APMT Add new policies for application schema Configure tables / fields to audit Enable policies Run application as normal Query audit data via sample or custom reports Auditing: Who Did What, When, Where, How?

Auditing in OpenEdge Getting Started Asserting the real application user Modify database options to use application user id for auditing Setup authentication system / domains Add application startup code to load trusted domains SECURITY-POLICY:LOAD-DOMAINS(db) Auditing: Who Did What, When, Where, How?

Auditing in OpenEdge Getting Started Asserting the real application user Modify 4GL application authentication code CREATE CLIENT-PRINCIPAL hCP hCp:USER-ID = “aswindel” hCp:DOMAIN-NAME = “progress” … result = hCP:SEAL(“pass phrase”) SECURITY-POLICY:SET-CLIENT(hCP) hCP:LOGOUT DELETE hCP Audited Audited Auditing: Who Did What, When, Where, How?

Auditing in OpenEdge Getting Started Supplying context / application events Set / clear context at appropriate places in application Add code to record application events ctx-id = AUDIT-CONTROL:SET-APPL-CONTEXT(audit-event-ctx[,event-detail[,user-data]]) … id = AUDIT-CONTROL:LOG-AUDIT-EVENT (event-id, event-context[, event-detail[, user-data]]) AUDIT-CONTROL:CLEAR-APPL-CONTEXT Auditing: Who Did What, When, Where, How?

Auditing Best Practices Consider application database as short term storage for audit data Do not enable audit indexes Use separate storage area for audit data Archive often! Use purposed database for audit archive / reporting Only audit what is absolutely necessary – tune with APMT Plan for reporting Group event ids into ranges Structure context consistently Leverage audit event groups Coding style even more important (assigns, record scope, transaction scope) Auditing: Who Did What, When, Where, How?

OpenEdge Auditing Futures (beyond R10.1a) Current thinking Selective audit policy for specific data Read auditing More standard reporting Direct archiving to OpenEdge database SQL audit policy administration IDE integration What else would you like to see??? Auditing: Who Did What, When, Where, How?

In Summary Govt. regulations & security are a concern and an opportunity Start preparing for them NOW! Upgrade to OpenEdge® 10.1 when it ships OpenEdge auditing helps you survive the auditor OpenEdge auditing adds value to your existing applications for minimal effort Avoid Jail! Auditing: Who Did What, When, Where, How?

Questions? Auditing: Who Did What, When, Where, How?

Thank you for your time! Auditing: Who Did What, When, Where, How?

Auditing: Who Did What, When, Where, How?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.