UNCW MSA 516 - Database Security Compliance Audit

Information Systems Control Journal, Volume 5, 2008. © 2008 ISACA. All rights reserved. www.isaca.org.

Database Security, Compliance and Audit
By Charles Le Grand and Dan Sarel

A major control objective for any organization is to protect sensitive data. Data protection or information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction to provide confidentiality, integrity and availability.[1]

In the early years of database management systems (DBMS), such a system was acclaimed as a tool for centralizing control over data access. But as controls frequently migrate around within the information infrastructure, data access controls have tended to migrate to other points, such as network perimeter controls, user identity and access management, and the application systems that access databases. The tendency has been to presume a database is protected because of the broad and diverse set of controls applicable to data access. However, the breadth and diversity of controls have taken away the centralized access control at the database itself, opened key weaknesses in data protection and allowed some of the most serious threats to data to go largely unmanaged.

The world is characterized by technology that makes the news almost daily with stories of loss, theft or disclosure of sensitive information. The 2007 Computer Crime and Security Survey, by the Computer Security Institute (www.gocsi.org), identifies respondents that actually detected attacks and abuse in the last 12 months. Insider abuse of net access is at 59 percent, unauthorized access to information 25 percent, and theft of customer or employee data 17 percent. (Because of the general lack of monitoring, one can safely assume most threats remain undetected!) These numbers also seem low based on media accounts. And, people are beyond the point of being shocked or even surprised when yet another employee, executive or management team betrays a trust and costs the company and its stakeholders millions or even billions.

Clearly there is a strong need for improved and enforced accountability management, and internal controls are an essential element of accountability assurance. This article will review first the nature of access controls in general and where they are found, and then will discuss access controls at the database level.

Where Are Data Access Controls?

Data access controls tend to be distributed in many organizations. They have evolved to that state by systems groups attacking the problem of the moment, placing controls where they can protect against a given threat, and avoiding performance bottlenecks and impacts on performance caused by using controls such as native logging and protection in the commercial DBMS. Commercial enterprise resource planning (ERP) systems have also contributed to the distribution of controls by seeking to be the all-in-one system solution with minimal reliance on other controls. The following are some key distributed control types:

• Perimeter controls (e.g., firewalls, intrusion protection, malware detection) attempt to keep the bad guys out. But they have two fundamental weaknesses. First, the bad guys are frequently a step ahead of the protection, and once they get in they are hard to find and block. Second, the insider threat is now recognized to be at least as serious as the threat of attack from outside the organization. Perimeter controls have reached a state of maturity where they are recognized as essential, but they are also known to be inadequate against certain attacks and in need of supplementation by other controls.

• User identity and access management is the essence of deciding who is allowed to do what and then monitoring to ensure things are as they are supposed to be. However, these controls tend to be dispersed across a wide variety of business functions including policy administration, personnel administration (e.g., keeping up with access privileges as people move to new positions), managing group access rights (e.g., people in payroll can see some human resources [HR] data, but cannot access payroll info), separation of duties (e.g., not allowing the same person to approve new vendors and payments to them), monitoring access rights for application of the least-privilege principle (e.g., access to only the data needed for the position, limited access for changing or deleting data, special privileges required to override controls), revoking rights when employees or other users leave the company or change roles, and monitoring all changes and exceptions to access privileges rules. The subject is complex and requires close coordination across diverse business functions—some of which do not hold information security high on their priorities or the list of things that will get them recognized and promoted. Identity and access management is an area in need of some serious audit attention, but that is the subject of another article.

• Application systems (particularly ERP systems) are a focal point for data access protection. And, if user identity and access management is complex, application systems can be more so. Applications administer remote (sometimes global) access by customers, remote and local employees, and often business partners. Multiple applications may access the same database and be subject to differing sets of controls. Independent audit software tools[2] are available to audit the management of separation of duties and other controls applicable to the popular ERP systems and other means of addressing user identity and access privileges. Application systems are subject to changes including security patching, maintenance and enhancements by the software provider's and/or system's employees, and emergency fixes to restore operations in the event of outages. Application systems may be maintained and enhanced by the original vendors and/or by outsourced vendors, including offshore providers.

• Privileged users have access rights beyond those needed for routine business operations. Database technical and operational controls (such as backup/recovery, system upgrades, checkpoint/restart, maintaining pointer integrity, optimizing physical data storage and performance) take place outside of the access constraints of application systems and most of the identity and access management processes, but must also be closely coordinated with application and
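The identity and access management controls listed above (group access rights, least privilege, and revoking rights when someone changes role) are described by the authors as business-function controls, but each of them can also be expressed directly at the database, which is the centralized control point the article says has been eroded. The following is an added example, not from the article or from ISACA, written in PostgreSQL SQL; the employees table, the roles payroll_clerk and hr_analyst, and the user alice are all constructed for the illustration.

```sql
-- Constructed sample table; column names are assumptions for the example.
CREATE TABLE employees (
    employee_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    department  TEXT NOT NULL,
    hire_date   DATE NOT NULL,
    pay_rate    NUMERIC(10,2) NOT NULL
);

-- Start from zero: no privilege reaches the table by default.
REVOKE ALL ON employees FROM PUBLIC;

-- Group access rights: privileges are granted to job roles, never to people.
CREATE ROLE payroll_clerk NOLOGIN;
CREATE ROLE hr_analyst    NOLOGIN;

-- Least privilege for payroll: read only the columns the job needs,
-- change only the pay rate, and no ability to delete records at all.
GRANT SELECT (employee_id, name, department, pay_rate) ON employees TO payroll_clerk;
GRANT UPDATE (pay_rate)                                ON employees TO payroll_clerk;

-- HR analysts see hiring data but not pay rates.
GRANT SELECT (employee_id, name, department, hire_date) ON employees TO hr_analyst;

-- Personnel administration: a login user is attached to a job role...
CREATE ROLE alice LOGIN;
GRANT payroll_clerk TO alice;

-- ...and when she moves to HR the old membership is revoked, not just
-- supplemented, so privileges do not accumulate across positions.
REVOKE payroll_clerk FROM alice;
GRANT  hr_analyst    TO alice;

-- Audit query: every column-level privilege on employees, by role.
-- An auditor compares this output with the documented role matrix;
-- any grantee or column not in the matrix is an exception to follow up.
SELECT grantee, column_name, privilege_type
FROM   information_schema.column_privileges
WHERE  table_name = 'employees'
ORDER  BY grantee, column_name, privilege_type;
```

Because the grants are column-level, a payroll clerk running `SELECT * FROM employees` is refused (hire_date is not granted), while `SELECT employee_id, name, pay_rate FROM employees` succeeds; that is the "access to only the data needed for the position" the article describes, enforced by the DBMS rather than by the application in front of it.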

