How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements
Since DataSunrise is a powerful security tool, it can help its users to achieve and maintain compliance with some data security standards such as SOX, PCI DSS and HIPAA.
To accomplish this not-so-easy task, DataSunrise has three components at its disposal: Data Audit, Data Security and Data Masking.
As its name suggests, this component is used for database audit tasks. Basically, the firewall performs continuous database traffic monitoring and collects information on all user actions and modifications made to database contents.
While database auditing mostly used for data breach investigation and security system vulnerabilities assessment, continual monitoring helps to detect data breach preparations. To control database auditing process a dedicated security rules set is used.
It is the basic tool DataSunrise utilizes to counter various harmful actions: it prevents unauthorized access and defends the database against SQL injections.
Data Security functionality is based on smart SQL-analysis algorithms, enabling DataSunrise to detect unauthorized access attempts and SQL injections on-the-fly.
Data Security is adjusted with a set of rules which define conditions for activating protection and sequence of firewall’s actions. If DataSunrise detects prohibited query or malicious code, it blocks database access attempt and informs the firewall administrator via email.
Due to this feature the firewall administrator can hide database entries from unauthorized users by replacing entry contents with random values or predefined string. DataSunrise performs data masking on-the-fly, just after intercepting a suspicious query. Because data is obfuscated before it leaves the database, masking helps to prevent possible data leak.
In most cases data masking is used not to protect data from hackers, but in situations when intentional data transfer to 3rd party (software testers, for example) is being performed.
Please note that it’s a brief description of the DataSunrise firewall components, so if you want to know more about our product’s functionality, please, refer to the documentation. And now we will focus on data safety regulations and the ways DataSunrise helps to comply with them.
What is SOX?
The Sarbanes-Oxley Act (SOX) is a federal law that sets strict financial reporting requirements for US public companies. SOX is aimed to prevent investors from accounting fraud by assuring that all the reports on financial activities contain truthful and reliable information that can be verified by independent auditors.
There are two principle sections that relate to data security: Section 302 and Section 404. According to Section 302, SOX subjects must safeguard their data responsibly to be sure that their reports are not based upon faulty data.
SOX Section 404, in turn, is dedicated to technical means public companies must employ to protect their financial data against tampering and misuse. Besides that, Section 404 states that companies should allow security means and data integrity to be verified by independent auditors and should report all data breaches occurred.
How can DataSunrise help?
Security breach detection
DataSunrise Data Audit tool helps to detect security breaches and to perform a proper investigation. At the same time, Data Audit component logs all actions made to database and provides independent auditor with full range of data required to complete his or her tasks.
Protecting financial data from tampering and theft
DataSunrise helps to control user access to sensitive information by utilizing a set of security policies based on database user name, IP-address, application name and SQL-statements used.
The firewall enables its administrator to track all database changes and ensure that corporate data has not been modified without proper permission. More than that, DataSunrise helps to prevent unauthorized changes to be made to database content due to its Data Security functionality.
What is PCI DSS?
Payment Card Industry Security Standard (PCI DSS) was created by major payment card brands (Visa, MasterCard, American Express, JCB and Discover) to be employed by companies that handle credit card data, and their business partners. In fact, PCI DSS is a set of detailed guidelines, aimed to secure credit cards processing and drastically reduce risk of data breach.
How can DataSunrise help?
Database access control
PCI (Req 7) obliges its subjects to limit access to credit card holder information on a need-to-know basis. It means that companies should implement strict control over user access rights and limit access to sensitive information to only those individuals whose job requires such access.
DataSunrise Data Security component helps to prevent unauthorized user actions by blocking access to specific database elements. In some cases, if special requirements exist, certain database elements could be not blocked but obfuscated with data masking tool.
Disabling inactive user accounts
According to Requirement 8.1.5, the PCI subjects are obliged to disable or remove inactive user accounts (because hackers often use dormant account to perform a database breach).
This task can be completed with the help of Data Audit component. It monitors all user activity and helps to detect inactive users as well as suspicious user behaviour.
Database breach prevention
PCI Requirement 8.7 states that only programmatic method should be used to access any database containing cardholder data and that only database administrators should have an ability to directly access or query databases.
In most cases DataSunrise deployed in proxy configuration which means that no user can access the database directly, but through the firewall only. It prevents hackers from exploiting software vulnerabilities to perform a data breach. Combine this feature with advanced SQL analysis algorithms of Data Security component and you can be sure that this PCI requirement is fulfilled.
PCI Requirement 10 contains 25 subrequirements that oblige covered entities to implement audit means. Basically organizations must track all user activity and prevent any unauthorized access to audit information as well.
DataSunrise helps to satisfy the forementioned demands by utilizing its Data Audit functionality. The firewall performs continuous database auditing and monitors all user and client application actions while not inflicting any additional load on DB server or the database itself. It is of great importance that Data Audit reports enable the firewall administrator to link all registered actions to specific users by the means of external SIEM system.
What is HIPAA?
US Health Insurance Portability and Accountability Act (HIPAA) provides federal protection for patient’s health information against misuse or exposure. Subjects of this Act are: health care providers (doctors of various types), health insurance companies and programs, health care clearinghouses. The HIPAA Security Rule specifies a series of administrative, physical and technical safeguards its subjects should employ to protect electronic protected health information (ePHI) from being misused by unauthorized individuals.
How can DataSunrise help?
ePHI access control
According to HIPAA (reqs 164.312(a)(1) and 164.308(a)(4)), covered entities should restrict access to ePHI on need-to-know basis. It means that only individuals and software programs that are properly authorized should be able to access ePHI.
DataSunrise enables its administrator to protect the ePHI database from being accessed or modified without proper authorization due to its Data Security functionality. To complete this task the firewall administrator creates a set of security policies for each user or user group to specify which database elements to be allowed or restricted to access. Then DataSunrise monitors all user actions and blocks unauthorized access attempts.
HIPAA requires its subjects to implement technical and procedural mechanisms to record and examine activity in information systems that contain or use ePHI (req 164.312(b)).
DataSunrise helps to meet these requirements by utilizing the Data Audit functionality. DataSunrise continuously monitors the database traffic and records all database user and client application actions. The audit reports enable the administrator to identify the end user and applications used to access the database.
DataSunrise helps to fulfill the most critical requirements of forementioned security standards. It should be noted though that DataSunrise alone cannot fulfill all the variety of demands, but database-specific ones only. To achieve full SOX, PCI DSS or HIPAA compliance, you need to employ a system of security means including both administrative and technical safeguards.
DataSunrise supports all major databases and data warehouses such as Oracle, Exadata, IBM DB2, IBM Netezza, MySQL, MariaDB, Greenplum, Amazon Aurora, Amazon Redshift, Microsoft SQL Server, Azure SQL, Teradata and more. You are welcome to download a free trial if would like to install on your premises. In case you are a cloud user and run your database on Amazon AWS or Microsoft Azure you can get it from AWS market place or Azure market place.