PCI-DSS in Oracle Databases
PCI-DSS is the Payment Card Industry’s Data Security Standard. It is required when working with Visa, MasterCard, American Express, Discover or JCB.
PCI-DSS contains specific instructions for the management and storage of cardholder data. These requirements include networking, data protection, encryption, access control and more. Requirement 10 deals with activity monitoring.
Most compliance regulations follow the risk-control methodology, where it is ultimately up to the organization to decide how to implement security. PCI-DSS version 2.0 is NOT like that. PCI-DSS contains very detailed instructions about how security should be implemented, what should be done, and what is prohibited.
Requirement 10 of PCI-DSS deals exclusively with the need to audit activity. The clearest way to convey how vital PCI-DSS considers auditing to be is to quote the regulation directly:
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
You can read the detailed analysis of the requirement, but the basics are:
- Audit all accesses to tables containing cardholder data (10.2.1)
- Audit DBA and privileged users (10.2.2)
- Audit DDLs (10.2.7)
- Audit errors (10.2.4)
- Audit successful and failed sessions (10.2.5)
In addition, the audit trails need to record information about the user, the time, etc. (10.3, 10.4), be secured (10.2.3, 10.2.6, 10.5), be retained for at least a year (10.7), and be reviewed daily (10.6).
There are several challenges in complying with requirement 10 in Oracle databases, but the most difficult is the data capture. Data capture is the method used to collect the audit information and transport it from the Oracle database server to a secured log facility.
The reason this is a problematic issue is the volume of information that needs to be collected and transported. Oracle databases tend to process thousands if not tens of thousands of SQLs per second, and auditing each one has the potential of slowing the database to a halt.
There are several ways to capture DMLs and DDLs, but only three options to capture queries (select) as well:
- Oracle Auditing – The old, well-known built-in audit facility. Its main problem: it slows the database to a halt. Almost no Oracle DBA will turn this on in a production database. Additionally, it has no audit trail security or processing capabilities.
- Fine-Grained Auditing – FGA is a newer built-in facility in Oracle that allows partial auditing of pre-defined activity only. The more activity you audit, the higher the overhead. Additionally, it has no DDL capture, limited audit trail security, and no processing capabilities.
- Core Audit – A complete 3rd party solution from Blue Core Research that includes capture, processing, reports and more. The new Full Capture technology developed by Blue Core Research can perform full auditing at less than 3% overhead.
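To make the requirement list and the two built-in options concrete, here is an added example (not Blue Core Research's code, and not from the original page) showing how Oracle's own statement auditing and Fine-Grained Auditing would be pointed at the Requirement 10 items above, together with the daily-review queries a practitioner would run against the resulting trail. The schema PAYMENTS, table CARDHOLDER, tablespace AUDIT_TBS and privileged account APP_DBA are assumed names; the packages, views and parameters are standard Oracle 11g features.

```sql
-- Added example, not part of the original page. Assumed names: schema PAYMENTS,
-- table CARDHOLDER, tablespace AUDIT_TBS, privileged application account APP_DBA.
-- Prerequisites (init parameters, restart required):
--   AUDIT_TRAIL = DB,EXTENDED   -- keeps the SQL text of every audited statement
--   AUDIT_SYS_OPERATIONS = TRUE -- SYSDBA/SYSOPER sessions go to the OS audit trail (10.2.2)

-- 10.2.5: every successful and failed logon/logoff
AUDIT SESSION;

-- 10.2.7: object and account DDL (FGA cannot see DDL, so statement auditing is used)
AUDIT TABLE, ALTER TABLE, USER, ROLE, SYSTEM GRANT;

-- 10.2.2: everything the named privileged account does, one record per statement
AUDIT ALL BY APP_DBA BY ACCESS;

-- 10.2.1: every SELECT/INSERT/UPDATE/DELETE touching the cardholder table.
-- audit_condition NULL and audit_column NULL mean "no filtering": this is the
-- full-auditing case where FGA's per-statement overhead is highest.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'PAYMENTS',
    object_name     => 'CARDHOLDER',
    policy_name     => 'PCI_10_2_1_CARDHOLDER',
    audit_condition => NULL,
    audit_column    => NULL,
    enable          => TRUE,
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 10.5: move both trails out of SYSTEM into a dedicated tablespace that the
-- audited application accounts have no quota on (DBMS_AUDIT_MGMT is 11gR2+).
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_TBS');
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    audit_trail_location_value => 'AUDIT_TBS');
END;
/

-- 10.6 daily review; each query carries the 10.3 fields (who, when, from where,
-- what, result).
-- (a) statements that failed in the last 24h (10.2.4); RETURNCODE is the ORA- number
SELECT timestamp, username, os_username, userhost, action_name, returncode, sql_text
FROM   dba_audit_trail
WHERE  returncode <> 0
AND    timestamp >= SYSDATE - 1
ORDER  BY timestamp;

-- (b) every access to the cardholder table in the last 24h (10.2.1)
SELECT timestamp, db_user, os_user, userhost, statement_type, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'PCI_10_2_1_CARDHOLDER'
AND    timestamp >= SYSDATE - 1
ORDER  BY timestamp;

-- (c) failed logons in the last 24h (10.2.5); 1017 is ORA-01017, bad credentials
SELECT timestamp, username, os_username, userhost, returncode
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode <> 0
AND    timestamp >= SYSDATE - 1
ORDER  BY timestamp;
```

Two points from the list above show up directly in this configuration. The FGA policy with no condition and no column filter is exactly the "audit everything on the table" case in which FGA's overhead grows with the audited activity, and the `AUDIT ALL ... BY ACCESS` line is the classic per-statement Oracle Auditing setting that DBAs are reluctant to enable on a busy production system. Because FGA records no DDL, the DDL items of 10.2.7 have to come from statement auditing regardless of which of the two built-in facilities carries the DML and query traffic, and the tablespace relocation only protects the trail from application accounts, not from a DBA with write access to SYS.AUD$ and SYS.FGA_LOG$.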
Core Audit’s Full Capture is the only capture technology that provides 100% capture of all the activity in the Oracle database at an overhead that will not impact any production environment.
The other challenges in Requirement 10 are to process the audit data, store it in a secured solution for at least one year, and produce daily reports.
Your options are:
- Oracle Audit Vault & Database Firewall – These costly Oracle products can only use the Oracle data captures (with their limitations), and are complex to install and manage.
- SIEM – Many 3rd party solutions called SIEM exist. However, they all require a data capture source to feed them activity from Oracle databases. Your options are the above mentioned Oracle Auditing, FGA, or Core Audit.
- Core Audit – A complete 3rd party solution from Blue Core Research equipped with everything needed for PCI compliance and much more. It comes built-in with its own Full Capture agents, repository, reports, incident investigation tools, and more.