70% of loss-bearing incidents involve insiders
Many believe that their sensitive data is well-protected by a security program, leaving little to no need to perform auditing processes. Nothing could be further from the truth. The idea that data integrity is protected through security programs alone is a misguided assumption.
There is no argument that security programs are a critical component of a robust security environment. Security programs offer data protection, and report on access activity and violations that they detect at the security profile or resource level. Such programs prevent people from accessing restricted resources, and allow people access to the data they need to do their jobs. What security programs don’t provide, however, are the details about a user’s access activity, which is why sensitive data must be audited to ensure that it hasn’t been inappropriately read or altered.
In an environment where robust security rules are in place, there is little exposure to unauthorized users accessing data. In this case, the main risk of exposure lies in the activities of authorized users who have access to data within the scope of their job. Authorized access to data, however, does not ensure that the data is accessed in accordance with proper use criteria.
- Has a malicious update been made by a user who has data access?
- Is someone reading data during off hours?
- Is someone accessing data without a business need to know?
Because these accesses are allowed by security, security programs cannot detect malicious or inappropriate activities performed by authorized users. In the absence of other auditing processes, these nefarious accesses will go undetected. The following statistics illustrate the point:
- 70% of loss-bearing incidents involve insiders.
- In 78% of data breach incidents, the insiders were authorized users with active computer accounts at the time of the incident.
- In 43% of the cases, the insider used his or her own user ID and password.
- Most incidents required little technical sophistication and typically involved exploitation of business rules or organizational processes.
- In 87% of the cases, simple, legitimate user commands and processes were used.
- Standard Non-Disclosure Agreements will not deter a disgruntled employee.
Auditing may seem like a goal that is impossible to achieve, but it isn’t. IBM® IMS™ Audit Management Expert for z/OS® will clearly identify who is reading or altering sensitive data. IMS Audit Management Expert collects and correlates information from many systems and data sources into a security-protected audit repository that is accessible only by the Auditor. With IMS Audit Management Expert, audit data cannot be manipulated without being detected.
Here’s how Audit Management Expert segregates duties between Auditors and DBAs:
- After the product is installed, the Auditor may work with an IMS Database Administrator or IMS Systems Programmer to set up a collection profile. A collection profile identifies the IMS artifacts to be monitored.
- After the product is set up, the Auditor revokes the IMS Database Administrators’ or System Programmers’ User IDs within the Audit Management Expert product, prohibiting their access to the product.
Here’s how IMS Audit Management Expert monitors and reports on data access:
- Audit data is collected from IMS batch and online processes, and from the System Measurement Facility (SMF).
- IMS database and segment activity is reported. All reads, inserts, updates, and delete activities are captured, along with the concatenated key for audited segment data. Updates and inserts also provide the segment data, as found in the DL/I call I/O area.
- Access through utilities is recorded. SMF is used to collect access to IMS data sets outside the control of IMS services (for example, if IMS is down or if z/OS system utilities such as IDCAMS or TSO ISPF have been used).
- Collected audit data is displayed through useful representations in a GUI, and in batch reports.
- Audit data stored in the repository can be sorted, searched for values, exported as a CSV file, or exported to Excel. Auditors are no longer dependent on developers or database administrators to set up or gather the audit information required, which provides for segregation of duties.
- Automated audit notification can be set up to send notifications to specified email addresses or issue a broadcast message to two selected user IDs.
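As an added example (not part of the original article and not IBM's code), here is one way an auditor could triage the three questions raised earlier (unexpected updates, off-hours reads, access without a business need) over a CSV export of audit data. The column names, user IDs, work-hours window and the `BUSINESS_NEED` table are assumptions constructed for illustration, not the product's export layout.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows. The column names are assumptions for this example,
# not the product's actual CSV export layout.
SAMPLE_EXPORT = """timestamp,user_id,database,segment,call
2024-03-04T10:15:00,PAYCLK1,PAYROLL,EMPLOYEE,GU
2024-03-04T23:42:00,PAYCLK1,PAYROLL,SALARY,GU
2024-03-05T11:05:00,HELPDSK,PAYROLL,SALARY,GU
2024-03-05T14:30:00,PAYRPT1,PAYROLL,SALARY,REPL
2024-03-09T09:00:00,PAYCLK1,PAYROLL,EMPLOYEE,GN
"""

# Hypothetical entitlement-review data: the databases each user needs for the
# job, and whether that need includes changing data.
BUSINESS_NEED = {
    "PAYCLK1": {"databases": {"PAYROLL"}, "may_update": True},
    "PAYRPT1": {"databases": {"PAYROLL"}, "may_update": False},
}
UPDATE_CALLS = {"ISRT", "REPL", "DLET"}  # DL/I insert, replace, delete
WORK_HOURS = range(7, 19)                # 07:00-18:59, Monday to Friday


def review(export_text):
    """Return (row, reasons) for every access that needs an auditor's look."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.fromisoformat(row["timestamp"])
        need = BUSINESS_NEED.get(row["user_id"])
        reasons = []
        if when.weekday() >= 5 or when.hour not in WORK_HOURS:
            reasons.append("OFF_HOURS")
        if need is None or row["database"] not in need["databases"]:
            reasons.append("NO_BUSINESS_NEED")
        elif row["call"] in UPDATE_CALLS and not need["may_update"]:
            reasons.append("UNEXPECTED_UPDATE")
        if reasons:
            findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for row, reasons in review(SAMPLE_EXPORT):
        print(row["timestamp"], row["user_id"], row["segment"],
              row["call"], ",".join(reasons))
```

Every flagged row here was permitted by access control; the flags only mark accesses that an auditor should compare against the user's job function.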
It’s important to use access control to protect sensitive data, but additional comprehensive auditing of user access not only makes sense; it is also mandated by every governance and compliance regulation. Where there is a will, there is a way.
For more information about IMS Audit Management Expert for z/OS, visit IMS Tools at www.ibm.com/ims.