The South Australian Government's Department of Planning, Transport and Infrastructure has implemented a real time database monitoring system designed to detect any malicious IT administrator activity, after discovering that business-critical databases weren’t being monitored for unauthorised changes.
The department handles vehicle registration/licensing data for the 1.5 million residents in the state. This includes sensitive information such as driving offences and people’s addresses.
Speaking at IBM’s Pulse 2012 event in Sydney, Department of Planning, Transport and Infrastructure's information technology security advisor, Andrew Muecke, told delegates that the registration and licensing system generates over $1 billion a year for the state government so a data compromise by a malicious insider could be very costly.
He added that while the department had a complex system made up of firewalls, intrusion prevention and access controllers, it could not see if database administrators were making changes in the system or what they were doing to critical data. This led the department to implement IBM’s Guardium database monitoring system in mid-2011 after conducting research into various systems.
“The first attraction was its independence from the rest of the network,” he said. “It’s a system that sits in our environment and monitors everyone’s work, but the only one who can touch it is my technical security analyst.”
“The fact that Guardium could support all of our major database management systems was a big plus.”
However, the project was not without its challenges, as Muecke recognised that Guardium could be seen as intrusive by database administrators, since it was designed to monitor their every move. “We wanted to get key people in the department to buy into this system, so we told the business that it could be guaranteed those databases are afforded significant protection because only one person has access to Guardium,” he said.
Another challenge was to limit the amount of data monitored due to the sheer amount of licensing information contained within the department’s system. “There is no way we could grab every data set as our storage system would crash in a very short space of time,” Muecke said.
“We decided that trusted data would not be monitored by Guardium as it was already monitored within the application.”
According to Muecke, while the deployment was technically seamless, it faced a challenge of analysing the data that was collected.
This has led the department to set parameters within the system so it receives a weekly file of all database activity in critical areas. It has also employed a senior ICT consultant to analyse the database report files.
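The weekly review described above comes down to running a small set of rules over an export of privileged-user activity: which DBA accounts touched which sensitive objects, with what kind of statement, and when. The script below is an added example of that triage, not the department's procedure or any Guardium feature. The CSV column layout, the account and object names, the business-hours window and the sample records are all constructed for illustration; a real deployment would substitute its own export format and its own lists of privileged accounts and sensitive objects.

```python
"""Triage a weekly privileged-user database activity export.

Added example, not from the article or from IBM Guardium. The column
layout, policy lists and records below are constructed for illustration.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample export (hypothetical layout; not a real Guardium report).
SAMPLE_REPORT = """\
timestamp,db_user,os_user,client_host,database,object,verb,statement
2012-03-05T09:12:44,app_svc,appserver,10.0.5.21,REGLIC,LICENCE,SELECT,SELECT * FROM LICENCE WHERE LICENCE_NO = ?
2012-03-05T23:41:02,dba_jsmith,jsmith,10.0.9.7,REGLIC,LICENCE,UPDATE,UPDATE LICENCE SET ADDRESS = ? WHERE LICENCE_NO = ?
2012-03-06T10:03:15,dba_jsmith,jsmith,10.0.9.7,REGLIC,VEHICLE,SELECT,SELECT COUNT(*) FROM VEHICLE
2012-03-06T14:20:09,dba_akhan,akhan,10.0.9.8,REGLIC,OFFENCE,DELETE,DELETE FROM OFFENCE WHERE LICENCE_NO = ?
2012-03-07T02:15:30,dba_akhan,akhan,10.0.9.8,REGLIC,AUDIT_TRAIL,ALTER,ALTER TABLE AUDIT_TRAIL DISABLE TRIGGER ALL
2012-03-07T11:05:00,dba_jsmith,jsmith,10.0.9.7,REGLIC,LICENCE,SELECT,"SELECT NAME, ADDRESS FROM LICENCE WHERE LICENCE_NO = ?"
"""

# Policy inputs: hypothetical values standing in for the department's own lists.
PRIVILEGED_USERS = {"dba_jsmith", "dba_akhan"}
SENSITIVE_OBJECTS = {"LICENCE", "OFFENCE", "AUDIT_TRAIL"}  # PII, offences, audit log
TRUSTED_OBJECTS = {"VEHICLE"}  # already audited inside the application; reads/writes not reviewed here
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DDL_VERBS = {"ALTER", "DROP", "CREATE", "TRUNCATE", "GRANT", "REVOKE"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # local-time window for routine DBA work


def classify(row):
    """Return the reasons a record needs human review (empty list if routine)."""
    reasons = []
    if row["db_user"] not in PRIVILEGED_USERS:
        return reasons  # application accounts are covered by the application's own audit
    obj = row["object"].upper()
    verb = row["verb"].upper()
    if verb in DDL_VERBS:
        # Schema and privilege changes are reviewed even on trusted objects.
        reasons.append("ddl_by_privileged_user")
    elif obj not in TRUSTED_OBJECTS:
        if verb in WRITE_VERBS and obj in SENSITIVE_OBJECTS:
            reasons.append("privileged_write_to_sensitive_object")
        elif verb == "SELECT" and obj in SENSITIVE_OBJECTS:
            reasons.append("privileged_read_of_sensitive_object")
    if reasons:
        clock = datetime.fromisoformat(row["timestamp"]).time()
        if not BUSINESS_HOURS[0] <= clock < BUSINESS_HOURS[1]:
            reasons.append("outside_business_hours")
    return reasons


def analyze_report(report_text):
    """Parse a CSV export and return the records that need review, in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        reasons = classify(row)
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "db_user": row["db_user"],
                "client_host": row["client_host"],
                "object": row["object"],
                "verb": row["verb"],
                "reasons": reasons,
                "statement": row["statement"],
            })
    return findings


def findings_per_user(findings):
    """Count review items per privileged account, for the weekly summary."""
    return dict(Counter(f["db_user"] for f in findings))


if __name__ == "__main__":
    findings = analyze_report(SAMPLE_REPORT)
    for f in findings:
        print(f"{f['timestamp']} {f['db_user']:<11} {f['verb']:<6} "
              f"{f['object']:<12} {', '.join(f['reasons'])}")
    print(findings_per_user(findings))
```

The rules deliberately stay narrow: only accounts on the privileged list are examined, reads and writes to objects the application already audits are skipped (the "trusted data" exclusion described above), while schema and privilege changes are always surfaced because they are exactly what a DBA could use to switch auditing off. The out-of-hours tag is only attached to records that are already of interest, so routine after-hours maintenance on non-sensitive objects does not swamp the analyst.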
“We’re nine months into the deployment and we’ve found no malicious behaviour,” Muecke said.
In addition, the South Australian Auditor-General's Department has given the department a clean bill of health for information security, as privileged-user activity and changes to any of the databases are now monitored.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU