Sarbanes-Oxley Compliance

Goal

Enforce a consistent level of access control across all third-party and in-house applications.

Example

Each application in an enterprise (ERP, HR, CRM, etc.) manages its own security: who can access what. As long as users reach the application through the vendor's front-end tools, the access rights configured within the application are enforced. But in many cases third-party applications that augment or replace the application's functionality are used to access the data, and those applications never pass through the vendor's front end.

For example, you may build custom analytics and reporting solutions using Brio, and you may also deploy web applications. These applications typically go directly to the underlying rows of data in the database, so the access rules configured inside the application never run. How do you keep the ability to use these third-party or in-house applications and, at the same time, enforce a consistent level of access control no matter how the data is accessed?

Issues and Alternatives

One alternative is to make the lowest layer in the system secure to the required level. For many applications this means securing the database itself, such as Oracle or SQL Server. The granularity required to comply with SOX and other regulations is not easily implemented and managed using native database features alone. And since an enterprise typically runs several different kinds of databases (Oracle, SQL Server, DB2, home-grown, etc.), each with its own mechanisms, the same access control policy cannot be expressed uniformly inside every database. Mapping a set of policies for different classes of users onto per-database settings, and keeping those mappings consistent as users and policies change, becomes a daunting task.

Resolution

Force all third-party and in-house applications to access data sources through a middle layer that enforces access control above the database layer. This layer is called a Fine Grained Secure Access Server (FGSAS). The vendor applications continue to use their built-in access control mechanisms; all other access goes through the FGSAS, which is developed in-house or purchased. Ideally the FGSAS is configured with a set of policies based on a user's role, independent of the underlying data source. Note that "force" is the operative word: the layer is only a control if it is the only path to the data, so the database credentials belong to the FGSAS and the applications are not given direct network or login access to the database.

DataDirect OpenAccess SDK lets the FGSAS be exposed as a virtual SQL database with ODBC- and JDBC-compliant interfaces. To the client applications this interface looks and behaves like the Oracle or SQL Server interface they were developed against. The clients issue SQL queries to the OpenAccess-enabled server, which in turn uses the FGSAS to apply the policy and perform the data access.

Implementation

See Addressing Sarbanes-Oxley Compliance with Fine Grained Secure Database Access (.pdf)

Benefits

  • Fast delivery - Quickly implement a fine grained secure data access layer between the applications and the data sources using ODBC/JDBC and SQL.
  • Flexibility - Build a centralized access control mechanism without breaking the existing applications.
  • Compatibility - Allows your custom code to appear as a virtual SQL database with an ODBC/JDBC API that is compatible with hundreds of applications in use today.