I’ve always wondered why I have yet to meet anyone in the Government using Database Activity Monitoring (DAM) solutions, and yet the Government has some of the largest, most sensitive databases around. I’m going to try to lay out why I think it’s a great idea for Government to court the DAM vendors.
Volume of PII: The Government owns huge databases that are usually authoritative sources. While the private sector laments the leaks of Social Security Numbers, let’s stop and think for a minute. There is A database inside the Social Security Administration that holds everybody’s number and is THE database where SSNs are assigned. DAM can help here by flagging queries that retrieve large sets of data.
Targetted Privacy Information: Remember the news reports about people looking at the presidential candidate’s passport information? Because of the depth of PII that the Government holds about any one individual, it provides a phenomenal opportunity for invation of someone’s privacy. DAM can help here by flagging VIPs and sending an alert anytime one of them is searched for. (DHS guys, there’s an opportunity for you to host the list under LoB)
Sensitive Information: Some Government databases come from classified sources. If you were to look at all that information in aggregate, you could determing the classified version of events. And then there are the classified databases themselves. Think about Robert Hanssen attacking the Automated Case System at the FBI–a proper DAM implementation would have noticed the activity. One interesting DAM rule here: queries where the user is also the subject of the query.
Financial Data: The Government moves huge amounts of money, well into $Trillions. We’re not just talking internal purchasing controls, it’s usually programs where the Government buys something or… I dunno… “loans” $700B to the financial industry to stay solvent. All that data is stored in databases.
HR Data: Being one of the largest employers in the world, the Government is sitting on one of the largest repository of employee data anywhere. That’s in a database, DAM can help.
Guys, DAM in the Government just makes sense.
Problems with the Government adopting/using DAM solutions:
DAM not in catalog of controls: I’ve mentioned this before, it’s the dual-edge nature of a catalog of controls in that it’s hard to justify any kind of security that isn’t explicitly stated in the catalog.
Newness of DAM: If it’s new, I can’t justify it to my management and my auditors. This will get fixed in time, let the hype cycle run itself out.
Historical DAM Customer Base: It’s the “Look, I’m not a friggin’ bank” problem again. DAM vendors don’t actively pursue/understand Government clients–they’re usually looking for customers needing help with SOX and PCI-DSS controls.
London is in Our Database photo by Roger Lancefield.