
Using Privileged Identity Management Solution To Audit End User Database Activity In Shared Database Connections Environment

IP.com Disclosure Number: IPCOM000239630D
Publication Date: 2014-Nov-20
Document File: 5 page(s) / 79K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a technology related to Using Privileged Identity Management Solution To Audit End User Database Activity In Shared Database Connections Environment.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 41% of the total text.

Page 01 of 5

* Background
In a typical Java Enterprise Edition (Java EE) container, a web application gets the database connections from a DataSource managed by the Java EE container to perform database operations.

The reason for using pooled (shared) database connections is that it takes time to set up a fresh database connection. Current best practice is to reuse a database connection once it has been created, to improve database operation latency. Furthermore, all connections in the database pool are usually established using the same database credential. In other words, in a database connection pool containing 5 pooled connections to a database, all of them are created using the same database user identity (e.g. =dbuser1=).

* Problem
Many regulations require end user activity to be captured in an audit log. This includes any database activity of the end user.

There are multiple end users (e.g. Alice and Bob) accessing the web application, and the requirement is to log the database operations performed by each of them individually. However, as the web application is using shared database connections, all database operations are performed with a single database user identity. It is not possible, by inspecting the database activity log alone, to know which end user is associated with any given database operation.

* Key Idea
The solution requires deploying a Privileged Identity Management (PIM) system such as IBM Security Privileged Identity Manager together with a PIM-augmented =DataSource= implementation.

The PIM system manages and controls the database credentials. It ensures (with the corresponding =DataSource= implementation) that each database credential is associated with one database connection at any one time.

The PIM-augmented =DataSource= emits check-in / check-out (CICO) records of the database connection when the web application requests and returns a connection on behalf of an end user. The CICO records contain the mapping between the database user identity and the end user identity.

The database connection CICO log can later be correlated with the database activity log to derive the per-end-user database audit log.



* How It Works
** Setup Database Connection Pool with PIM

1. Deploy a PIM system. The PIM system is responsible for managing and controlling the database credentials.
2. Create a batch of database users (e.g. =dbuser1=, =dbuser2=, ... =dbuser40=) and configure the PIM system to manage them.
3. Deploy a PIM Data Source to the Java EE container. The Data Source manages the database connection pool. The PIM-augmented Data Source is configured to communicate with the PIM system to obtain the database credentials used to establish the database connections.
4. The PIM Data Source submits a request to PIM for a batch (e.g. 20) of database credentials.
5. PIM finds 20 available database users and marks them as reserved. This is so...