26 November 2007

AGORA Audit Compliance Appliance

I'm really excited about the AGORA Audit and Compliance Appliance which my company has developed, and which is starting to see some traction in the market.

The idea actually came from one of our large banking customers. It's a simple idea (as some of the best ones are), but one which we haven't really seen elsewhere on the market. The "elevator pitch" is as follows:

Your company or bank has just outsourced some key IT activities -- e.g., application development or database administration. It made sense financially, and you're covered by SLAs, so you know what service to expect. But you no longer have real control over who is doing what, and when, to your customers' data. A firewall or VPN doesn't really help, because it is designed only to keep unauthorized persons out -- the outsourcing provider's staff have full, authorized access, so how do you track what they are doing?

Some systems, like Oracle, let you turn on database auditing -- but if you outsource the DBA function, the very DBA you want to audit can turn it off again. So most of the time you simply have to trust people -- until something goes wrong, a critical table is dropped or some vital information leaks -- and then you're stuck, because where do you start investigating?


This is the business problem solved by AGORA -- it's a secure application gateway appliance which sits between your internal systems, and the authorized persons who need access, that keeps indelible records of all activity -- down to the level of scanning the network protocol in real-time, and recording all keystrokes or SQL queries sent by the external administrator, transparently and with no noticeable impact on performance. It supports SSH, Oracle SQL*Net, Microsoft SQL TDS, HTTP/HTTPS, Telnet, FTP and even X11 protocols. This means that all traffic is captured in separate files, linked to the uniquely-identified user who started the sessions.

A separate auditor role can log in via the Web interface and review the audit logs of the sessions the system has managed. Workflow management is integrated with a built-in trouble-ticket system, so the audit log of each access to a service can be linked to a specific problem or activity. Sessions are also tied to specific VPN-authenticated users (we support Check Point VPN, OpenVPN, or even pre-shared SSH keys for user authentication).

We've recently added plug-in modules for HTTP and HTTPS auditing, which also track every file uploaded to or downloaded from the remote Web server. (Auditing HTTPS content requires the appliance to see the plaintext, which means it terminates the TLS session itself rather than passing it through end-to-end between the technician and the server.) The next version of the software will include SSH session audit, with the ability to play back sessions in real time, as well as X11 sessions. The system works by inspecting every packet: it extracts the audit-relevant information, associates it with a specific two-factor-authenticated user, and writes it to a secure, tamper-proof logging system, including packet payloads such as SQL commands or SSH terminal sessions.
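The page does not say how AGORA's tamper-proof log store is built, so the following is an added illustration (not AGORA's code) of the property an auditor needs from such a store: a record cannot be edited, reordered or deleted after the fact without the change being detectable. Each record is chained to the previous one and sealed with an HMAC; the key is assumed to be held by the auditor role rather than by whoever administers the gateway, since a plain hash chain can be silently recomputed by anyone who controls the storage. The session data, user names and key are constructed sample values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple

GENESIS = "0" * 64  # chain anchor used as "previous MAC" for the first record


@dataclass
class AuditRecord:
    seq: int        # position in the chain
    ts: str         # timestamp as recorded by the gateway
    user: str       # authenticated user who owns the session
    session: str    # session identifier
    proto: str      # inspected protocol, e.g. "sqlnet"
    payload: str    # extracted audit data, e.g. the SQL statement sent
    prev: str       # MAC of the previous record (GENESIS for the first)
    mac: str = ""   # HMAC-SHA256 over all fields above


def _canonical(rec: AuditRecord) -> bytes:
    # Serialise every field except the MAC itself, in a fixed key order.
    body = {k: v for k, v in asdict(rec).items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log. Assumption: the HMAC key is provisioned to the auditor, not the gateway admin."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[AuditRecord] = []

    @property
    def head(self) -> str:
        return self.records[-1].mac if self.records else GENESIS

    def append(self, ts: str, user: str, session: str, proto: str, payload: str) -> AuditRecord:
        rec = AuditRecord(len(self.records), ts, user, session, proto, payload, self.head)
        rec.mac = hmac.new(self._key, _canonical(rec), hashlib.sha256).hexdigest()
        self.records.append(rec)
        return rec


def verify(records: List[AuditRecord], key: bytes) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev != prev:            # gap, reordering or deletion
            return False, i
        expected = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.mac):  # field edited or MAC forged
            return False, i
        prev = rec.mac
    return True, -1


def demo():
    """Constructed sample session (not real audit data): three statements, then two tampering attempts."""
    key = b"auditor-held-secret"  # assumption: shared out of band with the auditor role only
    log = AuditLog(key)
    log.append("2007-11-26T10:01:02Z", "dba.alice", "s-1001", "sqlnet", "SELECT COUNT(*) FROM customers")
    log.append("2007-11-26T10:01:09Z", "dba.alice", "s-1001", "sqlnet", "DROP TABLE customers")
    log.append("2007-11-26T10:02:30Z", "dba.alice", "s-1001", "sqlnet", "COMMIT")
    intact = verify(log.records, key)

    # 1) The stored record of the damaging statement is rewritten.
    edited = [AuditRecord(**asdict(r)) for r in log.records]
    edited[1].payload = "SELECT 1 FROM dual"
    after_edit = verify(edited, key)

    # 2) The record is deleted instead; the seq/prev linkage breaks at that position.
    deleted = [AuditRecord(**asdict(r)) for r in log.records]
    del deleted[1]
    after_delete = verify(deleted, key)
    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo())  # ((True, -1), (False, 1), (False, 1))
```

Periodically exporting the chain head to a system the audited parties cannot reach (a WORM store or the auditor's own mailbox) gives the same protection against wholesale truncation of the log, which a MAC alone does not detect if every record after a point is removed together.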

We plan to offer AGORA as a hardware appliance for high-performance requirements, but it is currently available as a software installation or as a VMware virtual appliance. Installed on a VMware server, the same functionality is available, though with somewhat reduced performance depending on the host hardware.

The system communicates with its users by email and through its Web interface. Typically, when a trouble ticket is opened against one of the many production databases a support team is responsible for, an email goes to the company's support coordinator, who assigns it to the next available technician (for example a database administrator, or DBA) with the appropriate access rights. The technician then receives an email about the ticket and can click on a Web link, which dynamically opens a port on the firewall (reached through the VPN) giving access to the relevant service. This starts the audit session and also records when activity occurs, which is very useful for SLA verification.

Because access is ticket-based, the system refuses access to any resource for which no open ticket exists; it can also restrict access to specific time periods, and it closes access automatically when the ticket expires.
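To make the ticket-gated workflow of the last two paragraphs concrete, here is an added example (not AGORA's own code) of the decision a gateway has to take when the technician clicks the link, and of the sweep that tears access down again. Access is granted only when an open ticket exists, it is assigned to the requesting user, the clock is inside the ticket's window, and the user has an authenticated VPN session; the per-session firewall rule is rendered as an iptables command purely as an assumption about the gateway's firewall. Ticket numbers, user names and VPN addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Ticket:
    ticket_id: str
    assignee: str                 # technician chosen by the support coordinator
    service: Tuple[str, int]      # (host, port) the ticket authorises, e.g. ("db-prod-1", 1521)
    valid_from: datetime          # earliest time access may be opened
    valid_until: datetime         # hard expiry; access is closed at this point
    status: str = "open"          # "open" or "closed"


def firewall_rule(src_ip: str, host: str, port: int, action: str = "-A") -> str:
    """Render the per-session rule. Assumption: iptables on the gateway, -A to add, -D to delete."""
    return f"iptables {action} FORWARD -s {src_ip} -d {host} -p tcp --dport {port} -j ACCEPT"


@dataclass
class Gateway:
    tickets: Dict[str, Ticket]
    vpn_addr: Dict[str, str]                                # VPN-authenticated user -> assigned address
    applied: List[str] = field(default_factory=list)        # firewall commands issued, in order
    sessions: Dict[str, str] = field(default_factory=dict)  # ticket_id -> user who currently has access

    def request_access(self, user: str, ticket_id: str, now: datetime) -> Tuple[bool, str]:
        """The technician clicked the link in the ticket email; decide whether to open the port."""
        t = self.tickets.get(ticket_id)
        if t is None:
            return False, "no ticket: access to unticketed resources is refused"
        if t.status != "open":
            return False, "ticket is closed"
        if t.assignee != user:
            return False, "ticket is assigned to another technician"
        if not (t.valid_from <= now < t.valid_until):
            return False, "outside the ticket's permitted time window"
        if user not in self.vpn_addr:
            return False, "user has no authenticated VPN session"
        host, port = t.service
        if ticket_id not in self.sessions:          # idempotent: one rule per ticket
            self.applied.append(firewall_rule(self.vpn_addr[user], host, port))
            self.sessions[ticket_id] = user
        return True, f"audit session started for {user} -> {host}:{port}"

    def expire(self, now: datetime) -> List[str]:
        """Periodic sweep: tear down access whose ticket window has ended. Returns closed ticket ids."""
        closed = []
        for tid, user in list(self.sessions.items()):
            t = self.tickets[tid]
            if now >= t.valid_until or t.status != "open":
                host, port = t.service
                self.applied.append(firewall_rule(self.vpn_addr[user], host, port, "-D"))
                t.status = "closed"
                del self.sessions[tid]
                closed.append(tid)
        return closed


def demo() -> dict:
    """Constructed scenario: ticket T-42 for dba.alice on db-prod-1:1521, valid 09:00-11:00."""
    t0 = datetime(2007, 11, 26, 9, 0)
    gw = Gateway(
        tickets={"T-42": Ticket("T-42", "dba.alice", ("db-prod-1", 1521), t0, t0 + timedelta(hours=2))},
        vpn_addr={"dba.alice": "10.8.0.5", "dev.bob": "10.8.0.9"},
    )
    return {
        "early": gw.request_access("dba.alice", "T-42", t0 - timedelta(minutes=5))[0],
        "wrong_user": gw.request_access("dev.bob", "T-42", t0 + timedelta(minutes=10))[0],
        "no_ticket": gw.request_access("dba.alice", "T-99", t0 + timedelta(minutes=10))[0],
        "assignee": gw.request_access("dba.alice", "T-42", t0 + timedelta(minutes=10))[0],
        "closed_by_sweep": gw.expire(t0 + timedelta(hours=2)),
        "after_expiry": gw.request_access("dba.alice", "T-42", t0 + timedelta(hours=2, minutes=1))[0],
        "rules": gw.applied,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The rule is keyed to the VPN address the authenticated user was given, not to a whole subnet, so a colleague on the same VPN without a ticket gets nothing. The sweep is what enforces the expiry on the firewall side; the window check in `request_access` alone would only stop new sessions from starting.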

In summary, this is a great tool for organizations that need positive auditing of access to critical or sensitive internal resources by outside users (such as DBAs or developers), without having to enable special logging on every resource. With the increasing demands of Basel II, ISO 27001 and Sarbanes-Oxley on compliance programs, such an audit appliance will become essential in every large enterprise.
