For some employees at the Massachusetts Department of Revenue with access to tax and child support data, the temptation to check up on former spouses, contentious neighbors, or real estate agents who rubbed them the wrong way is too hard to overcome.
But whether driven by curiosity, jealousy or anger, just one instance of unauthorized access of confidential data can land an employee a termination notice. In Massachusetts, it's illegal to browse tax or child support information without authorization, and the revenue department has a zero-tolerance policy.
The fact the department catches employees who violate the data-access policy -- four in the past year -- is the downside to a security system that's working, said John Moynihan, the organization's deputy commissioner and internal control officer. He drove development of the department's custom data surveillance program called Transaction Tracking, which monitors employees' access to the tax and child support databases. He's chagrined at how longtime employees will ruin their careers in an instant.
"Folks who have been here 15, 18 years … Everything is lost because of a violation of our access policy," he said.
Like others who participated in a recent Information Security magazine/SearchSecurity.com survey on data protection, Moynihan places a premium on database security. Nearly 58% of the 834 readers surveyed ranked database authentication/access controls as the top data protection technology. Fifty-two percent said data encryption was the most important.
However, unlike the majority of readers, Moynihan places less importance on database access controls. Trusted insiders like employees are authenticated and have access to data, so data surveillance like the kind his organization uses is more critical, he said.
"Any organization that collects data has to acknowledge that people are abusing it because they have access to it," he said. "It's human nature."
His department started a database monitoring program several years ago, when it created a system to track access to the data of about 5,000 taxpayers deemed high-risk for unauthorized access -- athletes, elected officials, CEOs and others. Ten years ago, Moynihan's boss decided the department needed to conduct ongoing, broader monitoring, which led to transaction tracking.
The multi-platform, browser-based system runs on any relational database and captures every access of taxpayer and child support data; there are about a million transactions per day in the two databases. Auditors who suspect a violation of the access policy send a memo to the employee, who must provide a business purpose for the record check.
After a major upgrade last year, transaction tracking is capable of conducting highly detailed, customized database searches. For example, if an auditor suspects an employee is looking up the records of neighbors, he or she can do a location-based search of the database.
Making sure employees aren't violating access policies is critical because the state depends on taxpayers to voluntarily file their information, Moynihan said.
"We are aggressive on the internal threat because that kind of breach would be much more damaging to us, and could impact the way the state government collects taxes, the way revenue comes in," he said. "It could impact all of state government."
The organization has a rigorous program to ensure employees are aware of the access policy and consequences of violating it, he added.
While the revenue department's data protection efforts are driven by the insider threat, 43% of readers ranked compliance as the top driver for data protection in the survey.
Implementing a database monitoring system helps with compliance efforts at Illinois-based Career Education Corp., a provider of private, postsecondary career-oriented education with more than 80 campuses serving 95,000 students across the world.
The company uses software from Conshohocken, Penn.-based RippleTech. The vendor's Informant product monitors database traffic as part of Career Education's layered defense strategy. Informant non-intrusively logs database activity; that information is fed to a netForensics security information management system, which correlates data from multiple security perimeter devices.
Microsoft SQL Server databases store the firm's sensitive information, including student records, so it's critical to keep an eye on who is accessing them, said Michael Gabriel, CISO at Career Education.
"It makes sense that you want to monitor access and who's doing what with that information. By having the application layer correlated along with the operating system and the perimeter, it gives you the ability to trace any attack to see what level of penetration it actually has," Gabriel said. "What we found is there were some real compliance-related advantages to having that visibility."
For example, the company has a change management control that restricts anyone but DBAs from making changes to the production database environment -- any violations prompt a real-time alert. If an organization has a stated change management policy but isn't upholding it, there could be repercussions when it comes to Sarbanes-Oxley, Gabriel notes.
Informant's monitoring doesn't come at the expense of database performance, he said. Because the product monitors database traffic that happens normally -- via a network span port or network tap -- there is no performance impact on the database server at all, he added.