A supplier of enriched uranium fuel for commercial nuclear power plants, USEC Inc. is a publicly traded company whose revenue hovers around $1.5 billion. "Part of the challenge is this: We operate with a real small IT staff [about 50 people]," says Vordick. "So we don't want a solution that is going to make it harder for our DBAs to gain access to do things they need to do."
At the same time, Vordick knew that giving his DBAs carte blanche access to the company's financial databases at the company's three data centers in Kentucky, Maryland and Ohio would be a red flag for auditors. "The problem with monitoring database logs is obvious; the DBAs control what the database logs," says Vordick. The CIO spotted an ad for Guardium Inc.'s appliance-based software -- which essentially sits on a network monitoring traffic and scanning SQL statements -- and alerted his information security manager to it.
"The difference with Guardium is that the software in our case runs on a Unix OS. So the DBAs have privileged access to the database, and the IS manager has access to records of what they've done. Unless the two collude, you should be all set."
Now USEC has undergone two audits with Guardium in place, and Vordick says the $50,000 investment has paid off. One of Guardium's selling points is the simplification of data governance by centralizing Sarbanes-Oxley controls across database platforms and providing preconfigured reports.
"When it comes to Sarbanes-Oxley," says Vordick, "it's good to have one less thing to worry about."
Ellen O'Brien, a former senior editor at CIO Decisions, is now a senior editor at Storage magazine. Write to her at firstname.lastname@example.org.
This was first published in March 2007