Database Activity Monitoring
TOHO GAS Information System Co., Ltd.
Efficient Database Access Control
Improve Data Security and Solve Audit Data Management Dilemma
“Until we installed PISO, we had no idea about our database activities. As a result, our access control system was ill-equipped for data security. However, PISO helps us to understand user activities such as Who accessed the data, What data was accessed, How many records were accessed, What SQL statement, When and Where. Now we have successfully and effectively improved access control to secure our systems.”
Objectives
Improve Data Security for Regulatory Compliance
TOGIS had implemented a variety of security controls to ensure compliance with regulatory requirements for the Protection Act on Personal Information and J-SOX. TOGIS attained ISO27001 Information Security Management System (ISMS) certification in 2003. In 2004, TOGIS established the Special Security and Tactics Team. They strictly managed the people entering and leaving the rooms. They also restricted terminal, machine and user access to sensitive data through ID management. However, they felt they needed more protection on data security for accountability. Consequently, TOGIS planned to protect database security for private as well as financial data, and to collect database access information for accountability. To solve these data security challenges, they installed PISO as part of their data security infrastructure.
Target System
SOUNET: Pipeline Constructions Management System
Customer Safety System for Periodic Check
Internet Reception System for Online Payment & Others
Gas Device Sales Support System (SAP R/3)
Gas Agreement System for Business Use
Financial System (SAP R/3)
HR System for WORKS APPLICATIONS Company
Personnel Inquiry System
Health Check System
Dilemmas
Dilemma 1: Performance Penalty for Database Auditing
Due to server integration as part of TOHO Gas Company’s IT strategy, several mission-critical database instances were running on the same machine. A significant requirement was that the security solution should not affect server performance, since any slowdown would also affect the other systems on that machine. Therefore, TOGIS thoroughly evaluated and compared different security products available in the market, including the Oracle built-in auditing feature, especially from the system overhead aspect. They found that PISO, a real-time database monitoring and auditing solution, suited their requirements.
Dilemma 2: Database Security Management and Evaluation
TOGIS implemented real-time database access monitoring for data security, and collected the detailed access logs. TOGIS decided to improve data security by analyzing the massive volume of database access logs. However, TOHO Gas Company’s systems generate millions of transactions per day, which dramatically increases complexity, time and cost for data security. To meet auditing and security compliance objectives, TOGIS needed to build additional systems to handle data management challenges, such as volume, analysis, retention and performance. Otherwise, analytical value from the database access logs would be lost. To solve the data management dilemma, TOGIS used PISO to provide pre-defined advanced auditing templates to efficiently analyze the massive volume of database access logs, and to effectively respond to security risks by monitoring such access and activities. As a result, the PISO Forensic option enables TOGIS to address IT compliance and requirements effectively by solving the data management dilemma.
In addition, the more TOGIS used PISO, the more they discovered about PISO. TOGIS felt that PISO improves IT operations for efficient application tuning. For example, PISO empowered TOGIS to address the Computer Operation section of PCAOB Auditing Standard No. 2, especially system availability and service-level management. More specifically, PISO helped TOGIS improve application tuning because it provided the details of database activity information. For example, PISO allowed TOGIS to identify unnecessary or resource-intensive SQL statements executed from the application by analyzing the number of executions and the number of rows processed. Moreover, if an application program error occurred, PISO helped TOGIS to identify the problematic SQL statements to fix that program.