Effective database activity monitoring

  • Author Shlomo Yariv
  • Published February 4, 2011
  • Word count 623

Organisations deploy Database Activity Monitoring (DAM) solutions for a number of reasons, ranging from compliance to overall security.

DAM is a data centre technology that monitors how the data stored in core databases and file servers is accessed. It analyses access behaviour to detect data breaches and takes action to mitigate them.

Regulations and compliance laws are also increasingly forcing organisations to tighten control over the sensitive data they store and to keep a verifiable audit trail that can be signed off, if required, by the appropriate organisational executives.

Database Activity Monitoring Architecture

Different DAM vendors track database activity in different ways, so the architecture of each implementation also differs slightly.

A DAM with a single-appliance or single-server architecture provides a 1-to-1 mapping of a database server to a monitoring appliance, which acts as both the sensor and the collector of the relevant data. This configuration is good for a small database; for larger databases, however, it may not be effective enough.

A DAM with a 2-tier architecture consists of a centralised management server that collects information from a set of remote sensors or collection points. This architecture offers a better degree of scalability.

A DAM with a hierarchical architecture builds on the 2-tier architecture and is best suited to larger organisations. These DAMs can support a larger number of sensors and collectors distributed across a large enterprise.

Advanced Database Activity Monitoring Techniques

Network monitoring is the process of monitoring all SQL traffic to a database. It allows multiple databases to be monitored simultaneously, and every command sent to the databases under scrutiny is tracked. The activities of users who are logged directly into the server via a local console are not recorded. Network monitoring does not affect database performance, as it places no overhead directly on the database.

In remote monitoring, a SQL collector with administrative privileges is placed on the database, and native database auditing is also enabled. The collector aggregates all activity recorded by the auditing tools. This type of monitoring imposes an overhead on the database, because enabling logging on the database server makes it do more work. The advantage of remote monitoring is that all database activity is collected, including that of a user who is logged directly into the server.

Local agents can be installed on each monitored database, but they will not necessarily detect all database activity; that depends on how the agents are configured and how close to the database they are allowed to sit.

Agents are not popular with conservative DBAs, as using an agent means loading software directly onto a database server, which also affects database performance. The advantage of agents, on the other hand, is that they can detect all database activity without depending on the local native auditing tools; the adverse effect on database performance is 27%. It is up to the business to decide which course to take after evaluating the pros and cons.
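The coverage difference between network monitoring and remote monitoring described above can be measured by reconciling the two event streams. The following is an added example, not code from the article or from any DAM product; the event layout (user, client host, SQL text) and all sample records are constructed assumptions.

```python
from collections import Counter

# Constructed sample events (not real logs): (db_user, client_host, sql).
# NETWORK_SENSOR: statements a network-monitoring sensor saw on the wire.
# NATIVE_AUDIT: statements a collector pulled from the native audit trail.
NETWORK_SENSOR = [
    ("app_rw", "10.0.0.21", "SELECT id, name FROM customers WHERE id = 17"),
    ("report", "10.0.0.35", "SELECT COUNT(*) FROM orders"),
]
NATIVE_AUDIT = [
    ("app_rw", "10.0.0.21", "SELECT id, name FROM customers WHERE id = 17"),
    ("report", "10.0.0.35", "SELECT COUNT(*) FROM orders"),
    ("dba_admin", "localhost", "SELECT * FROM customers"),
    ("dba_admin", "localhost", "GRANT ALL ON customers TO report"),
]

def normalize(sql):
    """Collapse whitespace, case and a trailing ';' so sources compare equal."""
    return " ".join(sql.split()).rstrip(";").lower()

def unseen_by_network(network_events, audit_events):
    """Return audit events that have no matching network-sensor event.

    A multiset is used so a statement executed twice must be seen twice.
    """
    seen = Counter((u, h, normalize(s)) for u, h, s in network_events)
    missing = []
    for user, host, sql in audit_events:
        key = (user, host, normalize(sql))
        if seen[key] > 0:
            seen[key] -= 1          # matched one on-the-wire observation
        else:
            missing.append((user, host, sql))
    return missing

def summarize_blind_spot(missing):
    """Count unseen statements per (user, host) for analyst review."""
    return dict(Counter((u, h) for u, h, _ in missing))

if __name__ == "__main__":
    gap = unseen_by_network(NETWORK_SENSOR, NATIVE_AUDIT)
    for user, host, sql in gap:
        print(f"not seen on the wire: {user}@{host}: {sql}")
    print(summarize_blind_spot(gap))
```

Statements that appear only in the audit trail are the activity a network-only deployment would have missed, such as the local console session in the sample data.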

Ultimately, each organisation must decide which database activity monitoring architecture fits its purpose, and whether a compromise between performance and security should be considered.

More advanced DAM solutions are increasingly moving into application monitoring as well as database monitoring. Monitoring software can track all actions performed against a database more effectively if it has the correct hooks into client applications.

GreenSQL is a leading database security company that provides state-of-the-art database security solutions. You can find more information about database activity monitoring at:

http://www.greensql.com/solutions/uds-unified-db-security/dam-database-activity-monitoring

Article source: https://articlebiz.com