
Configuring Audit Policies in Imperva DAM

By Craig Burlingame posted 11-22-2020 17:44


Introduction to Audit Policies

Audit policies in Imperva DAM enable an organization to monitor access attempts and activity on sensitive data or other data of interest.  These policies can be designed to help an organization comply with the requirements of data protection regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or the California Consumer Privacy Act (CCPA), and to perform the monitoring necessary for cybersecurity and breach protection.

Think of audit policies like a DVR (digital video recorder).  You may have 400 channels on your satellite or cable system, but you really only like to watch a few channels or shows on it.  So you record those shows so you can watch them later.  Audit policies act the same way.  You record the user activity on those databases that are really important to you so you can rewind and watch that activity later.

Configuring an Audit Policy

An audit policy in Imperva DAM is designed to monitor sensitive information that has already been identified and tracked within the system.  Before starting on configuring an audit policy, it is necessary to develop a site tree and to perform a scan for sensitive information.

Determine Policy Requirements

The first step in creating an audit policy is determining the desired goals of the policy.  Audit policies can have a number of different applications and may be based upon both internal policies or the requirements of data protection regulations.

Determining the requirements of the audit policy is vital to selecting and configuring the right type of policy.  Different regulations cover different types of sensitive data (such as payment card data for PCI DSS and healthcare information for HIPAA) and may require different levels of visibility and data collection for compliance.  Identifying these requirements in advance enables an organization to balance the need for visibility with the resources required to store and process the events generated by the audit policy.


Select or Build Audit Policy

Once the requirements of the audit policy have been defined, it is possible to create the policy itself.  To do so, select the Policies tab in the top window of the Imperva DAM console, then select the Audit tab in the blue ribbon below.

Imperva DAM includes pre-built policies for common regulations such as PCI DSS and SOX.  It also has built-in policies for certain types of monitoring actions, such as watching access attempts to sensitive parts of databases or all sensitive information discovered within a scan.

Organizations may have unique monitoring needs, so Imperva DAM also offers the capability to build custom audit policies.  These can cover regulations not supported by default or allow an organization to monitor specific types of data in alignment with business needs.

Based on the assessment of policy requirements, it should be possible to identify the pre-built or custom policies that an organization requires.  The specific criteria used to identify events of interest can be tuned within the Match Criteria tab of the pane to the right of the screen.

Configuring an Audit Policy

After selecting an audit policy to apply, use the tabs on the menu to the right of the screen to configure how the policy should be applied.

Apply To Tab

The Apply To tab defines the scope to which the audit policy should be applied.  An audit policy can be applied to all or part of a site tree.  This enables an organization to strike a balance between covering the parts of the site tree that need to be monitored and not wasting resources monitoring sections that do not contain sensitive information or are not covered by a given regulation.

This is why it is so important to start out right with DAM and build a usable site tree.  When configuring audit and other policies, monitoring and protection can rapidly be applied to all or a subset of a site in a usable and meaningful way.

Settings Tab

One important configuration setting is the Extended Collection setting.  For this setting, it is best to select the Events option.  This will provide information about the query, the number of records returned from the database, the types of information returned, etc.

Selecting the DB Responses option will cause the actual records to be returned and stored in Imperva SecureSphere as well.  This is not recommended because it increases the volume of storage required for the logs (which may be significant for a very busy system) and makes data security and access control more complex because another copy of the sensitive data is now stored within Imperva SecureSphere as well and must be monitored and managed in accordance with regulatory requirements.
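To make the Events vs. DB Responses trade-off concrete, here is an added Python illustration (not Imperva code; the JSON event shape is an assumption, not SecureSphere's real format) that compares a constructed Events-mode record with the same query captured in DB Responses mode and lists the card numbers the response copy would now hold:

```python
"""Added illustration: storage and data-handling cost of the DB Responses option.
Assumption: the event layout below is hypothetical, not SecureSphere's real schema."""
import json
import re

# Constructed sample: what an 'Events' capture records about one query.
EVENTS_MODE = {
    "user": "app_svc", "db": "cardholder", "table": "payments",
    "query": "SELECT pan, exp FROM payments WHERE customer_id = 4471",
    "rows_returned": 2, "columns": ["pan", "exp"],
}
# Constructed sample: the same query with 'DB Responses' enabled, so the rows themselves
# (here well-known test card numbers) are stored alongside the event.
DB_RESPONSES_MODE = dict(EVENTS_MODE, rows=[
    {"pan": "4111111111111111", "exp": "12/26"},
    {"pan": "5500000000000004", "exp": "03/27"},
])

PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def record_size(event: dict) -> int:
    """Bytes needed to store one event as compact JSON."""
    return len(json.dumps(event, separators=(",", ":")).encode())

def pans_in_responses(event: dict) -> list:
    """Luhn-valid card numbers present in a captured DB response (none in Events mode)."""
    found = []
    for row in event.get("rows", []):
        for value in row.values():
            found += [m for m in PAN_RE.findall(str(value)) if luhn_ok(m)]
    return found

def compare(events_mode: dict, responses_mode: dict) -> dict:
    """Extra storage per event and the regulated values the response copy adds."""
    extra = record_size(responses_mode) - record_size(events_mode)
    return {"extra_bytes_per_event": extra, "pans_stored": pans_in_responses(responses_mode)}

if __name__ == "__main__":
    print(json.dumps(compare(EVENTS_MODE, DB_RESPONSES_MODE), indent=2))
```

Multiply the per-event overhead by the event rate of a busy database to see why the storage growth matters, and note that every PAN listed is now a second copy subject to PCI DSS controls.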

Archiving Tab

This tab contains another important configuration setting, which describes how often data should be moved to the archive.  For very active systems, this may be a matter of days, while less active ones could be archived weekly or even monthly.

External Logger

The final tab determines what should be done with the events created by an audit policy.  A common choice is to send this to an external system like Splunk.

An important consideration when configuring this setting is whether or not the target system can handle the volume of data.  A very active system may create millions or billions of alerts, and it is a good idea to check with Splunk admins to see if they can handle that load and what the cost would be.

Performing Data Audits in Imperva DAM

Defining an audit policy in Imperva DAM enables an organization to easily and scalably comply with the data access monitoring requirements of data protection regulations or internal policy.  Once a policy is configured, any events that match its criteria will be flagged and can be sent to an external logging service (like Splunk).

Audit policies are designed for monitoring and logging and are only one of the policy options available in Imperva DAM.  It is also possible to configure Security and Enrichment policies to protect sensitive data or perform data enrichment within SecureSphere.

Other relevant content: 
Configuring a Scan for Sensitive Data with Imperva DAM
6 Steps to Deploying Imperva DAM

11-23-2020 10:47

@Ajay Rawat - If you mean can you generate a security alert if the audit policy triggers, then no, that is not possible.  But you can use the same match criteria to enable a security policy that will then trigger an alert which you can have sent out via a followed action.  Please let me know if this is what you were looking for.  Thank you.

11-22-2020 20:53

Hi, I am new to DAM. I want to generate the alert for my Audit policy. Is it possible?