search cancel

IT Analytics: OLEDB v. ODBC

book

Article ID: 240734

calendar_today

Updated On:

Products

IT Analytics Data Loss Prevention Endpoint Protection IT Management Suite Server Management Suite Client Management Suite

Issue/Introduction

Can IT Analytics (ITA) be modified to use ODBC connections for data sources instead of linked servers (OLEDB)?

Environment

Release : 2.9.1

Component : Symantec Endpoint Protection Content Pack, Symantec DLP Content Pack

Resolution

ITA is designed to only use OLEDB connections to source databases and cannot be modified to use ODBC connections. The following are common questions about this architectural decision:

  1. Question: Why use linked servers to connect to the source database?
    Answer: ITA uses a standard linked server connectivity framework to connect to external data sources (i.e., Symantec Endpoint Protection, Symantec DLP, and Symantec ITMS databases) because this framework allows ITA to use the same connection model independent of the data source, thereby ensuring consistency in the platform. Additionally, linked servers allow more granular security controls than remote servers (see question 3 below).
  2. Question: What level or type of encryption is used when connecting to the source database and transporting data?
    Answer: The credentials used for connections are stored in a FIPS-compliant manner. ITA salts the password and then encrypts and stores the salt on the record. The data is stored as an encrypted salt using an AES 256 SHA1 algorithm.
  3. Question: With an open architecture (i.e., all ITA database objects and connectors visible), what security measures are recommend to ensure data is protected within the ITA database?
    Answer: As per STIG SV-53765r1, the concept of least privilege must be applied to SQL Server processes, ensuring that all processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. SQL Server's 'Alter any linked server' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any linked server' permission is granted to roles that are unauthorized to have this privilege, then this access must be revoked. Based on this, the 'Alter any linked server' permission access can be removed from any role outside of those used by the ITA application.