| Graduate student: | Wu, Chih-Wei (吳智偉) |
|---|---|
| Thesis title: | Developing a Software Agent for Database Activity Monitoring (以代理軟體模組建構之資料庫稽核系統) |
| Advisor: | Teng, Wei-Guang (鄧維光) |
| Degree: | Master |
| Department: | College of Engineering - Department of Engineering Science, in-service master's program |
| Year of publication: | 2014 |
| Academic year of graduation: | 102 (ROC calendar) |
| Language: | Chinese |
| Pages: | 51 |
| Keywords (Chinese, translated): | database activity monitoring system, software agent module, Personal Data Protection Act |
| Keywords (English): | database activity monitoring, software agent, personal information protection act |
| Usage statistics: | Views: 146, Downloads: 2 |
With the rapid development of the Internet and information systems, the demand for enterprises to complete real-time transaction processing through information systems and databases grows every day. This has helped many enterprises improve their operating efficiency substantially and has brought convenience to individual users, but risks and crises have come along with it. In every industry, regardless of organization size, many have taken advantage of the data sharing, security and centralized management that database systems provide and store important, potentially sensitive data and personal data in them. This study focuses on the relationship between database systems and an enterprise's important internal data: when internal staff access data through information systems, or when external attackers break in and steal data, how a database activity monitoring (DAM) system can monitor that access and produce effective supporting evidence. In addition, the enforcement of the Personal Data Protection Act means that every industry must put in place a concrete and effective approach to data protection. To address the problems above, and considering that not every organization can afford to purchase a database activity monitoring system, this study builds a database activity monitoring system from a self-developed software agent module. The module is integrated with the internal information systems without affecting their performance, and it collects all SQL transaction behaviour, which solves the problems of collecting audit trail data and preserving evidence.
As technologies of the Internet and information systems advance rapidly, real-time transaction processing using information systems and DBMSs is also in increasing demand. Nevertheless, these bring not only significant improvements in convenience and efficiency, but also unexpected risks and crises for an enterprise and its customers. Even for small business owners, a common use of a database system is to store their important information and further utilize the features of data sharing and centralized management. In this work, we propose a scheme to monitor users when they attempt to access sensitive data entries. Among several alternatives, we choose to develop our own prototype because of budget constraints; this is also appropriate for small businesses and organizations. Specifically, our scheme monitors the access of sensitive data and records corresponding logs for auditing purposes. In 2012, the Personal Data Protection Act was announced in Taiwan, so that all companies and individuals have to follow its regulations when handling personal information. In view of this, and as evaluated in our experimental studies, our scheme helps to make database monitoring and auditing a feasible task in practical applications.