Editorials

Auditing with Aspects

Many compliance programs require you to audit data acquisition and modification. PCI, HIPAA and SOX, to take US examples, and many others around the world, have differing degrees of complexity and retention requirements. Having worked under HIPAA, PCI, AIMR and Limited SOX, I can say there are a lot of similarities and differences that might make it difficult if you fall under two or more. Let's try to break it up generically and see if we can find a pattern that may be applied to all.

There are some basic generic auditing requirements common to one or more certifications:

Who Saw It?

This audits the complete activity of a user from the time they enter your system until the time they leave. What records did they look at, and what were the contents of those records at the time they pulled the data?

Who Changed It?

This audits all Insert/Update/Delete actions. You need to be able to reconstruct the contents of a record as they were at any point in time.

Who Got It?

This audits not only the activity of reviewing a record, but extracting it and taking it outside of your contained system. At this point the record goes out of your control. Most likely, the external recipient must be a secure partner holding the same certification; otherwise you would violate the principle behind the certification.

So, what has this got to do with Aspects? Here's my brainstorm. Aspects are programs you write. They are introduced into other programs through keywords, adding functionality without your having to touch the original source code. At compile time, the separate program sources are merged, and the final result is compiled.

If you had a common naming convention for your data access code, such as public void Get[SomeEntity], it would be possible to write an aspect to log data retrieval for those methods. You don't have to know what they are; just the naming convention. You could then write logging code based on the returned results. Using reflection, you could be fairly specific without even knowing the contents of the records when you write the logging code.
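As an added example that is not from the editorial, here is the convention-driven aspect in Python, using a class decorator in place of compile-time weaving: methods whose names match Get<Entity> (extended here to Insert/Update/Delete so the same aspect covers "Who changed it?") are wrapped so each call records who pulled which entity, when, and a reflected snapshot of the returned record, with hypothetical sensitive fields hashed rather than copied into the audit trail. The Patient entity, PatientRepository, the ACTOR context variable and the SENSITIVE field set are assumptions made for the example.

```python
import hashlib
import re
from contextvars import ContextVar
from datetime import datetime, timezone
from functools import wraps

# Convention from the editorial (Get<Entity>), extended to the change verbs.
CONVENTION = re.compile(r"^(Get|Insert|Update|Delete)([A-Z]\w*)$")
SENSITIVE = {"ssn", "card_number"}  # hypothetical: fields never logged verbatim
ACTOR = ContextVar("actor", default="anonymous")  # set by the auth layer
AUDIT_LOG = []  # stand-in for append-only audit storage

def snapshot(record):
    """Reflect over the returned object's fields; hash sensitive values so the
    trail proves which value was seen without becoming a second copy of it."""
    if record is None:
        return None
    return {k: ("sha256:" + hashlib.sha256(str(v).encode()).hexdigest()[:16])
            if k in SENSITIVE else v for k, v in vars(record).items()}

def audit_method(fn, action, entity):
    @wraps(fn)
    def logged(self, *args, **kwargs):
        result = fn(self, *args, **kwargs)  # original body runs untouched
        AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                          "actor": ACTOR.get(), "action": action,
                          "entity": entity, "record": snapshot(result)})
        return result
    return logged

def audited(cls):
    # Stands in for compile-time weaving: only convention-matching methods get advice.
    for name, fn in list(vars(cls).items()):
        m = CONVENTION.match(name)
        if m and callable(fn):
            setattr(cls, name, audit_method(fn, *m.groups()))
    return cls

class Patient:  # constructed sample entity
    def __init__(self, id, name, ssn):
        self.id, self.name, self.ssn = id, name, ssn

@audited
class PatientRepository:
    rows = {7: Patient(7, "A. Example", "123-45-6789")}  # constructed sample row
    def GetPatient(self, patient_id):
        return self.rows.get(patient_id)
    def UpdatePatient(self, patient):
        self.rows[patient.id] = patient
        return patient
```

The actor comes from ambient context rather than a method parameter, so the repository code never needs to know it is being audited; the hashed field still lets a reviewer prove which value was retrieved without the audit log itself becoming a regulated data store.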

This is just a very simplistic example. The intention is to get the little grey cells working. Years ago, using NetTiers as an ORM code-generation tool, I was able to modify the templates (T4 templates are quite similar) to generate auditing code. I hadn't even heard of Aspect programming at the time. Now that data is persisted to many different kinds of storage engines, the thought of using aspects seems to have a lot of promise, because it is not tied to a specific storage engine. Instead it is tied to the very actions we are trying to audit: every touch of the data.

Is anybody doing this? Maybe you’re doing something similar with web filters. Share your thoughts in our comments or by Email to btaylor@sswug.org.

Cheers,

Ben