SOX Compliance with NATS
Colin Sullivan
Posted on May 10th, 2022
How to Use NATS.io to Set Up a SOX Compliance System
An enterprise customer of ours recently asked for guidance around how their NATS.io enabled system could help them achieve SOX compliance. Sarbanes Oxley Compliance encompasses a very broad set of practices around financial record keeping and reporting, touching nearly every aspect of running a business. While ensuring financial accuracy, undergoing compliance is like going to the dentist - no-one looks forward to doing it but it has to be done.
NATS provides several fundamental features that can help businesses to more easily achieve SOX compliance when properly used. This is most applicable to Sarbanes–Oxley Section 404: Assessment of internal control.
These features are centered around NATS advisories and System Events. Caveat: In corner cases, system events and advisories may not be generated, published, or saved in the event of hardware failure, unexpected server shutdown, and other error conditions.
Exabeam provides a very nice SOX compliance checklist. There is a lot to SOX compliance; this article is by no means exhaustive but we can run through some of the features of NATS as a good starting place.
Prevent data tampering
Implement systems that track logins and detect suspicious login attempts to systems used for financial data.
This is fairly straightforward to implement for NATS. NATS generates system events that can be used to track these and persist them in the NATS JetStream subsystem. Create a stream and specfify the subjects you'll want to track to store these events.
The system event subjects you’ll want your stream(s) to include are:
- $SYS.ACCOUNT.*.CONNECT (client connects)
- $SYS.ACCOUNT.*.DISCONNECT (client disconnects)
- $SYS.SERVER.*.CLIENT.AUTH.ERR (authentication error)
If you are using leaf nodes, then include these subject:
- $SYS.ACCOUNT.*.LEAFNODE.CONNECT (leaf node connects)
- $SYS.ACCOUNT.*.LEAFNODE.DISCONNECT (leaf node disconnects)
You can then develop an application report and inspect these events to ensure no suspicious users connect, track down the source of authentication errors, and the frequency, time, and duration of connections are in line with normal parameters of your system. The definition of suspicious is left to the implementer.
Note that JetStream streams are tamper-proof, with the exception of erasing a message for GDPR purposes (this action can be locked down and audited).
Record timelines for key activities
Implement systems that can apply timestamps to all financial or other data relevant to SOX provisions. Store such data at a remote, secure location and encrypt it to prevent tampering.
You’re covered by adding a bit of process and would want to ensure relevant financial transactions are stored in the NATS JetStream subsystem. JetStream supports encryption at rest to protect your data. Each message stored in JetStream automatically has a timestamp associated with it, set at the time the message was first stored. This applies to your event and NATS systems events (if stored in a stream).
$ nats s get transactions 2
Item: transaction#2 received 2022-05-03 17:38:18.114054892 +0000 UTC on Subject payable
Data in streams can be mirrored or sourced to a remote location and/or backed up to files for remote storage.
Build verifiable controls to track access
Implement systems that can receive data from practically any organizational source, including files, FTP, and databases, and track who accessed or modified the data.
NATS has various connecting technologies, but let's focus on tracking of NATS assets. In a secure NATS system, each connection has a user associated with it. NATS provides rich monitoring tools to identify which users are accessing the system at any given time. Furthermore, each time there is a CRUD operation on a JetStream asset an advisory can be sent which includes the identity of the user. These advisories can be stored in a stream or read by a process to store externally.
Test, verify and disclose safeguards to auditors
Implement systems that can report daily to selected officials in the organization that all SOX control measures are working properly. Systems should provide access to auditors using permissions, allowing them to view reports and data without making any changes.
This is wide ranging. NATS provides monitoring and logging in to ensure the system is up, and streams containing metadata of advisories and system events can be replayed anytime to generate a report. Given proper permissions, data stored in NATS can be accessed to generate a report anytime.
Report on the effectiveness of safeguards
Implement systems that generate reports on data that have streamed through the system, critical messages and alerts, security incidents that occurred and how they were handled.
Earlier we discussed persisting events correlated to these items to streams. If a user has permissions they can replay the stream containing system events and jetstream audit events to generate a report.
Detect and disclose security breaches
Implement security systems that can analyze data, identify signs of a security breach and generate meaningful alerts, automatically updating an incident management system.
Implement systems that log security breaches and also allow security staff to record their resolution of each incident. Enable auditors to view reports showing which security incidents occurred, which were successfully mitigated and which were not.
This would fall on the NATS operators to develop a system that meets the needs of the business. Though the system events generated, NATS provides plenty of data points for an enterprise to quickly build a custom system that does exactly this.
Summary
SOX compliance is a very broad and loosely defined initiative; this article does not cover every aspect, but can serve as a starting point for enterprises that need to be compliant and are using NATS. We on the NATS team would be certainly open to suggestions as to how to make this easier; if you have ideas or would like to offer contributions in this area please reach out.
About the Author
Colin Sullivan is VP of Product Synadia Communications. If your enterprise needs assistance with SOX Compliance Synadia, or NATS usage in general Synadia can provide guidance.