Requirement for solutions related to Database security
A CISO should define the requirements for database security solutions by first understanding the business and threat environment, then deciding on the most applicable threats and security parameters while balancing application performance against security.
The solution requirements should address the fundamental security properties, viz. availability, authenticity, integrity and confidentiality. While defining the requirements, one needs to decide which information needs to be protected with respect to these properties and accordingly select the relevant databases for which security solutions need to be identified. A comprehensive risk assessment needs to be carried out to define the potential security threats holistically: internal or external, intentional or accidental, physical or logical, etc. Once the threats are identified, one needs to define the criticality of each threat from a business impact perspective, and then analyze the various vulnerabilities or points/modes of failure. Further analysis is needed to assess the probability of occurrence based on the protection controls already in place and the current detection capabilities. Based on this analysis, one arrives at a risk priority rating, which becomes the basis for the requirements criteria for database security.
Besides taking a risk-based approach, it is equally critical to understand and identify whether there are any requirements from a statutory, regulatory or contractual compliance perspective (e.g. PCI standards: encryption, DAM - Database Activity Monitoring).
Key parameters based on which a CISO should choose a vendor for the same
- Expertise and capability in providing comprehensive solutions for database security
- Ability to understand the customer's business requirements for database security and provide a relevant, optimized security solution
- Maturity of the technical products/solutions offered by the vendor
- Well-defined roadmap for the next 2-3 years, with a proven track record of delivering product enhancements and support
- Capability to provide after-sales support locally
Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist
- What will be the impact or overhead of the solution on application performance, administration/operations and user experience?
- In which places has the solution been implemented and running successfully, and for how long?
- What kind of security testing or assessment have the products/solutions undergone, and can the vendor share the latest reports?
- What are the mechanisms through which the vendor identifies vulnerabilities in their products, and what is their turnaround time for releasing patches/fixes?
- Is the product supported and certified by the principal vendor of the database?
Top mistakes to avoid while selecting a vendor
- Going for third-party solutions for requirements that can be achieved through the database's built-in features. This unnecessarily increases cost and overhead.
- Going for a leading player based on product features without understanding their capability to support locally. The product may be very good, but it will fall short if it is not implemented properly, not well supported, or lacks strong local support / system integration partners.
- Select vendors/solutions that meet your business requirements for database security rather than going by the rich feature list of a vendor's product/solution. Otherwise the solution can become overkill, not only from a cost perspective but also in its overhead on database/application performance.
- Selecting a vendor without checking the compatibility of their solution with the database vendor. This can lead to issues before or after implementation, so this aspect needs to be thoroughly checked and evaluated before selecting a vendor.
- By A.Raja Vijay Kumar, VP & Global Information Security Leader, Genpact