Database Security Vendor Evaluation Guide


Requirement for solutions related to Database security

A CISO should define the requirements for database security solutions by first understanding the business and threat environment, then deciding on the most applicable threats and security parameters while balancing application performance against security.

The solution requirements should address the fundamental security properties, viz. availability, authenticity, integrity and confidentiality. While defining the requirements, one needs to decide which information must be protected with respect to these properties and accordingly select the databases for which security solutions need to be identified. A comprehensive risk assessment needs to be carried out to define the potential security threats holistically: internal or external, intentional or accidental, physical or logical, etc. Once the threats are identified, one needs to define the criticality of each threat from a business-impact perspective, and then analyze the various vulnerabilities or points/modes of failure. Further analysis is then done to assess the probability of occurrence, based on the protection controls already in place and the current detection capabilities. Based on this analysis, one arrives at a risk priority rating, which becomes the basis for the requirements criteria for database security.

Besides taking a risk-based approach, it is equally critical to understand and identify whether there are any requirements from a statutory, regulatory or contractual compliance perspective (e.g. PCI standards: encryption, DAM - Database Activity Monitoring).

Key parameters on which a CISO should choose a vendor

  • Expertise and capability in providing comprehensive solutions for database security
  • Ability to understand the customer's business requirements for database security and provide a relevant, optimized security solution
  • Maturity of the technical products/solutions offered by the vendor
  • Well-defined roadmap for the next 2-3 years, with a proven track record of delivering product enhancements and support
  • Capability to provide after-sales support locally

Top questions to ask a vendor when evaluating the offering / Vendor evaluation checklist

  • What will be the impact or overhead of the solution on application performance, administration/operations and user experience?
  • Where has the solution been implemented and run successfully, and for how long?
  • What kind of security testing or assessment have the products/solutions undergone, and can the vendor share the latest reports?
  • Through what mechanisms does the vendor identify vulnerabilities in its products, and what is the turnaround time for releasing patches/fixes?
  • Is the product supported and certified by the principal database vendor?

Top mistakes to avoid while selecting a vendor

  • Going for third-party solutions for requirements that can be met through the database's built-in security features. This unnecessarily increases cost and overhead.
  • Going for a leading player on the strength of product features without understanding its capability to support you locally. The product may be very good, but it delivers little if it is not implemented properly, is not well supported, or lacks strong local support / system-integration partners.
  • Going by the rich feature list of a vendor's product/solution rather than selecting vendors/solutions that meet your business requirements for database security. This sometimes becomes overkill, not only from a cost perspective but also as overhead on the performance of the database/application.
  • Selecting a vendor without checking the compatibility of their solution with the database vendor. This sometimes leads to issues before or after implementation; this aspect needs to be thoroughly checked and evaluated before selecting a vendor.

- By A.Raja Vijay Kumar, VP & Global Information Security Leader, Genpact
