
Fellow DBAs and Engineers,

I'm looking for a few quality database security metrics. The purpose of these metrics is to demonstrate the level of security provided to database schemas in the organisation. Specifically, I'm looking for security metrics which can show the state of confidentiality and integrity provided to the DBs in the environment.

As an example:

  1. Percentage of DBs encrypted and Redacted.

  2. Percentage of DBs hosting PII information.

The metric request is platform agnostic but mostly pertains to an Oracle environment in a hosted DB environment.

Let me know if you have any questions.

Regards

~ RS
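As an added example of the automatable slice of what the question describes (this is not code from the question or the answer), the script below takes a constructed per-database inventory and computes fleet-wide percentages. The database names and counts are invented; in an Oracle estate a collector could populate such records from dictionary views like `DBA_TABLESPACES` (its `ENCRYPTED` column) and `REDACTION_COLUMNS`, but the collection step itself is assumed here, not shown. It goes slightly beyond the two listed metrics by also reporting encryption and redaction coverage relative to where PII actually lives, which is the figure an auditor tends to ask for.

```python
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class DbPosture:
    """One row of a (hypothetical) per-database posture inventory."""
    name: str
    tablespaces: int              # total tablespaces in the DB
    encrypted_tablespaces: int    # tablespaces with TDE enabled
    pii_columns: int              # columns classified as PII (0 = hosts no PII)
    redacted_pii_columns: int     # PII columns covered by a redaction policy
    unified_audit: bool           # auditing of privileged activity enabled

    @property
    def fully_encrypted(self) -> bool:
        return self.tablespaces > 0 and self.encrypted_tablespaces == self.tablespaces

    @property
    def hosts_pii(self) -> bool:
        return self.pii_columns > 0


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the population is empty."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def fleet_metrics(dbs: List[DbPosture]) -> Dict[str, Union[float, List[str]]]:
    """Compute fleet-wide confidentiality/integrity metrics from the inventory."""
    pii_dbs = [d for d in dbs if d.hosts_pii]
    return {
        # the two metrics named in the question
        "pct_dbs_fully_encrypted": pct(sum(d.fully_encrypted for d in dbs), len(dbs)),
        "pct_dbs_hosting_pii": pct(len(pii_dbs), len(dbs)),
        # coverage measured against the PII population, not the whole fleet
        "pct_pii_dbs_fully_encrypted": pct(sum(d.fully_encrypted for d in pii_dbs), len(pii_dbs)),
        "pct_pii_columns_redacted": pct(
            sum(d.redacted_pii_columns for d in pii_dbs),
            sum(d.pii_columns for d in pii_dbs),
        ),
        "pct_dbs_audited": pct(sum(d.unified_audit for d in dbs), len(dbs)),
        # the list a remediation owner actually needs: PII at rest without TDE
        "pii_dbs_unencrypted": sorted(d.name for d in pii_dbs if not d.fully_encrypted),
    }


# Constructed sample inventory (names and counts are invented for illustration).
SAMPLE_FLEET = [
    DbPosture("HR_PROD", 8, 8, 12, 12, True),
    DbPosture("CRM_PROD", 10, 6, 20, 5, True),
    DbPosture("DWH", 20, 20, 0, 0, False),
    DbPosture("DEV_SANDBOX", 4, 0, 3, 0, False),
]

if __name__ == "__main__":
    for key, value in fleet_metrics(SAMPLE_FLEET).items():
        print(f"{key:32s} {value}")
```

The point of the second group of metrics is that "50% of DBs encrypted" reads very differently once you know that two of the three PII-bearing databases are among the unencrypted half; reporting coverage against the sensitive population keeps the headline number from hiding that.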

  • Hire a company to do an audit; that is what you're asking for here, really. – JasonBluefire Jun 17 '20 at 16:25
  • Well, I got feedback from most of them. Nothing interesting, all singing the same song. – Rahul Ratan Sharma Jun 17 '20 at 18:36
  • Are you asking about some sort of automatic process which identifies what databases are encrypted/redacted and which contain PII? Are these run by your company? – Vérace Jun 17 '20 at 20:14
  • We have resources to automate metrics. What I'm looking for is objective security measurements which demonstrate the state of security of DBs. I'm not asking anyone to implement hi-tech solutions like homomorphic encryption, DB firewalls etc. The metric should tell a story in itself about how safe our DBs are. Hope that answers your question. – Rahul Ratan Sharma Jun 17 '20 at 20:46
  • "Metric should tell a story..." is not the right way to look at this. Some of the most important things to consider aren't measurable with automation. Things like policy and procedure documentation, backup and recovery plans, architecture design, legal compliance, other parts of the technology stack, etc. Just measuring the lockdown state of a DB from an automation standpoint is a very, very small piece of what it means to be "secure". If you only rely on that, you will not have an accurate measure of your overall security - you will have a very inaccurate, distorted and misleading view. – pmdba Jun 17 '20 at 22:26
  • Thanks, I understand your concern. We have a mature security metric program to capture all you mentioned above. The place where we are lagging is DB metrics. – Rahul Ratan Sharma Jun 18 '20 at 03:58
  • If you're looking for a checklist/guide then I recommend the DISA STIG or CIS benchmark in my answer below. They are very thorough; Oracle has some built-in STIG-compliance monitoring features if you're using Enterprise Manager, too. – pmdba Jun 18 '20 at 04:29
  • Thanks @pmdba! That looks good to me, better than all the FIPS and NIST publications. – Rahul Ratan Sharma Jun 18 '20 at 06:29
  • STIGs are based on a combination of FIPS, NIST, CIS, and other federal regulations. – pmdba Jun 18 '20 at 10:37

1 Answer

The only way to get to what you're looking for is through an audit process of some kind, using a pre-defined checklist like the DISA STIG or CIS or some other recognized benchmark. These will all include a variety (even a majority) of "metrics" about documentation and policy that can't be measured through automation, so don't think there's an easy way to do this to get meaningful results.

There are whole areas of research and organization dedicated to how to approach this on a complete infrastructure or system level, like the Risk Management Framework. There are also legal requirements to evaluate against if your system is covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Children's Online Privacy Protection Act, the Health Information Technology for Economic and Clinical Health Act, HIPAA, the Federal Information Security Act of 2002, or GDPR. These carry their own auditing requirements.

It's also important to recognize that a system or application's security is about all layers of that system: database; operating systems; application servers; web servers; application code; network infrastructure; storage; authentication and authorization; and even user and admin training. All must be evaluated from top to bottom to get anything close to a complete picture. Even then with these checklists all you're really demonstrating is what you've prepared for / hardened against; there's no absolute measure of a system's security, per se.

– pmdba