Guide To Securing Databases Breaks Down Very Complicated Endeavor Into Set of Simple Process Maps, Associated Metrics To Guide Implementation and Define Success
Following 18 months of research and hard work, two firms today announced the availability of what they say is the industry’s first comprehensive guide to quantifying enterprise database security processes.
Independently researched and written by Adrian Lane, analyst and CTO and Rich Mogull, analyst and CEO of independent research and analysis firm Securosis, the guide to securing databases is sponsored by Application Security, Inc. and titled, “Measuring and Optimizing Database Security and Compliance Operations: An Open Model”.
Rich Mogull, in a blog post says, “To our knowledge this is the most comprehensive database security program framework out there. From developing policies, to patch management, to security assessments, to activity monitoring we cover all of the major database security activities. We’ve structured this with a modular set of processes and sub-processes, with metrics to measure your key costs at each step.”
Dubbed by Securosis as “DB Quant” (short for Database Security Quant Research Project), the guide provides insight into all common database security tasks, with the goal of equipping organizations with a tool to better understand the security costs of configuring, monitoring and managing databases.
From developing policies, to patch management, to security assessments, to activity monitoring we cover all of the major database security activities. We’ve structured this with a modular set of processes and sub-processes, with metrics to measure your key costs at each step.
“Despite being the most important repositories for the most sensitive and critical data, the ongoing, multi-year spate of data breaches proves that most organizations still struggle to effectively secure databases,” said Rich Mogull. “So when AppSec pointed out the need for an independent model for measuring the costs of database security, we were excited about creating what we believe has become the first totally objective, comprehensive database security program framework.”
“Database security encompasses a large number of processes managed by different teams — from database administrators (DBAs), to security operations, to IT operations, really running the gamut of operational staff,” said Adrian Lane. “Our research has uncovered a consistent set of processes every IT team goes through to secure their databases, and each has a quantifiable cost associated with it. Thus with DB Quant, organizations can now model their database security program, in terms of costs and effectiveness.”
With this in mind, DB Quant contains six major phases, with 21 sub-processes and dozens of operational metrics presented in an 80-page guide. The highlights are also available in an Executive Summary packaging, hitting the highlights of the process. Some of the key findings of the 18-month long research project include:
• At the time this project started, there were no standardized processes for database security in the industry.
• Staff time for setup tasks and policy management represents the majority of costs.
• Auditors and operations management personnel – responsible for regulatory mandates and industry compliance – followed the same set of security processes.
• There is a great divide in the depth and complexity of the processes used by mid-market (less than $1B revenue) companies and large enterprises.
• While the processes vary by company size, key metrics that embody the majority of costs tend to be the same.
“The industry lacked and sorely needed an independent look at what it truly costs to secure a database, from soup to nuts, as well as a guide to help practitioners better understand all of the aspects of protecting the database,” said Thom VanHorn, Vice President of Marketing, AppSec. “We believe the tremendous work that Securosis put into DB Quant represents the most significant step forward in helping companies get their arms around a very complex situation in an easy to understand format. We expect this to serve as the standard database security framework moving forward.”
An Executive summary of the report is here (Free PDF)
The Full Report is Available Here (Free PDF)