At long last, thousands of words and 5 months later, it’s time to close out our series on Database Activity Monitoring. Today we’ll cover the selection process.
For review, you can look up our previous entries here:
Part 1 Part 2 Part 3 Part 4 Part 5
Define Needs
Before you start looking at any tools; you need to understand why you might need DAM; how you plan on using it; and the business processes around management, policy creation, and incident handling.
Create a selection committee: Database Activity Monitoring initiatives tend to involve four major technical stakeholders , and one or two non-technical business units. On the technical side it’s important to engage the database and application administrators with systems that may be within the scope of the project over time, not just the one database and/or application you plan on starting with. Although many DAM projects start with a limited scope, they can quickly grow into enterprise-wide programs. Security and the database team are typically the main project drivers, and the office of the CIO is often involved due to compliance needs or to mediate cross-team issues. On the non-technical side, you should have representatives from audit, as well as compliance and risk (if they exist in your organization). Once you identify the major stakeholders, you’ll want to bring representatives together into a selection committee.
Define the systems and platforms to protect: DAM projects are typically driven by a clear audit or security goal tied to particular systems, applications, or databases. In this stage, detail the scope of what will be protected and the technical specifics of the platforms involved. You”ll use this list to determine technical requirements and prioritize features and platform support later in the selection process. Remember that your needs will grow over time, so break the list into a group of high priority systems with immediate needs, and a second group summarizing all major platforms you may need to protect later.
Determine protection and compliance requirements: For some systems you might want strict preventative security controls, while for others you may just need comprehensive activity monitoring for a compliance requirement. In this step you map your protection and compliance needs to the platforms and systems from the previous step. This will help you determine everything from technical requirements to process workflow.
Outline process workflow and reporting requirements: Database Activity Monitoring workflow tends to vary based on the use case. When used as an internal control for separation of duties, security will monitor and manage events and have an escalation process should database administrators violate policy. When used as an active security control, the workflow may more actively engage security and database administration as partners in managing incidents. In most cases, audit, legal, or compliance will have at least some sort of reporting role. Since different DAM tools have different strengths and weaknesses in terms of management interfaces, reporting, and internal workflow, knowing your process before defining technical requirements can prevent headaches down the road.
By the completion of this phase you should have defined key stakeholders, convened a selection team, prioritized the systems to protect, determined protection requirements, and roughed out workflow needs.
Formalize Requirements
This phase can be performed by a smaller team working under the mandate of the selection committee. Here, the generic needs determined in phase 1 are translated into specific technical features, while any additional requirements are considered. This is the time to come up with any criteria for directory integration, additional infrastructure integration, data storage, hierarchical deployments, change management integration, and so on. You can always refine these requirements after you proceed to the selection process and get a better feel for how the products work.
At the conclusion of this stage you develop a formal RFI (Request For Information) to release to vendors, and a rough RFP (Request For Proposals) that you’ll clean up and formally issue in the evaluation phase.
Evaluate Products
As with any products, it’s sometimes difficult to cut through the marketing materials and figure out if a product really meets your needs. The following steps should minimize your risk and help you feel confident in your final decision:
Issue the RFI: Larger organizations should issue an RFI though established channels and contact a few leading DAM vendors directly. If you’re a smaller organization, start by sending your RFI to a trusted VAR and email a few of the DAM vendors which seem appropriate for your organization.
Perform a paper evaluation: Before bringing anyone in, match any materials from the vendor or other sources to your RFI and draft RFP. Your goal is to build a short list of 3 products which match your needs. You should also use outside research sources and product comparisons.
Bring in 3 vendors for an on-site presentation and demonstration: Instead of generic demonstrations, ask the vendors to walk you through specific use cases that match your expected needs. Don”t expect a full response to your draft RFP; these meetings are to help you better understand the different options out there and eventually finalize your requirements.
Finalize your RFP and issue it to your short list of vendors: At this point you should completely understand your specific requirements and issue a formal, final RFP.
Assess RFP responses and begin product testing: Review the RFP results and drop anyone who doesn’t meet any of your minimal requirements (such as platform support), as opposed to “nice to have” features. Then bring in any remaining products for in-house testing. You”ll want to replicate your highest volume system and the corresponding traffic, if at all possible. Build a few basic policies that match your use cases, then violate them, so you can get a feel for policy creation and workflow.
Select, negotiate, and buy: Finish testing, take the results to the full selection committee, and begin negotiating with your top choice.
Internal Testing
- Platform support and installation to determine compatibility with your database/application environment. This is the single most important factor to test, including monitoring coverage for the connection methods used in your organization, since different database platforms support a variety of connection types.
- Performance. Is network or agent performance acceptable for your environment? Don”t set arbitrary standards; monitor performance on your production systems to make sure testing represents operational requirements.
- Policy creation and management. Create policies to understand the process and complexity. Do you need to write everything as SQL? Will built-in policies meet your needs? Are there wizards and less-technical options for non-database experts to create policies? Then violate policies and try to evade or overwhelm the tool to learn where its limits are.
- Incident workflow. Review the working interface with those employees who will be responsible for enforcement.
- Behavioral profiling, if the product supports that as a way of developing policies.
- Directory integration.
- Change management integration.
- Enforcement/blocking/rollback and other advanced features.
<
p style=”text-align:right;font-size:10px;”>Technorati Tags: ADMP, Database Activity Monitoring, Tools, Tutorial
Reader interactions
3 Replies to “Understanding and Selecting a Database Activity Monitoring Solution: Part 6, The Selection Process”
As a recent retiree of the encryption and key management space, I should point out one more thing – don’‘t get complacent just because you’‘ve achieved compliance. This is really a starting point for DAM with anyone who’s serious about security.
Encrypting your database will get you many things, but it won’‘t keep you completely safe. Without going into too much detail on Rich’s blog, it doesn’‘t protect from the DBA if he’s smart enough and knows how the product works.
Some guys from Accenture picked me up on several (known) holes, all of which I had to say – we partner with DAM companies to fix that. Pretty weak in front of customers.
Adrian, as always good stuff. I’‘m changing it around a bit in the paper version to incorporate those suggestions.
A couple of other points I would add. The selection committee needs to define what the goal is, but they will need to account for technical staff to complete the mapping to the individual database platforms. You mention this under “Determine Protection and Compliance Requirements”, but I think that both mapping the compliance requirement to company processes and technology implementations need to be considered. For example, I may want to specifically review how I strategically want to comply with PCI, and then I need to specific mapping of database commands to the controls I put in place. Does this make sense?
—
Separation of duties in the process work flow? Policy Management, Operational Management, Reports, Remediation are all distinct roles for most public corporations.
—
Filtering. What you do not keep is an important consideration both from maintaining a data set small enough so you can actually run the reports without waiting for days, but balancing that will collection of pertinent information needed for effective controls.
—
Agent vs. no agent is as much of an operations management issue as it is a performance issue.