A targeted approach to automation for DBaaS compliance

By Steve Forsyth, HP Software R&D

Based on what I hear from customers, especially those in the Financial Services industry, it’s clear that database compliance is a significant issue that any Database as a Service (DBaaS) must address if it is to work for production environments. Organizations require maximum visibility and compliance reporting, and the ability to automate compliance at scale.

Here is how I am thinking about these challenges, and how we’re solving them.

As you know, compliance is a pretty broad topic, so let’s first establish something foundational about compliance in the context of DBaaS implementation for production: it must provide visibility to and management of your database estate. As the metaphor implies, the database estate is the boundary of assets provisioned by, or possibly discovered by, DBaaS (Figure 1).

Fig. 1 Database estates


As with the estates of yesteryear, you can achieve higher profits through keen oversight and a focus on continuous improvement of operations. DBaaS must maintain a dynamic repository of the active databases and expose this object model via its API.

Once you have this model of the database estate, you can begin to do many interesting things with it, including assuring that the production database estate stays in compliance with PCI, SOX, CIS, HIPAA, or even your own internal standards.

> WATCH: Auditing Database Compliance for PCI and SOX standards using automation

Scaling Automated DBaaS Compliance

But if the alphabet soup of compliance checks is going to be automated at scale, we also need to be able to segregate the estate by database types. For example, you can use the underlying estate model to simply switch the RDBMS-specific CIS compliance checking workflow that will physically execute against the target database. (I cringe when I think about trying to accomplish this task without the push-button approach offered by HP’s DBaaS solution, but let me hear your horror stories anyways—post a comment below and share with us how you try to do it.)

Compliance Reporting

Database compliance solutions must offer a reporting capability. This can range from formal reports to auditors in a regulatory compliance process to online CIO dashboards. HP’s DBaaS can support this wide variety of reporting needs through its standard RESTful web services API approach.

DBaaS should also offer reporting-tool and data-warehouse integrations by exposing views. Additionally, we see a strong need for DBaaS to provide holistic representations of database compliance across the estate.
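As an added illustration of the two ideas above, selecting the check workflow by RDBMS type from the estate model and rolling the results up into a holistic estate-wide view, here is a small Python sketch; it is not HP's code or API, and the estate records, engine names and check names are constructed for the example rather than taken from any real CIS benchmark.

```python
# Constructed example (not HP's API, not real CIS benchmark items):
# dispatch an RDBMS-specific check set over a DBaaS estate model and
# roll the results up into an estate-wide compliance report.
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed estate records, in the shape an inventory API might return.
ESTATE: List[Dict] = [
    {"id": "db-001", "rdbms": "oracle", "env": "prod",
     "audit_enabled": True, "remote_os_auth": False},
    {"id": "db-002", "rdbms": "oracle", "env": "prod",
     "audit_enabled": False, "remote_os_auth": True},
    {"id": "db-003", "rdbms": "mssql", "env": "prod",
     "audit_enabled": True, "sa_login_disabled": False},
    {"id": "db-004", "rdbms": "mssql", "env": "dev",
     "audit_enabled": False, "sa_login_disabled": False},
]

# One check workflow per RDBMS type; the record's "rdbms" field selects it,
# so the same estate model drives differently-shaped checks.
CHECKS: Dict[str, Dict[str, Callable[[Dict], bool]]] = {
    "oracle": {
        "audit_enabled": lambda db: db["audit_enabled"],
        "remote_os_auth_off": lambda db: not db["remote_os_auth"],
    },
    "mssql": {
        "audit_enabled": lambda db: db["audit_enabled"],
        "sa_login_disabled": lambda db: db["sa_login_disabled"],
    },
}

def assess(db: Dict) -> Dict[str, bool]:
    """Run the check set matching this database's RDBMS type."""
    checks = CHECKS.get(db["rdbms"])
    if checks is None:  # unknown engine: surface it rather than skip silently
        raise ValueError(f"no compliance workflow for {db['rdbms']!r}")
    return {name: check(db) for name, check in checks.items()}

def estate_report(estate: List[Dict], env: str = "prod") -> Dict:
    """Holistic view: failing checks per database plus per-RDBMS counts."""
    findings: Dict[str, List[str]] = {}
    summary = defaultdict(lambda: {"databases": 0, "compliant": 0})
    for db in (d for d in estate if d["env"] == env):
        failed = sorted(n for n, ok in assess(db).items() if not ok)
        summary[db["rdbms"]]["databases"] += 1
        if failed:
            findings[db["id"]] = failed
        else:
            summary[db["rdbms"]]["compliant"] += 1
    return {"env": env, "findings": findings, "summary": dict(summary)}
```

The `findings` map is what an operator or change-control process would act on, while `summary` is the per-engine roll-up a dashboard or data-warehouse view would consume.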

Providing a compliance lens on databases

As with most things in life, we must first understand the problem before we can fix it. A DBaaS implementation for production should provide a compliance lens on the entire database estate. This lens can then be used to begin remediation tasks in one of three ways:

  1. Directly by the database estate operator
  2. Integrated with organizational change control process
  3. In the case of more agile environments, handed over to the resource subscriber to manage

I’d love to hear how your organization reacts to compliance data today and how you imagine yourself wanting to automate it. Post a comment below!
