<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2826169&amp;fmt=gif">
Start  trial

    Start trial

      roundel-database-and-shileld-01Hello, dedicated database gurus!
      As Database Administrators (DBAs), navigating the complex landscape of cybersecurity is crucial. The first pillar of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework – Identify – provides a robust foundation for understanding and managing cybersecurity risks to systems, people, assets, data, and capabilities.

      In this article, we'll explore Asset Management and Risk Assessment, the first of several essential activities DBAs should undertake to align with this pillar, focusing specifically on database security.

      The Identify function emphasizes the need for organizations to understand their business context, the resources that support critical functions, and the related cybersecurity risks.

      Understanding Identify in the context of database security

      The Identify function serves as the cornerstone of a comprehensive cybersecurity strategy. It emphasizes the need for organizations to understand their business context, the resources that support critical functions, and the related cybersecurity risks. For DBAs, this translates into a thorough understanding of the databases under their control and the criticality of the data they manage.

      Asset management

      The first step is to identify and manage all database assets within the organization. This includes not just the databases themselves but also the associated hardware, software, and network resources. Maintain an inventory of these assets, noting details such as their versions, configurations, and patch levels.

      DBAs should understand how the databases align with the organization’s business objectives. This involves identifying which data is critical for business operations and must be prioritized for protection.

      Recording this information can be done effectively by maintaining a centralized comprehensive document or a set of documents that record all relevant details about each database.

      img-woman-using-laptop-computer-at-office-02-variation-01This should include:

      • Database name and type (e.g., CRM, financial)
      • Data contained and its sensitivity level
      • Users who have access and their access levels
      • Software and hardware details, including any associated network infrastructure
      • Compliance requirements (e.g., GDPR for customer data)
      • Security measures in place (e.g., encryption, access controls)
      • Backup and recovery procedures
      • Audit logs and historical security incidents

      Regular audits and updates

      Schedule regular audits of the documentation and the security measures in place. Update the documentation and security protocols as needed, especially after any significant changes in the database environment or relevant regulations.

      Risk assessment

      Regular risk assessments evaluate potential threats to your databases, considering factors like data sensitivity, system vulnerabilities, and potential impact of data breaches. This assessment should guide your security strategies.

      Database risk assessment by DBAs

      img-people-at-office-using-laptop-computer-01Here are key steps a DBA can undertake to establish a robust foundation for the risk assessment of database assets:

      • Identification of data sensitivity and criticality
        • Classify data - Categorize data stored in the databases based on sensitivity (e.g., public, internal, confidential, highly confidential).
        • Determine criticality - Identify which datasets would cost the business the highest levels of reputation and money if compromised in a breach and requires heightened protection.
      • System vulnerability analysis
        • Regular scans and audits - Implement regular vulnerability scans and audits of the database systems to identify potential weaknesses.
        • Patch management - Keep track of updates and patches for database management systems and associated software, ensuring that systems are up-to-date and secure.
      • Threat modelling
        • Identify potential threats - Understand various types of threats, such as SQL injections, unauthorized access, or insider threats, that can exploit the vulnerabilities in the database systems.
        • Scenario analysis - Develop scenarios to understand how different threats could potentially impact the database and the organization.
      • Impact analysisimg-man-at-office-using-laptop-computer-01-variation-01
        • Evaluate consequences - Assess the potential impact of various threat scenarios on the organization, considering factors like data loss, financial loss, reputational damage, and regulatory implications.
        • Business Impact Analysis (BIA) - Conduct a BIA to understand the ramifications of database security incidents on critical business operations.
      • Risk evaluation and prioritization
        • Risk scoring - Assign a risk score to each identified risk based on its likelihood and impact, creating a risk matrix.
        • Prioritize risks - Prioritize the risks, focusing first on those with the highest scores (high likelihood and high impact).
      • Documentation and reporting
        • Risk register - Maintain a risk register that documents all identified risks, their assessment, and mitigation strategies.
        • Reporting - Regularly report the findings to relevant stakeholders, including management and cybersecurity teams, to inform decision-making.
      • Review and update
        • Continuous monitoring - Continuously monitor the threat landscape and the effectiveness of implemented security measures.
        • Periodic reviews - Regularly review and update the risk assessment to reflect changes in the threat environment, business processes, or technology.

      Integrating risk assessment with broader cybersecurity strategies

      Alignment with security policies: Ensure that the findings from the risk assessment align with and inform the organization's broader database security policies and strategies.

      Collaboration with IT security: Work closely with IT security teams to ensure a unified approach towards managing database risks, including the implementation of appropriate security controls.

      Risk mitigation strategies: Develop and implement risk mitigation strategies, such as enhanced access controls, encryption, data masking, and incident response plans, based on the risk assessment outcomes.

      By conducting thorough risk assessments, DBAs can gain a clear understanding of the vulnerabilities, threats, and potential impacts associated with their database environments. This insight is crucial in guiding the development and implementation of effective security measures, aligning with the Identify pillar of the NIST Cybersecurity Framework, and ensuring the integrity and security of database assets.


      img-man-using-laptop-outdoors-01In conclusion, mastering the Identify pillar of NIST's Cybersecurity Framework is a critical step for Database Administrators in safeguarding their digital assets against emerging threats. The journey begins with robust asset management, ensuring a comprehensive understanding and documentation of all database assets. This foundational knowledge is then powerfully leveraged in conducting detailed risk assessments, which are essential for identifying vulnerabilities and preparing for potential threats.

      The processes of asset management and risk assessment are not static; they require ongoing vigilance, regular updates, and continuous improvement to remain effective. By staying informed about new threats and evolving best practices, DBAs can ensure their risk assessments and mitigation strategies are always current and comprehensive.

      This proactive approach to database security, grounded in the Identify function of the NIST framework, positions DBAs not just as guardians of data, but as strategic partners in their organization's overall cybersecurity posture. By effectively identifying risks and managing assets, DBAs contribute significantly to the resilience and success of their organizations in the face of a dynamic cybersecurity landscape.

      As we move forward in an era where data is increasingly valuable and vulnerable, the role of the DBA in implementing the Identify pillar becomes ever more crucial. Embracing this challenge is not just a professional responsibility; it's a commitment to excellence in the field of database administration and cybersecurity.

      Next on this series

      In our next instalment, we will delve into the Governance and Data Security activities, which intersect with the Protect pillar of NIST’s Cybersecurity Framework. Stay tuned as we explore how these critical components work together to enhance your database security strategy.

      Want to know more? Then subscribe to be notified of new posts.

      Topics: PostgreSQL, Fujitsu Enterprise Postgres, Data governance, Security, NIST Cybersecurity Framework, "Database security" blog series

      Receive our blog

      Search by topic

      see all >
      Gary Evans
      Senior Offerings and Center of Excellence Manager
      Gary Evans heads the Center of Excellence team at Fujitsu Software, providing expert services for customers in relation to PostgreSQL and Fujitsu Enterprise Postgres.
      He previously worked in IBM, Cable and Wireless based in London and the Inland Revenue Department of New Zealand, before joining Fujitsu. With over 15 years’ experience in database technology, Gary appreciates the value of data and how to make it accessible across your organization.
      Gary loves working with organizations to create great outcomes through tailored data services and software.
      Our Migration Portal helps you assess the effort required to move to the enterprise-built version of Postgres - Fujitsu Enterprise Postgres.
      We also have a series of technical articles for PostgreSQL enthusiasts of all stripes, with tips and how-to's.


      Explore PostgreSQL Insider >
      Subscribe to be notified of future blog posts
      If you would like to be notified of my next blog posts and other PostgreSQL-related articles, fill the form here.

      Read our latest blogs

      Read our most recent articles regarding all aspects of PostgreSQL and Fujitsu Enterprise Postgres.

      Receive our blog

      Fill the form to receive notifications of future posts

      Search by topic

      see all >