Financial organizations are required to demonstrate compliance when it comes to every aspect of data handling, which is deeply tied to databases and how they are managed. Companies in the financial sector are spending millions of dollars annually to stay compliant with the latest rules.
Compliant database DevOps stands at the core of financial risk management today. This allows companies to consistently document and communicate any kind of risk information to the right stakeholder (usually legal executives), a key compliance requirement today. More on this in the next section.
Unfortunately, database compliance is challenging on many levels in the financial sector. Let’s take a closer look at the underlying issues.
All top compliance protocols today have clearly mentioned databases as key components when it comes to safeguarding personal information and data.
The top regulatory compliance protocols in effect today include:
The General Data Protection Regulation (GDPR)
GDPR is a landmark regulation that has changed the regulatory landscape forever. While this set of data privacy protection rules apply to organizations operating in the European Union, it has had a ripple effect on the global regulatory landscape, essentially making it a global protocol.
Not only does the GDPR sharpen the requirements around the collection of personal data, it also specifies who is accountable when it comes to data breaches. Organizations (Controllers) using third-party solutions ( Processors) have to take full responsibility for breaches and need to report them in a timely manner or face significant fines.
In a nutshell, as a DBA you need to put database protocols in place to organize, document, and store all metadata and approvals in a centralized and secured place to pass your GDPR audits.
Sarbanes-Oxley Act (SOX)
The SOX act is essentially the requirement to connect all financial reports to an Internal Controls Report. Introduced all the way back in 2002, SOX was created to contain the growing number of fraudulent activity cases in the USA. Companies were forced to change the way they operate. This included DBAs.
DBAs today have to make sure their organization is implementing specific procedures around the safeguarding of financial data, mainly by restricting direct access to it. SOX differs from other compliance protocols due to the fact that it doesn’t involve the protection of Personally Identifiable Information (PII).
The biggest challenge while enforcing SOX is that while access is restricted and kept to a minimum, it should have a minimal effect on performance.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is essentially a compliance requirement for online entities that are collecting and processing credit card information. Although not yet mandatory everywhere, this is considered the gold standard for credit card compliance. Naturally, the database plays a key part in PCI DSS compliance.
DBAs are now required to adopt a set of best practices to make sure that their database is PCI DSS compliant. These include collaboration with IT professionals to implement a firewall and making sure that all servers are not running on vendor-supplied passwords and ensuring that security best practices are followed on the database level.
Access control also plays a key part in database PCI DSS compliance. All access, remote and on-premise, should be identified and authenticated.
Federal Information Security Management Act (FISMA)
FISMA was introduced back in 2002 due to the increasing exchange of personal information on the internet and the demand for improved cybersecurity standards. This security protocol requires responsible stakeholders, DBAs included, to be available during annual inspections and audits.
This compliance regulation requires organizations to create and maintain a detailed inventory of information systems, all properly categorized according to the risk levels they are introducing. There should be a proper security plan in place that is always kept updated as per risk assessments and monitoring data.
Like many other compliance rules, FISMA also gives a lot of importance to federal data (unemployment data, student loans, etc.) encryption.
Gramm-Leach-Bliley Act (GBLA)
Also referred to as the Financial Services Modernization Act of 1999, GBLA was created to enable financial flexibility and mobility between various financial and government organizations in the USA, while taking the security and privacy aspects of specific sensitive data into consideration at all times.
The three pillars of GBLA include – the Financial Privacy rule (collection and disclosure of personal data), the Safeguards rule (implementation of security processes and policies to safeguard information), and the Pretexting rule (to combat identity theft issues and eliminate unauthorized data access).
The data that is safeguarded by GBLA includes social security numbers, credit card information, income patterns, salary histories, and private addresses.
While companies often focus on security solutions like firewalls, manual documentation, and anti-virus software, there is a lot of confusion when it comes to distinguishing between data and the database.
Industry regulations now use data and databases interchangeably. For instance, in the newest formal release of the Payment Card Industry Data Security Standard (PCI) specifies that “controls that meet all of the following conditions… provide ability to restrict access to cardholder data or databases.”
Still, many organizations fail to realize that everything starts and ends with database compliance.
Now that we have gone over the most important database compliance regulations and covered the concepts of enforcing them, lets touch on the main steps you will need to take in order to achieve sustainable database compliance and steer clear of legal trouble going ahead.
You need to map and categorize your business data in accordance with how each element is impacted by regulations. You will need to be able to answer these questions at any given time: Which data elements are covered by which regulation? What data management changes does the regulation require?
Your controls and policies need to be enacted so that they help enforce compliance with all regulations. Ensure user/developer database compliance policies are in place to enforce minimal data retention periods, impose stricter privacy sanctions, and mandate improved data quality practices.
There are many components in your data. You must design a hardened configuration baseline/benchmark for the database platform you are currently using and implement it at all times. Things may get complicated if you are using multiple databases. This is where automation will help you. More on this later.
Encrypt all sensitive and personal data with the Advanced Encryption Standard (AES), which basically uses symmetric key encryption. It has even been approved by the US National Security Agency (NSA). Furthermore, make sure you are encrypting all communication links with the SSLv3 or TLS protocols.
Don’t wait for your annual audit. Many organizations make the mistake of assuming everything is fine if there are no data breaches. But scaling up and adding new features can always lead to trouble. Run bi-annual security reviews and testing programs to achieve compliant database DevOps.
Complying with GDPR, HIPAA, and SOX is not a one-time thing. Passing your audits with flying colors is great, but you need to make sure things are not changing under your nose. Monitor for database intrusions. Modern monitoring solutions also have customizable alert notifications.
There are a wide range of database maintenance and user auditing tasks that DBAs need to perform on a constant basis. This includes freeing up disk space, locating potential data errors, detecting hardware issues, and documenting internal stats. Automate these to be more proactive on the compliance front.
You will need to have well-defined roles and permissions to pass your compliance audits. But having them isn’t enough. You will need to enforce them, not before everybody within your organization is informed and trained about them. Achieving database compliance is a cross-department operation.
To sum things up, you will need to be on top of everything that is happening to your database at all times. The main actions include tracking the changes being made to the database, the developers and stakeholders performing the tasks, and also documenting each and every action.
This is why database automation is now powering compliant database DevOps.
There are many compliance-related tasks that directly impact database administration. These include actions such as metadata management, data quality, database and data access auditing, data masking and obfuscation, long-term data retention, and database archiving.
DBAs must follow the latest updates in compliance requirements. It’s necessary to find, implement, and manage new compliance-supporting tools, while also performing all regular DBA tasks that revolve around improving code quality and optimal performance metrics to keep the devs happy.
Furthermore, the DBA is now required to closely document all daily tasks such as change management, creating backups, and recovery procedures.
As more developers and IT professionals are adapting to the remote-work protocols, DBA tasks become even more difficult when it comes to permissions and privileges management.
Faced with such complexity, manual compliance management will no longer work.
This is where centralized process automation and control solutions come into play. With the right tools, duties and roles can be clearly defined, allowing dynamic management of each and every stakeholder within the DevOps ecosystem.
Also, all database activity can now be automatically documented (audit history) for future compliance audits or routine security surveillance activities.
With the right automation tools, DBA can now define who is accessing the database and monitor all actions at all times.
Database deployment automation is another key DBA asset when it comes to accomplishing compliant database DevOps. With a proper version control solution, DBAs can now deploy to testing and production literally by hitting a button. This saves a lot of time, prevents configuration drifts and allows quick rollbacks if needed.
The bottom line is that a comprehensive solution including database deployment automation with security and governance capabilities can help you take your database compliance to the next level. Create, enforce, and manage your updated organizational policy to meet all regulations with zero issues.