Based on what I hear from customers, especially those in the Financial Services industry, it’s clear that database compliance is a significant issue that any Database as a Service (DBaaS) must address if it is to work for production environments. Organizations require maximum visibility and compliance reporting, and the ability to automate compliance at scale.
Here is how I am thinking about these challenges, and how we’re solving them.
As you know, compliance is a pretty broad topic, so let’s first establish something foundational about compliance in the context of DBaaS implementation for production: it must provide visibility to and management of your database estate. As the metaphor implies, the database estate is the boundary of assets provisioned by, or possibly discovered by, DBaaS (Figure 1).
Fig. 1 Database estates
As with the estates of yesteryear, you can achieve higher profits through keen oversight and a focus on continuous improvement of operations. DBaaS must maintain a dynamic repository of the active databases and expose this object model via its API.
Once you have this model of the database estate, you can begin to do many interesting things with it, including assuring that the production database estate stays in compliance with PCI, SOX, CIS, HIPPA, or even your own internal standards.
But if the alphabet soup of compliance checks is going to be automated at scale, we also need to be able to segregate the estate by database types. For example, you can use the underlying estate model to simply switch the RDBMS-specific CIS compliance checking workflow that will physically execute against the target database. (I cringe when I think about trying to accomplish this task without the push-button approach offered by HP’s DBaaS solution, but let me hear your horror stories anyways—post a comment below and share with us how you try to do it.)
Database compliance solutions must offer a reporting capability. This can take on the form of reporting to auditors in a formal regulatory compliance process to online CIO dashboards. HP’s DBaaS can support this wide variety of reporting needs through its standard RESTful web services API approach.
DBaaS should also offer reporting tool and data warehouse integrations through exposure of views. Additionally, we see a strong need for DBaaS to provide holistic representations of database compliance across the estate.
Providing a compliance lens on databases
As with most things in life, we must first understand the problem before we can fix it. A DBaaS implementation for production should provide a compliance lens to the entire database estate. This lens can then be used to begin remediation tasks in one of three ways:
Directly by the database estate operator
Integrated with organizational change control process
In the case of more agile environments, handed over to the resource subscriber to manage
I’d love to hear how your organization reacts to compliance data today and how you imagine yourself wanting to automate it. Post a comment below!