It’s now a much easier and faster process for database administrators at U.S. Government agencies to replace expensive legacy database management systems, and meet public policy mandates to adopt more open source software. The Department of Defense (DoD) has published a Security Technical Implementation Guide (STIG) for the open source-based EDB Postgres™ Advanced Server database from EnterpriseDB® (EDB™).
EDB is the first provider of an open source-based database to have a STIG published for its core product offering. EDB is now alongside just two other companies—Oracle and Microsoft—to have completed the stringent review process with the Defense Information Systems Agency (DISA), an arm of the DoD, and have a STIG published for a database product. DISA evaluates technologies on behalf of the DoD and sets standards for security and implementation.
With the EDB STIG in hand, DBAs no longer have to invest months in legwork researching and documenting for their security officers how EDB Postgres meets the DoD’s security requirements, and how to configure the deployment to ensure compliance. DBAs can instead rely on the expertise and prior approval of the DoD, and thus move towards implementation more quickly, cost-effectively, and with less risk. The STIG may be downloaded here.
Working with EDB, DISA evaluated EDB Postgres against the DoD’s stringent security requirements and developed the guide to define how EDB Postgres can be deployed and configured to meet security requirements for government systems. (Read the press release here.)
The STIG provides agency DBAs much needed help just as open source-based software has gained greater traction with government agencies. Open source is viewed as an opportunity to quickly reduce costs and shift away from expensive legacy vendors. In fact, Gartner stated in a recent report, migrating “workloads to the EDB Postgres Platform means companies can save 80% or more and divert budget from the high costs of maintaining their database management system and invest in new digital business initiatives.”[1]
Creating the STIG involved examining the many security enhancements EDB has integrated into open source PostgreSQL for its EDB Postgres Advanced Server database. The extensive validation process underscores how EDB Postgres handles encryption, enables fine-grained auditing, and prevents attacks by using such tools as EDB Postgres™ SQL/Protect, a SQL injection attack protection solution. There were over 100 security criteria rules in all.
STIGs are among a number of government-level security reviews that vendors can pursue. It is important to understand why EDB chose an EDB Postgres STIG over other options such as the Postgres Common Criteria Certification (CCC).
According to DISA, “STIGs and National Security Agency (NSA) Guides are the configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to ‘lock down’ information systems/software that might otherwise be vulnerable to a malicious computer attack.”
A CCC is an international certification that a product has been evaluated by licensed laboratories to determine whether it fulfills particular security properties, to a stated level of assurance. Common Criteria (CC) is a framework in which computer system users can specify their security functional and assurance requirements through the use of Protection Profiles. Vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.
While EDB has received a CCC for prior versions of EDB Postgres, the U.S. Government subsequently made it clear in 2014 that such certification was not something it wanted from database vendors. In fact, the National Information Assurance Partnership (NIAP), the government organization overseeing CCCs for the United States, released a position memo stating that they see "no value in a collaborative Protection Profile for DBMS security for Government use" and concluded that “the DBMS technology class is not currently amenable to the type of objective, and isolated, testing that CC can provide.” In order to achieve CCC for a database today, a vendor must be willing to ignore the stated position of NIAP and the judgment of U.S. government security experts and work with a government other than the United States, such as Turkey.
EDB has chosen to follow the guidance provided by the U.S. Government and does not plan to pursue CCC unless the U.S. Government (NIAP) changes its clearly stated position or other foreign customers request it. Therefore, with the first open source-based database STIG and an unwavering focus on security, government database administrators can more quickly and securely deploy powerful open source-based database management systems in full compliance with Department of Defense policies and standards.
EDB already works with more than 150 Civilian, Defense, and Intelligence customers, including branches of the U.S. military such as the Army, Navy, Marine Corps, and Air Force. Customers leveraging EDB Postgres have received accreditation and authority to operate (ATO) on many of the most secure networks in the DoD and IC. To learn more, email government@enterprisedb.com.
Marc Linster, Ph.D., is Senior Vice President, Products and Services, EnterpriseDB.
[1] Gartner Emerging Technology Trends Create Opportunities for DBMS Cost Optimization, Donald Feinberg and Adam Ronthal, published 21 April 2016.