CCC Relational Database Management System Features
This documents the minimum set of features that should be present for an RDMS service to be considered for use in financial services ecosystems.
Release Details
Contributors
- Michael Lysaght (mlysaght2017), Citi
- abikhuil (abikhuil), LSEG
- Vlad Georgescu (vgeorgescu), Morgan Stanley
- Ian Walker-Smith (ianwalkersmithciticom), Citi
- Dave Ogle (dogle-scottlogic), Scott Logic
- Steve Hoffman (shoffman-percona), Percona
- Sonali Mendis (smendis-scottlogic), Scott Logic
- Eddie Knight (eddie-knight), Sonatype
- Damien Burks (damienjburks), Citi
Change Log
- This initial release contains a variety of commits designed to capture all of the features, threats, and controls for this service category.
Features
ID | Title | Description |
---|---|---|
CCC.F01 | Encryption in Transit Enabled by Default | Provides default encryption of data in transit through SSL or TLS. |
CCC.F02 | Encryption at Rest Enabled by Default | Provides default encryption of data before storage, with the option for clients to maintain control over the encryption keys. |
CCC.F03 | Access/Activity Logs | Provides users with the ability to track all requests made to or activities performed on resources for audit purposes. |
CCC.F04 | Transaction Rate Limits | Allows a throughput threshold to be set; the service sustains industry-standard throughput up to the specified rate limit. |
CCC.F05 | Signed URLs | Provides the ability to grant temporary or restricted access to a resource through a custom URL that contains authentication information. |
CCC.F06 | Identity Based Access Control | Provides the ability to determine access to resources based on attributes associated with a user identity. |
CCC.F07 | Event Notifications | Publishes events for creation, deletion, and modification of objects in a way that enables users to trigger actions in response. |
CCC.F08 | Multi-zone Deployment | Provides the ability for the service to be deployed in multiple availability zones or regions to increase availability and fault tolerance. |
CCC.F09 | Monitoring | Provides the ability to continuously observe, track, and analyze the performance, availability, and health of the service resources or applications. |
CCC.F10 | Logging | Provides the ability to transmit system events, application activities, and/or user interactions to a logging service. |
CCC.F11 | Backup | Provides the ability to create copies of associated data or configurations in the form of automated backups, snapshot-based backups, and/or incremental backups. |
CCC.F12 | Recovery | Provides the ability to restore data, a system, or an application to a functional state after an incident such as data loss, corruption or a disaster. |
CCC.F13 | Infrastructure as Code | Allows for managing and provisioning service resources through machine-readable configuration files, such as templates. |
CCC.F14 | API Access | Allows users to interact programmatically with the service and its resources using APIs, SDKs and CLI. |
CCC.F15 | Cost Management | Provides the ability to filter spending and to detect cost anomalies for the service. |
CCC.F16 | Budgeting | Provides the ability to trigger alerts when spending thresholds are approached or exceeded for the service. |
CCC.F17 | Alerting | Provides the ability to set an alarm based on performance metrics, logs, events or spending thresholds of the service. |
CCC.F18 | Versioning | Provides the ability to maintain multiple versions of the same resource. |
CCC.F19 | On-demand Scaling | Provides scaling of resources based on demand. |
CCC.F20 | Tagging | Provides the ability to tag a resource in order to manage it effectively and gain insights into it. |
CCC.F21 | Replication | Provides the ability to copy data or resource to multiple locations to ensure availability and durability. |
CCC.F22 | Location Lock-In | Provides the ability to control where the resources are created. |
CCC.F23 | Network Access Rules | Ability to control access to the resource by defining network access rules. |
CCC.RDMS.F01 | SQL Support | Correctly processes queries written in the SQL language. |
CCC.RDMS.F02 | DB Engine Option - MySQL | Ability to create a MySQL managed relational database. |
CCC.RDMS.F03 | DB Engine Option - PostgreSQL | Ability to create a PostgreSQL managed relational database. |
CCC.RDMS.F04 | DB Engine Option - MariaDB | Ability to create a MariaDB managed relational database. |
CCC.RDMS.F05 | DB Engine Option - SQL Server | Ability to create a Microsoft SQL Server managed relational database. |
CCC.RDMS.F06 | DB Managed Credentials | Ability to manage the database credentials using the cloud provider's secret management service. |
CCC.RDMS.F07 | DB Self Managed Credentials | Ability to manage the database credentials using client-managed usernames and passwords. |
CCC.RDMS.F08 | Support for IPv4 | Ability to connect to the database using IPv4 addresses. |
CCC.RDMS.F09 | Support for IPv6 | Ability to connect to the database using IPv6 addresses. |
CCC.RDMS.F10 | Public Access | Allows the database to be accessed from the public internet. |
CCC.RDMS.F11 | Disable Public Access | Prevents the database from being accessed from the public internet. |
CCC.RDMS.F12 | Managed Connection Pooling | Ability to configure a managed connection pool for the database. |
CCC.RDMS.F13 | Deletion Protection | Protect the database against accidental deletion. |
CCC.RDMS.F14 | Dedicated Database Instances | Option to deploy the database on a dedicated instance for isolation requirements. |
CCC.RDMS.F15 | Horizontal Scaling | Read replicas of the primary database can be created. |
CCC.RDMS.F16 | Failover | Standby database can be implemented for failover when the primary can't be reached. |
Threats
ID | Title | Description | MITRE ATT&CK |
---|---|---|---|
CCC.TH01 | Access Control is Misconfigured | Misconfigured access controls may grant excessive privileges or fail to restrict unauthorized access to sensitive resources. This could result in unintended data exposure or unauthorized actions being performed within the system. | |
CCC.TH02 | Data is Intercepted in Transit | Data transmitted between clients and the service may be susceptible to interception or modification in transit if encrypted communication is not properly implemented. This could result in unauthorized access to sensitive information or unintended data alterations. | |
CCC.TH03 | Deployment Region Network is Untrusted | If a service is deployed in an untrusted, unstable, or insecure location, its network may be susceptible to unauthorized access or data interception due to privileged network exposure or physical vulnerabilities. This could result in unintended data disclosure or compromised system integrity. | |
CCC.TH04 | Data is Replicated to Untrusted or External Locations | Data may be replicated to untrusted or external locations if replication configurations are not properly restricted. This could result in unintended data leakage or exposure outside the organization's trusted perimeter. | |
CCC.TH05 | Data is Corrupted During Replication | Data may become corrupted, delayed, or deleted during replication processes across regions or availability zones due to misconfigurations or unintended disruptions. This could lead to compromised data integrity and availability, potentially affecting recovery processes and system reliability. | |
CCC.TH06 | Data is Lost or Corrupted | Data loss or corruption may occur due to accidental deletion, or misconfiguration. This can result in the loss of critical data, service disruption, or unintended exposure of sensitive information. | |
CCC.TH07 | Logs are Tampered With or Deleted | Logs may be tampered with or deleted due to inadequate access controls, or misconfigurations. This can make it difficult to identify security incidents, disrupt forensic investigations, and affect the accuracy of audit trails. | |
CCC.TH08 | Cost Management Data is Manipulated | Cost management data may be changed due to misconfigurations, or unauthorized access. This might result in inaccurate resource usage reporting, budget exhaustion, financial losses, and hinder incident detection. | |
CCC.TH09 | Logs or Monitoring Data are Read by Unauthorized Users | Unauthorized access to logs or monitoring data may expose valuable information about the system's configuration, operations, and security mechanisms. This could allow for the identification of vulnerabilities, enable the planning of attacks, or hinder the detection of ongoing incidents. | |
CCC.TH10 | Alerts are Intercepted | Event notifications may be intercepted due to misconfigurations, inadequate security measures, or unauthorized access. This could expose information about sensitive operations or access patterns, potentially impacting system security and integrity. | |
CCC.TH11 | Event Notifications are Incorrectly Triggered | Event notifications may be triggered incorrectly due to misconfigurations, or unauthorized access. This could result in sensitive operations being triggered unintentionally, obfuscate other issues, or overwhelm the system, potentially disrupting legitimate operations. | |
CCC.TH12 | Resource Constraints are Exhausted | Resource constraints, such as memory, CPU, or storage, may be exhausted due to misconfigurations, or excessive resource consumption. This could disrupt service availability, deny access to users, or impact other systems within the same scope. Exhaustion may occur through repeated requests, resource-intensive operations, or lowering rate/budget limits. | |
CCC.TH13 | Resource Tags are Manipulated | Resource tags may be altered, leading to changes in organizational policies, billing disruptions, or unintended exposure of sensitive data. This could result in mismanaged resources, financial misuse, or security vulnerabilities. | |
CCC.TH14 | Older Resource Versions are Exploited | Older versions of resources may contain vulnerabilities due to deprecated or insecure configurations. Without proper version control and monitoring, outdated versions could allow security measures to be bypassed, potentially leading to security risks or operational disruptions. | |
CCC.TH15 | Automated Enumeration and Reconnaissance by Non-human Entities | Automated processes or bots may be used to perform reconnaissance by enumerating resources such as APIs, file systems, or directories. These activities can reveal potential vulnerabilities, misconfigurations, or unsecured resources, which might result in unauthorized access or data exposure. | |
CCC.TH16 | Logging and Monitoring are Disabled | Logging and monitoring may be disabled, potentially hindering the detection of security events and reducing visibility into system activities. This condition can impact the organization's ability to investigate incidents and maintain operational integrity. | |
CCC.TH17 | Unauthorized Network Access via Misconfigured Rules | Improperly configured or overly permissive network access rules such as security groups can allow unauthorized inbound connections to the service. This could result in unauthorized access to sensitive resources or data and disruption to service availability. | |
CCC.RDMS.TH01 | Unauthorized Access via Default Credentials | If default credentials are not disabled or changed, unauthorized access may be gained to the RDMS environment. This may lead to data breaches, data manipulation, or overall compromise of the database instance. | |
CCC.RDMS.TH02 | Brute Force Attempts on Database Authentication | Repeated attempts to guess database user passwords may be made through brute force techniques. This condition could result in unauthorized access if successful, compromising database security and sensitive information. | |
CCC.RDMS.TH03 | Database Backups Stopped | Database backups may be halted, potentially impairing the organization's ability to recover data and maintain business continuity. This condition increases the risk of data loss and extended system downtime. | |
CCC.RDMS.TH04 | Unintentional Database Backup Restoration | A database backup may be restored unintentionally, potentially leading to the loss or overwrite of current data. This condition could disrupt operations and result in data inconsistency or corruption. | |
CCC.RDMS.TH05 | Unauthorized Snapshot Sharing | Snapshots may be shared with untrusted accounts, which can lead to unauthorized access and potential data exfiltration. This significantly increases the risk of data exposure if sensitive information is contained in the snapshots. | |
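CCC.RDMS.TH02 above describes repeated password guessing against database authentication, and CCC.RDMS.C02 below asks for lockout or rate-limiting after a number of failures. Where the engine itself does not enforce a lockout, the same threat can be caught from the server log. The following is an added example, not part of the CCC catalogue or any provider's tooling: it parses PostgreSQL-style authentication failures and raises an alert when one source exceeds a threshold of failures for one user inside a sliding window. It assumes the server writes its log with `log_line_prefix = '%t [%p] %u@%d %h '` so that the client host appears before the message; the sample log lines, the five-failures-per-minute threshold and the addresses are constructed.

```python
"""Detect brute-force attempts against database authentication (CCC.RDMS.TH02).

Added example, not part of the CCC catalogue. Assumes PostgreSQL server log
lines written with log_line_prefix = '%t [%p] %u@%d %h ' (timestamp, pid,
user@database, client host) followed by the server's own message text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the assumed prefix followed by the standard failed-password message.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC \[\d+\] "
    r"(?P<user>[^@ ]+)@(?P<db>\S+) (?P<host>\S+) "
    r"FATAL:\s+password authentication failed for user \"(?P<target>[^\"]+)\""
)

# Constructed sample: six failures for "app" from one host within 15 seconds,
# two widely spaced failures for "report" from an internal host, one success.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4101] app@appdb 203.0.113.7 FATAL:  password authentication failed for user "app"
2024-05-01 10:00:04 UTC [4102] app@appdb 203.0.113.7 FATAL:  password authentication failed for user "app"
2024-05-01 10:00:05 UTC [4103] report@appdb 10.0.0.5 FATAL:  password authentication failed for user "report"
2024-05-01 10:00:07 UTC [4104] app@appdb 203.0.113.7 FATAL:  password authentication failed for user "app"
2024-05-01 10:00:09 UTC [4105] app@appdb 203.0.113.7 FATAL:  password authentication failed for user "app"
2024-05-01 10:00:10 UTC [4106] report@appdb 10.0.0.5 LOG:  connection authorized: user=report database=appdb
2024-05-01 10:00:12 UTC [4107] app@appdb 203.0.113.7 FATAL:  password authentication failed for user "app"
2024-05-01 10:00:15 UTC [4108] app@appdb 203.0.113.7 FATAL:  password authentication failed for user "app"
2024-05-01 10:05:00 UTC [4109] report@appdb 10.0.0.5 FATAL:  password authentication failed for user "report"
""".splitlines()


def parse_failures(lines):
    """Yield (timestamp, source_host, target_user) for each failed-login line."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue  # successful connections and unrelated messages are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield ts, m["host"], m["target"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {(host, user): time_of_first_alert} for every (host, user) pair that
    accumulates `threshold` or more failures inside any sliding `window`.
    Lines are expected in chronological order, as a server log is."""
    recent = defaultdict(deque)  # (host, user) -> timestamps still inside the window
    alerts = {}
    for ts, host, user in parse_failures(lines):
        key = (host, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts  # alert once per pair, at the failure that crossed the line
    return alerts


if __name__ == "__main__":
    for (host, user), when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} brute-force suspected: {host} -> user {user}")
```

The per-pair deque keeps memory bounded to the failures inside the window, so the detector can run over a live log stream; the alert fires on the failure that crosses the threshold, which is the event a lockout or rate-limit (CCC.RDMS.C02) would also key on.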
Controls
ID | Title | Objective | Control Family |
---|---|---|---|
CCC.C01 | Prevent Unencrypted Requests | Ensure that all communications are encrypted in transit to protect data integrity and confidentiality. | Data |
CCC.C02 | Ensure Data Encryption at Rest for All Stored Data | Ensure that all data stored is encrypted at rest to maintain confidentiality and integrity. | Encryption |
CCC.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. This may include something you know, something you have, or something you are. In the case of programmatically accessible services, such as API endpoints, this includes a combination of API keys or tokens and network restrictions. | Identity and Access Management |
CCC.C04 | Log All Access and Changes | Ensure that all access and changes are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring |
CCC.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls prevent unauthorized access, mitigate risks of data exfiltration, and block misuse of services by adversaries. This includes restricting access based on trust criteria such as IP allowlists, domain restrictions, and tenant isolation. | Identity and Access Management |
CCC.C06 | Prevent Deployment in Restricted Regions | Ensure that resources are not provisioned or deployed in geographic regions or cloud availability zones that have been designated as restricted or prohibited, to comply with regulatory requirements and reduce exposure to geopolitical risks. | Data |
CCC.C07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Logging & Monitoring |
CCC.C08 | Enable Multi-zone or Multi-region Data Replication | Ensure that data is replicated across multiple zones or regions to protect against data loss due to hardware failures, natural disasters, or other catastrophic events. | Data |
CCC.C09 | Prevent Tampering, Deletion, or Unauthorized Access to Access Logs | Access logs should always be considered sensitive. Ensure that access logs are protected against unauthorized access, tampering, or deletion. | Data |
CCC.C10 | Prevent Data Replication to Destinations Outside of Defined Trust Perimeter | Prevent replication of data to untrusted destinations outside of defined trust perimeter. An untrusted destination is defined as a resource that exists outside of a specified trusted identity or network or data perimeter. | Data |
CCC.C11 | Enforce Key Management Policies | Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). | Encryption |
CCC.C12 | Ensure Secure Network Access Rules | Ensure network access to the service is restricted to explicitly authorized IP addresses, ports, and protocols by properly configuring security group and/or firewall rules. Configuration must follow the principle of least privilege to minimize the attack surface and prevent unauthorized inbound connections. Overly permissive rules, such as 0.0.0.0/0, must be disallowed or strictly controlled. | |
CCC.RDMS.C01 | Password Management | Ensure default vendor-supplied DB administrator credentials are replaced with strong, unique passwords and that these credentials are properly managed using a secure password or secrets management solution. | Identity and Access Management |
CCC.RDMS.C02 | Account Lockout and Rate-Limiting | Ensure the database enforces lockouts or rate-limiting after a specified number of failed authentication attempts. This prevents brute force or password-guessing attacks from succeeding. | Identity and Access Management |
CCC.RDMS.C03 | Enforce and Monitor Automated Backups | Ensure database backups are automatically scheduled, actively monitored, and promptly reported if any disruptions occur. This helps maintain data integrity, facilitates disaster recovery, and supports business continuity when a system failure or breach occurs. | Data |
CCC.RDMS.C04 | Access Control for Backup and Restore Operations | Restrict who can initiate, manage, and validate database backup or restore operations through strict role-based or least-privilege access. This prevents accidental or malicious restorations, protecting data integrity and availability. | Identity and Access Management |
CCC.RDMS.C05 | Restrict Snapshot Sharing to Authorized Accounts | Ensure database snapshots can only be shared with explicitly authorized accounts, thereby minimizing the risk of data exposure or exfiltration. | Identity and Access Management |
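Several of the controls and features above map directly onto settings of a managed database instance: public reachability (CCC.RDMS.F11), encryption at rest with a customer-managed key (CCC.C02, CCC.C11), refusing plaintext connections (CCC.C01), deletion protection (CCC.RDMS.F13), automated backups (CCC.RDMS.C03), a standby for failover (CCC.RDMS.F16) and least-privilege ingress rules (CCC.C12). The following is an added example, not part of the CCC catalogue or any provider's tooling, showing how those checks can be automated over an instance description. The dictionary shape is a constructed simplification (loosely modelled on what a cloud provider's describe-instance API returns); the field names, the `TRUSTED_CIDRS` allowlist and the seven-day backup minimum are assumptions. The engine parameters named for TLS enforcement (`rds.force_ssl` for PostgreSQL on Amazon RDS, `require_secure_transport` for MySQL and MariaDB) are real parameters, but the way they appear in the description is assumed.

```python
"""Evaluate a managed relational database's configuration against the CCC controls.

Added example, not part of the CCC catalogue or any provider's tooling. The
instance description is a constructed, simplified dictionary; field names,
TRUSTED_CIDRS and MIN_BACKUP_RETENTION_DAYS are assumptions for illustration.
"""
import ipaddress

# Assumption: only these source ranges may reach the database port (CCC.C12).
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.100.0/24")]
MIN_BACKUP_RETENTION_DAYS = 7  # assumed organisational minimum (CCC.RDMS.C03)

# Engine parameter that makes the server refuse plaintext connections (CCC.C01).
TLS_ENFORCING_PARAMETER = {
    "postgres": ("rds.force_ssl", "1"),
    "mysql": ("require_secure_transport", "ON"),
    "mariadb": ("require_secure_transport", "ON"),
}


def evaluate(instance):
    """Return a list of (control_or_feature_id, finding); an empty list means compliant."""
    findings = []
    if instance.get("publicly_accessible"):
        findings.append(("CCC.RDMS.F11", "instance is reachable from the public internet"))
    if not instance.get("storage_encrypted"):
        findings.append(("CCC.C02", "storage is not encrypted at rest"))
    elif not instance.get("customer_managed_key"):
        findings.append(("CCC.C11", "encryption key is provider-managed, not a CMEK"))
    param, required = TLS_ENFORCING_PARAMETER[instance["engine"]]
    if instance.get("parameters", {}).get(param) != required:
        findings.append(("CCC.C01", f"{param} is not {required}; plaintext connections are accepted"))
    if not instance.get("deletion_protection"):
        findings.append(("CCC.RDMS.F13", "deletion protection is disabled"))
    if instance.get("backup_retention_days", 0) < MIN_BACKUP_RETENTION_DAYS:
        findings.append(("CCC.RDMS.C03", f"backup retention is below {MIN_BACKUP_RETENTION_DAYS} days"))
    if not instance.get("multi_az"):
        findings.append(("CCC.RDMS.F16", "no standby instance configured for failover"))
    for rule in instance.get("ingress_rules", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        # A rule is acceptable only if it is wholly contained in a trusted range;
        # 0.0.0.0/0 never is, and neither is any stray public /32.
        if not any(net.subnet_of(t) for t in TRUSTED_CIDRS if t.version == net.version):
            findings.append(("CCC.C12", f"ingress from {rule['cidr']} is outside the trusted ranges"))
        if rule["port"] != instance["port"]:
            findings.append(("CCC.C12", f"ingress rule opens port {rule['port']}, not the engine port {instance['port']}"))
    return findings


# Constructed: the weak configuration beside its corrected form.
WEAK_INSTANCE = {
    "engine": "postgres", "port": 5432,
    "publicly_accessible": True,
    "storage_encrypted": True, "customer_managed_key": False,
    "parameters": {"rds.force_ssl": "0"},
    "deletion_protection": False,
    "backup_retention_days": 1,
    "multi_az": False,
    "ingress_rules": [{"cidr": "0.0.0.0/0", "port": 5432}],
}
HARDENED_INSTANCE = {
    "engine": "postgres", "port": 5432,
    "publicly_accessible": False,
    "storage_encrypted": True, "customer_managed_key": True,
    "parameters": {"rds.force_ssl": "1"},
    "deletion_protection": True,
    "backup_retention_days": 14,
    "multi_az": True,
    "ingress_rules": [{"cidr": "10.20.0.0/16", "port": 5432}],
}

if __name__ == "__main__":
    for name, inst in (("weak", WEAK_INSTANCE), ("hardened", HARDENED_INSTANCE)):
        print(f"{name}: {len(evaluate(inst))} finding(s)")
        for control, msg in evaluate(inst):
            print(f"  {control}: {msg}")
```

Checking containment with `subnet_of` rather than testing only for the literal `0.0.0.0/0` is deliberate: a rule for `0.0.0.0/1` or an unexpected public `/32` is just as much a CCC.C12 violation, and the allowlist expresses the trust perimeter that CCC.C05 and CCC.C10 also refer to.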