sunhux

Embedded PostgreSQL to be exempted from CIS hardening & how to onboard it to SOC


Our GIS (Geospatial Info System) vendor replied to me that:

"Their ArcGIS Data Store is a PostgreSQL database that runs 'under the hood' of ArcGIS Enterprise. It's managed by the software and does not have a UI to interact with it directly. The ArcGIS Data Stores are behind-the-scenes databases that allow for full functionality of ArcGIS Enterprise and are not used as databases for authoritative GIS data. Hence, in all our project implementations for all clients, we cannot perform hardening on PostgreSQL.

Hence our commitment to Esri Software Security and Privacy, released under Trust.ArcGIS.com."


However, if I still want to onboard the 'embedded' PostgreSQL to our SOC (QRadar SIEM), I find quite a number of CIS hardenings (esp. on logging, log retention/rotation and the types of events to be logged) still highly relevant. Is the vendor's argument above valid, or should I still select some of the pertinent CIS hardenings to be applied & ask them to test out the other CIS settings to see if they affect their ArcGIS functioning?


Btw, the CIS hardening benchmark for PostgreSQL is based on Linux OS, but this vendor is running PostgreSQL on Windows: I guess I should just skip all Linux-related hardenings, or is there a specific PostgreSQL hardening doc for Windows (& in particular for ArcGIS)?
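The logging-related CIS items the question singles out (collector, destination, connection/disconnection events, line prefix, rotation) can be checked from the postgresql.conf file alone, regardless of whether the database has a UI or runs on Windows. The script below is an added example and is not code from the poster, Esri, ArcGIS Data Store or CIS. It parses a postgresql.conf fragment and compares the logging parameters (real PostgreSQL setting names) against expected values that are assumed here as CIS-style recommendations; the exact values should be taken from the benchmark edition you are assessed against. Both configuration fragments are constructed samples.

```python
"""Check the logging settings in a postgresql.conf against CIS-style expectations (added example)."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    parameter: str
    actual: str
    expected: str
    passed: bool


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, but leave a '#' inside a single-quoted value alone."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_conf(text: str) -> Dict[str, str]:
    """Parse `name = value` / `name value` lines into a dict; later lines override earlier ones."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z_][\w.]*)\s*(?:=\s*|\s+)(.+)$", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if len(value) >= 2 and value.startswith("'") and value.endswith("'"):
            value = value[1:-1].replace("''", "'")  # unquote, un-double embedded quotes
        settings[name] = value
    return settings


def _is_on(v: str) -> bool:
    return v.lower() in ("on", "true", "yes", "1")


def _minutes(v: str) -> Optional[float]:
    """log_rotation_age is an integer (minutes by default) with an optional unit suffix."""
    m = re.fullmatch(r"(\d+)\s*(ms|s|min|h|d)?", v.strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2) or "min"
    return n * {"ms": 1 / 60000, "s": 1 / 60, "min": 1, "h": 60, "d": 1440}[unit]


def _rotation_ok(v: str) -> bool:
    mins = _minutes(v)
    return mins is not None and 0 < mins <= 1440


# Severities at least as verbose as 'warning' (PostgreSQL ordering, most verbose first).
_VERBOSE_ENOUGH = {"debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice", "warning"}

# Expected values are ASSUMED CIS-style targets for illustration, not quoted from the benchmark.
CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ("logging_collector", _is_on, "on"),
    ("log_destination",
     lambda v: any(d.strip().lower() in ("csvlog", "syslog", "eventlog") for d in v.split(",")),
     "csvlog, syslog or (Windows) eventlog, so a SIEM collector has a structured sink to read"),
    ("log_connections", _is_on, "on"),
    ("log_disconnections", _is_on, "on"),
    ("log_line_prefix", lambda v: ("%m" in v or "%t" in v) and "%u" in v and "%d" in v,
     "timestamp (%m/%t), user (%u) and database (%d) present"),
    ("log_min_messages", lambda v: v.lower() in _VERBOSE_ENOUGH, "warning or more verbose"),
    ("log_rotation_age", _rotation_ok, "between 1 minute and 1 day"),
    ("log_truncate_on_rotation", _is_on, "on"),
]

# Server defaults (PostgreSQL 10+) applied when a parameter is absent from the file.
DEFAULTS = {
    "logging_collector": "off", "log_destination": "stderr", "log_connections": "off",
    "log_disconnections": "off", "log_line_prefix": "%m [%p] ", "log_min_messages": "warning",
    "log_rotation_age": "1d", "log_truncate_on_rotation": "off",
}


def audit_logging(settings: Dict[str, str]) -> List[Finding]:
    """Evaluate every check, falling back to the server default for missing parameters."""
    return [Finding(p, settings.get(p, DEFAULTS[p]), exp, bool(ok(settings.get(p, DEFAULTS[p]))))
            for p, ok, exp in CHECKS]


def failed_parameters(findings: List[Finding]) -> List[str]:
    return [f.parameter for f in findings if not f.passed]


# Constructed sample: roughly what an untouched install looks like.
BASELINE_CONF = """
logging_collector = off
log_destination = 'stderr'
log_connections = off
log_disconnections = off
log_line_prefix = '%t '
log_rotation_age = 1d
log_truncate_on_rotation = on
log_min_messages = warning
"""

# Constructed sample: the same fragment after the logging changes. On Windows, 'eventlog' is a
# valid log_destination alongside 'csvlog'; which one fits depends on what the SIEM collector reads.
HARDENED_CONF = """
logging_collector = on
log_destination = 'csvlog'              # or 'eventlog' on Windows
log_connections = on
log_disconnections = on
log_line_prefix = '%m [%p] %u@%d %h '   # time, pid, user@db, client host
log_rotation_age = 1d
log_truncate_on_rotation = on
log_min_messages = warning
"""

if __name__ == "__main__":
    for label, conf in (("baseline", BASELINE_CONF), ("hardened", HARDENED_CONF)):
        for f in audit_logging(parse_conf(conf)):
            status = "PASS" if f.passed else "FAIL"
            print(f"{label:8} {status} {f.parameter}={f.actual!r} (expected: {f.expected})")
```

Running it on the baseline fragment reports the collector, destination, connection/disconnection logging and line prefix as failing, while the hardened fragment passes every check; the same parse-and-compare step can be run against the vendor's actual file on the Windows host before deciding which items to ask them to test for ArcGIS side effects.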

SOLUTION
btan

sunhux

ASKER

So I should still onboard that 'embedded PostgreSQL' into our SOC? A past SOC 2 report produced by a SaaS vendor revealed quite a few settings still missing out on CIS compliance.

e.g. SWIFT's embedded DB could have been monitored by a DB Activity Monitoring tool with certain logging enabled.
SOLUTION

ASKER


Esri_SDLC.pdf

When requested, the attached above was the assurance report given: it doesn't say much about what's been configured. Guess I will have to request a report that indicates specifically what security configs are being done.
ASKER CERTIFIED SOLUTION