VictoriaMetrics' Approach to Database Security
Systems & Processes to Prevent Information Security Risks
This is an overview of how we deal with security as a company and in our products as well as some recommendations on how others can keep their information systems secure.
Security at VictoriaMetrics Inc.
As a company that provides an open source time series database and monitoring solution both on-premises and in the cloud, we strive to ensure that our security practices are of the highest possible standard.
We apply the following security measures:
VictoriaMetrics Security Program
Defines how we keep our company’s and customers’ data secure, and how we assess and address risks.
Defines security protocols for all VictoriaMetrics operations, services, and systems.
Information Security Team
Its main responsibility is to set up security processes, ensure their effectiveness, and handle security risks and incidents.
Reach us at: security@victoriametrics.com
Security & Privacy Training
We conduct Security & Privacy training for every new team member upon onboarding, and do annual reviews.
The Information Security Team is responsible for implementing the Security and Privacy Training.
VictoriaMetrics Security Certifications
As a company, we have achieved the following security certifications covering:
Database software development
Software-based monitoring services
EAA:
SIC - System of International Certification: Certificate for Information Security Management System
AMERICAS:
IAS - Certificate of Registration Information Security Management System
Mandatory Security Policies
We have a number of mandatory security policies.
Everyone on our staff must be familiar with and follow recommendations made by NIST and OWASP.
In addition, everyone must follow the policies defined in the VictoriaMetrics Information Security Program.
Finally, we follow a set of defined policies and procedures that deal with the following security-related topics:
- Know-the-limits Policy
- Device Security
- Development Practices
- Risks Assessment & Incident Response
- Third-Party Services
- Communication Channels
If you have any questions on these policies, please contact us.
Key Security Features in VictoriaMetrics
The features we have built into VictoriaMetrics help users build a reliable and secure monitoring system with all the requirements one could expect and more.
We also provide a lot of features for building secure systems with access control, secure connections, etc.
Authentication & security features include:
Authentication & Routing
TLS & HTTPS support
JWT, LDAP, SSO
Support integration with Identity Providers
Control metrics visibility for your Users/Customers
Verify User signatures during the reading/writing of metrics
User-Based metrics routing
mTLS support between cluster components
If you'd like to know more about the security features in VictoriaMetrics, please visit our VictoriaMetrics Enterprise page or contact us.
Security for Open Source Projects
Many organizations nowadays have open source applications in their technology stacks, and security threats are growing in open source as well. However, there are a number of things businesses can do to ensure that they stay secure.
- Project developers must continue to audit and enhance processes to keep up with constantly innovating cyber criminals.
- Invest in a core system with better security credentials, reducing the potential for supply chain attacks by slashing the number of dependencies used.
- Utilize only necessary third-party libraries, and depend only on well-known packages with credible security reviews.

- Every code change is peer-reviewed and approved.
- Verification of each change for a known and valid GPG signature.
- Dependency bloat control and automatic vendor scanning for vulnerabilities.
- Scanning of release artifacts for known vulnerabilities before every publication.
- Post-publication scanning of release artifacts for new vulnerabilities.
- Internal security audits.

Many open source projects don’t have dedicated security teams to review every single dependency, or the resources to commission security audits from a reputable security research company, so they are more susceptible to attack. If open source projects commit to continuously reviewing dependencies for security issues, both manually and using automated vulnerability scanners, security risks can be kept at bay.
- ISO 27001 is an international standard used for developing an Information Security Management System (ISMS) that enables organizations to continuously manage the security of their assets such as cloud resources, intellectual property, and personal or customer data.
- Achieving certification means formally adopting a means to maintain and improve a level of industry-wide security best practices for information systems. The certification process aligns with our own security culture and approach to risk management. With this certification we give our customers the confidence to trust us with their open source monitoring needs. It also confirms that we meet the necessary compliance standards so they can seamlessly adopt our products.