VictoriaMetrics' Approach to Database Security

Systems & Processes to Prevent Information Security Risks
This is an overview of how we deal with security as a company and in our products as well as some recommendations on how others can keep their information systems secure.

Security at VictoriaMetrics Inc.

As a company that provides an open source time series database and monitoring solution both on-premises and in the cloud, we strive to ensure that our security practices are of the highest possible standard.

We apply the following security measures:

VictoriaMetrics Security Program

Defines how we keep our company’s and customers’ data secure, and how we assess and address risks.

Defines security protocols for all VictoriaMetrics operations, services, and systems.

Information Security Team

Its main responsibility is to set up security processes, ensure their effectiveness, and handle security risks and incidents.

Reach us at:
security@victoriametrics.com

Security & Privacy Training

We conduct Security & Privacy training for every new team member upon onboarding, and do annual reviews.

The Information Security Team is responsible for implementing the Security and Privacy Training.

VictoriaMetrics Security Certifications

It is important to note that as a company we have achieved the following security certifications regarding:
Database software development
Software-based monitoring services

EAA:

SIC - System of International Certification: Certificate for Information Security Management System

AMERICAS:

IAS - Certificate of Registration: Information Security Management System

These comply with the requirements of the international standard ISO / IEC 27001:2013 for Information Security Management Systems.

Mandatory Security Policies

We have a number of mandatory security policies:

Everyone on our staff must be familiar with and follow recommendations made by NIST and OWASP.

In addition, everyone must follow the policies defined in the VictoriaMetrics Information Security Program.

Finally, we follow a set of defined policies and procedures that deal with the following security-related topics:

  • Know-the-limits Policy
  • Device Security
  • Development Practices
  • Risks Assessment & Incident Response
  • Third-Party Services
  • Communication Channels

If you have any questions on these, please contact us.

Key Security Features in VictoriaMetrics

The features we have built into VictoriaMetrics help users build a reliable and secure monitoring system with all the requirements one could expect and more. We also provide a lot of features for building secure systems with access control, secure connections, etc.
Authentication & Security features include:
Authentication & Routing
TLS & HTTPS support
JWT, LDAP, SSO
Support integration with Identity Providers
Control metrics visibility for your Users/Customers
Verify User signatures during the reading/writing of metrics
User-Based metrics routing
mTLS support between cluster components

If you’d like to know more about the security features in VictoriaMetrics, please visit our VictoriaMetrics Enterprise page or

Security for Open Source Projects - Some Recommendations

Many organizations nowadays have open source applications in their technology stacks, and security threats are growing in open source as well.
However, there are a number of things businesses can do to ensure that they stay secure:
  • Project developers must continue to audit and enhance processes to keep up with constantly innovating cyber criminals.
  • Invest in a core system with better security credentials to reduce the potential for supply chain attacks by slashing the number of dependencies used.
  • Use only necessary third-party libraries, and depend only on well-known packages with credible security reviews.
What we do to make sure that our code is secure enough:
  • Every code change is peer-reviewed and approved
  • Every change is verified for a known and valid GPG signature
  • Dependency bloat control and automatic vendor scanning for vulnerabilities
  • Release artifacts scanning before every publication for known vulnerabilities
  • Post-publication scanning of release artifacts for new vulnerabilities
  • Internal security audits
Many open source projects don’t have dedicated security teams to review every single dependency, or the resources to commission security audits from a respectable security research company, so they are more susceptible to attack.
If open source projects commit to continuously reviewing dependencies for security issues, both manually and using automated vulnerability scanners, security risks can be kept at bay.

About ISO 27001

ISO 27001 is an international standard used for developing an Information Security Management System (ISMS) that enables organizations to continuously manage the security of their assets such as cloud resources, intellectual property, and personal or customer data.

Why is ISO 27001 certification important?

Achieving certification means formally adopting a means to maintain and improve a level of industry-wide security best practices for information systems. The certification process aligns with our own security culture and approach to risk management.
With this certification we give our customers the confidence to trust us with their open source monitoring needs. It also confirms that we meet the necessary compliance standards so they can seamlessly adopt our products.
If you’d like to know more about the security features in VictoriaMetrics, please visit our VictoriaMetrics Enterprise page, and if you have questions on our security policies in general, please