| Author(s) | Collection number | Pages | Download abstract | Download full text |
|---|---|---|---|---|
| Hileta I. V., Кіселик Р. О., Карнаухов В. А., Коминар Т. Н. | № 1 (70) | 72-82 |
|
|
The article presents a methodological approach to the development and use of criteria for assessing the performance of CRM systems, based on a combination of strategic and operational indicators. The problem that the study is aimed at solving is the lack of a unified set of indicators and an integrated evaluation model that can take into account both quantitative and qualitative aspects of CRM functioning. Therefore, the work has formed a system of criteria for measuring performance, which provides an objective and adaptive assessment of the effectiveness of using CRM technologies in various business contexts. The methodological basis of the study is content analysis of literary sources, expert surveys and the use of multi-criteria evaluation methods. A procedure for weighting criteria is proposed, which allows synthesizing an integral performance indicator. This makes it possible to compare different CRM systems, as well as promptly identify weaknesses and reserves for further improvement. To reduce cyberattacks such as lateral movement risks in the event of compromise of one of the microservices, it is proposed to implement inter-service communication according to the mTLS principle, and configure database access policies according to the least privilege principle with role-based privilege restrictions, i.e. only those that are vital for performing only the functions provided by the role. All database requests should go through logging wrappers that send events to the central SIEM system, where they are analyzed for anomalies. This allows not only to track incidents, but also to form behavioral profiles, based on which dynamic reassignment of the access level is possible. The importance of insider threats to authorized users is indicated, which requires imposing additional session restrictions.
The scientific novelty of the work lies in the fact that it is proposed for the first time to combine ML-oriented analysis of SIEM telemetry with dynamic adjustment of RLS policies in real time, which implements the AdaptiveDatabaseSecurity concept. The practical value of the research lies in the construction of a replicable methodology for implementing multi-level protection, suitable for cloud and on-premise CRM installations, which is confirmed by laboratory experiments.
The results of experimental testing indicate the practical relevance and versatility of the developed approach. The application of the methodology allows you to optimize resources, increase the accuracy of management decision-making and stimulate the development of a customer-oriented strategy of enterprises. Further research can be aimed at automating the assessment process, integrating with intelligent systems and expanding the methodological base.
Keywords: CRM system, database protection, RBAC/ABAC, TransparentDataEncryption, row-level security, ZeroTrust, STRIDE, MITREATT&CK, SIEM, CVSS risk assessment.
doi: 10.32403/1998-6912-2025-1-70-60-71
- 1. European Union. General Data Protection Regulation (EU) 2016/679 (GDPR). Official Journal of the European Union, 2016.
- 2. PCI Security Standards Council. Payment Card Industry Data Security Standard v4.0. March 2022.
- 3. ISO/IEC 27001:2022. Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements.
- 4. National Institute of Standards and Technology (NIST). Special Publication 800-207: Zero Trust Architecture, 2020.
- 5. Microsoft Corporation. STRIDE Threat Modeling. 2023.
- 6. MITRE Corporation. MITRE ATT&CK® Framework. https://attack.mitre.org/, 2024.
- 7. PostgreSQL Global Development Group. PostgreSQL 15 Documentation: Row Level Security.
- 8. Oracle Corporation. Transparent Data Encryption Best Practices. Whitepaper, 2022.
- 9. Elastic NV. Elastic SIEM Documentation, 2024.
- 10. Red Hat, Inc. mTLS in Service Mesh: Security Patterns with Istio. Technical Brief, 2023.
- 11. IBM Corporation. IBM QRadar: Behavioral Analysis and Correlation Rules, Technical Manual, 2023.
- 12. Liu, Y., Zhang, X., & Li, J. Adaptive Access Control in Dynamic Environments Using RBAC/ABAC Hybrid Models, Journal of Computer Security, 2021.
- 13. Khan, S., & Alsaqour, R. Performance Impact of TDE and SIEM Integration in Cloud CRMs, Cloud Computing Journal, 2023.
- 14. Splunk Inc. Security Information and Event Management (SIEM) Use Cases and Deployment, 2022.
- 15. Cockroach Labs. CockroachDB: Architectural Overview and Use in Regulated Industries, Technical Whitepaper, 2023.
- 16. Gartner. CRM Market Size and Security Trends, Industry Report, Q3 2024.
- 17. Cisco Systems. Zero Trust Implementation for SaaS and CRM Platforms, Technical Guide, 2022.
- 18. Carnegie Mellon University. Behavioral Security Analytics with SIEM Telemetry, Research Summary, 2023.
- 19. Tencent Cloud. Encrypted Database Performance Evaluation Report, 2022.