This is a series of articles about database change management (DCM):
- What is Database Change Management (DCM)?
- Top Database Change Management Tools (this one)
Databases are the backbone of most applications. As applications evolve, so do their databases. However, managing database changes can be complex, error-prone, and time-consuming. This is where database change management (DCM) tools come into play. These tools help developers and database administrators (DBAs) automate, track, and apply changes to databases efficiently, ensuring consistency, reliability, and compliance.
In this post, we will explore the mainstream database change management methods, starting with basic manual processes and progressing to advanced, integrated solutions.
Manual Coordination: Documents and Instant Messaging
| Common Tools | Examples |
|---|---|
| Documents | Google Docs, Microsoft Word, Notion, Confluence |
| Instant Messaging | Slack, Microsoft Teams |
At the most basic level, database changes are managed through manual coordination. This often involves using documents, spreadsheets, or instant messaging (IM) platforms as the primary channels for communication and tracking.
How it works:
- A developer or DBA proposes a change, often documented in a shared file or communicated via IM.
- Team members discuss the change informally, and once approved, the change is manually applied to the database.
- The change is then communicated to other team members to ensure everyone is aware of the update. Pros:
- Simple to set up with no additional tooling required.
- Familiar to all team members.
Cons:
- Prone to human error and miscommunication.
- Lacks enforcement and auditing capabilities
- No version control or audit trail.
- Scalability issues as the team or project grows.
Bastion/Jump Server: Adding a Security Layer
| Common Tools | Examples |
|---|---|
| Bastion/Jump Server | AWS Bastion Host, Azure Bastion |
To address security concerns in manual workflows, teams often introduce bastion hosts (jump servers). These act as gateways that control and log access to database servers.
Common tools:
- Bastion/Jump Server (e.g., AWS Bastion Host, Azure Bastion, etc.)
How It Improves Manual Processes:
- Restricts database access to authorized personnel
- Captures session logs for auditing
- Provides a controlled environment for executing database changes
Limitations:
- Still relies on human discipline for documentation
- No structured review and approval workflow
- Change tracking remains fragmented
ITSM & Change Advisory Board (CAB): Introducing Process and Governance
| Common Tools | Examples |
|---|---|
| ITSM | ServiceNow, Atlassian Jira, Freshworks |
| Change Advisory Boards (CABs) | CAB is usually be piggybacked on the ITSM system |
As organizations grow, the need for structure and governance becomes apparent. This is where IT Service Management (ITSM) and Change Advisory Boards (CABs) come into play.
How it works:
- Database changes are formalized through an ITSM system, where each change request is documented, reviewed, and approved.
- A Change Advisory Board (CAB) evaluates the impact, risk, and necessity of each change before approval.
- Once approved, the change is scheduled and implemented, often with oversight from the CAB.
Pros:
- Provides a structured process for managing changes.
- Reduces risk by involving multiple stakeholders in the decision-making process.
- Creates an audit trail for compliance purposes.
- Improves traceability with a centralized change log
Cons:
- Can be bureaucratic and slow, especially for urgent changes.
- Requires dedicated resources to manage the ITSM system and CAB.
- Still relies on manual processes for implementing changes.
Privileged Access Management (PAM): Enhancing Security and Compliance
| Common Tools | Examples |
|---|---|
| PAM | CyberArk, BeyondTrust, Aqua Security |
As databases often contain sensitive information, securing access to them is paramount. Privileged Access Management (PAM) solutions add an additional layer of security to the change management process.
How It Works:
-
PAM solutions control and monitor access to database credentials, ensuring that only authorized personnel can obtain the credentials.
-
Access to the credentials is granted on a need-to-know basis.
-
Access to the credentials is granted for a limited time.
-
All access to the credentials is logged and audited.
Pros:
- Enhances security by restricting access to sensitive databases.
- Provides detailed audit trails for compliance and accountability.
Cons:
- Requires additional investment in PAM solutions.
- Requires disconnected process to apply the database changes.
Let's review the database change workflow that are built on top of tools:
- Developer proposes a change and submit a change request to the ITSM system.
- The change request is reviewed by the Change Advisory Board (CAB).
- The change request is approved.
- Developer obtains the database credentials from the PAM solution.
- Developer configures the database credentials in the local SQL client and connects to the database via a bastion host.
- Developer applies the changes to the database.
The above workflow still have some drawbacks:
- Manual Execution Risk: Developers manually configure credentials and execute SQL changes in a local SQL client.
- Lack of Pre-Deployment Validation: The workflow does not enforce schema validation or dry-run checks before execution.
- No Approval Enforcement at Execution Time: CAB approval does not enforce that the approved change is actually what gets executed. Developers could apply unintended or unauthorized changes after approval.
- No Rollback or Change Tracking: There's no clear process for rollback if something goes wrong. DML and DDL changes are not versioned.
Integrated Database Change Management: Bytebase
Bytebase natively integrates change request approval (CAB), execution enforcement, and rollback capabilities, making it a unified solution for the database change management workflow.
Database change workflow via Bytebase:
-
Developer Proposes a Change
- Developer creates a change request in Bytebase.
- The request includes the SQL script, target environment, and deployment details.
- If integrated with an ITSM system (e.g., Jira, ServiceNow), the request links to an issue/ticket.
-
Review & Approval by Change Advisory Board (CAB)
- Bytebase enforces role-based approvals before execution.
- The CAB reviews SQL linting results.
- Once approved, Bytebase automatically schedules the change or requires manual execution approval.
-
Credential Management via PAM (Optional)
- Bytebase supports IAM authentication and secrets management integration to eliminate credential exposure.
-
Automated Change Execution
- The change is applied through Bytebase’s managed execution, eliminating manual SQL execution.
- Changes are tracked with execution logs, version control.
-
Rollback (If Necessary)
- If an issue arises, Bytebase provides 1-click rollback.
Comparison of Approaches
| Approach | Security | Governance | Automation | Developer Experience |
|---|---|---|---|---|
| Manual (Docs, IM) | ❗️ Low | ❗️ Low | ❗️ Low | 🔶 Moderate |
| Bastion/Jump Server | 🔶 Moderate | ❗️ Low | ❗️ Low | 🔶 Moderate |
| ITSM & CAB | 🔶 Moderate | ✅ High | 🔶 Moderate | 🔶 Moderate |
| PAM | ✅ High | 🔶 Moderate | 🔶 Moderate | 🔶 Moderate |
| Bytebase | ✅ High | ✅ High | ✅ High | ✅ High |
While basic methods may work in small-scale environments, for teams seeking both security and efficiency, Bytebase offers a comprehensive database change management solution that integrates governance, security, and automation into a single workflow.
