Security - What you do not know will hurt you: DB2 10 Security · 2019-12-08
© 2011 IBM Corporation · November 15th, 2012
Security - What you do not know will hurt you: DB2 10 Security
Stan Goodwin, DB2 z Security & Governance, [email protected]
Disclaimer and Trademarks

Information contained in this material has not been submitted to any formal IBM review and is distributed on an "as is" basis without any warranty either expressed or implied. Measurement data has been obtained in a laboratory environment. Information in this presentation about IBM's future plans reflects current thinking and is subject to change at IBM's business discretion. You should not rely on such information to make business plans. The use of this information is a customer responsibility.
IBM MAY HAVE PATENTS OR PENDING PATENT APPLICATIONS COVERING SUBJECT MATTER IN THIS DOCUMENT. THE FURNISHING OF THIS DOCUMENT DOES NOT IMPLY GIVING LICENSE TO THESE PATENTS.
TRADEMARKS: THE FOLLOWING TERMS ARE TRADEMARKS OR ® REGISTERED TRADEMARKS OF THE IBM CORPORATION IN THE UNITED STATES AND/OR OTHER COUNTRIES: AIX, AS/400, DATABASE 2, DB2, e-business logo, Enterprise Storage Server, ESCON, FICON, OS/390, OS/400, ES/9000, MVS/ESA, Netfinity, RISC, RISC SYSTEM/6000, iSeries, pSeries, xSeries, SYSTEM/390, IBM, Lotus, NOTES, WebSphere, z/Architecture, z/OS, System z, System p
THE FOLLOWING TERMS ARE TRADEMARKS OR REGISTERED TRADEMARKS OF THE MICROSOFT CORPORATION IN THE UNITED STATES AND/OR OTHER COUNTRIES: MICROSOFT, WINDOWS, WINDOWS NT, ODBC, WINDOWS 95
For additional information see ibm.com/legal/copytrade.phtml
Worldwide regulations focus attention on data security concerns

- Canada: Personal Information Protection & Electronics Document Act
- USA: Federal, Financial & Healthcare Industry Regulations & State Laws
- Mexico: E-Commerce Law
- Colombia: Political Constitution, Article 15
- Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
- Chile: Protection of Personal Data Act
- Argentina: Habeas Data Act
- South Africa: Promotion of Access to Information Act
- United Kingdom: Data Protection Act
- EU: Data Protection Directive
- Switzerland: Federal Law on Data Protection
- Germany: Federal Data Protection Act & State Laws
- Poland: Polish Constitution
- Israel: Protection of Privacy Law
- Pakistan: Banking Companies Ordinance
- Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
- China: Commercial Banking Law
- Korea: 3 Acts for Financial Data Privacy
- Hong Kong: Privacy Ordinance
- Taiwan: Computer-Processed Personal Data Protection Law
- Japan: Guidelines for the Protection of Computer Processed Personal Data
- India: SEC Board of India Act
- Vietnam: Banking Law
- Philippines: Secrecy of Bank Deposit Act
- Australia: Federal Privacy Amendment Bill
- Singapore: Monetary Authority of Singapore Act
- Indonesia: Bank Secrecy Regulation 8
- New Zealand: Privacy Act
Database servers are the primary source of breached data: focus limited resources on the most threatened data source

"It's really not surprising that servers seem to have a lock on first place when it comes to the types of assets impacted by data breaches. They store and process data, and that fact isn't lost on data thieves."

Categories of compromised assets by percent of breaches / percent of records (source: Verizon Business Data Breach Investigations Report 2011):

  Servers                 64% of breaches / 94% of records
  User devices            60% / 35%
  People                   7% / 34%
  Offline data             3% / <1%
  Network infrastructure  <1% / <1%
  Unknown                  1% /  1%
Organizations are slow to respond to database attacks

Breach timeline (figure; percent of breaches falling in each timespan, source: Verizon 2012 Data Breach Investigations Report):

  Phase                                    Seconds  Minutes  Hours  Days  Weeks  Months  Years
  Initial attack to initial compromise       10%      75%     12%    2%     0%     1%     0%
  Initial compromise to data exfiltration     8%      38%     14%   25%     8%     8%     0%
  Initial compromise to discovery             0%       0%      2%   13%    29%    54%+    2%
  Discovery to containment / restoration      0%       1%      9%   32%    38%    17%     4%

Compromise and exfiltration typically take minutes to days; discovery and containment take weeks to months.

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
What's the risk? Failure to comply leads to data breaches

- April 2012: hackers obtained credit card information on 1.5 million users; cost to contain the breach: tens of millions of dollars
- January 2012: SQL injection campaign infects 1 million web pages; the attacker takes full control of operating system, database and web application
- February 2009: unprotected test data misused by third-party consultants; vendor exposes PII of 45,000+ employees
- April 2012: Utah health data breach affects nearly 800,000; a joint effort between hackers and insiders
Today's Mainframe: the power of industry-leading security, the simplicity of centralised management

Satisfy your auditor: plan, protect and audit (the slide splits the following between Security Administrator tasks and Database Administrator tasks)

- Data access: minimize the use of superuser authorities such as SYSADM; a different group should manage access to restricted data than the owner of the data
- Data auditing: any dynamic access or use of a privileged authority needs to be included in your audit trail (SQL based auditing)
- Data privacy: all dynamic access to tables containing restricted data needs to be protected (row & column access controls)
- Maintain historical versions of data for years or during a business period (temporal data)
Auditors' concerns about security

- Overloading applications with security logic: the security logic can be bypassed by malicious users, hampers the ability to use ad-hoc query tools, and is difficult to maintain
- Different views for different groups of users: view updatability may not reflect security policies; views can be bypassed by malicious users; difficult to maintain
- Evolution of security policies: affects the security logic in applications; affects the organization and number of views
DB2 10

- Biggest changes in security since the lock was invented
- More control at the SQL level
- Increased ways to catch the bad guys
- Identify who the bad guys are; you may be surprised
- Increased separation of who can do what
Separation of Duties

- New ZParm SEPARATE_SECURITY, specified on install panel DSNTIPB:
  - YES: users with SYSADM cannot perform GRANTs on objects created by others
  - NO: users with SYSADM can administer security for all objects
  - Available in conversion mode (CM)
  - Users with INSTALL SYSADM can still perform GRANTs for other users
- SYSADM / INSTALL SYSADM data access remains unchanged:
  - The future direction is to use only SECADM for security and INSTALL SYSADM for install activities
  - Users with SYSADM or INSTALL SYSADM can still view all data within tables
  - Recommendation: limit the use of INSTALL SYSADM and SYSADM to only when needed
Separation of Duties (continued)

- New SECADM authority to manage the security of data: has no access to the data itself; is able to manage GRANTs on all objects
- New administrative authorities: DATAACCESS, to control who can see data; ACCESSCTRL, to control who can govern access to the data
- New DBADM ON SYSTEM authority: gives the individual or role the ability to manage all user tables in the subsystem, with or without DATAACCESS (the default is with DATAACCESS) and with or without ACCESSCTRL (the default is with ACCESSCTRL)
- Administrative authorities can be divided among individuals without overlapping responsibilities
- Allows the security administrator to grant the minimum privilege a user needs to perform a specific task
INSTALL SECADM

- A person or role that manages security for DB2 objects; this separates security management from data access and data control
- No inherent access to data
- Specified in SECADM1 and SECADM2 on install panel DSNTIPB, in conjunction with SECADM_TYPE, which can be AUTHID or ROLE
- Set INSTALL SECADM before setting SEPARATE_SECURITY to YES
- Activated by the SEPARATE_SECURITY ZParm: if YES, then SYSADM and SYSCTRL cannot perform GRANTs for others
INSTALL SECADM: what can SECADM do?

- GRANT role privileges
- CREATE, COMMENT ON, DROP ROLE
- CREATE, ALTER, COMMENT ON, DROP TRUSTED CONTEXT
- New DB2 10 audit privileges: SELECT, INSERT, UPDATE, DELETE on the new SYSIBM.SYSAUDITPOLICIES table
- New DB2 10 row and column access control: CREATE, ALTER, COMMENT ON, DROP row permissions and column masks; ALTER TABLE to activate row and column level access control; the CREATE_SECURE_OBJECT privilege
- SELECT, INSERT, UPDATE, DELETE on catalog tables
SQLADM

- Designed to be used by a performance analyst
- Allows the performance analyst to do all performance work except access data
- What can a person with SQLADM do?
  - Issue the SQL EXPLAIN statement
  - Issue START, STOP and DISPLAY PROFILE commands
  - Perform actions involving the EXPLAIN privilege, the STATS privilege on all user databases and the MONITOR2 privilege, and execute DB2-supplied stored procedures and routines
  - SELECT, INSERT, UPDATE, DELETE on DB2 catalog tables
  - Cannot access data, perform DDL, or EXECUTE plans or packages
New privileges: EXPLAIN

- Designed for the application architect
- What can a user do with the EXPLAIN privilege?
  - Issue SQL EXPLAIN ALL statements without being able to execute the statement
  - Issue SQL PREPARE and DESCRIBE TABLE statements without having privileges on the object
  - BIND with EXPLAIN(ONLY) and SQLERROR(CHECK); REBIND ... EXPLAIN(ONLY) was added with APAR PM25679
  - Explain dynamic SQL statements executing under the new special register CURRENT EXPLAIN MODE = EXPLAIN
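The following is an added example, not one of the slides' own statements, showing how the authorities from the Separation of Duties, SECADM, SQLADM and EXPLAIN slides above are handed out so that no single ID below SECADM can both read data and govern access to it. It assumes a DB2 10 for z/OS subsystem with SEPARATE_SECURITY = YES, that the statements are issued by the ID configured as INSTALL SECADM, that the roles DBA_ROLE, PERF_ROLE and ARCH_ROLE, the IDs DATACUST and ACCGOV, and the table APP.ORDERS are illustrative, that the clause order WITHOUT ACCESSCTRL ... WITHOUT DATAACCESS matches the DB2 10 SQL Reference syntax diagram (confirm against your level), and that the SYSUSERAUTH column names in the check query are the DB2 10 ones (adjust to your catalog).

```sql
-- Added example, not from the slides. Assumptions: SEPARATE_SECURITY = YES;
-- issued by the INSTALL SECADM ID; role, ID and table names are illustrative.

-- Security administration stays with SECADM; nobody below gets GRANT/REVOKE
-- unless explicitly given ACCESSCTRL.
CREATE ROLE DBA_ROLE;
CREATE ROLE PERF_ROLE;
CREATE ROLE ARCH_ROLE;

-- DBA: manage every user table in the subsystem, but neither read the data
-- nor hand out access to it. Both options default to WITH, so both must be
-- stated as WITHOUT (clause order assumed from the SQL Reference diagram).
GRANT DBADM WITHOUT ACCESSCTRL WITHOUT DATAACCESS ON SYSTEM TO ROLE DBA_ROLE;

-- Performance analyst: EXPLAIN, STATS, MONITOR2, profiles and catalog access,
-- but no data, no DDL and no EXECUTE of plans or packages.
GRANT SQLADM ON SYSTEM TO ROLE PERF_ROLE;

-- Application architect: EXPLAIN only; this is also what BIND EXPLAIN(ONLY)
-- needs when the binder holds no other BIND privileges.
GRANT EXPLAIN ON SYSTEM TO ROLE ARCH_ROLE;

-- Two separate custodians: one may read all data but cannot grant it onward
-- (DATAACCESS); one governs access but cannot read the data (ACCESSCTRL).
GRANT DATAACCESS ON SYSTEM TO DATACUST;
GRANT ACCESSCTRL ON SYSTEM TO ACCGOV;

-- Verify the split from the catalog. Column names are assumed to be the
-- DB2 10 SYSUSERAUTH columns; adjust to your catalog level.
SELECT GRANTEE, SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH,
       SQLADMAUTH, EXPLAINAUTH, SECADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE IN ('DBA_ROLE', 'PERF_ROLE', 'ARCH_ROLE', 'DATACUST', 'ACCGOV');

-- Under the EXPLAIN privilege a dynamic statement can be explained without
-- being executed: with this special register set, DB2 prepares and explains
-- the statement and populates the EXPLAIN tables, but does not run it.
SET CURRENT EXPLAIN MODE = EXPLAIN;
SELECT ORDER_ID, CUST_ID FROM APP.ORDERS WHERE STATUS = 'OPEN';
SET CURRENT EXPLAIN MODE = NO;
```

The check query is the practitioner's test: an ID or role that shows an authority in both DATAACCESSAUTH and ACCESSCTRLAUTH has the same reach the old SYSADM had and defeats the purpose of the split.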
New BIND options: EXPLAIN(ONLY) & SQLERROR(CHECK)

- EXPLAIN(ONLY): provides the ability to EXPLAIN statements without the ability to execute them; requires the EXPLAIN privilege or the necessary BIND privileges; populates the EXPLAIN tables without creating a package
- SQLERROR(CHECK): provides the ability to syntax- and semantic-check the SQL statements being bound without the ability to execute the statement(s)
Authorities diagram (figure; the slide shows the DB2 10 authority hierarchy and the privileges each authority carries; the labels recovered from the slide are listed below)

- Install SYSADM, SYSADM, SYSCTRL, SYSOPR, Install SYSOPR: SYSOPR carries DISPLAY, RECOVER, STOPALL, TRACE and routine management; SYSCTRL adds ARCHIVE, most STARTDB and some PACKADM privileges; SYSADM's GRANT/REVOKE is dependent on SEPARATE_SECURITY
- SECADM: ALTER, CREATE, DROP security objects; GRANT, REVOKE on security objects; SELECT and modify catalog tables
- ACCESSCTRL: SELECT and modify catalog**; GRANT, REVOKE
- DATAACCESS: SELECT/UPDATE catalog**; DEBUGSESSION; tables, views, MQTs; EXECUTE all plans, packages and routines; LOAD, RECOVERDB, REORG, REPAIR; USAGE on JARs, distinct types, sequences
- System DBADM (optionally with DATAACCESS and ACCESSCTRL), SQLADM, EXPLAIN: CREATETAB, CREATETS, DISPLAYDB, IMAGECOPY, STATS, START/STOPDB
- DBADM: for tables in the database, ALTER, REFERENCES, SELECT/UPDATE/INSERT/DELETE, INDEX, TRIGGER; DBCTRL: DROP, LOAD, RECOVER, REORG, REPAIR; DBMAINT
- PACKADM: CREATEIN; package BIND, COPY, EXECUTE
- EXECUTE; USAGE on distinct types, JARs, sequences

** Modify catalog without SYSAUDITPOLICIES
REVOKE DEPENDENT PRIVILEGES

- Provides additional control over the cascading effects of a REVOKE statement: INCLUDING DEPENDENT PRIVILEGES or NOT INCLUDING DEPENDENT PRIVILEGES
- When ACCESSCTRL, DATAACCESS, or DBADM ON SYSTEM is revoked, the default is always NOT INCLUDING DEPENDENT PRIVILEGES, and the NOT INCLUDING DEPENDENT PRIVILEGES clause must be explicitly specified
REVOKE DEPENDENT PRIVILEGES (continued)

- ZParm REVOKE_DEP_PRIVILEGES, on panel DSNTIPP1; values NO, YES, SQLSTMT:
  - NO: you cannot specify INCLUDING DEPENDENT PRIVILEGES; dependent privileges are never cascaded
  - YES: the pre-DB2 10 behavior; all revokes include dependent privileges, except when ACCESSCTRL, DATAACCESS or system DBADM (DBADM ON SYSTEM) is revoked
  - SQLSTMT: controlled at the SQL statement level, as specified in the REVOKE statement; this is the default
REVOKE DEPENDENT PRIVILEGES without cascading revokes: SYSIBM.SYSTABAUTH walk-through

Step 1. DNET775 owns CUSTOMER and has granted SELECT on it to FRANK with the GRANT option. SYSTABAUTH rows for TTNAME = CUSTOMER:

  GRANTOR   GRANTEE   SELECTAUTH
  DNET775   FRANK     G
  DNET775   DNET775   G

Step 2. FRANK grants SELECT on CUSTOMER to STAN:

  GRANTOR   GRANTEE   SELECTAUTH
  DNET775   FRANK     G
  FRANK     STAN      Y
  DNET775   DNET775   G

Step 3. FRANK's SELECT is revoked NOT INCLUDING DEPENDENT PRIVILEGES, so the grant FRANK made to STAN survives:

  GRANTOR   GRANTEE   SELECTAUTH
  FRANK     STAN      Y
  DNET775   DNET775   G

Step 4. A REVOKE ... BY FRANK then removes only the privilege that FRANK granted:

  GRANTOR   GRANTEE   SELECTAUTH
  DNET775   DNET775   G
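The statements below are an added example, not the slides' own, reproducing the SYSTABAUTH walk-through above end to end. They assume a DB2 10 for z/OS subsystem with REVOKE_DEP_PRIVILEGES = SQLSTMT, that DNET775, FRANK and STAN are existing authorization IDs, and that DNET775 owns the table DNET775.CUSTOMER.

```sql
-- Added example, not from the slides. Assumes REVOKE_DEP_PRIVILEGES = SQLSTMT,
-- existing IDs DNET775, FRANK and STAN, and table DNET775.CUSTOMER owned by DNET775.

-- Step 1 (as DNET775): delegate SELECT to FRANK and let him pass it on.
-- The GRANT OPTION is what shows up as SELECTAUTH = 'G' in the catalog.
GRANT SELECT ON TABLE DNET775.CUSTOMER TO FRANK WITH GRANT OPTION;

-- Step 2 (as FRANK): FRANK grants SELECT to STAN (recorded as SELECTAUTH = 'Y').
GRANT SELECT ON TABLE DNET775.CUSTOMER TO STAN;

-- The catalog view the slides show; run it after each step.
SELECT GRANTOR, GRANTEE, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'DNET775' AND TTNAME = 'CUSTOMER';

-- Step 3 (as DNET775): remove FRANK's access without cascading to STAN.
-- With REVOKE_DEP_PRIVILEGES = SQLSTMT and no clause, a table privilege
-- revoke defaults to INCLUDING DEPENDENT PRIVILEGES and STAN would lose
-- SELECT as well, so the clause must be spelled out.
REVOKE SELECT ON TABLE DNET775.CUSTOMER FROM FRANK
  NOT INCLUDING DEPENDENT PRIVILEGES;

-- Step 4 (requires SYSADM, SYSCTRL, ACCESSCTRL or SECADM, since the issuer is
-- not the grantor): revoke only what FRANK granted, leaving any SELECT that
-- STAN might hold from another grantor untouched.
REVOKE SELECT ON TABLE DNET775.CUSTOMER FROM STAN BY FRANK;
```

The practical point is the opposite failure mode: with REVOKE_DEP_PRIVILEGES = YES (the pre-DB2 10 behavior) the clause in step 3 is not accepted and revoking FRANK silently removes STAN's access too, so check the ZParm before relying on the statement-level clause.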
DB2 Audit Capability

- New audit capabilities without additional data collectors
- New audit policies are managed in the catalog; an audit policy provides wildcarding of table names
- Ability to audit (associated column names identified in upper case):
  - Privileged users (SYSADMIN, DBADMIN): the audit policy records each use of an administrative system authority; for DBADMIN, an optional DBNAME or COLLID (for PACKADM)
  - SQL activity against a table (EXECUTE): the audit policy does not require the AUDIT clause to be specified; it generates records for all read and update access, not just the first access in the transaction; supports UTS, classic partitioned and segmented table spaces
  - Trusted context use (VALIDATE): when established or used by another, different user (ASUSER connection)
DB2 Audit Capability (continued)

- Ability to audit (continued):
  - Authorization & authentication failures (CHECKING)
  - The alter or drop of a table (OBJMAINT, with the OBJ* identification columns)
  - Utility start, change, or end (CONTEXT)
  - Grants, revokes, or create/alter of a trusted context (SECMAINT)
- Various IFCIDs are created for the different audit types
- External collectors only report users with a system authority
- Audit policies can be started at DB2 start, controlled by the DB2START column: Y starts the policy at DB2 start; S starts it at DB2 start and it can only be changed by SECADM
DB2 Audit Capability (continued)

- To create an audit policy: insert a row into the new SYSAUDITPOLICIES table, specifying the category and related fields (see SQL Reference Appendix A)
- Issue the START TRACE command with the audit policy name to enable the policy
- Issue the STOP TRACE command with the audit policy name to disable the policy
- Up to 8 audit policies can be specified to auto-start when DB2 is started
DB2 Audit Capability: the SYSIBM.SYSAUDITPOLICIES table (the slide shows the table's column layout)
DB2 Audit Capability (continued)

- To create a new AUDITADMIN1 policy that audits the SYSADM authority (S) and the SYSOPR authority (O), specify SYSADMIN as the category
- You can also use the SQL LIKE predicate to audit tables with the same characteristics; for example, you can audit all tables that start with E_P in schema TSCHEMA with a single INSERT into SYSAUDITPOLICIES:
  - OBJECTTYPE 'T' means table
  - EXECUTE 'C' means audit all INSERT, UPDATE, DELETE statements
  - EXECUTE 'A' means audit all access to the table
Satisfy your auditor: new audit policies provide needed flexibility and functionality

- An auditor can define an audit policy to audit any access to specific tables for specific programs during the day
- An audit policy does not require the AUDIT clause to be specified using DDL
- An audit policy generates records for all read and update access, for statements with a unique statement identifier
- An audit policy provides wildcarding based on schema and table names
- An auditor can define an audit policy to identify any unusual use of a privileged authority: it records each use of a system authority; audit records are written only when the authority is used for access; external collectors only report users with a system authority
How to exploit audit policies

- The security administrator, using the new SECADM authority, maintains DB2 audit policies in a new catalog table, SYSIBM.SYSAUDITPOLICIES
- Audit policies are enabled using the -STA TRACE command and disabled using the -STO TRACE command
- Up to 8 audit policies can be specified to auto-start, or auto-start as secure, during DB2 start-up
- Only a user with SECADM authority can stop a secure audit policy trace (APAR PM28296)
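The following added example (not the slides' own statements) carries out the audit-policy procedure described in the "To create an audit policy" and "How to exploit audit policies" slides, defining the AUDITADMIN1 and E_P table policies from the slide above. It assumes the statements run under an ID holding SECADM on a DB2 10 for z/OS subsystem, that the policy names TABADT1 and TABADT2 are illustrative, and that the quoting and backslash escape of the OBJECTNAME LIKE pattern follow the SYSAUDITPOLICIES example in the DB2 10 SQL Reference (verify against your level). The trace commands at the end are DB2 commands, not SQL, and are shown as comments.

```sql
-- Added example, not from the slides. Assumes SECADM authority and DB2 10 for z/OS.

-- Policy 1: record every use of SYSADM (S) and SYSOPR (O) authority.
-- DB2START = 'S' makes the policy auto-start as a secure policy: only
-- SECADM can stop its trace (APAR PM28296), so an administrator being
-- audited cannot switch the audit off.
INSERT INTO SYSIBM.SYSAUDITPOLICIES
       (AUDITPOLICYNAME, SYSADMIN, DB2START)
VALUES ('AUDITADMIN1', 'SO', 'S');

-- Policy 2: audit all access (EXECUTE = 'A') to every table in schema
-- TSCHEMA whose name starts with E_P. OBJECTNAME is a LIKE pattern stored
-- with its own quotes; the backslash escape keeps the underscore literal
-- instead of a single-character wildcard (assumed convention, see lead-in).
INSERT INTO SYSIBM.SYSAUDITPOLICIES
       (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE)
VALUES ('TABADT1', 'TSCHEMA', '''E\_P%''', 'T', 'A');

-- Policy 3: the same tables, but only changes (EXECUTE = 'C' covers
-- INSERT, UPDATE and DELETE) for a lighter trail when reads are not needed.
INSERT INTO SYSIBM.SYSAUDITPOLICIES
       (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE)
VALUES ('TABADT2', 'TSCHEMA', '''E\_P%''', 'T', 'C');

-- Review what is defined before starting anything.
SELECT AUDITPOLICYNAME, SYSADMIN, DBADMIN, OBJECTSCHEMA, OBJECTNAME,
       OBJECTTYPE, EXECUTE, DB2START
  FROM SYSIBM.SYSAUDITPOLICIES;

-- DB2 commands (console, not SQL): activate policies by name, and later stop
-- one. Stopping AUDITADMIN1 would be rejected for anyone but SECADM.
--   -START TRACE (AUDIT) DEST (GTF) AUDTPLCY (AUDITADMIN1, TABADT1)
--   -STOP TRACE (AUDIT) AUDTPLCY (TABADT1)
```

Inserting the row only defines the policy; nothing is recorded until the trace is started, and the auto-start flag only matters at the next DB2 start.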
Audit policy categories: the audit policy supports eight categories, each mapped to IFCIDs

  Category   IFCIDs
  CHECKING   IFCID 83 (only authentication failures), IFCID 140
  VALIDATE   IFCIDs 55, 83, 87, 169, 269, 319
  OBJMAINT   IFCID 142
  EXECUTE    IFCIDs 143, 144, 145
  CONTEXT    IFCIDs 23, 24, 25
  SECMAINT   IFCIDs 141, 270, 271
  SYSADMIN   IFCID 361 (audits installation SYSADM, installation SYSOPR, SYSOPR, SYSCTRL, SYSADM)
  DBADMIN    IFCID 361 (audits DBMAINT, DBCTRL, DBADM, PACKADM, SQLADM, system DBADM, DATAACCESS, ACCESSCTRL, SECADM)
RACF support for the new administrative authorities

- The RACF Access Control Module (SYS1.SDSNSAMP(DSNXRXAC)) has been enhanced to honor the setting of SEPARATE_SECURITY and to implement the new DB2 administrative authorities as RACF resource checks:

  Class    Resource                  DB2 Authority
  MDSNSM   <subsystem>.EXPLAIN       EXPLAIN
  MDSNSM   <subsystem>.SQLADM        SQLADM
  DSNADM   <subsystem>.ACCESSCTRL    ACCESSCTRL
  DSNADM   <subsystem>.DATAACCESS    DATAACCESS
  DSNADM   <subsystem>.SYSDBADM      System DBADM
  DSNADM   <subsystem>.SECADM        SECADM
New, improved security features provide more effective controls and an accurate audit trail for remote access

- Support for password phrases (z/OS V1R10): a RACF password phrase is a character string made up of mixed-case letters, numbers and special characters, between 9 and 100 characters long; it can be used instead of a traditional 8-character password
- Support for connection-level security enforcement using strong authentication: the subsystem parameter TCPALVER with value SERVER_ENCRYPT enforces that connections must use strong authentication to access DB2; all user IDs and passwords must be encrypted using AES, or the connection must be accepted on a port that ensures AT-TLS policy protection, or be protected by an IPSec encrypted tunnel
Satisfy your auditor: new table controls protect against unplanned SQL access

- Define additional data controls at the row and column level
- Security policies are defined using SQL, separating security logic from application logic
- Security policies are based on real-time session attributes
- Limits the impact of SQL injection attacks: the policy determines which rows are returned and how column values are returned, regardless of the statement text
- All access via SQL, including privileged users, ad-hoc query tools and report generation tools, is protected
- Policies can be added, modified, or removed to meet current company rules without changes to applications
Table controls to protect SQL access at the individual row level: establish a row policy for a table

- Filter rows out of the answer set
- The policy can use session information (e.g. which group the SQL ID is in, or which role the user is using) to control which rows are returned in the result set
- Applicable to SELECT, INSERT, UPDATE, DELETE and MERGE
- Defined as a row permission:

  CREATE PERMISSION policy-name ON table-name
    FOR ROWS WHERE search-condition
    ENFORCED FOR ALL ACCESS
    ENABLE;

- The optimizer inserts the search condition into all SQL statements accessing the table; if a row satisfies the search condition, the row is returned in the answer set
Table controls to protect SQL access at the individual column level: establish a column policy for a table

- Mask column values in the answer set
- The policy can use session information (e.g. which group the SQL ID is in, or which role the user is using) to control what masked value is returned in the result set
- Applicable to the output of the outermost subselect
- Defined as a column mask:

  CREATE MASK mask-name ON table-name
    FOR COLUMN column-name RETURN CASE-expression
    ENABLE;

- The optimizer inserts the CASE expression into all SQL statements accessing the table to determine the masked value to return in the answer set
Define table policies based on who is accessing the table, or how

- SESSION_USER: the primary authorization ID of the process
- CURRENT SQLID: the SQL authorization ID of the process (SET CURRENT SQLID = string-constant)
- VERIFY_GROUP_FOR_USER function: gets the authorization IDs for the value in SESSION_USER, including both primary and secondary authorization IDs, and returns 1 if any of those authorization IDs is in the argument list:

  WHERE VERIFY_GROUP_FOR_USER (SESSION_USER, 'MGR', 'PAYROLL') = 1

- VERIFY_ROLE_FOR_USER function: gets the role for the value in SESSION_USER and returns 1 if the role is in the argument list:

  WHERE VERIFY_ROLE_FOR_USER (SESSION_USER, 'MGR', 'PAYROLL') = 1
Managing row and column access controls

- When row and column access controls are activated: all row permissions and column masks become effective in all DML; all row permissions are connected with OR to filter out rows; all column masks are applied to mask output; all access to the table is prevented if there are no user-defined row permissions
- When row and column access controls are deactivated: row permissions and column masks become ineffective in DML; all access to the table is opened

  ALTER TABLE table-name
    ACTIVATE ROW ACCESS CONTROL
    ACTIVATE COLUMN ACCESS CONTROL;

  ALTER TABLE table-name
    DEACTIVATE ROW ACCESS CONTROL
    DEACTIVATE COLUMN ACCESS CONTROL;
Row and column level access: what is the purpose of row level security?

- Filter rows out of the answer set
- The policy can use session information (which group the SQL ID is in, which role the user is using) to control when a row is returned in the result set
- Applicable to SELECT, INSERT, UPDATE, DELETE and MERGE
- Defined as a row permission
- The optimizer inserts the search condition into all SQL statements accessing the table; if a row satisfies the search condition, it is returned in the answer set
Row and column level access: what is the purpose of column level security?

- Mask column values in the answer set
- Applicable to the output of the outermost subselect
- Defined as column masks
- The optimizer inserts the CASE expression into all SQL accessing the table to determine the masked value to return in the answer set
Row and column level access: define a column or row policy based on who is accessing the table

- SESSION_USER: the primary authorization ID of the process
- CURRENT SQLID: the SQL authorization ID of the process (SET CURRENT SQLID = some authorization ID)
- VERIFY_GROUP_FOR_USER (new built-in function): gets the authorization IDs for the value in SESSION_USER, both primary and secondary authorization IDs, and returns 1 if any of those authorization IDs is in the argument list
- VERIFY_ROLE_FOR_USER (new built-in function): gets the role for the value in SESSION_USER and returns 1 if the role is in the argument list
Row and column level access: row and column access control

- When row and column access controls are activated:
  - Row permissions and column masks become effective in all DML
  - All row permissions are connected with OR to filter out rows
  - All column masks are applied to mask output
  - A rebind is required for dependent packages
  - The modified statements are shown in DSN_PREDICAT_TABLE
  - IFCID 145 names the mask / permission enabled at prepare / bind time
  - All access to the table is halted if there are no user-defined row permissions
- When row and column access controls are deactivated: row permissions and column masks become ineffective in DML; all access to the table is opened
Row and column level access, banking example: a simple banking scenario (table CUSTOMER)

  ACCOUNT              NAME    PHONE     INCOME   BRANCH
  1111-2222-3333-4444  Alice   111-1111   22,000  A
  2222-3333-4444-5555  Bob     222-2222   71,000  B
  3333-4444-5555-6666  Louis   333-3333  123,000  B
  4444-5555-6666-7777  David   444-4444  172,000  C
Row and column level access, banking example: determine the access control rules for the customer service representative (CSR)

- Allow access to all customers of the bank (a row permission)
- Mask all INCOME values (a column mask): return 0 for incomes of 25,000 and below; 1 for incomes between 25,000 and 75,000; 2 for incomes between 75,000 and 150,000; 3 for incomes above 150,000
- All customer service representatives are in the CSR group (the "who")
- Create a row permission for customer service representatives (the CREATE PERMISSION statement is shown on the slide)
Row and column level access, banking example: create a column mask on INCOME for the customer service representative (the CREATE MASK statement is shown on the slide)
Row and column level access, banking example: activate row-level and column-level access control

- What happens in DB2? A default row permission is created implicitly to prevent all access to table CUSTOMER (WHERE 1=0), and all packages and cached statements that reference table CUSTOMER are invalidated
Row and column level access, banking example: the CSR's result

INCOME is automatically masked by DB2; if the user is not a member of the CSR group, no rows at all are returned:

  ACCOUNT              NAME    INCOME  PHONE     BRANCH
  2222-3333-4444-5555  Bob     1       222-2222  B
  3333-4444-5555-6666  Louis   2       333-3333  B
Row and column level access, banking example: DB2 effectively evaluates a revised query (shown on the slide) with the row permission's search condition and the INCOME mask merged in; if the user is not in the group CSR, VERIFY_GROUP_FOR_USER returns 0 and no rows are returned.
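The script below is an added example, not the slides' own statements, that carries the banking scenario above through end to end on DB2 10 for z/OS: the CUSTOMER table with the slide's four constructed rows, the CSR row permission and INCOME mask built on VERIFY_GROUP_FOR_USER (the session attribute functions from the "Define table policies" slide), activation, and the rewritten query DB2 effectively evaluates. It assumes the DDL runs under SECADM (or CREATE_SECURE_OBJECT plus the table privileges), that a RACF group named CSR exists, and that the CSR's query included WHERE BRANCH = 'B', which is inferred from the slide's result showing only Bob and Louis.

```sql
-- Added example, not from the slides. Assumes SECADM, a RACF group CSR, and
-- that the CSR's query was restricted to BRANCH = 'B' (inferred from the result).

CREATE TABLE CUSTOMER (
  ACCOUNT  VARCHAR(19) NOT NULL,
  NAME     VARCHAR(20) NOT NULL,
  PHONE    VARCHAR(8),
  INCOME   INTEGER,
  BRANCH   CHAR(1)
);

-- Constructed sample rows, copied from the slide's table.
INSERT INTO CUSTOMER VALUES
  ('1111-2222-3333-4444', 'Alice', '111-1111',  22000, 'A'),
  ('2222-3333-4444-5555', 'Bob',   '222-2222',  71000, 'B'),
  ('3333-4444-5555-6666', 'Louis', '333-3333', 123000, 'B'),
  ('4444-5555-6666-7777', 'David', '444-4444', 172000, 'C');

-- Row permission: a CSR may see every customer; anyone else matches no row.
-- Evaluated against SESSION_USER at run time, so one package serves all users
-- and an ad-hoc query tool gets the same treatment as the application.
CREATE PERMISSION CSR_ROW_ACCESS ON CUSTOMER
  FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'CSR') = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: the mask must return the column's data type (INTEGER here),
-- so the income bands from the slide come back as 0..3; a non-CSR gets NULL.
CREATE MASK INCOME_MASK ON CUSTOMER
  FOR COLUMN INCOME RETURN
    CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'CSR') = 1 THEN
           CASE WHEN INCOME <=  25000 THEN 0
                WHEN INCOME <=  75000 THEN 1
                WHEN INCOME <= 150000 THEN 2
                ELSE 3
           END
         ELSE NULL
    END
  ENABLE;

-- Nothing is enforced until the controls are activated. Activation also adds
-- the implicit WHERE 1=0 default permission and invalidates every package and
-- cached statement that references CUSTOMER (rebind the dependent packages).
ALTER TABLE CUSTOMER
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- The CSR's query, exactly as the application writes it.
SELECT ACCOUNT, NAME, INCOME, PHONE, BRANCH
  FROM CUSTOMER
 WHERE BRANCH = 'B';

-- What DB2 effectively evaluates after merging the permission and the mask
-- (the rewritten form is what appears in DSN_PREDICAT_TABLE).
SELECT ACCOUNT, NAME,
       CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'CSR') = 1 THEN
              CASE WHEN INCOME <=  25000 THEN 0
                   WHEN INCOME <=  75000 THEN 1
                   WHEN INCOME <= 150000 THEN 2
                   ELSE 3
              END
            ELSE NULL
       END AS INCOME,
       PHONE, BRANCH
  FROM CUSTOMER
 WHERE BRANCH = 'B'
   AND VERIFY_GROUP_FOR_USER(SESSION_USER, 'CSR') = 1;
```

Because the permission is an AND-ed predicate on every statement, an injected `OR 1=1` in the application's WHERE clause widens the application's own filter but never the permission's, and the mask still bands INCOME; that is the sense in which the earlier slide says the controls protect against SQL injection.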
DB2 10 for z/OS security enhancements help satisfy your auditors using new features

- New granular authorities to reduce data exposure for administrators
- New auditing features, using new audit policies, to comply with new laws
- New row and column access table controls to safeguard your data
- New temporal data to comply with regulations that require historical data to be maintained
Database Danger from Within

- "Organizations overlook the most imminent threat to their databases: authorized users." (Dark Reading)
- "No one group seems to own database security ... This is not a recipe for strong database security"; 63% depend primarily on manual processes. (ESG)
- Most organizations (62%) cannot prevent super users from reading or tampering with sensitive information; most are unable to even detect such incidents; only 1 out of 4 believe their data assets are securely configured. (Independent Oracle User Group)
xxx: at least 45.7 million credit and debit card numbers were stolen by hackers who accessed the mainframe computer systems at xxx. Cost of the breach, financial impact: $256 million remediation (2007).
Cost of a data breach: understand what's at stake, top 5 breaches by cost

  Rank  Company                        Records breached   Estimated cost
  1     Major consumer retailer        100 million        $2 billion
  2     Multichannel marketer          150 million        $225 million to $4 billion
  3     Major consumer retailer        45 million         $256 million (mainframe breach)
  4     Credit card payment processor  100 million        $140 million
  5     US government agency           17 million         $30 million

Cost per breached record breakdown (chart; total cost of a breached record in 2011: $214):

  Lost business   $134
  Post response    $51
  Notification     $15
  Detection        $13
Security: IBM DB2 tools support

- Guardium, Guardium Encryption, RACF, TCIM: concerns about security (DB2, IMS, VSAM*)
- DB2 Admin Tool and Object Compare: new access control authorities
- DB2 Admin Tool, Bind Manager: new bind options
- Guardium: new audit capabilities
- DB2 Administration Tool: row/column access control
References

- Security Functions of IBM DB2 10 for z/OS (SG24-7959-00), http://www.redbooks.ibm.com
- DB2 10 for z/OS Technical Overview (SG24-7892-00), http://www.redbooks.ibm.com
- DB2 10 for z/OS Administration Guide (SC19-2968-02), http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/topic/com.ibm.db2z10.doc.admin/src/admin/db2z_admin.htm
- DB2 10 for z/OS RACF Access Control Module Guide (SC19-2982-02), http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/topic/com.ibm.db2z10.doc.racf/src/racf/db2z_racf.htm
- DB2 V10: A new standard in data protection, by Mark Nelson, Randy Love, Gayathiri Chandran, zJournal, February 2011, http://publibz.boulder.ibm.com/zoslib/pdf/EOZ2N1C0.pdf
- DB2 9 for z/OS: Configuring SSL for Secure Client-Server Communications (Redpaper), http://www.redbooks.ibm.com/abstracts/redp4630.html?Open
- DB2 10 for z/OS: Configuring SSL for Secure Client-Server Communications (Redpaper), http://www.redbooks.ibm.com/redpieces/abstracts/redp4799.html?Open
- DB2 for z/OS Information Center, http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp