Security Functions of IBM DB2 10 for z/OS

Book description

IBM® DB2® 9 and 10 for z/OS® have added functions in the areas of security, regulatory compliance, and audit capability that provide solutions for the most compelling requirements.

DB2 10 enhances the DB2 9 role-based security with additional administrative and other finer-grained authorities and privileges. This authority granularity helps separate administration from data access, so that each is granted only the minimum appropriate authority.

The authority profiles provide better separation of duties while limiting or eliminating blanket authority over all aspects of a table and its data. In addition, DB2 10 provides a set of criteria for auditing for the possible abuse and overlapping of authorities within a system.

In DB2 10, improvements to security and regulatory compliance focus on data retention and protecting sensitive data from privileged users and administrators. Improvements also help to separate security administration from database administration.

DB2 10 also lets administrators enable security on a particular column or particular row in the database, complementing the privilege model.

This IBM Redbooks® publication provides a detailed description of DB2 10 security functions from the implementation and usage point of view. It is intended to be used by database, audit, and security administrators.

Table of contents

  1. Figures
  2. Tables
  3. Examples (1/2)
  4. Examples (2/2)
  5. Notices
    1. Trademarks
  6. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  7. Part 1: Security for DB2 for z/OS
  8. Chapter 1: Security regulations
    1. 1.1: The cost of a data breach
      1. Actions after a data breach
      2. ROI calculation
    2. 1.2: Regulatory compliance
      1. Health Insurance Portability and Accountability Act of 1996
      2. Gramm-Leach-Bliley Act of 1999
      3. Sarbanes-Oxley Act
      4. California Senate Bill 1386
      5. Payment Card Industry Data Security Standard
      6. IBM Data Server Security
  9. Chapter 2: Introduction to security for DB2 for z/OS
    1. 2.1: DB2 and z/OS threat environment
      1. System z and DB2 for z/OS statement of integrity
      2. Buffer overflow and storage protection on z/OS
      3. Storage keys and the Authorized Program Facility
      4. Patch management and the IBM Red Alerts subscription service
    2. 2.2: Application versus DBMS compliance controls
    3. 2.3: Privileged user controls
    4. 2.4: DB2 for z/OS from an evolutionary perspective
  10. Part 2: DB2 capabilities
  11. Chapter 3: Administrative authorities and security-related objects
    1. 3.1: Rationale for new features
      1. Administrative authorities available in DB2 9
      2. New administrative authorities available in DB2 10
      3. New system privileges in DB2 10
      4. Current administrative authorities and their privileges
    2. 3.2: Management of security-related objects
    3. 3.3: SECADM
      1. Privileges held by the SECADM authority
      2. A new separate security install parameter
      3. Migration to DB2 10 and SEPARATE_SECURITY YES / NO
      4. Role naming considerations
    4. 3.4: SYSTEM DBADM
    5. 3.5: ACCESSCTRL
    6. 3.6: DATAACCESS
    7. 3.7: Reassigning powerful privileges held by SYSADM and SYSCTRL
1. Maintaining an existing common model
      2. Separating security administration from system administration
      3. Separating the system database administration from system and security administration
      4. Separating system database administration without access control
      5. Keeping security simple
      6. Dependent privileges with new authorities
    8. 3.8: Revoking without cascade
      1. Controlling cascade
      2. Removing DBA privileges to improve auditing
    9. 3.9: Debugging and performance analysis privileges
      1. EXPLAIN privilege
      2. SQLADM
    10. 3.10: DSNZPARMs related to security
      1. Installation panels
      2. SECADM1 and SECADM2 and role name: Additional details
      3. Online-updatable subsystem parameters
      4. Summary of subsystem parameters related to security
  12. Chapter 4: Roles and trusted contexts
    1. 4.1: Existing challenges
      1. Trusting all connection requests
      2. Application server user ID / password (three-tier architecture)
      3. Dynamic SQL auditability
      4. Securing DBA privileges
      5. DBADM create view and drop / alter
      6. Reserving a RACF group and table dropping
      7. Exercising granted privileges
    2. 4.2: Roles
      1. Role access to data
      2. Role ownership of objects
      3. Auditing notes
    3. 4.3: Trusted contexts
      1. Characteristics of a trusted context
      2. How a trusted connection comes alive
      3. Authid switching within a trusted connection
    4. 4.4: Challenges addressed by roles and trusted contexts
      1. Trusting all connection requests
      2. Application server user ID and password (three-tier architecture)
      3. Dynamic SQL auditability
      4. Allowing connections without credentials
      5. Shared SYSADM ID
      6. Dual responsibilities
      7. Full-time access to sensitive/private data
      8. DBADM create view and drop / alter
      9. Reserving a RACF group and table dropping
      10. Exercising granted privileges
    5. 4.5: Example of a local trusted context: Securing DBA activities
    6. 4.6: Example of a remote trusted connection
    7. 4.7: Example of a remote trusted connection with multiple users
    8. 4.8: Protecting new DB2 10 administrative authorities
      1. SYSTEM DBADM
      2. SECADM
      3. SQLADM
  13. Chapter 5: Data access control
    1. 5.1: New access control functions and terminology
    2. 5.2: Row permission object
      1. Built-in functions
      2. Creating and activating a row permission (1/2)
      3. Creating and activating a row permission (2/2)
      4. Row access control and catalog tables
    3. 5.3: Column masks
      1. DDL for masks
      2. Creating and activating column masks
    4. 5.4: EXPLAIN table information
      1. DSN_PREDICAT_TABLE information
      2. DSN_STRUCT_TABLE information
    5. 5.5: Triggers and UDF information
  14. Chapter 6: Cryptography for DB2 data
    1. 6.1: DB2 built-in-function support for encryption
      1. Insert and create
      2. SELECT
      3. Prerequisites and considerations
    2. 6.2: InfoSphere Guardium Data Encryption for DB2 and IMS Databases
      1. Deciding between EDITPROC, DB2 based encryption, and disk encryption
    3. 6.3: Disk storage based encryption with IBM System Storage DS8000
      1. DS8000 data encryption management overview
      2. Disk encryption details
3. Characteristics of the DS8000 encryption implementation
    4. 6.4: Tape storage encryption
      1. How tape encryption works
      2. What to encrypt
      3. Why use tape encryption
      4. Summary
    5. 6.5: Overview of SSL and IP AT-TLS
  15. Chapter 7: User authentication
    1. 7.1: Authentication and the data server security categories
      1. Support for a z/OS password phrase
      2. Effectively audit distributed workloads
      3. Support for z/OS client login using digital certificates
      4. Using private protocol authorization
    2. 7.2: z/OS Security Server password phrase and DRDA encryption
      1. Creating a user ID with a password phrase
      2. Connecting from a remote desktop to DB2 for z/OS using a password phrase
      3. Connecting JDBC type 4 using WebSphere Application Server to a DB2 for z/OS server using a password phrase
    3. 7.3: z/OS identity propagation and distributed DB2 workloads
      1. Distributed identity propagation using DB2 10
      2. Distributed identity propagation using CICS Transaction Gateway
      3. Distributed identity propagation with WebSphere Application Server V8
    4. 7.4: z/OS digital certificates and DB2 AT-TLS
  16. Chapter 8: Audit policies
    1. 8.1: Policy-based audit capability
      1. Audit policies
      2. Starting, stopping, and managing DB2 audit policies
      3. Authorization
      4. Policy-based SQL statement auditing for tables
      5. Unique statement identifier
      6. Auditing authorities with audit policies
  17. Chapter 9: RACF and DB2
    1. 9.1: Authorization IDs for accessing data within DB2
      1. Processing connections
      2. Processing sign-ons
    2. 9.2: DB2 managed security
    3. 9.3: RACF managed security
      1. The RACF access control module
      2. RACF profiles and class structure
      3. RACF defined administration privilege profiles
      4. Activating and using RACF classes
      5. RACF sample scenario (1/2)
      6. RACF sample scenario (2/2)
      7. RACF/DB2 Conversion Utility
      8. RACF SMF data unload utility IRRADU00
      9. Using the RACF database unload utility IRRDBU00
  18. Part 3: Implementation scenarios
  19. Chapter 10: Implementing data access control
    1. 10.1: Description of the Spiffy Computer Company
    2. 10.2: Scenario 1: Separation of duties
    3. 10.3: Scenario 2: Classification of users
    4. 10.4: The SYSADM authority
      1. Setting SEPARATE_SECURITY to YES: Concerns
      2. Taking over the authority of another person
      3. Using a trusted context to circumvent a row permission rule (1/2)
      4. Using a trusted context to circumvent a row permission rule (2/2)
  20. Chapter 11: Remote client applications access
    1. 11.1: Using a password phrase for remote client applications
      1. Background information for the strong password scenario
      2. Implementing the password phrase solution
      3. Lessons learned
    2. 11.2: Protecting data through DB2 SSL with digital certification
      1. Background information for the certificate scenario
      2. Implementation scenario (1/3)
      3. Implementation scenario (2/3)
      4. Implementation scenario (3/3)
      5. Advanced implementation scenario (1/2)
      6. Advanced implementation scenario (2/2)
      7. Lessons learned
    3. 11.3: Identity propagation for a remote client application
      1. Background information
      2. Scenario implementation (1/2)
      3. Scenario implementation (2/2)
      4. Lessons learned
    4. 11.4: Considerations about SQL injection
      1. Background information
      2. Implementation scenario
  21. Chapter 12: Database monitoring and the audit application
    1. 12.1: Activity monitoring options on DB2 for z/OS
    2. 12.2: Tivoli OMEGAMON for DB2 Performance Expert Version V5R1
      1. Executing the OMEGAMON PE batch reporter
2. Loading event data into DB2 tables for SQL-based reporting
      3. OMEGAMON PE Performance Database
      4. Authorization failure reporting and loading events into DB2
      5. Monitoring and reporting on changes in the security environment
      6. Monitoring the use of privileges in DB2
      7. Finding the dynamic statement
      8. Considerations for reporting using the OMEGAMON PE audit tables
  22. Chapter 13: DB2 temporal support
    1. 13.1: Temporal tables
      1. How temporal tables work
      2. Creating a system-period temporal table (1/2)
      3. Creating a system-period temporal table (2/2)
      4. Tracking effective dates with BUSINESS_TIME (1/2)
      5. Tracking effective dates with BUSINESS_TIME (2/2)
      6. Bitemporal tables
    2. 13.2: Using temporal tables for auditing
      1. Basic security setup
      2. Production setup
      3. Interest rates scenario
      4. Investigation
      5. Altering the mortgage table to become aware of time
      6. New security measures
      7. Next mortgage offline scenario
      8. Problem with interest rates scenario
      9. Conclusion
  23. Part 4: Security tools
  24. Chapter 14: Security tools for discovery and control
    1. 14.1: InfoSphere Discovery
    2. 14.2: IBM Tivoli Security Solutions
      1. Tivoli Security Information and Event Manager
      2. InfoSphere Guardium and TSIEM
    3. 14.3: SQL injection and IBM Optim pureQuery Runtime
      1. SQL injection
      2. Optim pureQuery Runtime for z/OS for protection from SQL injection
  25. Chapter 15: Auditing and InfoSphere Guardium
    1. 15.1: InfoSphere Guardium
      1. Homegrown audit reporting
      2. Database activity monitoring with InfoSphere Guardium for DB2 for z/OS
      3. InfoSphere Guardium heterogeneous database support
      4. InfoSphere Guardium components in a heterogeneous environment
    2. 15.2: Database security functionality using InfoSphere Guardium
    3. 15.3: InfoSphere Guardium S-TAP for DB2 for z/OS (1/2)
    4. 15.3: InfoSphere Guardium S-TAP for DB2 for z/OS (2/2)
      1. Event collection
      2. SQL inspection and performance monitoring
      3. Building audit reports with InfoSphere Guardium (1/2)
      4. Building audit reports with InfoSphere Guardium (2/2)
      5. InfoSphere Guardium Vulnerability Assessment reporting (1/2)
      6. InfoSphere Guardium Vulnerability Assessment reporting (2/2)
      7. InfoSphere Guardium data classification (1/2)
      8. InfoSphere Guardium data classification (2/2)
  26. Part 5: Appendixes
  27. Appendix A: Spiffy Computer Company security setup
    1. Spiffy Computer Company
      1. Determining security objectives
    2. Organization of Spiffy Computer Company
  28. Appendix B: Introduction to cryptography
    1. Fundamentals of cryptography
      1. Encryption algorithms
    2. Integrated Cryptographic Service Facility for z/OS
      1. Clear and secure keys for z/OS
      2. Protected Key support with CEX3C
      3. Key rotation
      4. Protecting ICSF resources with RACF
    3. Tivoli Key Lifecycle Manager
      1. IBM Java Security keystore
      2. Tivoli Key Lifecycle Manager on distributed systems
      3. Cryptographic services
      4. Key exchange
      5. Asymmetric and symmetric keys
      6. TS1100 family of tape drives and DS8000
      7. LTO Ultrium 4 tape drives
      8. System-managed encryption for System z
  29. Abbreviations and acronyms
  30. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. Help from IBM
  31. Index (1/3)
  32. Index (2/3)
  33. Index (3/3)
  34. Back cover

Product information

  • Title: Security Functions of IBM DB2 10 for z/OS
  • Author(s): Paolo Bruni, Marcelo Antonelli, Hyun Baek, Rick Butler, Ernie Mancill
  • Release date: September 2011
  • Publisher(s): IBM Redbooks
  • ISBN: None