Database Security Essentials

Rob Bestgen [email protected]
DB2 for i Center of Excellence
IBM Power Systems
© 2014 IBM Corporation

LISUG: lisug.org/presentations/DB2 and SQL Security.pdf

2

Who is the DB2 for i Center of Excellence? An experienced IBM team delivering:

• Product Offerings Developed through Engagements
• Briefings, consulting and guidance on demand
• IBM i for Business Intelligence Installation Services
• DB2 Web Query Getting Started Services
• Query/400 Modernization Services
• DB2 for i Modernization Workshop(s)
• DB2 for i SQL Performance Workshop
• DB2 for i SQL Performance Health Check
• DB2 for i Very Large Database (VLDB) Assessment
• DB2 for i remote database administration and engineering services

For more information, contact Mike Cain ([email protected]) or Doug Mack ([email protected])

3

Is Database Security Needed?

• Privacy Rights Clearinghouse reports over 867 million data records compromised in 4274 incidents since 2005
  – http://www.privacyrights.org/ar/data-breach
  – And that is only what was reported!
• Only large companies? Information Week states that small and mid-sized businesses (SMBs) were the victims in 40% of all data breaches last year
• Forrester Research estimates the cost to remediate a data breach at $90-305 per record

4

Is Database Security Needed?

• Data is not just Information, but an ASSET
  – What’s it worth?
  – Secured like other business assets?
• Because Data is an Asset, securing data needs to be a regular cost of doing business

5

The Compliance Mandate

DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language

6

Database Security Fundamentals

• Security Policy
  – No policy, no plan for securing data
  – No policy, no measurement
  – No policy, expensive audits
• Resource Security
  – Prevents data breaches from internal & external intrusions
  – Closely tied to Security Policy definition

7

Security Policy Fundamentals

• Policy creation
  – IT Staff should Help, NOT Drive – Corporate leaders are legally responsible
  – Learn which government & industry regulations apply (PCI, HIPAA, etc)
  – Write and maintain policy
• Policy implementation
  – Turn the policy into practice
    • Which data can be changed and/or accessed
    • Who can change and/or access data
  – Ensure that IT assets remain correctly configured
• Compliance audits
  – Explaining to auditors why the policy is compliant
  – Showing that the policy is followed
  – Responding to auditor change requests

8

DB2 for i – Current Security State

[Diagram: Middleware (ODBC, .NET, JDBC, …), Query Tools and Mgmt Tools accessing DB2 for i]

9

DB2 for i – Current Security State with Exit Points

[Diagram: Middleware (ODBC, .NET, JDBC, …), Query Tools and Mgmt Tools accessing DB2 for i through exit points]

10

DB2 for i – Desired Security State

[Diagram: Middleware (ODBC, .NET, JDBC, …), Query Tools and Mgmt Tools accessing DB2 for i in the desired security state]

11

DB2 for i Resource Security Fundamentals

• Determine how data needs to be protected
  – Everyone can update !?!?
  – Everyone can read, authorized users can update
  – No one can access by default, authorized users given access
• Approaches
  – Private Authorities
  – Adopted Authorities
  – IBM i 7.2 – Separation of Duties

12

Private Authority Fundamentals

• Step #1 – Limit number of *ALLOBJ special authority users
  – No direct control to prevent *ALLOBJ user from accessing object
• Step #2 – Tighten down *PUBLIC authority
  – QCRTAUT System Value controls default behavior
  – SQL interfaces can have different behavior
    • *SQL Naming – *PUBLIC given *EXCLUDE
    • *SYS Naming – follows QCRTAUT model
• Step #3 – Consider granularity of private authorities
  – Individual user profiles
  – Group profiles
  – Authorization lists
  – Adopted authority
  – Separation of Duties (v7.2)

13

IBM i Authority Verification Order

• Ignoring *ALLOBJ authority, IBM i verifies a user's authority to an object in the following order:
  1. Check user (private authority, authorization list)
  2. Check groups (private authority, authorization list)
  3. Check *PUBLIC (private authority, authorization list)
  4. Check for adopted authority

14

Private Authority Interfaces

• System commands
  – EDTOBJAUT
  – GRTOBJAUT
  – CHGAUT
• SQL Statements
  – GRANT
  – REVOKE
  – SQL has no interface for Authorization List
  – RCAC (v7.2)

15

Private Authority – Group Profiles

• Group profiles can simplify administration of private authorities
  – Authorities granted to groups of similar users
  – Group profiles often created by department or business role (help desk, teller, …)
  – All users in the group have same authority to the DB2 object
  – Credentials for an individual user & group profile are NOT additive
  – If user profile belongs to many groups, the group authorities are additive
  – Best practices
    • Individual user profiles have no private authorities for DB2 object
    • Create group profile with Password(*NONE), Status(*DISABLED), INLMNU(*SIGNOFF)
    • Improve performance using CHGOBJPGP command

16

Private Authorities – Group Profiles Example

/* Create “group” user profiles */
CRTUSRPRF USRPRF(GPSALES) PASSWORD(*NONE) STATUS(*DISABLED)
          INLMNU(*SIGNOFF)
CRTUSRPRF USRPRF(GPPAY) PASSWORD(*NONE) STATUS(*DISABLED)
          INLMNU(*SIGNOFF)

/* Add user profiles to the groups */
CHGUSRPRF USRPRF(APPUSER1) GRPPRF(GPSALES)
CHGUSRPRF USRPRF(APPUSER2) GRPPRF(GPPAY)
CHGUSRPRF USRPRF(APPUSER3) GRPPRF(GPSALES) SUPGRPPRF(GPPAY)

/* Authorize group profiles to DB2 tables */
GRTOBJAUT OBJ(PAYTAB) OBJTYPE(*FILE) USER(GPPAY) AUT(*USE)
GRTOBJAUT OBJ(SALESTB) OBJTYPE(*FILE) USER(GPSALES) AUT(*CHANGE)

/* SQL version of granting table access to group profiles */
GRANT SELECT ON paytab TO gppay
GRANT SELECT,INSERT,UPDATE,DELETE ON salestb TO gpsales

17

Private Authority – Authorization Lists

• Authorization lists also simplify administration of private authorities
  – Provide method to group objects with similar security requirements
  – Authorization lists enable authorities to be changed even when DB2 objects are open
  – Different, not necessarily better than group profiles
  – Authorization lists can reference group profiles

[Diagram: authorization list DW_AUTL with entries DWADMIN *CHANGE, ETL_GRP *CHANGE, RPT_GRP *USE, *PUBLIC *EXCLUDE, securing the tables ITEM_FACT, SALES_DIM and DATE_DIM]

18

Private Authorities – Authorization List Example

/* Create authorization list */
CRTAUTL AUTL(DW_AUTL) AUT(*EXCLUDE)

/* Associate tables with authorization list */
GRTOBJAUT OBJ(ITEM_FACT) OBJTYPE(*FILE) AUTL(DW_AUTL)
GRTOBJAUT OBJ(SALES_DIM) OBJTYPE(*FILE) AUTL(DW_AUTL)
GRTOBJAUT OBJ(DATE_DIM) OBJTYPE(*FILE) AUTL(DW_AUTL)

/* Give users access to the authorization list */
ADDAUTLE AUTL(DW_AUTL) USER(DWADMIN) AUT(*CHANGE)
ADDAUTLE AUTL(DW_AUTL) USER(ETL_GRP) AUT(*CHANGE)
ADDAUTLE AUTL(DW_AUTL) USER(RPT_GRP) AUT(*USE)

19

Adopted Authority Approach

• Used to temporarily give “extra” authority to a user by augmenting with program owner authorities
  – CRTPGM/CHGPGM USRPRF parameter
  – SQL Interface support (next chart)
  – Swap Profile API Set (QSYGETPH, QWTSETP, QSYRLSPH)
• Benefits
  – Reduce number of authority grants for individual profiles
  – Can force all data access to be done with program calls
• Tradeoffs
  – Extra authority in effect as long as program is on the call stack
    • Watch command line access
    • CHGPGM USEADPAUT(*NO) to minimize authority propagation
  – “Direct” data access interfaces not a good fit

20

Adopted Authority Approach – SQL Considerations

SQL executable objects can use adopted authority:
• By default, SQL naming mode will adopt the executable object authority for static SQL statements, BUT will not adopt it for dynamic SQL
• System naming follows IBM i rules by default
• Default behavior can be overridden using the DYNUSRPRF and USRPRF keywords:
  – Embedded SQL: pre-compiler parameters, or SET OPTION in the language source
  – SQL Functions, Procedures and Triggers: SET OPTION in the SQL CREATE and ALTER statements

21

Adopted Authority Approach Example

[Diagram: program call stack for user JANE and the user profiles checked at each level]

JANE calls:
  pgmA – Owner: WORKAPPS, USRPRF: *OWNER                      → checked user profiles: JANE, WORKAPPS
  pgmB – Owner: SECTEAM,  USRPRF: *OWNER                      → checked user profiles: JANE, WORKAPPS, SECTEAM
  pgmC – Owner: WORKAPPS, USRPRF: *USER, USEADPAUT: *NO       → checked user profiles: JANE

22

Adopted Authority Approach Example

/* Authorize program owners to access DB2 tables */
GRTOBJAUT OBJ(WORKTAB) OBJTYPE(*FILE) USER(WORKAPPS) AUT(*CHANGE)
GRTOBJAUT OBJ(EMPTAB) OBJTYPE(*FILE) USER(SECTEAM) AUT(*CHANGE)
RVKOBJAUT OBJ(WORKTAB) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
RVKOBJAUT OBJ(EMPTAB) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)

/* SQL version of Grant & Revoke for Program Owners (EMPTAB belongs to SECTEAM, as in the CL version) */
GRANT ALL ON worktab TO workapps
GRANT ALL ON emptab TO secteam
REVOKE ALL ON worktab,emptab FROM PUBLIC

/* Get Program objects ready */
CHGOBJOWN OBJ(PGMA) OBJTYPE(*PGM) NEWOWN(WORKAPPS)
CHGPGM PGM(PGMA) USRPRF(*OWNER)
CHGOBJOWN OBJ(PGMB) OBJTYPE(*PGM) NEWOWN(SECTEAM)
CHGPGM PGM(PGMB) USRPRF(*OWNER)
CHGOBJOWN OBJ(PGMC) OBJTYPE(*PGM) NEWOWN(WORKAPPS)
CHGPGM PGM(PGMC) USRPRF(*USER)

23

DB2 for i Security Control Levels

• Schema Level
• Table Level
• Column & Row Level

24

DB2 for i Security Control Values

Authority value and the object/data authorities it includes:

*ALL     – *OBJOPR, *OBJMGT, *OBJEXIST, *OBJALTER, *OBJREF, *READ, *ADD, *UPD, *DLT, *EXECUTE
*CHANGE  – *OBJOPR, *READ, *ADD, *UPD, *DLT, *EXECUTE
*USE     – *OBJOPR, *READ, *EXECUTE
*EXCLUDE – (none)

25

DB2 for i Security – Object Authority Definitions

*OBJOPR – Object Operational
  Look at object description and use the object according to the user's data authorities

*OBJEXIST – Object Existence
  Change ownership, Delete object, Free storage, and Save/Restore operations

*OBJMGT – Object Management
  Move or Rename object and Add DB2 Tables
  Superset of *OBJALTER & *OBJREF

*OBJALTER – Object Alter
  Add, Clear, Initialize and Reorganize DB2 Tables, Alter or Change DB2 Tables, Add/Remove Triggers, Change SQL Package attributes

*OBJREF – Object Reference
  Reference DB2 table as parent table in RI Constraint

26

DB2 for i Security - Data Authority Definitions

*READ           Display / view the contents of DB2 table
*ADD            Add new rows to DB2 table
*UPD (Update)   Update existing rows in DB2 table
*DLT (Delete)   Delete existing rows in DB2 table
*EXECUTE        Run Program or Search library

27

DB2 for i Security Control Levels - Schema

• Schema (Library) is a container for all DB2 data objects…
  – Data access can NOT be controlled at Schema-level
  – User profile needs minimum *USE authority to access any object within schema
• Some differences between CREATE SCHEMA & CRTLIB
  – CRTLIB follows QCRTAUT system behavior
  – CREATE SCHEMA only follows QCRTAUT with System Naming (*SYS)

28

DB2 for i Security Control Levels - Table

• Best Practice – Revoke Public access
  – Grant Private Authorities to User Profile, Group Profile, Authorization List
  – Consider forcing all application & user access thru Views/LFs
  – IBM i 7.2 - consider using RCAC (Row and Column Access Control)
• Remember Object Ownership… Owner can do ANY operation on table
  – Avoid assigning object ownership to group profile
  – Non-SQL Interfaces: User profile that creates DB2 object is the owner
  – SQL Interfaces: Depends on Naming Format
    • System Naming (*SYS): same as Non-SQL Interface
    • SQL Naming: Owner of table is the User Profile with the same name as the Schema that the table is created into; if no User Profile matches the Schema name, the System Naming method is used
• Grant & Revoke not supported or needed on SQL Indexes for query optimization

29

DB2 for i Security Control Levels – Row & Column

• Column-Level
  – Views (& LFs) used to prevent sensitive columns from being accessed by specific applications and/or users
  – UDFs can conditionally return column values
  – Use Field Procedure to conditionally mask column values
  – IBM i 7.2 – RCAC masking
• Row-level
  – Subsetting of table data best done with SQL View
  – SQL Table Function can also subset rows
  – IBM i 7.2 – RCAC row restrictions

30

DB2 for i Security Control – View Column Control Example

CREATE TABLE emp_tab (empid INTEGER,
                      empname VARCHAR(30), empsalary DECIMAL(7,2))

REVOKE ALL ON emp_tab FROM user1, hruser1, PUBLIC

CREATE VIEW empview AS
  SELECT empid, empname FROM emp_tab
GRANT INSERT,UPDATE,DELETE,SELECT ON empview TO user1

CREATE VIEW empview_hr AS
  SELECT empid, empname, empsalary FROM emp_tab
GRANT INSERT, UPDATE, DELETE, SELECT ON empview_hr TO hruser1

31

DB2 for i Security Control – View & UDF Example

CREATE FUNCTION protectSal (indept SMALLINT, insalary DECIMAL(7,2))
  RETURNS DECIMAL(7,2)
  LANGUAGE SQL
BEGIN
  DECLARE mymgrflag CHAR(1);
  -- The flag is set only when the current user is the manager of the employee's department
  SELECT '1' INTO mymgrflag FROM staff
    WHERE usrprf = SESSION_USER AND jobtitle = 'Mgr' AND dept = indept;
  IF mymgrflag = '1' THEN
    RETURN insalary;
  ELSE
    RETURN 99999;
  END IF;
END

-- The view restricts rows to the user's own division and routes salary through the UDF;
-- deptno is qualified because both employee and org carry that column
CREATE VIEW secureDept(division, deptname, lname, fname, salary) AS
  SELECT division, deptname, lname, fname,
         protectSal(a.deptno, salary) AS salary
    FROM employee a, org b
   WHERE a.deptno = b.deptno AND division IN
         (SELECT division FROM org c, staff d
           WHERE c.deptno = d.deptno AND emp_userid = SESSION_USER)

32

DB2 Data Protection with Encryption

• Data Transmission Protection
  – TLS/SSL
  – Secure VPN
  – SSH/OpenSSH
  – IBM tape encryption
  – Home-grown encryption
• Disk-level Protection
  – ASP Encryption introduced with IBM i 6.1
  – Requires creation of User ASP or IASP and purchase of Licensed IBM i Program Feature (Option 45 - Encrypted ASP Enablement)
• Column-level protection
  – DB2 7.1 - Field Procedures for Transparent solution

33

Field Procedures and Data Encryption

Allows for transparent encryption or encoding/decoding of data on SQL or native interfaces

Create a CUSTOMER table where the CCNBR column has a FIELDPROC:

  CREATE TABLE CUSTOMER ( NAME VARCHAR(50),
                          ADDRESS VARCHAR(100),
                          CCNBR CHAR(16) FIELDPROC ENCRYPTLIB.ENCRYPTPGM1 )

Alter an existing CUSTOMER table to add a FIELDPROC to the CCNBR column:

  ALTER TABLE CUSTOMER ALTER COLUMN CCNBR SET FIELDPROC ENCRYPTLIB.ENCRYPTPGM1

White Paper: Protecting IBM i data with encryption
  http://www-304.ibm.com/partnerworld/wps/servlet/ContentHandler/whitepaper/ibmi/db2/encryption

Articles:
  Enable Transparent Encryption with DB2 Field Procedures
  www.mcpressonline.com/database/db2/enable-transparent-encryption-with-db2-field-procedures.html
  DB2 Field Procedures Finally Support Conditional Masking
  www.mcpressonline.com/rpg/db2-field-procedures-finally-support-conditional-masking.html

34

FIELDPROC - Transparent Column-Level Encoding and Decoding

[Diagram: Transparent FIELDPROC Encoding & Decoding – a New Order's card number 1111 2222 3333 4444 is encrypted on the way into the table (stored as r3vS#45zt!J9*m$p6) and decrypted back to 1111 2222 3333 4444 on Authorized Access]

35

Security Controls for DB2 for i Tooling

• Good practice to limit the authorities & capabilities of DBAs and DB Engineers
• Some DB2 for i Performance Tools can provide access to sensitive data values (… WHERE cardnum = :hostvar …)
• You can mark some columns as sensitive:
    CALL SYSPROC.SET_COLUMN_ATTRIBUTE ('LIB1', 'ORDERS', 'CCNBR', 'SECURE YES')
  – Sensitive column registration causes DB2 to only capture the real data value for QSECOFR; all other users see ‘*SECURE’
  – Sensitive column registrations can be found in QSYS2/SYSCOLUMNS2
  – DB2 Monitor Files & Plan Cache Snapshots must also be properly secured

36

Security Controls for DB2 for i Tooling…

• Some DB2 for i Tools used to require *JOBCTL special authority
  – Alternative: Function Usage Definitions
    • QIBM_DB_SQLADM – Database Administrator
    • QIBM_DB_SYSMON – Database Information
  – Users enabled to use DB2 tools with CHGFCNUSG command
    • Good practice to use group profiles
    • Examples:
      CHGFCNUSG FCNID(QIBM_DB_SQLADM) USER(DBAUSER1) USAGE(*ALLOWED)
      CHGFCNUSG FCNID(QIBM_DB_SYSMON) USER(DBAGROUP) USAGE(*ALLOWED)
  – Additional Details:
    ibm.com/systems/resources/systems_i_db2_navigator_security_controls.pdf

37

IBM i 7.2 and RCAC

38

DB2 for i - 7.2 Enhancements by role - Security

Security & DB2 for i
  – Column Masks → Deploy “need to know” logic
  – Row Permissions → Simpler, faster security
  – Violation clause for CHECK constraints → Protect data integrity
  – Secure remote journal using SSL → Achieve HA & DR objectives without exposure
  – SQL alternative to CHGOBJOWN → Embrace separation of duty, using SQL
  – Use adopted authority identity within business logic → “Who am I?” conditional code using SQL

Data-Centric Security
  • Comprehensive
  • Auditable
  • Sustainable
  • Scalable
  • Manageable

Data is an asset… what’s your data worth?

39

IBM i 7.2 – Security: Separation of Duties

Before 7.2
In order to grant or revoke privileges, a user must have one of the following:
  1. Object ownership
  2. Object management (*OBJMGT) authority for the specified object. Note: A user with object management authority can grant to other users any authority that the user has, except object management authority
  3. All object (*ALLOBJ) user special authority

Problem: Anyone that has the authority to grant privileges also has the authority to perform operations that require those privileges. If you are allowed to grant the SELECT privilege, you are also allowed to query the data.

IBM i 7.2
A user with security administration function usage (QIBM_DB_SECADM) will be able to grant or revoke privileges on any object to anyone, even if they do not have the SELECT privilege.
This enables the management of security without exposing the data to be read or modified.

Note that:
  • Audit the SECADM users for *SECURITY to ensure they are not granting themselves privileges to access the data
  • Only QSECOFR or someone with *SECADM authority can grant the security administrator function usage.

Should the security administrator be able to access the data within tables to do their job?

40

Granting authority to QIBM_DB_SECADM

• Authorization works the same as QIBM_DB_SQLADM / QIBM_DB_SYSMON
• Authorization to the Database Security Administrator function of IBM i can be assigned through Application Administration in IBM Navigator for i and via the Change Function Usage (CHGFCNUSG) command.
• Navigator → Right click on the connection name and select Application Administration.

41

Security - Separation of Duties

Policy where separate users perform separate duties. Specifically, between security administration, system administration, and object authorities. The DB2 family defines different hierarchical levels of authorities, each with the ability to perform a subset of administrative operations.

Authority – DB2 Family definition – DB2 for i equivalent

SYSADM (System Administrator)
  DB2 Family: Control over all the resources created and maintained by the database manager. Includes SYSCTRL, SYSMAINT, and SYSMON.
  DB2 for i: *SECOFR

SYSCTRL
  DB2 Family: Control over operations that affect system resources. For example, create, update, start and stop an instance. Cannot access data. Includes SYSMON.
  DB2 for i: N/A

SYSMAINT
  DB2 Family: Control over maintenance operations. For example, update the database configuration, back up the database or table space, restore an existing database, and monitor a database. Cannot access data. Includes SYSMON.
  DB2 for i: *SAVRST, etc.

SYSMON
  DB2 Family: Authority to use database system monitor information (LUW only).
  DB2 for i: QIBM_DB_SYSMON

SQLADM
  DB2 Family: Authority to monitor and see potentially sensitive data, such as SQL statement text and audit data (z/OS only).
  DB2 for i: QIBM_DB_SQLADM

DBADM (Database administrator)
  DB2 Family: Administrative authority over a single database. For example, create objects and issue database commands.
  DB2 for i: *SECOFR

SECADM (Security administrator)
  DB2 Family: Administrative authority over a single IBM i partition. Grant & revoke authorities using SQL or IBM i specific interfaces.
  DB2 for i: QIBM_DB_SECADM (7.2)

42

DB2 for i - 7.2 Enhancements by role - Security

New tools in the toolbox…

New SQL Statements for security
  – CREATE PERMISSION
  – ALTER PERMISSION
  – CREATE MASK
  – ALTER MASK
  – ALTER TRIGGER
  – TRANSFER OWNERSHIP

New Built-in Function
  – VERIFY_GROUP_FOR_USER()

New Function Usage ID
  – QIBM_DB_SECADM

New Catalogs
  – QSYS2/SYSCONTROLS
  – QSYS2/SYSCONTROLSDEP

New Journal Entry Types
  For journal code D - Database file:
    M1, M2, M3 for create/drop/alter mask
    P1, P2, P3 for create/drop/alter permission
  For journal code T – Audit trail:
    AX for Row and Column Access Control
    X2 for Query manager profile changes

New Boss Option
  IBM Advanced Data Security for i (Boss option 47) – No Charge

43

DB2 for i 7.2 - RCAC (Row and Column Access Control) terminology

Base Table – The table (physical file) containing business critical data.

Dependent Object – Any object (file, schema, function, or other object) the permission or mask references.

Permission – A row permission defines a row access control rule for rows of a table by setting an SQL search condition that describes the set of rows a user can access. 0 to many permissions allowed per table.

Mask – A column mask defines a column access control rule for a specific column in a table by using an SQL CASE expression that describes what column values a user is permitted to see and under what conditions. 0 or 1 masks allowed per column.

RULETEXT – The expression to be used by the permission (WHERE clause predicates) or mask (selection CASE expression)

44

Row and Column Access Control (RCAC)

IBM Advanced Data Security for i (Boss option 47) – No Charge

CREATE MASK SSN_MASK ON EMPLOYEE FOR COLUMN SSN RETURN
  CASE
    WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1)
      THEN SSN
    WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1)
      THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
    ELSE NULL
  END
ENABLE;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

CREATE PERMISSION PATIENT_TABLE_HMO_PERMISSION ON HOSPITAL.PATIENT_TABLE
  FOR ROWS WHERE
    ((VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1 AND
      HOSPITAL.PATIENT_TABLE.PCP_ID = SESSION_USER) OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCTGROUP') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'RESGROUP') = 1)
  ENFORCED FOR ALL ACCESS
ENABLE;

ALTER TABLE HOSPITAL.PATIENT_TABLE ACTIVATE ROW ACCESS CONTROL;

45

Contrasting DB2 for i - Data Security

Use case                                        Field Procedures             Column Masks        Row Permissions     Views & Logical Files
Supported IBM i OS releases                     7.1, 7.2                     7.2                 7.2                 6.1, 7.1, 7.2
Limit access to some/all data within a column   Yes                          Yes                 No                  Yes
Limit access to rows                            No                           No                  Yes                 Yes
Security logic payload (customer experience)    External program (complex)   SQL rule (simple)   SQL rule (simple)   DDS or SQL (varies)
Software Vendor component                       Townsend Security,           None at this time   None at this time   N/A
                                                Linoma, Enforcive
Data encrypted at rest                          Yes                          No                  No                  No
Data encrypted in journal                       Yes                          No                  No                  No
Masked values apply to selection criteria       Yes                          No                  N/A                 N/A
Data-Centric Solution                           Yes                          Yes                 Yes                 No
Success factors include: Strategy, Tuning &     Yes                          Yes                 Yes                 No
Consulting

46

Contrasting DB2 for i - Data Compliance

Use case                                           Guardium Activity Monitor for DB2 for i   Audit Journal                          Data Journal
Supported IBM i OS releases                        6.1, 7.1, 7.2                             6.1, 7.1, 7.2                          6.1, 7.1, 7.2
Analysis & Reporting                               InfoSphere Guardium                       Security ISVs & InfoSphere Guardium    Security ISVs
Solution infrastructure beyond IBM i               Yes                                       No                                     No
Capture SQL statements                             Yes                                       No                                     No
Capture SQL host variable values and environment   Yes                                       No                                     No
Capture database specific Audit Journal details    Yes                                       Yes                                    No
Capture before and after images of data            No                                        No                                     Yes
Able to track which rows are seen by users         No                                        No                                     No
Success factors include: Strategy, Tuning &        Yes                                       Yes                                    Yes
Consulting

47

IBM Advanced Data Security for i (Boss Option 47)

• Option 47 must be installed to:
  – CREATE PERMISSION and CREATE MASK (RCAC)
  – Open a file that has RCAC activated
• RCAC is applied after checking object authorization requirements
  – If you pass the object authorization check:
    Row permissions reduce the set of rows returned
    Column Masks limit full or partial access to sensitive column data
• RCAC constructs exist within the table (*FILE)
• When ENABLED & ACTIVATED, RCAC is automatically applied by SQE
• RCAC is comprehensive and applies to any interface (Native DB, SQL, RPG, APIs, Commands, etc)

48

Key points with RCAC

• Users may be surprised to see less data!
• Tables which contain enabled RCAC permissions or masks can be restored regardless of whether option 47 is installed.
  – However, if the option is not installed, permissions and masks cannot be created, and tables, views, or indexes which contain active permissions or masks cannot be accessed.

49

RCAC and Triggers

• Triggers are used for database integrity
• RCAC controls are used for securing business critical data
• Enabled row permissions and column masks are not applied to the initial values of transition variables or to transition tables referenced in the trigger body. The trigger program has access to unprotected data.

Secure triggers for row and column access control:
• To balance the needs of integrity and security… the trigger must be created or altered to have the SECURED attribute.
• If a trigger is not secure, RCAC cannot be activated for the target table:
  > ALTER TABLE EMPLOYEE ACTIVATE ROW ACCESS CONTROL

50

RCAC and Functions

• Function invocations are allowed within RCAC rules and provide the ability to create more complex and modularized RCAC rule text logic
• This additional capability adds a level of complexity for the security administrator because the function must be reviewed and approved

Secure functions referenced by row and column access control:
• To balance the need of complex rule logic and security… the function must be created or altered to have the SECURED attribute.
• If a function is not secure, the permission or mask cannot be enabled:
  > ALTER PERMISSION employee_perm1 ENABLE
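As an added example (not from the deck), the two SECURED requirements from the trigger and function charts worked through end to end: a reviewed function referenced by a row permission, an audit trigger on the same protected table, and the ALTER PERMISSION … ENABLE and ACTIVATE ROW ACCESS CONTROL statements that would fail without the attribute. The schema hr, the table, group and column names are assumptions; the placement of SECURED follows DB2 for i 7.2 CREATE FUNCTION / CREATE TRIGGER syntax as assumed here.

```sql
-- Constructed tables for this example (assumed names, not from the deck)
CREATE TABLE hr.dept_manager (
  workdept    CHAR(3)      NOT NULL PRIMARY KEY,
  mgr_profile VARCHAR(128) NOT NULL);            -- IBM i user profile of the manager

CREATE TABLE hr.employee (
  empno    CHAR(6)      NOT NULL PRIMARY KEY,
  lastname VARCHAR(30)  NOT NULL,
  workdept CHAR(3)      NOT NULL,
  salary   DECIMAL(9,2) NOT NULL);

CREATE TABLE hr.salary_audit (
  empno      CHAR(6)      NOT NULL,
  old_salary DECIMAL(9,2),
  new_salary DECIMAL(9,2),
  changed_by VARCHAR(128) NOT NULL,
  changed_at TIMESTAMP    NOT NULL DEFAULT CURRENT TIMESTAMP);

-- Rule logic kept out of the permission text so the security administrator
-- reviews it once. SECURED records that review; without it the permission
-- below cannot be enabled. Not DETERMINISTIC: the result depends on SESSION_USER.
CREATE OR REPLACE FUNCTION hr.can_see_dept (indept CHAR(3))
  RETURNS INTEGER
  LANGUAGE SQL
  SECURED
  READS SQL DATA
  NO EXTERNAL ACTION
BEGIN
  DECLARE mgr_rows INTEGER DEFAULT 0;
  -- HRTEAM group members (assumed group profile) see every department
  IF VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRTEAM') = 1 THEN
    RETURN 1;
  END IF;
  -- A manager sees the department they are registered for
  SELECT COUNT(*) INTO mgr_rows FROM hr.dept_manager m
    WHERE m.workdept = indept AND m.mgr_profile = SESSION_USER;
  RETURN CASE WHEN mgr_rows > 0 THEN 1 ELSE 0 END;
END;

-- Row permission that references the function. Created DISABLE and enabled
-- only after the function it depends on carries SECURED.
CREATE OR REPLACE PERMISSION hr.employee_dept_perm ON hr.employee
  FOR ROWS WHERE hr.can_see_dept(workdept) = 1
  ENFORCED FOR ALL ACCESS
  DISABLE;

-- The trigger body sees the unprotected before/after images (transition
-- variables), so it must also be SECURED before RCAC can be activated.
CREATE OR REPLACE TRIGGER hr.employee_salary_audit
  AFTER UPDATE OF salary ON hr.employee
  REFERENCING OLD AS o NEW AS n
  FOR EACH ROW
  SECURED
  INSERT INTO hr.salary_audit (empno, old_salary, new_salary, changed_by)
    VALUES (n.empno, o.salary, n.salary, SESSION_USER);

-- Both statements are rejected while the function or trigger is NOT SECURED;
-- with the attribute in place they succeed and SQE applies the rule on every
-- interface (SQL, native, RPG, commands).
ALTER PERMISSION hr.employee_dept_perm ENABLE;
ALTER TABLE hr.employee ACTIVATE ROW ACCESS CONTROL;
```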

51

Separation of Duty & DB2 for i - Use case exploration

Meet the users:

• MARYSEC – A Security Officer responsible for granting and revoking security, including data security
    CRTUSRPRF USRPRF(MARYSEC) PASSWORD(xxxxxxxx) USRCLS(*SECOFR) TEXT('Security Officer')
    GRTOBJAUT OBJ(<data-libraries>) OBJTYPE(*LIB) USER(MARYSEC) AUT(*USE)
    CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(MARYSEC) USAGE(*ALLOWED)

• FRANKDBA – A Database Administrator with authority to do everything but change security settings
    CRTUSRPRF USRPRF(FRANKDBA) PASSWORD(xxxxxxxx) USRCLS(*USER) TEXT('Database Administrator') SPCAUT(*ALLOBJ *JOBCTL *SAVSYS *SPLCTL)

• JOEUSER – An end user with no special authority
    CRTUSRPRF USRPRF(JOEUSER) PASSWORD(xxxxxxxx) USRCLS(*USER) TEXT('User with no special authorities')

52

Separation of Duty & DB2 for i - Use case exploration

create or replace variable toystore22.job_title char()
  DEFAULT (select JOB_TITLE from toystore22.vemp where USER_PROFILE_NAME = USER);
create or replace variable toystore22.work_department char(3)
  DEFAULT (select WORKDEPT from toystore22.vemp where USER_PROFILE_NAME = USER);

grant read on variable toystore22.job_title to public;
grant read on variable toystore22.work_department to public;

create or replace permission toystore22.permission_project_byUser on toystore22.project
  for rows where
    (toystore22.job_title = 'IT SEC' AND DEPTNO <> 'E21') OR
    (toystore22.job_title = 'IT ADM') OR
    (toystore22.job_title = 'APP TEAM' AND DEPTNO = toystore22.work_department)
  enforced for all access enable;

alter table toystore22.project activate row access control;

59

Separation of Duty & DB2 for i - Use case exploration

• Masking salary detail in general
• Allow the HRTEAM group profile members to see all data
• Allow a manager to see their employees' data

create or replace variable toystore22.manager_of_department char(3)
  DEFAULT (select DEPTNO from toystore22.vdept
            where MGRNO = (select EMPNO FROM toystore22.vemp
                            WHERE USER_PROFILE_NAME = USER));

grant read on variable toystore22.manager_of_department to public;

CREATE OR REPLACE MASK toystore22.salary_mask ON toystore22.employee FOR COLUMN salary
RETURN CASE
  WHEN VERIFY_GROUP_FOR_USER(SESSION_USER,'HRTEAM') = 1 THEN salary
  WHEN WORKDEPT = toystore22.manager_of_department THEN salary
  ELSE 99999999.99
END
ENABLE

60

Separation of Duty & DB2 for i - Use case exploration

� JOEUSER is the manager of dept ‘E11’

select lastname, salary, workdept

from toystore22.employee a

order by workdept desc, lastname asc
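The deck shows the result of this query only as a screenshot. The following added example (not code from the presentation or from IBM) replays the mask's CASE expression inside a real SQL engine so the result set can be inspected for three kinds of session user: the department manager JOEUSER, an HRTEAM member, and an unrelated user. sqlite stands in for DB2 for i, the employee rows, the HRUSER/HRTEAM membership and the JOEUSER-manages-E11 mapping are constructed, and SESSION_USER, VERIFY_GROUP_FOR_USER and the global variable are replaced by registered Python functions because sqlite has none of them. It also exercises the edge case the slide relies on but does not spell out: for a non-manager the variable's DEFAULT subselect yields NULL, so WORKDEPT = NULL is never true and the row falls through to the ELSE branch.

```python
import sqlite3

# Constructed sample data (not from the deck): employees in two departments.
EMPLOYEES = [
    # EMPNO,   LASTNAME,    WORKDEPT, SALARY
    ("000090", "HENDERSON", "E11", 89750.00),
    ("000280", "SCHNEIDER", "E11", 36250.00),
    ("000320", "MEHTA",     "E21", 39950.00),
    ("000100", "SPENSER",   "E21", 86150.00),
]
# Constructed: which user profile manages which department (the deck: JOEUSER manages 'E11').
MANAGERS = {"JOEUSER": "E11"}
# Constructed: group profile membership (HRUSER is a hypothetical member of HRTEAM).
GROUPS = {"HRUSER": {"HRTEAM"}}

MASKED = 99999999.99  # the mask's ELSE value from the deck


def masked_salaries(session_user):
    """Evaluate the deck's salary-mask CASE logic for one session user.

    Returns (lastname, salary, workdept) rows in the same order as the slide-60 query.
    sqlite is a stand-in for DB2 for i; it has no RCAC, so the mask becomes a view.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (empno TEXT, lastname TEXT, workdept TEXT, salary REAL)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)

    # Stand-ins for the DB2 for i built-ins used by the mask.
    conn.create_function("session_user", 0, lambda: session_user)
    conn.create_function(
        "verify_group_for_user", 2,
        lambda user, group: 1 if group in GROUPS.get(user, set()) else 0,
    )
    # Stand-in for the global variable toystore22.manager_of_department:
    # NULL (Python None) for anyone who is not a manager, like the DEFAULT subselect.
    conn.create_function("manager_of_department", 0, lambda: MANAGERS.get(session_user))

    # Same CASE expression as the deck's CREATE MASK, applied through a view.
    conn.execute("""
        CREATE VIEW employee_masked AS
        SELECT lastname, workdept,
               CASE
                 WHEN verify_group_for_user(session_user(), 'HRTEAM') = 1 THEN salary
                 WHEN workdept = manager_of_department() THEN salary   -- NULL for non-managers
                 ELSE 99999999.99
               END AS salary
        FROM employee
    """)
    rows = conn.execute(
        "SELECT lastname, salary, workdept FROM employee_masked "
        "ORDER BY workdept DESC, lastname ASC"
    ).fetchall()
    conn.close()
    return rows


def visible_count(session_user):
    """Number of rows whose real salary the given session user can see."""
    return sum(1 for _, salary, _ in masked_salaries(session_user) if salary != MASKED)


if __name__ == "__main__":
    for user in ("JOEUSER", "HRUSER", "OTHERUSER"):
        print(f"--- as {user} ({visible_count(user)} unmasked rows)")
        for lastname, salary, workdept in masked_salaries(user):
            print(f"{lastname:<10} {salary:>12.2f} {workdept}")
```

Run as-is: JOEUSER sees real salaries only for the two E11 rows, HRUSER sees all four, and OTHERUSER sees 99999999.99 everywhere. Because the mask is evaluated per row against the session user, no application code and no separate "masked" table are needed, which is the point of the deck's approach.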


61

Special registers – similar names, different purposes

USER this, USER that… which one should I use?

Special Register               Definition

USER or SESSION_USER           The effective user of the thread is returned.

CURRENT USER or CURRENT_USER   The most recently adopted authorization ID within the thread is returned. When no adopted authority has occurred, the effective user of the thread is returned.

SYSTEM_USER                    The authorization ID that initiated the connection is returned.


62

Other security oriented SQL statements

TRANSFER OWNERSHIP

– SQL statement that is similar to the CL command CHGOBJOWN

– Operation can be run under commitment control and rolled back

TRANSFER OWNERSHIP OF TABLE mjatst.t1 TO USER paul PRESERVE PRIVILEGES

Grant to GROUP and USER

– Compatibility with DB2 Family

– The USER / GROUP keyword identifies whether the ID is a group or a user

GRANT ALL ON council TO USER frank WITH GRANT OPTION

GRANT ALL ON council TO GROUP marketing WITH GRANT OPTION


63

Summary

� Define a security policy

� Implement DB2 for i object-level security

� Implement Row and Column level security as appropriate

� Consider encryption of sensitive data


64

Resources

� IBM STG Lab Services Security Team

� IBM i InfoCenter

– IBM i Security Reference

– DB2 SQL Reference (http://ibm.com/systems/i/db2/books.html)

� DB2 for i developerWorks Forum

https://www.ibm.com/developerworks/forums/forum.jspa?forumID=292

� Articles & White papers

– DB2 Data Protection Essentials

http://systeminetwork.com/article/db2-data-protection-options-and-essentials

– IBM i Encryption White Paper

ibm.com/partnerworld/wps/servlet/ContentHandler/partnerworld/wps/servlet/ContentHandler/whitepaper/i5os/db2_data/encryption

– Field Procedures

http://mcpressonline.com/database/db2/enable-transparent-encryption-with-db2-field-procedures.html

� RCAC Redbook/Redpiece coming in 2014


65

Thank you!


66

Monitoring Tools


67

Compliance Monitoring – Compliance to What?

Company Policy and/or Standards

These should define how systems are to be built, maintained, monitored, and interacted with by their custodians and users. Another way of thinking about it: they are a Service Level Agreement (SLA) between Owners, Management and the people they have hired to "work" the business. Owners and Management derive a "sense of security" from knowing that their employees are managing the business according to this agreement. Owners and Management must be involved in the creation and maintenance of these documents. Compliance monitoring, then, is simply demonstrating that the employees (and management) are doing what they have been hired to do.

21 May 2014


68


IBM InfoSphere Guardium V9 – DB2 for i as a data source

� New DB2 for i support with November 2012 Database Group PTFs for IBM i 6.1 & 7.1

– Guardium appliance receives IBM i centric data

• SQL statements & variables

• Audit entries from QSYS/QAUDJRN

– Extensive and meaningful filters

– Track the most privileged users

• Real-time data collection & alert capability

– Secure logging

– Heterogeneous, cross-DBMS solution

� Real-time Database Protection and Compliance

– Granular, real-time policies & auditing

• Who, what, when, where, how

– Proactive security (e.g. alerts signal changes to critical tables)

– Simplified compliance process: HIPAA, PCI, SOX, …

– No DBMS or application changes


69


Guardium using DB2 for i as a data source

Collected Audit Journal & SQL information is streamed to the InfoSphere Guardium appliance

� Continuous monitoring of all database activities

– Global SQL Monitor using a View & Instead of Trigger captures SQL information

– Audit server job receives QAUDJRN audit entries and puts them on a Unix queue

� Additional details: ibm.com/developerworks/ibmi/library/i-infosphere_guardium_db2/index.html


70

PowerSC Tools for IBM i – Compliance Assessment and Reporting

Provides enterprise and system compliance monitoring of security

IBM i Lab Services - ibm.com/systems/services/labservices - [email protected]

Service Overview: Rapid security analysis of your IBM i system(s) providing dashboard observation and reporting on key areas of security concern

Automated tool checks and reports hundreds of parameters in an IBM i environment

Key Features:

Profile Analysis:

� Special Authorities / Inherited Privileges

� Group Profiles / Ambiguous Profiles

� Default Passwords / Password Expiration

� Inactive Accounts

� *PUBLICLY and Privately Authorized Profiles

� Initial Programs, Menus, and Attention Programs

� Command Line Access

Administration / Configuration Settings:

� System Values / Audit Control Settings

� Invalid Signon attempts

� Work Management Analysis

� DDM Password Requirements / SST Security

� Registered Exit Points / Function Usage

� Library Analysis / *ALLOBJ Inheritance

Network Settings:

� Network attributes

� NetServer Configuration

� TCP/IP servers / Autostart values

� APPN Configuration / Server Authentication

� Listening ports / Network Encryption

� IP Datagram Forwarding / IP Source Routing

� Digital Certificate Expiration

� SSH / SSL Configuration

Service Benefits:

� Reduces cost and time involved in running system security checks

� Can minimize potential user errors that cause system exposures

� Offers an opportunity to review systems for security breaches and take action to address the issue

� Provides a new level of report automation and user interface that makes the tool easy-to-use, fast and accurate

� Easy enough to use that you can deploy it and, with your skills, a Business Partner's skills, or Lab Services' skills, address any findings discovered.


71

Trademarks and Disclaimers

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Prices are suggested U.S. list prices and are subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.