© 2014 IBM Corporation
IBM Power Systems
Database Security Essentials
Rob Bestgen [email protected]
DB2 for i Center of Excellence
Who is the DB2 for i Center of Excellence?
An experienced IBM Team delivering:
• Product Offerings Developed through Engagements
• Briefings, consulting and guidance on demand
• IBM i for Business Intelligence Installation Services
• DB2 Web Query Getting Started Services
• Query/400 Modernization Services
• DB2 for i Modernization Workshop(s)
• DB2 for i SQL Performance Workshop
• DB2 for i SQL Performance Health Check
• DB2 for i Very Large Database (VLDB) Assessment
• DB2 for i remote database administration and engineer services
For more information, contact Mike Cain ([email protected]) or Doug Mack ([email protected])
Is Database Security Needed?
• Privacy Rights Clearinghouse reports over 867 million data records compromised in 4274 incidents since 2005
– http://www.privacyrights.org/ar/data-breach
– And that is only what was reported!
• Only large companies? Information Week states that small and mid-sized businesses (SMBs) were the victims in 40% of all data breaches last year
• Forrester Research estimates the cost to remediate a data breach at $90-305 per record
Is Database Security Needed?
• Data is not just Information, but an ASSET
– What's it worth?
– Secured like other business assets?
• Because Data is an Asset, securing data needs to be a regular cost of doing business
The Compliance Mandate
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
Database Security Fundamentals
• Security Policy
– No policy, no plan for securing data
– No policy, no measurement
– No policy, expensive audits
• Resource Security
– Prevents data breaches from internal & external intrusions
– Closely tied to Security Policy definition
Security Policy Fundamentals
• Policy creation
– IT Staff should Help, NOT Drive – Corporate leaders are legally responsible
– Learn which government & industry regulations apply (PCI, HIPAA, etc.)
– Write and maintain policy
• Policy implementation
– Turn the policy into practice
  • Which data can be changed and/or accessed
  • Who can change and/or access data
– Ensure that IT assets remain correctly configured
• Compliance audits
– Explaining to auditors why the policy is compliant
– Showing that the policy is followed
– Responding to auditor change requests
DB2 for i – Current Security State
[Diagram: middleware (ODBC, .NET, JDBC, …), query tools and management tools all connecting to DB2 for i]
DB2 for i – Current Security State with Exit Points
[Diagram: middleware (ODBC, .NET, JDBC, …), query tools and management tools all connecting to DB2 for i]
DB2 for i – Desired Security State
[Diagram: middleware (ODBC, .NET, JDBC, …), query tools and management tools all connecting to DB2 for i]
DB2 for i Resource Security Fundamentals
• Determine how data needs to be protected
– Everyone can update !?!?
– Everyone can read, authorized users can update
– No one can access by default, authorized users given access
• Approaches
– Private Authorities
– Adopted Authorities
– IBM i 7.2 – Separation of Duties
Private Authority Fundamentals
• Step #1 – Limit number of *ALLOBJ special authority users
– No direct control to prevent *ALLOBJ user from accessing object
• Step #2 – Tighten down *PUBLIC authority
– QCRTAUT System Value controls default behavior
– SQL interfaces can have different behavior
  • *SQL Naming – *PUBLIC given *EXCLUDE
  • *SYS Naming – follows QCRTAUT model
• Step #3 – Consider granularity of private authorities
– Individual user profiles
– Group profiles
– Authorization lists
– Adopted authority
– Separation of Duties (v7.2)
IBM i Authority Verification Order
• Ignoring *ALLOBJ authority, IBM i verifies a user's authority to an object in the following order:
1. Check User – private authority, then authorization list
2. Check Groups – private authority, then authorization list
3. Check *PUBLIC – private authority, then authorization list
4. Check for Adopted Authority
Private Authority Interfaces
• System commands
– EDTOBJAUT
– GRTOBJAUT
– CHGAUT
• SQL Statements
– GRANT
– REVOKE
– SQL has no interface for Authorization List
– RCAC (v7.2)
Private Authority – Group Profiles
• Group profiles can simplify administration of private authorities
– Authorities granted to groups of similar users
– Group profiles often created by department or business role (help desk, teller, …)
– All users in the group have same authority to the DB2 object
– Credentials for an individual user & group profile are NOT additive
– If user profile belongs to many groups, the group authorities are additive
– Best practices
  • Individual user profiles have no private authorities for DB2 object
  • Create group profile with Password(*NONE), Status(*DISABLED), INLMNU(*SIGNOFF)
  • Improve performance using CHGOBJPGP command
Private Authorities – Group Profiles Example
/* Create "group" user profiles */
CRTUSRPRF USRPRF(GPSALES) PASSWORD(*NONE) STATUS(*DISABLED) INLMNU(*SIGNOFF)
CRTUSRPRF USRPRF(GPPAY) PASSWORD(*NONE) STATUS(*DISABLED) INLMNU(*SIGNOFF)
/* Add user profiles to the groups */
CHGUSRPRF USRPRF(APPUSER1) GRPPRF(GPSALES)
CHGUSRPRF USRPRF(APPUSER2) GRPPRF(GPPAY)
…
CHGUSRPRF USRPRF(APPUSER3) GRPPRF(GPSALES) SUPGRPPRF(GPPAY)
/* Authorize group profiles to DB2 tables */
GRTOBJAUT OBJ(PAYTAB) OBJTYPE(*FILE) USER(GPPAY) AUT(*USE)
GRTOBJAUT OBJ(SALESTB) OBJTYPE(*FILE) USER(GPSALES) AUT(*CHANGE)
/* SQL version of granting table access to group profiles */
GRANT SELECT ON paytab TO gppay
GRANT SELECT, INSERT, UPDATE, DELETE ON salestb TO gpsales
Private Authority – Authorization Lists
• Authorization lists also simplify administration of private authorities
– Provide method to group objects with similar security requirements
– Authorization lists enable authorities to be changed even when DB2 objects are open
– Different, not necessarily better than group profiles
– Authorization lists can reference group profiles
[Diagram: authorization list DW_AUTL with entries DWADMIN *CHANGE, ETL_GRP *CHANGE, RPT_GRP *USE and *PUBLIC *EXCLUDE, securing the tables ITEM_FACT, SALES_DIM and DATE_DIM]
Private Authorities – Authorization List Example
/* Create authorization list */
CRTAUTL AUTL(DW_AUTL) AUT(*EXCLUDE)
/* Associate tables with authorization list */
GRTOBJAUT OBJ(ITEM_FACT) OBJTYPE(*FILE) AUTL(DW_AUTL)
GRTOBJAUT OBJ(SALES_DIM) OBJTYPE(*FILE) AUTL(DW_AUTL)
GRTOBJAUT OBJ(DATE_DIM) OBJTYPE(*FILE) AUTL(DW_AUTL)
/* Give users access to the authorization list */
ADDAUTLE AUTL(DW_AUTL) USER(DWADMIN) AUT(*CHANGE)
ADDAUTLE AUTL(DW_AUTL) USER(ETL_GRP) AUT(*CHANGE)
ADDAUTLE AUTL(DW_AUTL) USER(RPT_GRP) AUT(*USE)
Adopted Authority Approach
• Used to temporarily give "extra" authority to a user by augmenting with program owner authorities
– CRTPGM/CHGPGM USRPRF parameter
– SQL Interface support (next chart)
– Swap Profile API Set (QSYGETPH, QWTSETP, QSYRLSPH)
• Benefits
– Reduce number of authority grants for individual profiles
– Can force all data access to be done with program calls
• Tradeoffs
– Extra authority in effect as long as program is on the call stack
  • Watch command line access
  • CHGPGM USEADPAUT(*NO) to minimize authority propagation
– "Direct" data access interfaces not a good fit
Adopted Authority Approach – SQL Considerations
SQL executable objects can use adopted authority:
• By default, SQL naming mode adopts the executable object's authority for static SQL statements, BUT does not adopt it for dynamic SQL
• System naming by default follows IBM i rules
• Default behavior can be overridden using the DYNUSRPRF and USRPRF keywords:
  • Embedded SQL – pre-compiler parameters, or SET OPTION in the language source
  • SQL functions, procedures and triggers – SET OPTION in the SQL CREATE and ALTER statements
Adopted Authority Approach Example
[Diagram: user JANE calls pgmA, pgmA calls pgmB, pgmB calls pgmC; the user profiles checked for authority at each level of the call stack are listed below]
Program | Owner    | USRPRF | USEADPAUT | Checked user profiles
pgmA    | WORKAPPS | *OWNER |           | JANE, WORKAPPS
pgmB    | SECTEAM  | *OWNER |           | JANE, WORKAPPS, SECTEAM
pgmC    | WORKAPPS | *USER  | *NO       | JANE
Adopted Authority Approach Example
/* Authorize program owners to access DB2 tables */
GRTOBJAUT OBJ(WORKTAB) OBJTYPE(*FILE) USER(WORKAPPS) AUT(*CHANGE)
GRTOBJAUT OBJ(EMPTAB) OBJTYPE(*FILE) USER(SECTEAM) AUT(*CHANGE)
RVKOBJAUT OBJ(WORKTAB) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
RVKOBJAUT OBJ(EMPTAB) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
/* SQL version of Grant & Revoke for Program Owners (EMPTAB belongs to SECTEAM, matching the CL version) */
GRANT ALL ON worktab TO workapps
GRANT ALL ON emptab TO secteam
REVOKE ALL ON worktab, emptab FROM PUBLIC
/* Get Program objects ready: set the owner, then the adopt attribute */
CHGOBJOWN OBJ(PGMA) OBJTYPE(*PGM) NEWOWN(WORKAPPS)
CHGPGM PGM(PGMA) USRPRF(*OWNER)
CHGOBJOWN OBJ(PGMB) OBJTYPE(*PGM) NEWOWN(SECTEAM)
CHGPGM PGM(PGMB) USRPRF(*OWNER)
CHGOBJOWN OBJ(PGMC) OBJTYPE(*PGM) NEWOWN(WORKAPPS)
CHGPGM PGM(PGMC) USRPRF(*USER)
DB2 for i Security Control Levels
• Schema Level
• Table Level
• Column & Row Level
DB2 for i Security Control Values
Authority | *OBJOPR | *OBJMGT | *OBJEXIST | *OBJALTER | *OBJREF | *READ | *ADD | *UPD | *DLT | *EXECUTE
*ALL      |    X    |    X    |     X     |     X     |    X    |   X   |  X   |  X   |  X   |    X
*CHANGE   |    X    |         |           |           |         |   X   |  X   |  X   |  X   |    X
*USE      |    X    |         |           |           |         |   X   |      |      |      |    X
*EXCLUDE  |         |         |           |           |         |       |      |      |      |
DB2 for i Security – Object Authority Definitions
*OBJOPR – Object Operational: Look at the object description and use the object according to the data authorities the user has
*OBJEXIST – Object Existence: Change ownership, delete object, free storage, and save/restore operations
*OBJMGT – Object Management: Move or rename object and add DB2 tables; superset of *OBJALTER & *OBJREF
*OBJALTER – Object Alter: Add, clear, initialize and reorganize DB2 tables; alter or change DB2 tables; add/remove triggers; change SQL package attributes
*OBJREF – Object Reference: Reference DB2 table as parent table in an RI constraint
DB2 for i Security - Data Authority Definitions
*READ – Display / view the contents of DB2 table
*ADD – Add new rows to DB2 table
*UPD (Update) – Update existing rows in DB2 table
*DLT (Delete) – Delete existing rows in DB2 table
*EXECUTE – Run program or search library
DB2 for i Security Control Levels - Schema
• Schema (Library) is a container for all DB2 data objects…
– Data access can NOT be controlled at Schema-level
– User profile needs minimum *USE authority to access any object within schema
• Some differences between CREATE SCHEMA & CRTLIB
– CRTLIB follows QCRTAUT system behavior
– CREATE SCHEMA only follows QCRTAUT with System Naming (*SYS)
DB2 for i Security Control Levels - Table
• Best Practice – Revoke Public access
– Grant Private Authorities to User Profile, Group Profile, Authorization List
– Consider forcing all application & user access thru Views/LFs
– IBM i 7.2 – consider using RCAC (Row and Column Access Control)
• Remember Object Ownership… Owner can do ANY operation on table
– Avoid assigning object ownership to group profile
– Non-SQL Interfaces: User profile that creates DB2 object is the owner
– SQL Interfaces: Depends on Naming Format
  • System Naming (*SYS): same as Non-SQL Interface
  • SQL Naming: Owner of table is the User Profile with the same name as the Schema the table is created into; if no User Profile matches the Schema name, the System Naming method is used
• Grant & Revoke not supported or needed on SQL Indexes for query optimization
DB2 for i Security Control Levels – Row & Column
• Column-Level
– Views (& LFs) used to prevent sensitive columns from being accessed by specific applications and/or users
– UDFs can conditionally return column values
– Use Field Procedure to conditionally mask column values
– IBM i 7.2 – RCAC masking
• Row-level
– Subsetting of table data best done with SQL View
– SQL Table Function can also subset rows
– IBM i 7.2 – RCAC row restrictions
DB2 for i Security Control – View Column Control Example
CREATE TABLE emp_tab (empid INTEGER,
empname VARCHAR(30), empsalary DECIMAL(7,2))
REVOKE ALL ON emp_tab FROM user1, hruser1, PUBLIC
CREATE VIEW empview AS
SELECT empid, empname FROM emp_tab
GRANT INSERT,UPDATE,DELETE,SELECT ON empview TO user1
CREATE VIEW empview_hr AS
SELECT empid, empname, empsalary FROM emp_tab
GRANT INSERT, UPDATE, DELETE, SELECT ON empview_hr TO hruser1
DB2 for i Security Control – View & UDF Example
-- The function is created first because the view references it
CREATE FUNCTION protectSal (indept SMALLINT, insalary DECIMAL(7,2))
  RETURNS DECIMAL(7,2)
  LANGUAGE SQL
BEGIN
  DECLARE mymgrflag CHAR(1) DEFAULT '0';
  -- flag is '1' only when the caller is a manager of the employee's department
  SELECT '1' INTO mymgrflag FROM staff
    WHERE usrprf = SESSION_USER AND jobtitle = 'Mgr' AND dept = indept;
  IF mymgrflag = '1' THEN
    RETURN insalary;
  ELSE
    RETURN 99999;
  END IF;
END;

CREATE VIEW secureDept (division, deptname, lname, fname, salary) AS
  SELECT division, deptname, lname, fname,
         protectSal(a.deptno, salary) AS salary
  FROM employee a, org b
  WHERE a.deptno = b.deptno AND division IN
    (SELECT division FROM org c, staff d
     WHERE c.deptno = d.deptno AND emp_userid = SESSION_USER);
DB2 Data Protection with Encryption
• Data Transmission Protection
– TLS/SSL
– Secure VPN
– SSH/OpenSSH
– IBM tape encryption
– Home-grown encryption
• Disk-level Protection
– ASP Encryption introduced with IBM i 6.1
– Requires creation of User ASP or IASP and purchase of Licensed IBM i Program Feature (Option 45 - Encrypted ASP Enablement)
• Column-level protection
– DB2 7.1 - Field Procedures for Transparent solution
Field Procedures and Data Encryption
Allows for transparent encryption or encoding/decoding of data on SQL or native interfaces.
Create a CUSTOMER table where the CCNBR column has a FIELDPROC:
CREATE TABLE CUSTOMER ( NAME VARCHAR(50), ADDRESS VARCHAR(100),
  CCNBR CHAR(16) FIELDPROC ENCRYPTLIB.ENCRYPTPGM1 )
Alter an existing CUSTOMER table to add a FIELDPROC to the CCNBR column:
ALTER TABLE CUSTOMER ALTER COLUMN CCNBR SET FIELDPROC ENCRYPTLIB.ENCRYPTPGM1
White Paper: Protecting IBM i data with encryption – http://www-304.ibm.com/partnerworld/wps/servlet/ContentHandler/whitepaper/ibmi/db2/encryption
Articles:
– Enable Transparent Encryption with DB2 Field Procedures – www.mcpressonline.com/database/db2/enable-transparent-encryption-with-db2-field-procedures.html
– DB2 Field Procedures Finally Support Conditional Masking – www.mcpressonline.com/rpg/db2-field-procedures-finally-support-conditional-masking.html
FIELDPROC - Transparent Column-Level Encoding and Decoding
[Diagram: transparent FIELDPROC encoding & decoding. A new order's card number 1111 2222 3333 4444 is encrypted by the field procedure on the way in and stored as an opaque encoded value; an authorized access decrypts it back to 1111 2222 3333 4444 on the way out]
Security Controls for DB2 for i Tooling
• Good practice to limit the authorities & capabilities of DBAs and DB Engineers
• Some DB2 for i Performance Tools can provide access to sensitive data values (… WHERE cardnum = :hostvar …)
• You can mark some columns as sensitive:
CALL SYSPROC.SET_COLUMN_ATTRIBUTE ('LIB1', 'ORDERS', 'CCNBR', 'SECURE YES')
– Sensitive column registration causes DB2 to capture the real data value only for QSECOFR; all other users see '*SECURE'
– Sensitive column registrations can be found in QSYS2/SYSCOLUMNS2
– DB2 Monitor Files & Plan Cache Snapshots must also be properly secured
Security Controls for DB2 for i Tooling…
• Some DB2 for i Tools used to require *JOBCTL special authority
– Alternative: Function Usage Definitions
  • QIBM_DB_SQLADM – Database Administrator
  • QIBM_DB_SYSMON – Database Information
– Users are enabled to use DB2 tools with the CHGFCNUSG command
• Good practice to use group profiles
• Examples:
CHGFCNUSG FCNID(QIBM_DB_SQLADM) USER(DBAUSER1) USAGE(*ALLOWED)
CHGFCNUSG FCNID(QIBM_DB_SYSMON) USER(DBAGROUP) USAGE(*ALLOWED)
– Additional Details: ibm.com/systems/resources/systems_i_db2_navigator_security_controls.pdf
DB2 for i - 7.2 Enhancements by role - Security
Security & DB2 for i
– Column Masks → Deploy "need to know" logic
– Row Permissions → Simpler, faster security
– Violation clause for CHECK constraints → Protect data integrity
– Secure remote journal using SSL → Achieve HA & DR objectives without exposure
– SQL alternative to CHGOBJOWN → Embrace separation of duty, using SQL
– Use adopted authority identity within business logic → "Who am I?" conditional code using SQL
Data-Centric Security
• Comprehensive
• Auditable
• Sustainable
• Scalable
• Manageable
Data is an asset… what's your data worth?
IBM i 7.2 – Security: Separation of Duties
Before 7.2
In order to grant or revoke privileges, a user must have one of the following:
1. Object ownership
2. Object management (*OBJMGT) authority for the specified object. Note: A user with object management authority can grant to other users any authority that the user has, except object management authority
3. All object (*ALLOBJ) user special authority
Problem: Anyone that has the authority to grant privileges also has the authority to perform operations that require those privileges. If you are allowed to grant the SELECT privilege, you are also allowed to query the data.
IBM i 7.2
A user with security administration function usage (QIBM_DB_SECADM) will be able to grant or revoke privileges on any object to anyone, even if they do not have the SELECT privilege.
This enables the management of security without exposing the data to be read or modified.
Note that:
• Audit the SECADM users for *SECURITY to ensure they are not granting themselves privileges to access the data
• Only QSECOFR or someone with *SECADM authority can grant the security administrator function usage.
Should the security administrator be able to access the data within tables to do their job?
Granting authority to QIBM_DB_SECADM
• Authorization works the same as QIBM_DB_SQLADM / QIBM_DB_SYSMON
• Authorization to the Database Security Administrator function of IBM i can be assigned through Application Administration in IBM Navigator for i and via the Change Function Usage (CHGFCNUSG) command.
• Navigator: right click on the connection name and select Application Administration.
Security - Separation of Duties
Policy where separate users perform separate duties, specifically between security administration, system administration, and object authorities. The DB2 family defines different hierarchical levels of authorities, each with the ability to perform a subset of administrative operations.
Authority | DB2 Family | DB2 for i
SYSADM (System Administrator) | Control over all the resources created and maintained by the database manager. Includes SYSCTRL, SYSMAINT, and SYSMON. | *SECOFR
SYSCTRL | Control over operations that affect system resources. For example, create, update, start and stop an instance. Cannot access data. Includes SYSMON. | N/A
SYSMAINT | Control over maintenance operations. For example, update the database configuration, backup the database or table space, restore an existing database, and monitor a database. Cannot access data. Includes SYSMON. | *SAVRST, etc.
SYSMON | Authority to use database system monitor information (LUW only). | QIBM_DB_SYSMON
SQLADM | Authority to monitor and see potentially sensitive data, such as SQL statement text and audit data (z/OS only). | QIBM_DB_SQLADM
DBADM (Database administrator) | Administrative authority over a single database. For example, create objects and issue database commands. | *SECOFR
SECADM (Security administrator) | Administrative authority over a single IBM i partition. Grant & revoke authorities using SQL or IBM i specific interfaces. | QIBM_DB_SECADM (7.2)
DB2 for i - 7.2 Enhancements by role - Security
New tools in the toolbox…
New Catalogs
– QSYS2/SYSCONTROLS
– QSYS2/SYSCONTROLSDEP
New Journal Entry Types
For journal code D – Database file:
– M1, M2, M3 for create/drop/alter mask
– P1, P2, P3 for create/drop/alter permission
For journal code T – Audit trail:
– AX for Row and Column Access Control
– X2 for Query manager profile changes
New Boss Option
– IBM Advanced Data Security for i (Boss option 47) – No Charge
New SQL Statements for security
– CREATE PERMISSION
– ALTER PERMISSION
– CREATE MASK
– ALTER MASK
– ALTER TRIGGER
– TRANSFER OWNERSHIP
New Built-in Function
– VERIFY_GROUP_FOR_USER()
New Function Usage ID
– QIBM_DB_SECADM
DB2 for i 7.2 - RCAC (Row and Column Access Control) terminology
Base Table – The table (physical file) containing business critical data.
Dependent Object – Any object (file, schema, function, or other object) the permission or mask references.
Permission – A row permission defines a row access control rule for rows of a table by setting an SQL search condition that describes the set of rows a user can access. 0 to many permissions allowed per table.
Mask – A column mask defines a column access control rule for a specific column in a table by using an SQL CASE expression that describes what column values a user is permitted to see and under what conditions. 0 or 1 masks allowed per column.
RULETEXT – The expression to be used by the permission (WHERE clause predicates) or mask (selection CASE expression).
Row and Column Access Control (RCAC)
CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1)
           THEN SSN
         WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1)
           THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
         ELSE NULL
    END
  ENABLE;
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

IBM Advanced Data Security for i (Boss option 47) – No Charge

CREATE PERMISSION PATIENT_TABLE_HMO_PERMISSION ON HOSPITAL.PATIENT_TABLE
  FOR ROWS WHERE
    ((VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1 AND
      HOSPITAL.PATIENT_TABLE.PCP_ID = SESSION_USER) OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCTGROUP') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'RESGROUP') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;
ALTER TABLE HOSPITAL.PATIENT_TABLE ACTIVATE ROW ACCESS CONTROL;
Contrasting DB2 for i - Data Security
Technology / Use case | Field Procedures | Column Masks | Row Permissions | Views & Logical Files
Supported IBM i OS releases | 7.1, 7.2 | 7.2 | 7.2 | 6.1, 7.1, 7.2
Limit access to some/all data within a column | Yes | Yes | No | Yes
Limit access to rows | No | No | Yes | Yes
Security logic payload (customer experience) | External program (complex) | SQL rule (simple) | SQL rule (simple) | DDS or SQL (varies)
Software Vendor component | Townsend Security, Linoma, Enforcive | None at this time | None at this time | N/A
Data encrypted at rest | Yes | No | No | No
Data encrypted in journal | Yes | No | No | No
Masked values apply to selection criteria | Yes | No | N/A | N/A
Data-Centric Solution | Yes | Yes | Yes | No
Success factors include: Strategy, Tuning & Consulting | Yes | Yes | Yes | No
Contrasting DB2 for i - Data Compliance
Technology / Use case | Guardium Activity Monitor for DB2 for i | Audit Journal | Data Journal
Supported IBM i OS releases | 6.1, 7.1, 7.2 | 6.1, 7.1, 7.2 | 6.1, 7.1, 7.2
Analysis & Reporting | InfoSphere Guardium | Security ISVs & InfoSphere Guardium | Security ISVs
Solution infrastructure beyond IBM i | Yes | No | No
Capture SQL statements | Yes | No | No
Capture SQL host variable values and environment | Yes | No | No
Capture database specific Audit Journal details | Yes | Yes | No
Capture before and after images of data | No | No | Yes
Able to track which rows are seen by users | No | No | No
Success factors include: Strategy, Tuning & Consulting | Yes | Yes | Yes
IBM Advanced Data Security for i (Boss Option 47)
• Option 47 must be installed to:
– CREATE PERMISSION and CREATE MASK (RCAC)
– Open a file that has RCAC activated
• RCAC is applied after checking object authorization requirements
– If you pass the object authorization check:
  • Row permissions reduce the set of rows returned
  • Column Masks limit full or partial access to sensitive column data
• RCAC constructs exist within the table (*FILE)
• When ENABLED & ACTIVATED, RCAC is automatically applied by SQE
• RCAC is comprehensive and applies to any interface (Native DB, SQL, RPG, APIs, Commands, etc.)
Key points with RCAC
• Users may be surprised to see less data!
• Tables which contain enabled RCAC permissions or masks can be restored regardless of whether option 47 is installed.
– However, if the option is not installed, permissions and masks cannot be created, and tables, views, or indexes which contain active permissions or masks cannot be accessed.
RCAC and Triggers
• Triggers are used for database integrity
• RCAC controls are used for securing business critical data
• Enabled row permissions and column masks are not applied to the initial values of transition variables or to transition tables referenced in the trigger body. The trigger program has access to unprotected data.
Secure triggers for row and column access control:
• To balance the needs of integrity and security… the trigger must be created or altered to have the SECURED attribute.
• If a trigger is not secure, RCAC cannot be activated for the target table:
> ALTER TABLE EMPLOYEE ACTIVATE ROW ACCESS CONTROL
RCAC and Functions
• Function invocations are allowed within RCAC rules and provide the ability to create more complex and modularized RCAC rule text logic
• This additional capability adds a level of complexity for the security administrator because the function must be reviewed and approved
Secure functions referenced by row and column access control:
• To balance the need of complex rule logic and security… the function must be created or altered to have the SECURED attribute.
• If a function is not secure, the permission or mask cannot be enabled:
> ALTER PERMISSION employee_perm1 ENABLE
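As an added worked example (not code from the original deck) tying the two SECURED requirements together: a SQL function is created SECURED so a column mask may call it, an existing trigger on the same table is altered to SECURED, and only then is column access control activated. The schema PAYROLL, table EMPLOYEE (columns SALARY, WORKDEPT), table DEPARTMENT (columns DEPTNO, MGR_USRPRF) and trigger EMP_AUDIT_TRG are assumed names.

```sql
-- Added example; PAYROLL.EMPLOYEE, PAYROLL.DEPARTMENT and EMP_AUDIT_TRG are assumed names.

-- 1. A function referenced from RCAC rule text must carry the SECURED attribute.
--    Marking it SECURED records that the security administrator has reviewed
--    the body: inside a mask it runs against the unmasked data.
CREATE OR REPLACE FUNCTION PAYROLL.IS_DEPT_MANAGER (IN_DEPT CHAR(3))
  RETURNS INTEGER
  LANGUAGE SQL
  READS SQL DATA
  NOT DETERMINISTIC
  SECURED
BEGIN
  DECLARE HITS INTEGER DEFAULT 0;
  -- the caller manages IN_DEPT when DEPARTMENT lists their profile as MGR_USRPRF
  SELECT COUNT(*) INTO HITS
    FROM PAYROLL.DEPARTMENT
    WHERE DEPTNO = IN_DEPT AND MGR_USRPRF = SESSION_USER;
  RETURN CASE WHEN HITS > 0 THEN 1 ELSE 0 END;
END;

-- 2. The mask calls the secured function. Had IS_DEPT_MANAGER been created
--    NOT SECURED (the default), the ENABLE would be rejected.
CREATE OR REPLACE MASK PAYROLL.SALARY_MASK ON PAYROLL.EMPLOYEE
  FOR COLUMN SALARY RETURN
    CASE
      WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRTEAM') = 1 THEN SALARY
      WHEN PAYROLL.IS_DEPT_MANAGER(WORKDEPT) = 1          THEN SALARY
      ELSE NULL
    END
  ENABLE;

-- 3. Triggers see unmasked transition variables, so an existing audit trigger
--    on EMPLOYEE must be secured before access control can be activated.
ALTER TRIGGER PAYROLL.EMP_AUDIT_TRG SECURED;

-- 4. Activation is the step that fails while any trigger on the table is
--    NOT SECURED; after step 3 it succeeds and the mask applies to every
--    interface (SQL, native I/O, RPG, APIs, commands).
ALTER TABLE PAYROLL.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
```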
Separation of Duty & DB2 for i - Use case exploration
Meet the users:
• MARYSEC – A Security Officer responsible for granting and revoking security, including data security
CRTUSRPRF USRPRF(MARYSEC) PASSWORD(xxxxxxxx) USRCLS(*SECOFR) TEXT('Security Officer')
GRTOBJAUT OBJ(<data-libraries>) OBJTYPE(*LIB) USER(MARYSEC) AUT(*USE)
CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(MARYSEC) USAGE(*ALLOWED)
• FRANKDBA – A Database Administrator with authority to do everything but change security settings
CRTUSRPRF USRPRF(FRANKDBA) PASSWORD(xxxxxxxx) USRCLS(*USER) TEXT('Database Administrator') SPCAUT(*ALLOBJ *JOBCTL *SAVSYS *SPLCTL)
• JOEUSER – An end user with no special authority
CRTUSRPRF USRPRF(JOEUSER) PASSWORD(xxxxxxxx) USRCLS(*USER) TEXT('User with no special authorities')
Separation of Duty & DB2 for i - Use case exploration
create or replace variable toystore22.job_title char(10) /* length not shown on the slide; 10 assumed */
  DEFAULT (select JOB_TITLE from toystore22.vemp where USER_PROFILE_NAME = USER);
create or replace variable toystore22.work_department char(3)
  DEFAULT (select WORKDEPT from toystore22.vemp where USER_PROFILE_NAME = USER);
grant read on variable toystore22.job_title to public;
grant read on variable toystore22.work_department to public;
create or replace permission toystore22.permission_project_byUser on toystore22.project for rows where
  (toystore22.job_title = 'IT SEC' AND DEPTNO <> 'E21') OR
  (toystore22.job_title = 'IT ADM') OR
  (toystore22.job_title = 'APP TEAM' AND DEPTNO = toystore22.work_department)
  enforced for all access enable;
alter table toystore22.project activate row access control;
Separation of Duty & DB2 for i - Use case exploration
• Masking salary detail in general
• Allow the HRTEAM group profile members to see all data
• Allow a manager to see their employees' data
create or replace variable toystore22.manager_of_department char(3)
  DEFAULT (select DEPTNO from toystore22.vdept where MGRNO = (select EMPNO FROM toystore22.vemp WHERE USER_PROFILE_NAME = USER));
grant read on variable toystore22.manager_of_department to public;
CREATE OR REPLACE MASK toystore22.salary_mask ON toystore22.employee FOR COLUMN salary
RETURN CASE
  WHEN VERIFY_GROUP_FOR_USER(SESSION_USER,'HRTEAM') = 1 THEN salary
  WHEN WORKDEPT = toystore22.manager_of_department THEN salary
  ELSE 99999999.99
END
ENABLE;
Separation of Duty & DB2 for i - Use case exploration
• JOEUSER is the manager of dept 'E11'
select lastname, salary, workdept
from toystore22.employee a
order by workdept desc, lastname asc
Special registers – similar names, different purposes
USER this, USER that… which one should I use?
Special Register | Definition
USER or SESSION_USER | The effective user of the thread is returned.
SYSTEM_USER | The authorization ID that initiated the connection is returned.
CURRENT USER or CURRENT_USER | The most recently adopted authorization ID within the thread is returned. When no adopted authority has occurred, the effective user of the thread is returned.
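An added example (not from the deck) that returns the three registers side by side from a routine that adopts its owner's authority, using the USRPRF and DYNUSRPRF keywords from the adopted-authority SQL considerations above. The function is assumed to be owned by SECTEAM and called by JANE, as in the adopted-authority figure; the function name is assumed.

```sql
-- Added example; SECTEAM (owner) and JANE (caller) are the profiles from the
-- adopted-authority figure, WHO_AM_I is an assumed name.
CREATE OR REPLACE FUNCTION SECTEAM.WHO_AM_I ()
  RETURNS VARCHAR(80)
  LANGUAGE SQL
  NOT DETERMINISTIC
  -- USRPRF = *OWNER: static SQL in the body runs with SECTEAM's authority
  --                  added to the caller's (the SQL naming default).
  -- DYNUSRPRF = *OWNER: extends the same adoption to dynamic SQL, which
  --                  SQL naming does NOT adopt by default.
  SET OPTION USRPRF = *OWNER, DYNUSRPRF = *OWNER
BEGIN
  RETURN 'CURRENT USER='  CONCAT RTRIM(CURRENT USER)
  CONCAT ' SESSION_USER=' CONCAT RTRIM(SESSION_USER)
  CONCAT ' SYSTEM_USER='  CONCAT RTRIM(SYSTEM_USER);
END;

-- Call from an interactive session signed on as JANE:
VALUES SECTEAM.WHO_AM_I();
```

By the definitions in the table, that call from JANE's session reports SECTEAM for CURRENT USER (the most recently adopted ID) and JANE for both SESSION_USER and SYSTEM_USER; adoption augments authority without changing the effective user. A profile swap with the QWTSETP API would move SESSION_USER to the swapped profile while SYSTEM_USER would still name JANE.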
Other security oriented SQL statements
TRANSFER OWNERSHIP
– SQL statement that is similar to the CL command CHGOBJOWN
– Operation can be run under commitment control and rolled back
TRANSFER OWNERSHIP OF TABLE mjatst.t1 TO USER paul PRESERVE PRIVILEGES
Grant to GROUP and USER
– Compatibility with DB2 Family
– Identifies whether the ID is a group or a user
GRANT ALL ON council TO USER frank WITH GRANT OPTION
GRANT ALL ON council TO GROUP marketing WITH GRANT OPTION
Summary
• Define a security policy
• Implement DB2 for i object-level security
• Implement Row and Column level security as appropriate
• Consider encryption of sensitive data
Resources
• IBM STG Lab Services Security Team
• IBM i InfoCenter
– IBM i Security Reference
– DB2 SQL Reference (http://ibm.com/systems/i/db2/books.html)
• DB2 for i developerWorks Forum
https://www.ibm.com/developerworks/forums/forum.jspa?forumID=292
• Articles & White papers
– DB2 Data Protection Essentials
http://systeminetwork.com/article/db2-data-protection-options-and-essentials
– IBM i Encryption White Paper
ibm.com/partnerworld/wps/servlet/ContentHandler/partnerworld/wps/servlet/ContentHandler/whitepaper/i5os/db2_data/encryption
– Field Procedures
http://mcpressonline.com/database/db2/enable-transparent-encryption-with-db2-field-procedures.html
• RCAC Redbook/Redpiece coming in 2014
Compliance Monitoring – Compliance to What?
Company Policy and/or Standards
These should define how systems should be built, maintained, monitored, and interacted with by their custodians and users. Another way of thinking about it: they are a Service Level Agreement (SLA) between Owners, Management and the people they have hired to “work” the business. Owners and Management derive a “sense of security” knowing that their employees are managing the business according to this agreement. Owners and Management must be involved in the creation and maintenance of these documents. Compliance monitoring then is simply demonstrating that the employees (and management) are doing what they have been hired to do.
21 May 2014
IBM InfoSphere Guardium V9 – DB2 for i as a data source
• New DB2 for i support with November 2012 Database Group PTFs for IBM i 6.1 & 7.1
– Guardium appliance receives IBM i centric data
• SQL statements & variables
• Audit entries from QSYS/QAUDJRN
– Extensive and meaningful filters
– Track the most privileged users
• Real-time data collection & alert capability
– Secure logging
– Heterogeneous, cross-DBMS solution
• Real-time Database Protection and Compliance
– Granular, real-time policies & auditing
• Who, what, when, where, how
– Proactive security (e.g. alerts signal changes to critical tables)
– Simplified compliance process: HIPAA, PCI, SOX, …
– No DBMS or application changes
Guardium using DB2 for i as a data source
Collected Audit Journal & SQL information is streamed to the InfoSphere Guardium appliance
• Continuous monitoring of all database activities
– Global SQL Monitor using a View & Instead of Trigger captures SQL information
– Audit server job receives QAUDJRN audit entries and puts them on a Unix queue
• Additional details: ibm.com/developerworks/ibmi/library/i-infosphere_guardium_db2/index.html
PowerSC Tools for IBM i – Compliance Assessment and Reporting
Provides enterprise and system compliance monitoring of security
IBM i Lab Services - ibm.com/systems/services/labservices - [email protected]
Service Overview: Rapid security analysis of your IBM i system(s) providing dashboard observation and reporting on key areas of security concern
Automated tool checks and reports hundreds of parameters in an IBM i environment
Key Features:
Profile Analysis:
• Special Authorities / Inherited Privileges
• Group Profiles / Ambiguous Profiles
• Default Passwords / Password Expiration
• Inactive Accounts
• *PUBLICLY and Privately Authorized Profiles
• Initial Programs, Menus, and Attention Programs
• Command Line Access
Administration / Configuration Settings:
• System Values / Audit Control Settings
• Invalid Signon attempts
• Work Management Analysis
• DDM Password Requirements / SST Security
• Registered Exit Points / Function Usage
• Library Analysis / *ALLOBJ Inheritance
Network Settings:
• Network attributes
• NetServer Configuration
• TCP/IP servers / Autostart values
• APPN Configuration / Server Authentication
• Listening ports / Network Encryption
• IP Datagram Forwarding / IP Source Routing
• Digital Certificate Expiration
• SSH / SSL Configuration
Service Benefits:
• Reduces cost and time involved in running system security checks
• Can minimize potential user errors that cause system exposures
• Offers an opportunity to review systems for security breaches and take action to address the issue
• Provides a new level of report automation and user interface that makes the tool easy to use, fast and accurate
• Easy enough to use that you can deploy it and, with your skills, a Business Partner’s skills, or Lab Services’ skills, address any findings discovered.
Trademarks and Disclaimers
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Information is provided "AS IS" without warranty of any kind.
The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.
Prices are suggested U.S. list prices and are subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.