Information contained in this material has not been submitted to any formal IBM review and is distributed on "as is" basis without any warranty either expressed or implied. Measurements data have been obtained in laboratory environment. Information in this presentation about IBM's future plans reflect current thinking and is subject to change at IBM's business discretion. You should not rely on such information to make business plans. The use of this information is a customer responsibility.
IBM MAY HAVE PATENTS OR PENDING PATENT APPLICATIONS COVERING SUBJECT MATTER IN THIS DOCUMENT. THE FURNISHING OF THIS DOCUMENT DOES NOT IMPLY GIVING LICENSE TO THESE PATENTS.
TRADEMARKS: THE FOLLOWING TERMS ARE TRADEMARKS OR ® REGISTERED TRADEMARKS OF THE IBM CORPORATION IN THE UNITED STATES AND/OR OTHER COUNTRIES: AIX, AS/400, DATABASE 2, DB2, e-business logo, Enterprise Storage Server, ESCON, FICON, OS/390, OS/400, ES/9000, MVS/ESA, Netfinity, RISC, RISC SYSTEM/6000, iSeries, pSeries, xSeries, SYSTEM/390, IBM, Lotus, NOTES, WebSphere, z/Architecture, z/OS, System z, System p
The FOLLOWING TERMS ARE TRADEMARKS OR REGISTERED TRADEMARKS OF THE MICROSOFT CORPORATION IN THE UNITED STATES AND/OR OTHER COUNTRIES: MICROSOFT, WINDOWS, WINDOWS NT, ODBC, WINDOWS 95
For additional information see ibm.com/legal/copytrade.phtml
Database servers are the primary source of breached dataFocus limited resources on the most threatened data source
It’s really not surprising that servers seem to have a lock on first place when it comes to the types of assets impacted by data breaches. They store and process data, and that fact isn’t lost on data thieves.“
Categories of compromised assets by percent of breaches and percent of records
Sources: Verizon Business Data Breach Investigations Report 2011
" Overloading applications with security logic– Security logic can be bypassed by malicious users– Hampers the ability to use ad-hoc query tools– Difficult to maintain
" Different views for different groups of users– Views updatability may not reflect security policies– Can be bypassed by malicious users– Difficult to maintain
" Evolution of security policies– Affect the security logic in applications– Affect the organization and number of views
– New SECADM authority to manage security of data• Does not have access to the data• Is able to manage GRANTS on all objects
– New Administrative authorities• DATAACCESS – to control who can see data• ACCESSCTRL – to control who can govern access to the data
– New DBADM ON SYSTEM authority• Gives the individual or role the ability to
– Manage all user tables in the subsystem > With or without DATAACCESS – default is with DATAACCESS> With or without ACCESSCTRL - default is with ACCESSCTRL
– Administrative authorities can be divided among individuals without overlapping responsibilities
– Allows security administrator to grant the minimum privilege to a user to perform a specific task
– New DB2 10 Audit privileges• SELECT, INSERT, UPDATE, DELETE on new SYSIBM.SYSAUDITPOLICIES table
– New DB2 10 row and column access• CREATE, ALTER, COMMENT, DROP row permissions and column masks• ALTER TABLE to activate row and column level access control • CREATE_SECURE_OBJECT privilege
" Provides additional controls regarding cascading effects of a REVOKE statement– INCLUDING DEPENDENT PRIVILEGES – NOT INCLUDING DEPENDENT PRIVILEGES
• When ACCESSCTRL, DATAACCESS, or DBADM ON SYSTEM is revoked, – the default is always NOT INCLUDING DEPENDENT PRIVILEGES and – the NOT INCLUDING DEPENDENT PRIVILEGES clause must be explicitly
DB2 Audit Capability …" New audit capabilities without additional data collectors
" New Audit Policies are managed in the catalog– Audit policy provides wild carding of table names
" Ability to audit (associated column names identified in upper case)– Privileged users (SYSADMIN, DBADMIN)
• Audit policy records each use of a administrative system authority• For DBADMIN, optional DBNAME or COLLID (for PACKADM)
– SQL activity against a table (EXECUTE)• Audit policy does not require AUDIT clause to be specified• Audit policy generates records for all read and update access, not just first access
in the transaction• UTS, Classic Partitioned, and Segmented table space support
– Trusted Context use (VALIDATE)• When established or used by another different user (ASUSER connection)
" Ability to audit (continued)– Authorization & authentication failures (CHECKING)– The alter or drop of a table (OBJMAINT + OBJ* identification columns)– Utility start, change, or end (CONTEXT)– Grants, revokes, or create/alter of a Trusted Context (SECMAINT)
" Various IFCIDs created for the different audit types
" External collectors only report users with a system authority
" Audit Policies can be started at DB2 start– DB2START
• Y: Starts at DB2 start• S: Starts at DB2 start and can only be changed by SECADM
" To create a new AUDITADMIN1 policy to audit the SYSADM authority (S) and the SYSOPR authority (O), you can specify SYSADMIN as the category:
" You can also use the SQL LIKE predicate to audit tables of the same characteristics. For example, you can audit all tables that start with E_P in schema TSCHEMA by issuing the following INSERT statement:
– OBJECTTYPE ‘T’ means table– EXECUTE ‘C’ means Audit on all INSERT,UPDATE,DELETE statements– EXECUTE ‘A’ means Audit all access on the table
New audit policies provide needed flexibility and functionality# Auditor can define an audit policy to audit any access to specific
tables for specific programs during day # Audit policy does not require AUDIT clause to be specified using DDL # Audit policy generate records for all read and update access for statements with unique statement identifier #Audit policy provides wildcarding of based on schema and table names
# Auditor can define an audit policy to identify any unusual use of a privileged authority#Records each use of a system authority #Audit records written only when authority is used for access#External collectors only report users with a system authority
# Security administrator using the new SECADM authority maintains DB2 audit policies in a new catalog table# SYSIBM.SYSAUDITPOLICIES
# Audit policies enabled using –STA TRACE command# Audit policies disabled using –STO TRACE command# Up to 8 audit policies can be specified to auto start or auto start
as secure during DB2 start up# Only user with SECADM authority can stop a secure audit policy
Satisfy Your Auditor:New table controls to protect against unplanned SQL access# Define additional data controls at the row and column level
# Security policies are defined using SQL# Separate security logic from application logic
# Security policies based on real time session attributes# Protects against SQL injection attacks# Determines how column values are returned# Determines which rows are returned
# All access via SQL including privileged users, adhoc query tools, report generation tools is protected
# Policies can be added, modified, or removed to meet current company rules without change to applications
Table controls to protect SQL access to individual row levelEstablish a row policy for a table# Filter rows out of answer set# Policy can use session information, e.g. the SQL ID is in what
group or user is using what role, to control which row is returned in result set
# Applicable to SELECT, INSERT, UPDATE, DELETE, & MERGE# Defined as a row permission:
CREATE PERMISSION policy-name ON table-nameFOR ROWS WHERE search-conditionENFORCED FOR ALL ACCESS ENABLE;
Optimizer inserts search condition in all SQL statements accessing table. If row satisfies search-condition, row is returned in answer set.
Table controls to protect SQL access to individual column levelEstablish a column policy for a table# Mask column values in answer set# Policy can use session information, e.g. the SQL ID is in what
group or user is using what role, to control what masked value is returned in result set
# Applicable to the output of outermost subselect# Defined as column masks :
CREATE MASK mask-name ON table-nameFOR COLUMN column-name RETURN CASE-expression
ENABLE;
Optimizer inserts CASE expression in all SQL statements accessing table to determine mask value to return in answer set
Managing row and column access controls# When activated row and column access controls:
# All row permissions and column masks become effective in all DML# All row permissions are connected with ‘OR’ to filter out rows# All column masks are applied to mask output# All access to the table is prevented if no user-defined row permissions
# When deactivated row and column access controls:# Make row permissions and column masks become ineffective in DML
# Opens all access to the table
ALTER TABLE table-name ACTIVATE ROW ACCESS CONTROLACTIVATE COLUMN ACCESS CONTROL;
ALTER TABLE table-name DEACTIVATE ROW ACCESS CONTROLDEACTIVATE COLUMN ACCESS CONTROL;
" What is the purpose of row level security?– Filter rows out of answer set– Policy can use session information like SQL ID is in what group or user is using
what role to control when row is returned in result set– Applicable to SELECT,INSERT, UPDATE,DELETE & MERGE– Defined as a row permission:
– Optimizer inserts search condition in all SQL statements accessing table. If row satisfies search-condition, row is returned in the answer set
Row and Column level access" Row and Column Access Control
– When activated row and column access controls:• Make row permissions and column masks become effective in all DML
– All row permissions are connected with ‘OR’ to filter out rows– All column masks are applied to mask output– Rebind required for dependent packages– Modified statements shown in DSN_PREDICAT_TABLE– IFCID 145 names the Mask / Permission enabled at prepare / bind time
• Halts all access to the table if no user-defined row permissions
• When deactivated row and column access controls: – Make row permissions and column masks become ineffective in DML
Row and Column level access – Banking example …"Determine access control rules for customer service rep
" Allow access to all customers of the bank (a row permission)" Mask all INCOME values (a column mask)
" Return value 0 for incomes of 25000 and below " Return value 1 for incomes between 25000 and 75000" Return value 2 for incomes between 75000 and 150000" Return value 3 for incomes above 150000
" All are in the CSR group (who)"Create a row permission for customer service representatives
" “Organizations overlook the most imminent threat to their databases: authorized users.” (Dark Reading)
" “No one group seems to own database security … This is not a recipe for strong database security” … 63% depend primarily on manual processes.” (ESG)
" Most organizations (62%) cannot prevent super users from reading or tampering with sensitive information …most are unable to even detect such incidents … only 1 out of 4 believe their data assets are securely configured (Independent Oracle User Group).
xxx: At least 45.7 million credit and debit card numbers were stolen by hackers who accessed the Mainframe computer systems at the xxx. The cost of breach Financial Impact: $256 Million Remediation (2007)
xxx: At least 45.7 million credit and debit card numbers were stolen by hackers who accessed the Mainframe computer systems at the xxx. The cost of breach Financial Impact: $256 Million Remediation (2007)
Cost of a Data BreachUnderstand What’s at Stake – Top 5 Breaches by Cost
RankRank CompanyCompany Records Records BreachedBreached
Estimated Estimated CostCost
1Major
consumer retailer
100 Million Records
$2 Billion
2Multichannel
Marketer 150 Million
Records$225 Million to $4 Billion
3Major
consumer retailer
45 Million Records
$256 Million
4Credit card payment processor
100 Million Records
$140 Million
5US
Government Agency
17 Million Records
$30 Million
Cost / Breached Record BreakdownCost / Breached Record Breakdown
$134
$51
$15 $13
0
20
40
60
80
100
120
140
160
Lost Business Post Response Notification Detection
Breach Cost / Record
Mainframe BreachMainframe BreachMainframe Breach
Total Cost of Breached Record 2011: $214Total Cost of Breached Record 2011: $214
