Understanding DB2 9 Security

Authors: Rebecca Bond, Kevin Yeung-Kuen See, Carmen Ka Man Wong, Yuk-Kuen Henry Chan

Edition: 1

ISBN: 0131345907, 9780131345904

Pages: 433

Topics covered:

- Establishing effective security processes, teams, plans, and policies
- Implementing identification and authentication controls, your first lines of defense
- DB2 in Windows environments: managing the unique risks, leveraging the unique opportunities
- Using the new Label Based Access Control (LBAC) of DB2 9 to gain finer-grained control over data protection
- Encrypting DB2 connections, data “in flight,” and data on disk: step-by-step guidance
- Auditing and intrusion detection: crucial technical implementation details
- Using SSH to secure machine-to-machine communication in DB2 9 multi-partitioned environments
- Staying current with the latest DB2 security patches and fixes

Table of contents:
Understanding DB2 9 security……Page 1
Table of Contents……Page 13
Introduction……Page 28
A Personal Experience Provides Lessons Learned……Page 29
New Regulations, New Responsibilities, New Opportunities……Page 32
Sarbanes-Oxley……Page 33
What Internal Controls?……Page 34
Changing DBA Responsibilities……Page 35
DB2 DBAs and the SOX Mitigation Effort……Page 36
HIPAA……Page 40
Gramm-Leach-Bliley……Page 44
Federal Information Security Management Act……Page 45
First Words—What’s the Plan?……Page 48
The DB2 Security Plan……Page 49
Security Plan Meeting Participants……Page 50
Meeting Goals and Desired Outcomes……Page 53
Next Steps……Page 61
Review, Approve, Implement, Maintain……Page 62
General Guidelines—Building the DB2 Database Security Policies……Page 63
Change Control—Things Are Gonna Change……Page 66
Last Words……Page 67
First Words: Why Is Authentication Critical to Database Security?……Page 68
Overview of the Default DB2 Authentication Mechanism……Page 69
Authentication Type……Page 70
Understanding Authentication—In General……Page 71
SRVCON_AUTH Database Manager Configuration Parameter……Page 73
Authentication Type Negotiation Between the Client and Server……Page 74
How to Determine the Authentication Type Used for a Connection……Page 79
Introduction to Security Plug-Ins……Page 80
Type and Categories of Security Plug-Ins……Page 81
IBM-Shipped Default Plug-In……Page 83
Client-Side Auth Plug-Ins on the Database Server……Page 84
DB2 Security Plug-In APIs……Page 85
GSS APIs……Page 87
Security Plug-In-Specific Database Manager Configuration Parameters (DBM CFG Parameters)……Page 89
Enabling Security Plug-Ins……Page 90
Other Features Available in Customized Security Plug-Ins……Page 93
The Basic Flow of GSS API and DB2 Security Plug-In API……Page 94
Restrictions Imposed on GSS API Plug-Ins by DB2……Page 95
Kerberos—An IBM-Shipped GSS API-Based Security Plug-In……Page 97
Customized Kerberos-Based Security Plug-In……Page 99
The Lightweight Directory Access Protocol (LDAP)—Yet Another IBM-Shipped User ID/Password-Based Security Plug-In……Page 100
Step 1: Include the Security Plug-In Header Files in Your Plug-In……Page 103
Step 2: Write the APIs Constituting Your Plug-In……Page 104
Step 4: Compile the Plug-In Source and Create a Shared Library……Page 105
Step 5: Place the Library in the Appropriate Directory……Page 106
Proposed Design……Page 107
Detailed Implementation Information……Page 110
Sample Scenarios……Page 114
Scenario 1: Mixed Use of Pre-8.2 and 9 Clients with the GSS API Plug-In……Page 115
Scenario 2: DB2 9 Client Communicating with a Database in a Different Instance with a Different Authentication Setting……Page 116
Scenario 3: Using Kerberos for Authenticating DB2 (Linux/UNIX/Windows) Client in an Environment That Also Has a DB2 for z/OS Client……Page 118
Last Words……Page 119
First Words……Page 120
Scope of This Chapter……Page 121
Documentation Is Necessary……Page 122
Thinking “Security”—Planning the Windows Install……Page 123
DB2_EXTSECURITY……Page 132
The Windows Operating System—The Important Stuff……Page 133
Review Windows Account Policy Settings……Page 134
Lock Down and Protect Windows Accounts……Page 135
Lock Down Unneeded Features for the Windows Registry……Page 137
The Local System Account (LSA)……Page 139
Physical Security for Windows Servers……Page 140
The Dilemma……Page 141
Last Words……Page 142
Terminology……Page 144
Authorization ID……Page 145
Need-to-Know……Page 146
Least Privilege……Page 147
Processes to Control and Review……Page 148
Documentation Made Easy (or at Least Easier)……Page 149
Using Schemas for Control and Management of Database Objects……Page 150
Restricting the PUBLIC from the Start……Page 152
Without the Protection of “Restrictive”……Page 153
Easy Public Revokes……Page 154
Instance-Level Authority……Page 156
Database-Level Authority……Page 161
How Can Current Authorities Be Determined?……Page 164
SQL Objects and Their Privileges……Page 165
Implicit Granted Authorities and Privileges……Page 171
Statement Authorization ID……Page 174
Different Authorization Models Available in DB2……Page 175
Retrieving the Group Membership List for a Given Authorization ID……Page 176
More Ways to Encapsulate……Page 182
When Will Those Grants and Revokes Take Effect?……Page 183
Object Ownership Management……Page 185
SYSIBMADM.OBJECTOWNERS……Page 186
Last Words……Page 190
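The chapter above (Restricting the PUBLIC from the Start, Implicit Granted Authorities and Privileges, Retrieving the Group Membership List, SYSIBMADM.OBJECTOWNERS) is about what a freshly created DB2 9 database hands to PUBLIC and how to find out who holds what. The following DB2 command line processor script is an added example written for this listing, not code from the book; the database name SECDB, the group APP_USERS and the authorization ID ALICE are assumed names, and the catalog view and table function names are the ones DB2 9 documents.

```sql
-- Added example (not from the book). Run from the DB2 CLP: db2 -tvf authz.sql
-- Assumed names: database SECDB, group APP_USERS, authorization ID ALICE.

-- 1. A database created with RESTRICTIVE (new in DB2 9) grants PUBLIC nothing:
--    no CONNECT, no CREATETAB/BINDADD/IMPLICIT_SCHEMA, no SELECT on SYSCAT views,
--    no EXECUTE on routines. Every privilege is then an explicit, reviewable grant.
CREATE DATABASE SECDB RESTRICTIVE;
CONNECT TO SECDB;

-- 2. A database created without RESTRICTIVE gives PUBLIC the implicit database
--    authorities below plus SELECT on every catalog view. On such a database,
--    strip them before application users exist:
REVOKE CONNECT, CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
REVOKE SELECT ON SYSCAT.TABLES FROM PUBLIC;   -- repeat for the other SYSCAT views

-- 3. Grant on a need-to-know basis, to a group rather than to PUBLIC or to
--    individual IDs, so membership changes do not require new GRANTs.
GRANT CONNECT ON DATABASE TO GROUP APP_USERS;
GRANT SELECT ON SYSCAT.TABLES TO GROUP APP_USERS;

-- 4. Review: what PUBLIC still holds at database, table and routine level.
SELECT GRANTEE, CONNECTAUTH, CREATETABAUTH, BINDADDAUTH, IMPLSCHEMAAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC';

SELECT TABSCHEMA, TABNAME, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, CONTROLAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND TABSCHEMA NOT IN ('SYSCAT', 'SYSIBM', 'SYSSTAT');

SELECT SCHEMA, SPECIFICNAME, ROUTINETYPE
  FROM SYSCAT.ROUTINEAUTH
 WHERE GRANTEE = 'PUBLIC' AND EXECUTEAUTH IN ('Y', 'G')
   AND SCHEMA NOT IN ('SYSFUN', 'SYSPROC', 'SYSIBM');

-- 5. Group membership as DB2 resolves it through the group plug-in. This, not
--    what the OS or LDAP admin believes, is what authorization for ALICE uses.
SELECT * FROM TABLE(SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('ALICE')) AS T;

-- 6. Ownership: objects owned by an ID that is about to leave. Ownership
--    carries CONTROL, so these must be transferred, not just left behind.
SELECT OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE
  FROM SYSIBMADM.OBJECTOWNERS
 WHERE OWNER = 'ALICE';

CONNECT RESET;
```

Run the review queries (step 4) on every database you inherit; a database created before RESTRICTIVE existed, or by someone who did not use it, will show PUBLIC holding CONNECT and the three CREATE-type authorities, which is enough for any authenticated OS user to create tables and bind packages.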
What Is LBAC? A High-Level Overview……Page 192
The LBAC Architecture……Page 193
Security Label Components……Page 194
Security Labels……Page 195
Exemptions……Page 196
Protected Table……Page 197
Read Access Rules……Page 198
Write Access Rules……Page 199
Array Security Label Component……Page 200
Set Security Label Component……Page 201
Exemptions……Page 202
Designing the Security Solution……Page 204
Activity Overview for Implementing an LBAC Solution……Page 205
Manipulating Data in Protected Tables……Page 206
Retrieve Data Records from a Protected Table……Page 207
Update Data Records in a Protected Table……Page 208
Inserting with a Security Label of SET Security Label Component……Page 209
Retrieve Data Records Protected by SET Security Label Component Elements……Page 212
Updating Data Records Protected by SET Security Label Component……Page 215
Deleting Data Records Protected by SET Security Label Component……Page 217
Inserting with a Security Label of ARRAY Component……Page 218
Retrieve Data with a Security Label of ARRAY Security Label Component……Page 221
Update Data with a Security Label of ARRAY Security Label Component……Page 223
Delete Data with a Security Label of ARRAY Security Label Component……Page 224
Scenario……Page 226
Retrieve Data with a Security Label of TREE Security Label Component……Page 231
Update Data with a Security Label of TREE Security Label Component……Page 232
Delete Data with a Security Label of TREE Security Label Component……Page 233
Use Case Scenario……Page 234
Analyzing Data Restrictions……Page 236
Designing the Security Solution……Page 237
Implementing the Security Solution……Page 238
Runtime Usage……Page 241
Review Security Labels……Page 244
Dropping Security Labels……Page 245
Dropping Security Policy……Page 246
Dropping Security Label Component……Page 247
Granting Security Labels to Users……Page 248
Revoking Exemptions from Users……Page 249
Review List of Protected Tables……Page 250
Altering Table Protection: Adding Row Protection……Page 251
Altering Table Protection: Drop Column Protection……Page 252
Remove Protection from Protected Tables……Page 253
Query Through Views……Page 254
INSERT through Views……Page 258
Load……Page 259
Stored Procedure: ADMIN_COPY_SCHEMA……Page 260
Referential Integrity Constraints……Page 261
Reference Material……Page 263
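The LBAC chapter above walks through components, policies, labels, protected tables, exemptions and the read/write rules, then reviewing and removing protection. The script below is an added example for this listing, not code from the book, that carries one case through all of those steps; the schema HR, policy HR_POLICY, component element values and the users SECADM1, ALICE and BOB are assumed names. It must be run by the security administrator, since in DB2 9 only SECADM can create LBAC objects.

```sql
-- Added example (not from the book). Run from the CLP: db2 -tvf lbac.sql
-- Assumed names: schema HR, policy HR_POLICY, users SECADM1, ALICE (HR), BOB (auditor).

-- Only SECADM can define LBAC objects; SYSADM cannot, and must grant it once.
GRANT SECADM ON DATABASE TO USER SECADM1;

-- 1. Components. ARRAY elements are ordered, highest first; SET elements are not.
CREATE SECURITY LABEL COMPONENT LEVEL
   ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];
CREATE SECURITY LABEL COMPONENT DEPARTMENT SET {'HR', 'FINANCE', 'ENGINEERING'};

-- 2. Policy. The rule set is fixed (DB2LBACRULES). RESTRICT ... WRITE SECURITY LABEL
--    makes an INSERT naming a label the user cannot write fail, rather than being
--    silently replaced by the user's own write label.
CREATE SECURITY POLICY HR_POLICY
   COMPONENTS LEVEL, DEPARTMENT
   WITH DB2LBACRULES
   RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- 3. Labels: one element (or set of elements) per component.
CREATE SECURITY LABEL HR_POLICY.SECRET_HR
   COMPONENT LEVEL 'SECRET', COMPONENT DEPARTMENT 'HR';
CREATE SECURITY LABEL HR_POLICY.CONF_HR
   COMPONENT LEVEL 'CONFIDENTIAL', COMPONENT DEPARTMENT 'HR';

-- 4. Protected table: a DB2SECURITYLABEL column gives row protection, SECURED WITH
--    gives column protection. Both need a SECURITY POLICY on the table.
CREATE TABLE HR.EMPLOYEE (
   EMP_ID    INTEGER NOT NULL PRIMARY KEY,
   NAME      VARCHAR(60),
   SALARY    DECIMAL(9,2) SECURED WITH SECRET_HR,
   ROW_LABEL DB2SECURITYLABEL
) SECURITY POLICY HR_POLICY;

-- 5. Labels are granted separately from table privileges; a user needs both.
GRANT SECURITY LABEL HR_POLICY.SECRET_HR TO USER ALICE FOR ALL ACCESS;
GRANT INSERT, SELECT, UPDATE ON HR.EMPLOYEE TO USER ALICE;

-- BOB holds only CONF_HR, but an exemption from the ARRAY read rule lets him read
-- SECRET rows anyway (not write them). Exemptions bypass rules wholesale: audit them.
GRANT SECURITY LABEL HR_POLICY.CONF_HR TO USER BOB FOR READ ACCESS;
GRANT EXEMPTION ON RULE DB2LBACREADARRAY FOR HR_POLICY TO USER BOB;
GRANT SELECT ON HR.EMPLOYEE TO USER BOB;

-- 6. As ALICE: name the label explicitly, or omit ROW_LABEL to get her write label.
INSERT INTO HR.EMPLOYEE (EMP_ID, NAME, SALARY, ROW_LABEL)
   VALUES (1, 'A. Example', 80000.00, SECLABEL_BY_NAME('HR_POLICY', 'SECRET_HR'));
INSERT INTO HR.EMPLOYEE (EMP_ID, NAME, SALARY) VALUES (2, 'B. Example', 65000.00);

-- Rows the caller may not read are silently absent (a user with no label sees an
-- empty table, not an error); a column-protected column the caller cannot read is
-- an error. SECLABEL_TO_CHAR shows the stored label in readable form.
SELECT EMP_ID, NAME, SECLABEL_TO_CHAR('HR_POLICY', ROW_LABEL) AS LBL FROM HR.EMPLOYEE;

-- 7. Review: which tables are protected, and who has been granted which label.
SELECT TABSCHEMA, TABNAME FROM SYSCAT.TABLES WHERE SECPOLICYID > 0;
SELECT A.GRANTEE, A.GRANTEETYPE, S.SECLABELNAME
  FROM SYSCAT.SECURITYLABELACCESS A
  JOIN SYSCAT.SECURITYLABELS S
    ON S.SECLABELID = A.SECLABELID AND S.SECPOLICYID = A.SECPOLICYID;

-- 8. Removing protection, column first, then the whole policy. The label values
--    stay in ROW_LABEL as plain data afterwards, so treat the column as sensitive.
ALTER TABLE HR.EMPLOYEE ALTER COLUMN SALARY DROP COLUMN SECURITY;
ALTER TABLE HR.EMPLOYEE DROP SECURITY POLICY;
```

Two points worth checking in any LBAC design: row filtering is silent, so application code that counts rows or sums a column gets a correct answer for a different data set than the DBA sees; and the exemption granted to BOB is per rule and per policy, which is why the review query on SYSCAT.SECURITYLABELACCESS must be paired with a look at who holds exemptions before signing off.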
First Words……Page 264
Private Key Cryptography……Page 265
Encryption for User IDs and Passwords Passed in the Connect Statement……Page 266
Encryption for Sensitive Data Sent Through the Network……Page 268
Encrypting Sensitive Data Stored on Disk……Page 270
Last Words……Page 281
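The encryption chapter above separates three things: the credentials in the CONNECT, the data crossing the network, and data stored on disk. The script below is an added example for this listing, not the book's own material; the host name dbsrv.example.internal, node DBSRV, database SECDB and table CUSTOMER are assumed, and the algorithm caveat on ENCRYPT is taken from the DB2 SQL reference for that function.

```sql
-- Added example (not from the book). DB2 9 CLP script, run with db2 -tvf.
-- Assumed names: host dbsrv.example.internal, node DBSRV, database SECDB, table CUSTOMER.

-- (a) Credentials and data in flight. AUTHENTICATION is the instance-wide setting;
--     SRVCON_AUTH (new in DB2 9) overrides it for incoming CONNECTs only.
--       SERVER_ENCRYPT   user ID and password encrypted, SQL data in clear
--       DATA_ENCRYPT     user ID, password and all SQL data encrypted
--       DATA_ENCRYPT_CMP as DATA_ENCRYPT, but pre-8.2 clients fall back to
--                        SERVER_ENCRYPT, i.e. clear-text data: migration only
UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT;
UPDATE DBM CFG USING SRVCON_AUTH DATA_ENCRYPT;
-- Both take effect only after db2stop / db2start. Confirm with GET DBM CFG and
-- read the AUTHENTICATION and SRVCON_AUTH lines.

-- Client side: catalog the type explicitly instead of letting it be negotiated
-- from the server, so a server later downgraded to SERVER is noticed.
CATALOG TCPIP NODE DBSRV REMOTE dbsrv.example.internal SERVER 50000;
CATALOG DATABASE SECDB AT NODE DBSRV AUTHENTICATION DATA_ENCRYPT;

-- (b) Data at rest: the built-in ENCRYPT / DECRYPT_CHAR column functions.
--     Caveats from the DB2 reference: the cipher is RC2 with a 128-bit key derived
--     from an MD5 digest of the password; the password travels with the statement
--     (so use DATA_ENCRYPT above); the column must be FOR BIT DATA and sized for
--     padding plus the optional hint. For an 11-byte SSN: 11 + 8, rounded up to the
--     next multiple of 8 = 24, plus 32 for the hint = 56 bytes.
CONNECT TO SECDB;
CREATE TABLE CUSTOMER (
   CUST_ID INTEGER NOT NULL PRIMARY KEY,
   SSN     VARCHAR(64) FOR BIT DATA
);

-- A session password keeps the passphrase out of every INSERT/SELECT text, which
-- would otherwise sit in the dynamic SQL cache and in event monitor output.
SET ENCRYPTION PASSWORD = 'correct horse battery';
INSERT INTO CUSTOMER VALUES (1, ENCRYPT('123-45-6789'));
-- Explicit password and hint on one row, to show both forms:
INSERT INTO CUSTOMER VALUES (2, ENCRYPT('987-65-4321', 'correct horse battery', 'usual phrase'));

SELECT CUST_ID, DECRYPT_CHAR(SSN) AS SSN, GETHINT(SSN) AS HINT FROM CUSTOMER;
CONNECT RESET;
```

ENCRYPT protects the column against someone who reads the table or a backup image without the password; it does not protect against a DBA who can read the statement cache, and anyone with SELECT on the column still sees the ciphertext length, which leaks the plaintext length to within eight bytes. Treat it as a complement to the access controls in the authorization chapter, not a substitute.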
First Words: Just Start…but Where ?……Page 282
Keeping It Real—No One Size Fits All……Page 283
Password Authentication and Maintenance……Page 284
How Sensitive Are You?……Page 285
Where Design Meets Implementation……Page 286
Watch Out for the Public (What Does the Public Need to Know and When Do They Need to Know It?)……Page 287
Choosing the SHOW SQL option……Page 293
Security and Database Performance……Page 294
Last Words……Page 295
First Words……Page 296
Crisis Mode……Page 297
Discovery……Page 298
For DBAs Only……Page 300
From Analysis to Physical Design……Page 303
Before db2audit—Think—Test—Learn……Page 304
db2audit Facility Safeguards……Page 305
The db2audit Facility Command Syntax……Page 306
Triggers……Page 326
Stored Procedures, UDFs, and Other Programmatic Approaches to Auditing……Page 328
Last Words……Page 329
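The auditing chapter above closes with triggers and stored procedures as a complement to db2audit, for cases where an audit trail needs the old and new values of specific columns rather than db2audit's per-statement event records. The script below is an added example for this listing, not the book's code: an append-only salary audit table and the triggers that fill and protect it. The schema HR, the table HR.PAYROLL (EMP_ID INTEGER, SALARY DECIMAL(9,2)) and the group AUDITORS are assumed.

```sql
-- Added example (not from the book). Assumes an unprotected table
-- HR.PAYROLL (EMP_ID INTEGER NOT NULL PRIMARY KEY, SALARY DECIMAL(9,2)).

CREATE TABLE HR.SALARY_AUDIT (
   AUDIT_TS    TIMESTAMP    NOT NULL,
   AUTH_ID     VARCHAR(128) NOT NULL,  -- SESSION_USER: ID used for authorization
   SYS_USER    VARCHAR(128) NOT NULL,  -- SYSTEM_USER: ID that actually connected
   CLIENT_HOST VARCHAR(255),           -- CURRENT CLIENT_WRKSTNNAME, set by the app
   ACTION      CHAR(1)      NOT NULL,  -- 'U' update, 'D' delete
   EMP_ID      INTEGER      NOT NULL,
   OLD_SALARY  DECIMAL(9,2),
   NEW_SALARY  DECIMAL(9,2)
);

-- The triggered action is authorized against the ID that issues CREATE TRIGGER,
-- so users who update HR.PAYROLL need no INSERT on the audit table. Grant only
-- SELECT, to the people who review the trail.
GRANT SELECT ON HR.SALARY_AUDIT TO GROUP AUDITORS;

CREATE TRIGGER HR.SALARY_UPD
   AFTER UPDATE OF SALARY ON HR.PAYROLL
   REFERENCING OLD AS O NEW AS N
   FOR EACH ROW MODE DB2SQL
   INSERT INTO HR.SALARY_AUDIT
      VALUES (CURRENT TIMESTAMP, SESSION_USER, SYSTEM_USER, CURRENT CLIENT_WRKSTNNAME,
              'U', N.EMP_ID, O.SALARY, N.SALARY);

CREATE TRIGGER HR.SALARY_DEL
   AFTER DELETE ON HR.PAYROLL
   REFERENCING OLD AS O
   FOR EACH ROW MODE DB2SQL
   INSERT INTO HR.SALARY_AUDIT
      VALUES (CURRENT TIMESTAMP, SESSION_USER, SYSTEM_USER, CURRENT CLIENT_WRKSTNNAME,
              'D', O.EMP_ID, O.SALARY, NULL);

-- Make the trail append-only at the SQL level. Even a holder of CONTROL on the
-- table must DROP these triggers before altering history, and that DROP is an
-- OBJMAINT event db2audit can record.
CREATE TRIGGER HR.SALARY_AUDIT_NODEL
   NO CASCADE BEFORE DELETE ON HR.SALARY_AUDIT
   FOR EACH ROW MODE DB2SQL
   SIGNAL SQLSTATE '75001' SET MESSAGE_TEXT = 'Audit rows are immutable';

CREATE TRIGGER HR.SALARY_AUDIT_NOUPD
   NO CASCADE BEFORE UPDATE ON HR.SALARY_AUDIT
   FOR EACH ROW MODE DB2SQL
   SIGNAL SQLSTATE '75001' SET MESSAGE_TEXT = 'Audit rows are immutable';

-- Exercise it: one insert (not audited), one update, then read the trail.
INSERT INTO HR.PAYROLL (EMP_ID, SALARY) VALUES (42, 70000.00);
UPDATE HR.PAYROLL SET SALARY = 75000.00 WHERE EMP_ID = 42;
SELECT AUDIT_TS, AUTH_ID, SYS_USER, CLIENT_HOST, ACTION, EMP_ID, OLD_SALARY, NEW_SALARY
  FROM HR.SALARY_AUDIT;
```

The trigger trail records who changed what; it cannot record reads, and it is only as trustworthy as the DROP TRIGGER path, which is why it belongs alongside db2audit (in DB2 9.1 configured at the instance level with db2audit configure, then db2audit start) rather than instead of it. SESSION_USER and SYSTEM_USER are both captured because they differ after SET SESSION AUTHORIZATION, and an audit row that shows only the switched-to ID hides who really made the change.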
Secure Shell (SSH) for Data-Partitioning Feature on UNIX……Page 330
The Setup Steps……Page 331
Public Key Authentication (per User Account)……Page 332
Host-Based Authentication (per Machine)……Page 333
How to Configure DB2 to Use SSH……Page 334
Last Words……Page 335
Diligence……Page 336
DB2 User Community Resources……Page 337
Fixpacks……Page 339
Keeping Current Goes beyond DB2……Page 340
Vulnerability Assessments……Page 341
Intrusion Detection……Page 342
Prepare for a Breach……Page 343
Preparing for the Future……Page 344
Last Words……Page 345
First Words……Page 346
For Geeks Only……Page 347
For the “Normal” Folks……Page 348
Social Engineering……Page 349
Publish and/or Perish?……Page 350
Last Words……Page 352
Appendix A: Independent Security Packages……Page 354
Configuring the NAS Kit on UNIX®/Linux® Systems for the IBMKrb5 Plug-In……Page 356
Configuring the Windows® Client and Domain Controller to Enable the Windows Native Kerberos Environment……Page 359
Interoperability……Page 360
Useful Links……Page 361
Appendix C: DB2 Audit Scope Record Layouts……Page 364
Appendix D: DB2 Audit – Additional Documentation……Page 376
Gaining Access to Data Through Indirect Means……Page 390
Default Privileges Granted upon Creating a Database……Page 392
Windows Platform Security Considerations for Users (Sourced from Administration Guide: Implementation)……Page 394
Security Considerations for Active Directory (Sourced from Administration Guide: Implementation)……Page 395
Security Considerations for Routines (Sourced from SQL Guide)……Page 396
Security Risks……Page 397
Security Considerations for DB2 Administration Server (DAS) on Windows (Sourced from Administration Guide: Implementation)……Page 399
Security Considerations for User Mapping Plug-In for a Federated Environment (Sourced from Websphere Information Integration Documentation)……Page 400
Appendix F: Glossary of Authorization ID……Page 402
Appendix G: LBAC-Related SYSCAT Views……Page 406
Appendix H: Security Plug-In Return Codes……Page 410
db2secGroupPluginInit……Page 416
db2secGetGroupsForUser (Internal Name: Log_get_groups)……Page 417
db2secServerAuthPluginInit……Page 418
db2secValidatePassword (Internal Name: Log_validatePassword)……Page 419
db2secFreeErrormsg (Internal Name: Log_free_error_message)……Page 420
A……Page 422
C……Page 423
D……Page 424
E……Page 425
I……Page 426
L……Page 427
P……Page 428
Q–R……Page 429
S……Page 430
W–Z……Page 433
