IN THE NAME OF ALLAH
DB2 Security Model
Class Presentation of the Database Security Course at Tarbiat Modares University
Presenters:
Narges Poorkamali
Yeganeh Ghayour Baghbani
Professor:
Dr. Sadegh Dorri Nogorani
Fall Semester: 1398-99
Presentation Date: 1398/10/18
Headlines
Authorization
Authentication
LBAC
RCAC
Backup and Recovery
Data Encryption
Trusted Context and Connection
InfoSphere Data Replication
Introducing IBM DB2
Why use DB2 Database?
 Created by IBM in 1993
 The most powerful Database Engine
 Relational Database
 Data Warehouse
 Free Version
 Structured & Unstructured
 SQL & NoSQL
 Data Mining
 Disaster Recovery
 Scalability
 Security
 In Memory
 Replication
 Encryption
 BLU Acceleration
Authentication
(Figure: DB2 authentication protocols and what each provides. Protocols shown: Operating system, Kerberos, LDAP, and Custom plug-ins; the annotations are user validation, user validation via the GSS API, and group membership, with LDAP shown as user validation only.)
IBM Data Server Manager (DSM)
A web-based integrated database management tool platform:
 Database Administrator
 Health and Performance Monitoring
 Performance Management
 Database Client Management
Authorization
During SQL statement processing, the permissions that the DB2 authorization model considers are the union of the following:
 The permissions granted to the primary authorization ID associated with the SQL statement
 The permissions granted to the secondary authorization IDs (groups or roles) associated with the SQL statement
 The permissions granted to PUBLIC, including roles that are granted to PUBLIC, directly or indirectly through other roles
 The permissions granted to the trusted context role, if applicable
DB2 manages authorizations at three different levels:
 Instance
 Database
 Object
Because of the changes in DB2 9.7, it is easiest to represent the permissions in multiple diagrams. First, the permissions at the instance level for:
1) SYSADM (system administrator)
2) SYSCTRL (system controller)
3) SYSMAINT (system maintenance)
4) SYSMON (system monitoring)
Database Level Permission
Now, the database level permissions:
(Figure: database level permissions)
Access Control
(Figure: access control mechanisms LBAC and RCAC, applied to Role, User and Group, with Tag)
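The union of permission sources described above, as an added example in DB2 LUW SQL (not code from the presentation): each of the four paths is built up for one user and then audited from the catalog. Table, role and user names (PAYROLL, DEPARTMENT, HR_APP, REPORTING, REPORTING_BASE, ALICE) are assumed.

```sql
-- Added example (not from the presentation); all object names and IDs are assumed.
-- Builds each source that the authorization model unions for ALICE, then audits
-- what actually reaches her so that PUBLIC and role chains are not overlooked.

CREATE TABLE payroll    (emp_id  VARCHAR(30) NOT NULL PRIMARY KEY, salary DECIMAL(9,2));
CREATE TABLE department (dept_id CHAR(4)     NOT NULL PRIMARY KEY, name   VARCHAR(40));
CREATE ROLE hr_app;
CREATE ROLE reporting;
CREATE ROLE reporting_base;

-- 1) Primary authorization ID: privilege granted directly to the user
GRANT SELECT ON payroll TO USER alice;

-- 2) Secondary authorization IDs: a role ALICE is a member of
--    (group membership is supplied by the authentication plug-in, not by SQL)
GRANT UPDATE ON payroll TO ROLE hr_app;
GRANT ROLE hr_app TO USER alice;

-- 3) PUBLIC, including a role reached indirectly: PUBLIC -> REPORTING -> REPORTING_BASE
GRANT SELECT ON department TO PUBLIC;
GRANT SELECT ON payroll TO ROLE reporting_base;
GRANT ROLE reporting_base TO ROLE reporting;
GRANT ROLE reporting TO PUBLIC;
-- Every connected user now reads PAYROLL through that chain, which is why a grant
-- to PUBLIC deserves the same review as a grant to a named user.

-- 4) Trusted context role: only in effect while connected through a trusted
--    context, so it does not appear in the catalog audit below.

-- Audit: roles that reach ALICE directly or indirectly (through other roles,
-- groups, or PUBLIC).
SELECT rolename, granteetype, grantee
  FROM TABLE(SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID('ALICE', 'U')) AS r;

-- Audit: every PAYROLL privilege row that reaches ALICE by any of the paths above
SELECT granteetype, grantee, selectauth, updateauth
  FROM syscat.tabauth
 WHERE tabschema = CURRENT SCHEMA
   AND tabname   = 'PAYROLL'
   AND (   (granteetype = 'U' AND grantee = 'ALICE')
        OR (granteetype = 'G' AND grantee IN
              (SELECT "GROUP" FROM TABLE(SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('ALICE'))))
        OR (granteetype = 'R' AND grantee IN
              (SELECT rolename FROM TABLE(SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID('ALICE', 'U'))))
        OR  grantee = 'PUBLIC' );
```

Run the two audit queries after every change to PUBLIC or to role membership; the second one is the concrete check that the "union" has not silently grown.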
LBAC: Label-Based Access Control
When to use LBAC for row level authorization?
 Government applications that manage classified information (intelligence, defense, etc.)
 Non-government applications where:
 Data classification is known
 Data classification can be represented by one or more LBAC security label components
 Authorization rules can be mapped to the security label component rules
 If any of the above is not possible, then views are a better alternative for row level authorization.
When to use LBAC for column level authorization?
 Control access to a sensitive column (e.g., social security number, credit card number, etc.)
 Protect the data in the table from access by the table owner or DBAs
 Assign a security label to all columns in the table
 Assign that security label to a role
 Assign that role to all users who need access to the table
 Only users who are members of that role will be able to access data in that table
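Both LBAC procedures above (row-level labelling and the label-to-role-to-user chain for a sensitive column), as an added example in DB2 LUW SQL that is not from the presentation. The component, policy, label, table, role and user names are assumed.

```sql
-- Added example (not from the presentation); every name below is assumed.
-- One hierarchical component; DB2LBACRULES lets a label read rows whose
-- component value it dominates (SECRET reads SECRET and below).
CREATE SECURITY LABEL COMPONENT level
  ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

CREATE SECURITY POLICY clearance
  COMPONENTS level
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;   -- reject, rather than relabel, unauthorized writes

CREATE SECURITY LABEL clearance.secret       COMPONENT level 'SECRET';
CREATE SECURITY LABEL clearance.unclassified COMPONENT level 'UNCLASSIFIED';

-- Row level: each row carries its own label in the DB2SECURITYLABEL column.
-- Column level: the sensitive column is itself secured with a label, so even
-- the table owner or a DBA without a dominating label cannot read it.
CREATE TABLE intel_report (
  id        INTEGER      NOT NULL PRIMARY KEY,
  summary   VARCHAR(200),
  source    VARCHAR(100) COLUMN SECURED WITH secret,
  row_label DB2SECURITYLABEL
) SECURITY POLICY clearance;

-- Label -> role -> users, as the slides recommend for column protection.
CREATE ROLE analysts;
GRANT SECURITY LABEL clearance.secret TO ROLE analysts FOR ALL ACCESS;
GRANT ROLE analysts TO USER alice;

-- A read-only, lower label: BOB sees UNCLASSIFIED rows only and gets an
-- authorization error, not data, when he selects the SOURCE column.
GRANT SECURITY LABEL clearance.unclassified TO USER bob FOR READ ACCESS;

-- Inserted by ALICE: the omitted row label defaults to her write label (SECRET).
INSERT INTO intel_report (id, summary, source)
  VALUES (1, 'constructed sample row', 'constructed source');
```

Because the table owner holds no label here, ownership alone grants no access to the protected column or rows; that is the property the slides are after.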
RCAC: Row and Column Access Control
 Table controls to protect SQL access at the individual row level and individual column level:
 Establish a row policy for a table
 Filters rows out of the answer set
 The policy can use session information (e.g. which group the SQL ID is in, or which role the user is using) to control which rows are returned in the result set
 Applicable to SELECT, INSERT, UPDATE, DELETE, and MERGE
 Defined as a row permission
 Establish a column policy for a table
 Masks column values in the answer set
 The policy can use session information (e.g. which group the SQL ID is in, or which role the user is using) to control what masked value is returned in the result set
 Applicable to the output of the outermost subselect
 Defined as column masks
 Define table policies based on who is accessing the table or how it is being accessed
 Managing row and column access controls
Rules about row and column access:
 Not enforced for RI, CHECK, or UNIQUE constraints
 Preserves data integrity
 Requires secure triggers
 CREATE or ALTER TRIGGER with the SECURED option
 Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
 Trigger packages are rebound implicitly after ALTER TRIGGER
 Requires secure UDFs
 Referenced in the row permission and column mask definition
 CREATE or ALTER TRIGGER with the SECURED option
 Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
 Populates access control information in the EXPLAIN tables
 Access control can be activated on the EXPLAIN tables
 No support for MQTs and set operations
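The row permission, column mask, secured UDF and secured trigger that the RCAC slides describe, as an added example in DB2 LUW SQL (not from the presentation). Table, role and user names (EMPLOYEE, SALARY_AUDIT, HR, ALICE, DBA1) are assumed.

```sql
-- Added example (not from the presentation); all names are assumed.
CREATE ROLE hr;
GRANT ROLE hr TO USER alice;

CREATE TABLE employee (
  emp_id VARCHAR(30) NOT NULL PRIMARY KEY,   -- equals the employee's authorization ID
  dept   VARCHAR(10),
  ssn    CHAR(11),
  salary DECIMAL(9,2)
);
CREATE TABLE salary_audit (
  emp_id VARCHAR(30), old_salary DECIMAL(9,2), new_salary DECIMAL(9,2),
  changed_by VARCHAR(128), changed_at TIMESTAMP
);

-- A UDF referenced from a permission or mask must itself be SECURED; an
-- unsecured one could copy the unmasked value somewhere visible.
CREATE FUNCTION last4(s CHAR(11))
  RETURNS CHAR(11)
  LANGUAGE SQL DETERMINISTIC NO EXTERNAL ACTION
  SECURED
  RETURN 'XXX-XX-' || SUBSTR(s, 8, 4);

-- Row permission: HR members see every row, anyone else only their own row.
-- Session information (role membership, SESSION_USER) drives the filter.
CREATE PERMISSION employee_rows ON employee
  FOR ROWS WHERE VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR') = 1
              OR emp_id = SESSION_USER
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: HR gets the full SSN, everyone else the last four digits.
CREATE MASK ssn_mask ON employee
  FOR COLUMN ssn
  RETURN CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR') = 1 THEN ssn
              ELSE last4(ssn)
         END
  ENABLE;

-- Nothing is filtered or masked until access control is activated on the table.
-- Note that UNIQUE, CHECK and RI constraints are still evaluated against the
-- real data, so a user cannot infer hidden rows by tripping a constraint.
ALTER TABLE employee
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- A trigger on an RCAC-protected table must be SECURED (it sees unfiltered rows).
-- Creating one needs SECADM or the CREATE_SECURE_OBJECT privilege.
GRANT CREATE_SECURE_OBJECT ON DATABASE TO USER dba1;   -- issued by SECADM

CREATE TRIGGER employee_salary_audit
  AFTER UPDATE OF salary ON employee
  REFERENCING OLD AS o NEW AS n
  FOR EACH ROW
  SECURED
  INSERT INTO salary_audit (emp_id, old_salary, new_salary, changed_by, changed_at)
    VALUES (n.emp_id, o.salary, n.salary, SESSION_USER, CURRENT TIMESTAMP);
```

With the controls active, `SELECT ssn FROM employee` run by ALICE returns full values and run by any non-HR user returns only that user's own masked row.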
Backup and Recovery
Online backup vs. offline backup
The target location is specified when you invoke the backup utility. This location can be:
 A directory in a file system (for backups to disk or diskette)
 A device (for backups to tape)
 A Tivoli Storage Manager (TSM) server
 Another vendor's server
 Cloud
IBM Tivoli Storage Manager is an enterprise-wide storage management application. It provides automated storage management services to workstations, personal computers, and file servers from various vendors, with various operating systems.
Data Encryption
Options: DB2 Native Encryption, IBM InfoSphere Guardium, Encrypted File System (EFS), SSL
DB2 Native Encryption: Db2 native encryption provides a built-in encryption capability to protect database backup images and key database files from inappropriate access while they are at rest on external storage media.
IBM InfoSphere Guardium: IBM InfoSphere Guardium Data Encryption is a comprehensive software data security solution that, when used in conjunction with native Db2 security, provides effective protection of the data and the database application against a broad array of threats.
Encrypted File System (EFS): If you are running a Db2 system on the AIX operating system, you have the option to set up an encrypted database by using the AIX encrypted file system (EFS). For detailed information about EFS, see your AIX documentation.
SSL: The Db2 database system supports SSL, which means that a Db2 client application that also supports SSL can connect to a Db2 database by using an SSL socket. CLI, CLP, and .NET Data Provider client applications, and applications that use the IBM Data Server Driver for JDBC and SQLJ (type 4 connections), support SSL.
Data Encryption: DB2 Native Encryption
HIGHLIGHTS:
 Encrypt online data
 Encrypt backups
 Transparent to application
 Transparent to schema
 Secure and transparent key management
 Exploits hardware acceleration such as Intel AES-NI
 FIPS 140-2 certified encryption libraries
 NIST compliant use of cryptography
 Easy to deploy in cloud, software, or appliance
 Runs wherever DB2 runs
Key Management:
 Industry standard 2-tier model
 Actual data is encrypted with a data encryption key (DEK)
 The DEK is encrypted with a master key (MK)
 The DEK is managed within the database while the MK is managed externally
 The MK is managed in a PKCS#12 compliant local GSKit based keystore
Trusted Context and Connection
A trusted context is a new object that is defined based upon a system authorization ID and one or more sets of connection trust attributes, where each set defines at least one connection trust attribute:
 System authorization ID
 Connection trust attributes
The trust relationship is based upon the following set of attributes:
1. System authorization ID: represents the user that establishes a database connection
2. IP address (or domain name): represents the host from which a database connection is established
3. Data stream encryption: represents the encryption setting (if any) for the data communication between the database server and the database client
A trusted connection allows the initiator of this trusted connection to acquire additional capabilities that may not be available outside the scope of the trusted connection. The additional capabilities vary depending on whether the trusted connection is explicit or implicit.
The initiator of an explicit trusted connection has the ability to:
1. Switch the current user ID on the connection to a different user ID, with or without authentication
2. Acquire additional privileges via the role inheritance feature of trusted contexts
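A trusted context carrying all three trust attributes, a default role, and both switch-user modes, as an added example in DB2 LUW SQL (not from the presentation). The system authorization ID APPSRV, the address 192.0.2.10, the role APP_ROLE, the table ORDERS and the users ALICE and BOB are assumed.

```sql
-- Added example (not from the presentation); addresses, IDs and names are assumed.
-- The application server connects as APPSRV. A connection becomes trusted only
-- when every attribute matches: this authid, this source address, and an
-- encrypted data stream ('HIGH' = SSL).
CREATE TABLE orders (order_id INTEGER NOT NULL PRIMARY KEY, placed_by VARCHAR(30));
CREATE ROLE app_role;
GRANT SELECT, INSERT ON orders TO ROLE app_role;   -- reachable only via the context
GRANT CONNECT ON DATABASE TO USER appsrv;

CREATE TRUSTED CONTEXT ctx_appserver
  BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
  ATTRIBUTES (ADDRESS    '192.0.2.10',
              ENCRYPTION 'HIGH')
  DEFAULT ROLE app_role            -- inherited on any trusted connection (implicit or explicit)
  ENABLE
  WITH USE FOR alice WITH AUTHENTICATION,      -- switch to ALICE needs her credentials
               bob   WITHOUT AUTHENTICATION;   -- switch to BOB needs none: review carefully

-- APPSRV connecting from another host, or without SSL, gets an ordinary connection:
-- no APP_ROLE, no switch-user. That is the point of binding trust to the attributes.

-- Audit: which contexts exist, whether they are enabled, and their attributes.
SELECT contextname, systemauthid, defaultcontextrole, enabled
  FROM syscat.contexts;
SELECT contextname, attr_name, attr_value, attr_options
  FROM syscat.contextattributes
 ORDER BY contextname, attr_name;
```

An explicit trusted connection (the one that allows switching user) must be requested by the client driver; a plain connection that merely matches the attributes is an implicit one and only gains the default role.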
InfoSphere Data Replication
 Database replication solution from IBM
 Multi-platform: Windows, Linux, Unix
 Changes to the database are captured in real time
 Captures inserts, updates, and deletes
 Centralized platform
 Low-impact capture and fast delivery of changes to the database
 Helps reduce processing overhead by sending only changes, thereby removing the need for additional steps to detect changes
 Reduces network traffic by sending only changed or new data instead of the entire data set
 Has three components:
 Change data capture (CDC)
 SQL replication: in SQL Replication, committed source changes are staged in relational tables before being replicated to target systems.
 Q replication: in Q Replication, committed source changes are written in messages that are transported through MQ queues to target systems.
Thank You

More Related Content

What's hot

DB2 Interview Questions - Part 1
DB2 Interview Questions - Part 1DB2 Interview Questions - Part 1
DB2 Interview Questions - Part 1
ReKruiTIn.com
 
Db2 Important questions to read
Db2 Important questions to readDb2 Important questions to read
Db2 Important questions to read
Prasanth Dusi
 
DB2 DOCUMENT
DB2 DOCUMENTDB2 DOCUMENT
DB2 DOCUMENT
Nirmal Pati
 
Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basics
rainynovember12
 
Db2 blu acceleration and more
Db2 blu acceleration and moreDb2 blu acceleration and more
Db2 blu acceleration and more
IBM Sverige
 
Oracle dba interview questions with answer
Oracle dba interview questions with answerOracle dba interview questions with answer
Oracle dba interview questions with answer
upenpriti
 
online training for IBM DB2 LUW UDB DBA
online training for IBM DB2 LUW UDB DBAonline training for IBM DB2 LUW UDB DBA
online training for IBM DB2 LUW UDB DBA
Ravikumar Nandigam
 
IBM Spectrum Scale for File and Object Storage
IBM Spectrum Scale for File and Object StorageIBM Spectrum Scale for File and Object Storage
IBM Spectrum Scale for File and Object Storage
Tony Pearson
 
IBM DS8880 and IBM Z - Integrated by Design
IBM DS8880 and IBM Z - Integrated by DesignIBM DS8880 and IBM Z - Integrated by Design
IBM DS8880 and IBM Z - Integrated by Design
Stefan Lein
 
DB2 Basic Commands - UDB
DB2 Basic Commands - UDBDB2 Basic Commands - UDB
DB2 Basic Commands - UDB
Srinimf-Slides
 
2 db2 instance creation
2 db2 instance creation2 db2 instance creation
2 db2 instance creation
Ravikumar Nandigam
 
Presentation db2 best practices for optimal performance
Presentation   db2 best practices for optimal performancePresentation   db2 best practices for optimal performance
Presentation db2 best practices for optimal performance
solarisyougood
 
SKILLWISE-DB2 DBA
SKILLWISE-DB2 DBASKILLWISE-DB2 DBA
SKILLWISE-DB2 DBA
Skillwise Group
 
Ibm db2
Ibm db2Ibm db2
Ibm db2
aditi212
 
Best practices for DB2 for z/OS log based recovery
Best practices for DB2 for z/OS log based recoveryBest practices for DB2 for z/OS log based recovery
Best practices for DB2 for z/OS log based recovery
Florence Dubois
 
MySQL Storage Engines
MySQL Storage EnginesMySQL Storage Engines
MySQL Storage Engines
Karthik .P.R
 
IBM Tape the future of tape
IBM Tape the future of tapeIBM Tape the future of tape
IBM Tape the future of tape
Josef Weingand
 
DB2 and storage management
DB2 and storage managementDB2 and storage management
DB2 and storage management
Craig Mullins
 
Sql server basics
Sql server basicsSql server basics
Sql server basics
Dilfaroz Khan
 
DB2 utilities
DB2 utilitiesDB2 utilities
DB2 utilities
Udayakumar Suseendran
 

What's hot (20)

DB2 Interview Questions - Part 1
DB2 Interview Questions - Part 1DB2 Interview Questions - Part 1
DB2 Interview Questions - Part 1
 
Db2 Important questions to read
Db2 Important questions to readDb2 Important questions to read
Db2 Important questions to read
 
DB2 DOCUMENT
DB2 DOCUMENTDB2 DOCUMENT
DB2 DOCUMENT
 
Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basics
 
Db2 blu acceleration and more
Db2 blu acceleration and moreDb2 blu acceleration and more
Db2 blu acceleration and more
 
Oracle dba interview questions with answer
Oracle dba interview questions with answerOracle dba interview questions with answer
Oracle dba interview questions with answer
 
online training for IBM DB2 LUW UDB DBA
online training for IBM DB2 LUW UDB DBAonline training for IBM DB2 LUW UDB DBA
online training for IBM DB2 LUW UDB DBA
 
IBM Spectrum Scale for File and Object Storage
IBM Spectrum Scale for File and Object StorageIBM Spectrum Scale for File and Object Storage
IBM Spectrum Scale for File and Object Storage
 
IBM DS8880 and IBM Z - Integrated by Design
IBM DS8880 and IBM Z - Integrated by DesignIBM DS8880 and IBM Z - Integrated by Design
IBM DS8880 and IBM Z - Integrated by Design
 
DB2 Basic Commands - UDB
DB2 Basic Commands - UDBDB2 Basic Commands - UDB
DB2 Basic Commands - UDB
 
2 db2 instance creation
2 db2 instance creation2 db2 instance creation
2 db2 instance creation
 
Presentation db2 best practices for optimal performance
Presentation   db2 best practices for optimal performancePresentation   db2 best practices for optimal performance
Presentation db2 best practices for optimal performance
 
SKILLWISE-DB2 DBA
SKILLWISE-DB2 DBASKILLWISE-DB2 DBA
SKILLWISE-DB2 DBA
 
Ibm db2
Ibm db2Ibm db2
Ibm db2
 
Best practices for DB2 for z/OS log based recovery
Best practices for DB2 for z/OS log based recoveryBest practices for DB2 for z/OS log based recovery
Best practices for DB2 for z/OS log based recovery
 
MySQL Storage Engines
MySQL Storage EnginesMySQL Storage Engines
MySQL Storage Engines
 
IBM Tape the future of tape
IBM Tape the future of tapeIBM Tape the future of tape
IBM Tape the future of tape
 
DB2 and storage management
DB2 and storage managementDB2 and storage management
DB2 and storage management
 
Sql server basics
Sql server basicsSql server basics
Sql server basics
 
DB2 utilities
DB2 utilitiesDB2 utilities
DB2 utilities
 

Similar to DB2 Security Model

Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
Marco Alamanni
 
2) security
2) security2) security
2) security
guptavikki99
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdf
FumikageTokoyami4
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
SolidQ
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
European Collaboration Summit
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
G Prachi
 
Db2.security.slides
Db2.security.slidesDb2.security.slides
Db2.security.slides
asderww
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres Database
EDB
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
Kevin Mayo
 
Gradution Project
Gradution ProjectGradution Project
Gradution Project
Mina Nashaat
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
Vinod Kumar
 
Database security technique with database cache
Database security technique with database cacheDatabase security technique with database cache
Database security technique with database cache
IJARIIT
 
Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,View
Dr-Dipali Meher
 
Chapter23
Chapter23Chapter23
Chapter23
gourab87
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017
Maximiliano Accotto
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017
Maximiliano Accotto
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
Michael Noel
 
Database concepts
Database conceptsDatabase concepts
Database concepts
shanthishyam
 
DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security Enhancements
Laura Hood
 
Concurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud DatabasesConcurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud Databases
Editor IJMTER
 

Similar to DB2 Security Model (20)

Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
2) security
2) security2) security
2) security
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdf
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Db2.security.slides
Db2.security.slidesDb2.security.slides
Db2.security.slides
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres Database
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
 
Gradution Project
Gradution ProjectGradution Project
Gradution Project
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
 
Database security technique with database cache
Database security technique with database cacheDatabase security technique with database cache
Database security technique with database cache
 
Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,View
 
Chapter23
Chapter23Chapter23
Chapter23
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
 
Database concepts
Database conceptsDatabase concepts
Database concepts
 
DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security Enhancements
 
Concurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud DatabasesConcurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud Databases
 

Recently uploaded

dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
GDSC PJATK
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Jeffrey Haguewood
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 

Recently uploaded (20)

dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 

DB2 Security Model

  • 7. Authorization
    DB2 manages authorizations at three different levels:
    - Instance
    - Database
    - Object
    Because of the changes in DB2 9.7, it is easiest to represent the permissions in multiple diagrams. First, the permissions at the instance level for:
    1) SYSADM (system administrator)
    2) SYSCTRL (system controller)
    3) SYSMAINT (system maintenance)
    4) SYSMON (system monitoring)
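    The deck describes the authorization model as the union of what is granted to the primary ID, its groups, PUBLIC and any role, and lists the instance-level authorities. The following Db2 LUW SQL is an added example, not from the slides or from IBM's documentation: it sets up least-privilege access through a role and then reads back the effective authorities and the path each one arrived by. Every name in it (schema HR, table HR.EMPLOYEE, OS group HRSTAFF, users ALICE and BOB, role HR_READER) is assumed; the authority grants need SECADM and the table grant needs CONTROL on the table or ACCESSCTRL.

```sql
-- Added example, not from the slides. Assumed names: schema HR, table
-- HR.EMPLOYEE, OS group HRSTAFF, users ALICE and BOB, role HR_READER.
-- Run as a user holding SECADM (plus ACCESSCTRL for the table grant).

-- 1. A database created without the RESTRICTIVE option grants CONNECT,
--    CREATETAB, BINDADD and IMPLICIT_SCHEMA to PUBLIC. PUBLIC is always
--    part of the union, so take these back before granting anything else.
REVOKE CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- 2. Object privileges go on a role, never on individual IDs.
CREATE ROLE hr_reader;
GRANT SELECT ON TABLE hr.employee TO ROLE hr_reader;

-- 3. Hand the role out through a group (a secondary authorization ID)
--    or directly to a user.
GRANT ROLE hr_reader TO GROUP hrstaff;
GRANT ROLE hr_reader TO USER bob;

-- 4. Db2 9.7 and later split DBADM from data access: ALICE can administer
--    the database but cannot read table data or grant privileges.
GRANT DBADM WITHOUT DATAACCESS WITHOUT ACCESSCTRL ON DATABASE TO USER alice;

-- 5. Read back what BOB effectively holds. Each column is the path the
--    authority arrived by: D_USER / D_GROUP / D_PUBLIC are direct grants
--    to the user, one of its groups, or PUBLIC; ROLE_USER / ROLE_GROUP /
--    ROLE_PUBLIC are grants to a role reached through one of those.
SELECT authority, d_user, d_group, d_public, role_user, role_group, role_public
  FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID('BOB', 'U')) AS a
 WHERE 'Y' IN (d_user, d_group, d_public, role_user, role_group, role_public)
 ORDER BY authority;

-- 6. Table privileges live in SYSCAT.TABAUTH. GRANTEETYPE 'R' marks a
--    grant to a role, so this shows HR_READER rather than BOB or HRSTAFF:
--    auditing only GRANTEETYPE 'U' rows would miss every role-based path.
SELECT grantee, granteetype, selectauth, updateauth, controlauth
  FROM syscat.tabauth
 WHERE tabschema = 'HR' AND tabname = 'EMPLOYEE';
```

    Because the union includes groups and PUBLIC, checking a user's direct grants alone is not enough; call the table function with 'G' as the second argument to see what an OS group contributes, and with 'R' for a role.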
  • 8. Authorization: Database Level Permissions
    Now, the database level permissions:
  • 11. LBAC (Label-Based Access Control)
    When to use LBAC for row level authorization?
    - Government applications that manage classified information (intelligence, defense, etc.)
    - Non-government applications where:
      - Data classification is known
      - Data classification can be represented by one or more LBAC security label components
      - Authorization rules can be mapped to the security label component rules
    - If any of the above is not possible, then views are a better alternative for row level authorization.
  • 12. LBAC (Label-Based Access Control)
    When to use LBAC for column level authorization?
    - To control access to a sensitive column (e.g., social security number, credit card number, etc.)
    - To protect the data in the table from access by the table owner or DBAs:
      - Assign a security label to all columns in the table
      - Assign that security label to a role
      - Assign that role to all users who need access to the table
      - Only users who are members of that role will be able to access data in that table
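    Slides 11 and 12 describe when to use LBAC for rows and for columns; the following Db2 LUW SQL is an added example, not from the slides or from IBM's documentation, that does both on one table and shows the write-down rule practitioners usually trip over. All names (component LEVEL, policy HR_POLICY, labels HR_POLICY.SECRET and HR_POLICY.INTERNAL, table HR.EMPLOYEE, users ALICE and CAROL) are assumed.

```sql
-- Added example, not from the slides. Assumed names: component LEVEL,
-- policy HR_POLICY, labels HR_POLICY.SECRET and HR_POLICY.INTERNAL,
-- table HR.EMPLOYEE, users ALICE (cleared SECRET) and CAROL (cleared
-- INTERNAL, read only). The CREATE SECURITY ..., GRANT SECURITY LABEL
-- and GRANT EXEMPTION statements require SECADM.

-- 1. An ARRAY component is ordered: an element dominates every element
--    listed after it, so a SECRET reader also sees INTERNAL and PUBLIC rows.
CREATE SECURITY LABEL COMPONENT level
  ARRAY ['SECRET', 'INTERNAL', 'PUBLIC'];

-- 2. DB2LBACRULES supplies the read/write dominance rules. RESTRICT makes
--    a write with a label the user may not write fail, where OVERRIDE
--    would silently relabel the row with the writer's own label.
CREATE SECURITY POLICY hr_policy
  COMPONENTS level
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

CREATE SECURITY LABEL hr_policy.secret   COMPONENT level 'SECRET';
CREATE SECURITY LABEL hr_policy.internal COMPONENT level 'INTERNAL';

-- 3. Row level: a DB2SECURITYLABEL column on a table bound to the policy.
--    Column level: SECURED WITH on the sensitive column.
CREATE TABLE hr.employee (
  emp_id    INTEGER     NOT NULL PRIMARY KEY,
  name      VARCHAR(60) NOT NULL,
  ssn       CHAR(11)    SECURED WITH secret,
  row_label DB2SECURITYLABEL
) SECURITY POLICY hr_policy;

-- 4. Clearance is a grant, not a table privilege, and DBADM does not
--    bypass it: a DBA without a label gets no protected rows or columns.
GRANT SECURITY LABEL hr_policy.secret   TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL hr_policy.internal TO USER carol FOR READ ACCESS;

-- 5. DB2LBACWRITEARRAY forbids writing above or below your own element,
--    so ALICE (SECRET) can only tag a row INTERNAL with a write-down
--    exemption. Without it the first INSERT below fails under RESTRICT.
GRANT EXEMPTION ON RULE DB2LBACWRITEARRAY WRITEDOWN FOR hr_policy TO USER alice;

-- 6. As ALICE: one INTERNAL row and one SECRET row (constructed data).
INSERT INTO hr.employee VALUES
  (1, 'Example Clerk',    '000-00-0001', SECLABEL_BY_NAME('HR_POLICY', 'INTERNAL')),
  (2, 'Example Director', '000-00-0002', SECLABEL_BY_NAME('HR_POLICY', 'SECRET'));

-- 7. As CAROL: row 2 is simply absent (no error), but SELECT * fails
--    with an authorization error because SSN is secured with a label she
--    does not hold, so she must name only the columns she may read.
SELECT emp_id, name FROM hr.employee;

-- 8. As ALICE: both rows, the SSN column, and each row's label.
SELECT emp_id, name, ssn, SECLABEL_TO_CHAR('HR_POLICY', row_label) AS label
  FROM hr.employee;
```

    Hidden rows are filtered silently, which is why the deck's advice to use views where the classification cannot be expressed as label components matters: an application that counts rows or sums a column through LBAC gets a different answer per user and no indication that anything was withheld.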
  • 13. RCAC (Row and Column Access Control)
    Table controls to protect SQL access at the individual row level and individual column level:
    - Establish a row policy for a table
      - Filters rows out of the answer set
      - The policy can use session information (e.g., which group the SQL ID is in, or which role the user is using) to control which rows are returned in the result set
      - Applicable to SELECT, INSERT, UPDATE, DELETE, and MERGE
      - Defined as a row permission
    - Establish a column policy for a table
      - Masks column values in the answer set
      - The policy can use session information (e.g., which group the SQL ID is in, or which role the user is using) to control what masked value is returned in the result set
      - Applicable to the output of the outermost subselect
      - Defined as column masks
    - Define table policies based on who is accessing the table or how it is being accessed
    - Managing row and column access controls
  • 14. RCAC (Row and Column Access Control)
    Rules about row and column access:
    - Not enforced for RI, CHECK, or UNIQUE constraints, in order to preserve data integrity
    - Require secure triggers
      - CREATE or ALTER TRIGGER with the SECURED option
      - Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
      - Trigger packages are rebound implicitly after ALTER TRIGGER
    - Require secure UDFs when a UDF is referenced in a row permission or column mask definition
      - CREATE or ALTER FUNCTION with the SECURED option
      - Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
    - Access control information is populated in the EXPLAIN tables
      - Access control can be activated on the EXPLAIN tables themselves
    - No support for MQTs and set operations
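    Slides 13 and 14 list the pieces of RCAC (row permission, column mask, secured UDFs and triggers, activation) without showing them together. The following Db2 LUW SQL is an added example, not from the slides or from IBM's documentation, that builds all of them on one table. Every name (table HR.EMPLOYEE, audit table HR.SALARY_LOG, roles HR_MANAGER and PAYROLL, function HR.IS_AUDIT_WINDOW, the USERID column that holds each employee's own authorization ID) is assumed; the statements need SECADM or the CREATE_SECURE_OBJECT privilege.

```sql
-- Added example, not from the slides. Assumed names: table HR.EMPLOYEE,
-- audit table HR.SALARY_LOG, roles HR_MANAGER and PAYROLL, secured
-- function HR.IS_AUDIT_WINDOW. Run as SECADM or a CREATE_SECURE_OBJECT
-- holder (Db2 10.1 or later).

CREATE TABLE hr.employee (
  emp_id  INTEGER      NOT NULL PRIMARY KEY,
  userid  VARCHAR(128) NOT NULL,   -- the employee's own authorization ID
  dept    CHAR(4)      NOT NULL,
  ssn     VARCHAR(11),
  salary  DECIMAL(9,2)
);

CREATE TABLE hr.salary_log (
  emp_id INTEGER, old_salary DECIMAL(9,2), new_salary DECIMAL(9,2),
  changed_by VARCHAR(128), changed_at TIMESTAMP
);

-- 1. A UDF referenced from a permission or mask must be SECURED, or the
--    CREATE PERMISSION is rejected: unsecured code would run inside the
--    access decision with the unfiltered rows in reach.
CREATE FUNCTION hr.is_audit_window ()
  RETURNS INTEGER
  LANGUAGE SQL
  NO EXTERNAL ACTION
  SECURED
  RETURN CASE WHEN HOUR(CURRENT TIME) BETWEEN 8 AND 18 THEN 1 ELSE 0 END;

-- 2. Row permission: HR_MANAGER sees every row during the audit window,
--    everyone else only their own. ENFORCED FOR ALL ACCESS covers SELECT,
--    INSERT, UPDATE, DELETE and MERGE.
CREATE PERMISSION hr.emp_rows ON hr.employee
  FOR ROWS WHERE
       (VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR_MANAGER') = 1
        AND hr.is_audit_window() = 1)
    OR userid = SESSION_USER
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- 3. Column mask: PAYROLL gets the full SSN, everyone else the last four
--    digits. The mask rewrites only the outermost subselect's output, so
--    a predicate such as WHERE ssn = '...' still compares the real value.
CREATE MASK hr.ssn_mask ON hr.employee
  FOR COLUMN ssn RETURN
    CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'PAYROLL') = 1 THEN ssn
         ELSE CAST('XXX-XX-' || SUBSTR(ssn, 8, 4) AS VARCHAR(11))
    END
  ENABLE;

-- 4. Nothing is enforced until access control is activated. Activation
--    also creates a default deny-all row permission, so a table whose
--    only ENABLED permission is that default returns no rows to anyone.
ALTER TABLE hr.employee
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- 5. Triggers on an RCAC-controlled table must be SECURED too; an
--    unsecured trigger makes every INSERT/UPDATE/DELETE on the table fail.
CREATE TRIGGER hr.salary_audit
  AFTER UPDATE OF salary ON hr.employee
  REFERENCING OLD AS o NEW AS n
  FOR EACH ROW
  SECURED
  INSERT INTO hr.salary_log
    VALUES (n.emp_id, o.salary, n.salary, SESSION_USER, CURRENT TIMESTAMP);

-- 6. Confirm what is active: SYSCAT.CONTROLS lists permissions and masks
--    with their ENABLE state; SYSCAT.TABLES carries the activation flags.
SELECT controlname, controltype, enable, enforced
  FROM syscat.controls
 WHERE tabschema = 'HR' AND tabname = 'EMPLOYEE';
```

    Unlike LBAC, the masked value is also what joins and GROUP BY see in the outer query, while inner subselects work on real values; the slide's "outermost subselect" point is the reason a mask must not be treated as encryption of the stored column.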
  • 15. Backup and Recovery
    Online backup vs. offline backup
    The target location is specified when you invoke the backup utility. This location can be:
    - A directory in the file system (for backups to disk or diskette)
    - A device (for backups to tape)
    - A Tivoli Storage Manager (TSM) server
    - Another vendor's server
    - Cloud
    IBM Tivoli Storage Manager is an enterprise-wide storage management application. It provides automated storage management services to workstations, personal computers, and file servers from various vendors, with various operating systems.
  • 16. Data Encryption
    - DB2 Native Encryption: Db2 native encryption provides a built-in encryption capability to protect database backup images and key database files from inappropriate access while they are at rest on external storage media.
    - IBM InfoSphere Guardium: IBM InfoSphere Guardium Data Encryption is a comprehensive software data security solution that, when used in conjunction with native Db2 security, provides effective protection of the data and the database application against a broad array of threats.
    - Encrypted File System (EFS): If you are running a Db2 system on the AIX operating system, you have the option to set up an encrypted database by using the AIX encrypted file system (EFS). For detailed information about EFS, see your AIX documentation.
    - SSL: The Db2 database system supports SSL, which means that a Db2 client application that also supports SSL can connect to a Db2 database by using an SSL socket. CLI, CLP, and .NET Data Provider client applications, and applications that use the IBM Data Server Driver for JDBC and SQLJ (type 4 connections), support SSL.
  • 17. Data Encryption: DB2 Native Encryption
    Highlights:
    - Encrypts online data
    - Encrypts backups
    - Transparent to the application
    - Transparent to the schema
    - Secure and transparent key management
    - Exploits hardware acceleration such as Intel AES-NI
    - FIPS 140-2 certified encryption libraries
    - NIST-compliant use of cryptography
    - Easy to deploy in the cloud, as software, or as an appliance
    - Runs wherever DB2 runs
    Key management:
    - Industry-standard two-tier model
    - Actual data is encrypted with a data encryption key (DEK)
    - The DEK is encrypted with a master key (MK)
    - The DEK is managed within the database, while the MK is managed externally
    - The MK is managed in a PKCS#12-compliant local GSKit-based keystore
  • 18. Trusted Context and Connection
    A trusted context is a new object that is defined based upon a system authorization ID and one or more sets of connection trust attributes, where each set defines at least one connection trust attribute:
    - System authorization ID
    - Connection trust attributes
    The trust relationship is based upon the following set of attributes:
    1. System authorization ID: represents the user that establishes a database connection
    2. IP address (or domain name): represents the host from which a database connection is established
    3. Data stream encryption: represents the encryption setting (if any) for the data communication between the database server and the database client
    A trusted connection allows its initiator to acquire additional capabilities that may not be available outside the scope of the trusted connection. The additional capabilities vary depending on whether the trusted connection is explicit or implicit. The initiator of an explicit trusted connection has the ability to:
    1. Switch the current user ID on the connection to a different user ID, with or without authentication
    2. Acquire additional privileges via the role inheritance feature of trusted contexts
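    The following Db2 LUW SQL is an added example, not from the slides or from IBM's documentation, of the trusted context the slide describes: a connection-pool account whose connections are trusted only when all three attributes match, a role inherited inside that trust, and a list of end users the pool may switch to. All names (pool account APPSRV, application host 192.0.2.10, roles APP_ROLE and APP_READONLY, users ALICE and BOB, table HR.EMPLOYEE) are assumed; the catalog views queried at the end are SYSCAT.CONTEXTS, SYSCAT.CONTEXTATTRIBUTES and SYSCAT.SURROGATEAUTHIDS.

```sql
-- Added example, not from the slides. Assumed names: pool account APPSRV,
-- application host 192.0.2.10, roles APP_ROLE and APP_READONLY, end users
-- ALICE and BOB. CREATE/ALTER TRUSTED CONTEXT require SECADM.

-- Privileges that should be usable only through the application tier go
-- on roles that are never granted to APPSRV, ALICE or BOB directly; they
-- are inherited only inside a trusted connection.
CREATE ROLE app_role;
CREATE ROLE app_readonly;
GRANT SELECT, INSERT, UPDATE ON TABLE hr.employee TO ROLE app_role;
GRANT SELECT ON TABLE hr.employee TO ROLE app_readonly;

CREATE TRUSTED CONTEXT ctx_appserver
  BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
  -- the three trust attributes from the slide: who connects, from where,
  -- and whether the data stream is encrypted (NONE, LOW or HIGH; HIGH
  -- requires an SSL connection)
  ATTRIBUTES (ADDRESS '192.0.2.10', ENCRYPTION 'HIGH')
  -- role inherited by every connection that matches all attributes
  DEFAULT ROLE app_role
  ENABLE
  -- who the pool may switch the connection to, and whether the switch
  -- must present that user's credentials; BOB gets a narrower role
  WITH USE FOR alice WITH AUTHENTICATION,
               bob ROLE app_readonly WITHOUT AUTHENTICATION;

-- A connection from APPSRV that misses any attribute (other address, no
-- SSL) is still accepted as an ordinary connection: no APP_ROLE and no
-- user switching. Verify what was stored:
SELECT contextname, systemauthid, defaultcontextrole, enabled
  FROM syscat.contexts
 WHERE contextname = 'CTX_APPSERVER';

SELECT attr_name, attr_value
  FROM syscat.contextattributes
 WHERE contextname = 'CTX_APPSERVER';

-- Surrogate list. AUTHENTICATE = 'N' means the server takes the
-- application's word for who the end user is, so a compromised app
-- server can act as BOB with no password. Never combine WITH USE FOR
-- PUBLIC WITHOUT AUTHENTICATION with a context role that holds real
-- privileges.
SELECT surrogateauthid, authenticate, contextrole
  FROM syscat.surrogateauthids
 WHERE trustedid = 'CTX_APPSERVER';

-- Withdraw trust without dropping the definition, e.g. during an incident.
ALTER TRUSTED CONTEXT ctx_appserver DISABLE;
```

    The user switch itself is not an SQL statement; the application performs it through the client driver (for example the trusted-connection methods of the IBM Data Server Driver for JDBC and SQLJ), and the connection then runs with the switched user's own privileges plus the context role.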
  • 19. InfoSphere Data Replication
    - Database replication solution from IBM
    - Multi-platform: Windows, Linux, Unix
    - Changes to the database are captured in real time
    - Captures inserts, updates, and deletes
    - Centralized platform
    - Low-impact capture and fast delivery of changes to the database
    - Helps reduce processing overhead by sending only changes, thereby removing the need for additional steps to detect changes
    - Reduces network traffic by sending only changed or new data instead of the entire data set
    - Has three components:
      - Change Data Capture (CDC)
      - SQL Replication: committed source changes are staged in relational tables before being replicated to target systems.
      - Q Replication: committed source changes are written into messages that are transported through MQ queues to target systems.

Editor's Notes

  1. Data Server Manager (DSM) is a tool that consolidates many of the monitoring, tuning, configuration and administration tools for DB2 and adds some nice new features as well. It allows you to do these tasks for all of your DB2 (LUW and Z) databases in one centralized tool.