© 2015 IBM Corporation
Security Best Practices for Informix
2050A
Jonathan Leffler
jleffler@us.ibm.com
Please Note:
• IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
• Server Administration
• Access to Server Files
• Connection Security
• Access to Server Data
• Audit
• Server Log
Users root and informix
• The root user can ultimately do anything
 Who knows the root password?
 How do users become root?
• The informix user is omnipotent on the IDS server
 Who knows the informix password?
 How do administrators become informix?
• sudo
• Use Role Separation as an alternative
Role Separation
• Alternative to all administrators using user informix
• Do not add users to group informix
• DBSA depends on group of INFORMIXDIR/etc
• DBSSO group depends on group of INFORMIXDIR/dbssodir
• AAO group depends on group of INFORMIXDIR/aaodir
• Backup and Recovery group — bargroup
How to Enable Role Separation
• On Windows, role separation is enabled during install
 Re-install IDS if necessary
 No other supported way of doing it
• On Unix, role separation can be set during install
 Choose the option (AAO and DBSSO only)
How to Enable Role Separation
• On Unix, role separation can be changed after install
 Change the group that owns the relevant directory:
 DBSA: $INFORMIXDIR/etc
 AAO: $INFORMIXDIR/aaodir
 DBSSO: $INFORMIXDIR/dbssodir
• Set SGID bit on the directory
• Restart IDS
 Fix permissions on oninit for the DBSA group
• chmod o+x $INFORMIXDIR/bin/oninit
 Fix group permissions on $ONCONFIG (dbsa group)
 Fix group permissions on aaodir/adtcfg (aao group)
Server File Access
• IDS depends on several files
 Server installation
 Configuration files
 Data files — chunks
• Required owner, group, mode
 World access – NO
• onsecurity utility
Server Installation and Setup
• Isolate the Data Server
 Place the data server on its own machine
• Use appropriate controls on who can access the server machine
• Use firewalls as appropriate
• Don't let arbitrary users on arbitrary machines access the server ports
 Separate the data server from application servers
• Especially web servers
 When not possible to use separate hardware
• Split client INFORMIXDIR from server
Insulate Servers from Change
• Always install new versions in a new directory
 This limits downtime
 And provides safe backout strategy
• Make sure INFORMIXDIR is a symbolic link
• Standardize the ONCONFIG file
• If you have multiple instances on a single machine
 Keep each one in a separate INFORMIXDIR
• Always deny public write access
• Usually deny public read access
Insulate Servers from Change
• Keep things that stay constant out of INFORMIXDIR
 Device files
 Log files
• Think of INFORMIXDIR as 'long-term temporary'
 It will be removed after next upgrade
Insulate Servers from Change
• DUMPDIR should not point to /tmp
• DUMPDIR big enough for 2 shared memory dumps
• Use standard names and locations for chunks
 Always use symbolic links to the actual chunks
• Ensure security of sub-directories of $INFORMIXDIR
 Also security of directories to device (chunk) directory
• Use a separate directory for user informix's home
 Do not use $INFORMIXDIR
The onsecurity Utility (UNIX and Linux)
• onsecurity utility checks the security of a file, directory, or path
• Troubleshoots security problems if any are detected
• Use the onsecurity command to:
 Check the security of the path leading to a directory or a file
 Generate diagnostic output to explain the security problems
 Generate a script that can be run by root to fix the problems
• You can use the script as generated
• Or modify it to your environment's security needs
The onsecurity Utility (UNIX and Linux)
• For special circumstances only:
• Specify that particular users, groups, or directories can be trusted:
 Add the information to files in the /etc/informix directory
• trusted.users
• trusted.groups
• trusted.insecure.directories
• Normally, you will be told that the path is secure
• If the path is secure, you do not need to do anything more
The onsecurity Utility example
• An example of onsecurity at work:
$ onsecurity /work/informix/ids-11
# !!! SECURITY PROBLEM !!!
# /work/informix/ids-11 (path is not trusted)
# Analysis:
#  User           Group           Mode  Type  Secure  Name
#    0 root          0 root        0755  DIR   YES     /
#    0 root          0 root        0755  DIR   YES     /work
#  203 unknown    8714 ccusers     0777  DIR   NO      /work/informix
#  200 informix    102 informix    0755  DIR   NO      /work/informix/ids-11
# Name: /work/informix
# Problem: owner <unknown> (uid 203) is not trusted
# Problem: group ccusers (gid 8714) is not trusted but can modify the directory
# Problem: the permissions 0777 include public write access
• The informix directory of the path /work/informix has problems:
 the owner of this directory is not a trusted user
 the group that controls the directory is not trusted
 the directory has public write access
• Possible fixes:
 Change the owner to root or informix
 Change the group to a system group or informix
 Remove public write access
• Or grant exemptions
 Dangerous, in general!
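The logic behind the report above is simple enough to reproduce. The following script is an added example, not the onsecurity utility and not code from the deck: it walks every directory component of a target path below a trusted root and reports the same three problem classes (untrusted owner, untrusted group that can modify the directory, public write access). The trust model is an assumption of the example: uid 0 and any uid in TRUSTED_UIDS are trusted owners, gid 0 and any gid in TRUSTED_GIDS are trusted groups, and the root you name is taken as already trusted. It uses GNU stat, so it runs on Linux.

```sh
#!/bin/sh
# Added example, not the onsecurity utility: report untrusted directory
# components between TRUSTED_ROOT and TARGET the way onsecurity does.
# Assumptions (hypothetical): TRUSTED_ROOT is trusted; uid 0 or a uid in
# TRUSTED_UIDS is a trusted owner; gid 0 or a gid in TRUSTED_GIDS is a
# trusted group. Requires GNU stat.

# Low three octal digits of a path's mode, e.g. 2775 -> 775
mode_of() {
    m=$(stat -c %a "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# id_trusted ID LIST: true if ID is 0 or appears in the space-separated LIST
id_trusted() {
    [ "$1" -eq 0 ] && return 0
    for t in $2; do
        [ "$1" -eq "$t" ] && return 0
    done
    return 1
}

# check_path_trust TRUSTED_ROOT TARGET
# Prints one "# Problem:" line per finding for each directory component of
# TARGET below TRUSTED_ROOT; returns the number of problems (0 = trusted).
check_path_trust() {
    root=${1%/}; rest=${2#"$root"}; rest=${rest#/}
    cur=$root; problems=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=$cur/$comp
        [ -d "$cur" ] || break        # stop at the first non-directory component
        uid=$(stat -c %u "$cur"); gid=$(stat -c %g "$cur"); mode=$(mode_of "$cur")
        if ! id_trusted "$uid" "${TRUSTED_UIDS:-}"; then
            echo "# Problem: $cur: owner (uid $uid) is not trusted"
            problems=$((problems + 1))
        fi
        # group write bit set (middle digit has the 2 bit) on an untrusted group
        case $mode in ?[2367]?)
            if ! id_trusted "$gid" "${TRUSTED_GIDS:-}"; then
                echo "# Problem: $cur: group (gid $gid) is not trusted but can modify the directory"
                problems=$((problems + 1))
            fi ;;
        esac
        # public write bit set (last digit has the 2 bit)
        case $mode in ??[2367])
            echo "# Problem: $cur: the permissions 0$mode include public write access"
            problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}

# Usage: sh check_path_trust.sh / "$INFORMIXDIR"
if [ $# -eq 2 ]; then
    check_path_trust "$1" "$2" && echo "# $2 (path is trusted)"
fi
```

Run against "/" and $INFORMIXDIR on a server whose informix uid is in TRUSTED_UIDS, a clean tree prints the trusted line and exits 0; a world-writable parent such as the /work/informix in the slide yields one problem line per finding and a non-zero exit status equal to the count.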
Security checking at server startup
• At server startup, oninit checks the security of key directories:
Subdirectory   Owner     Group     Permissions
INFORMIXDIR    informix  informix  755
bin            informix  informix  755
lib            informix  informix  755
gls            informix  informix  755
msg            informix  informix  755
etc            informix  DBSA      775
aaodir         informix  AAO       775
dbssodir       informix  DBSSO     775
tmp            informix  informix  770
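The table can be turned into a pre-flight check that runs before oninit does and, like the script onsecurity generates, prints the commands root would need to run. The script below is an added example, not the deck's code and not the check oninit itself performs. It is data-driven, so the same function can also be fed the keystore rows from the SSL slides later in this deck (ssl/server.kdb and ssl/server.sth as informix informix 660). Assumptions: GNU stat; the DBSA, AAO and DBSSO group names are site-specific and are passed as arguments; owner and groups may be given as names or as numeric ids (the numeric form lets the check run on a host without an informix account).

```sh
#!/bin/sh
# Added example, not from the deck: compare INFORMIXDIR subdirectories with
# the startup-check table and print the chown/chmod that would fix each
# mismatch. Assumptions (hypothetical): GNU stat; group names are passed in;
# names or numeric ids are both accepted for owner and group.

mode_of() { m=$(stat -c %a "$1"); printf '%s\n' "${m#"${m%???}"}"; }

# Map a user or group name to its numeric id; pass numbers through unchanged.
to_uid() { case $1 in *[!0-9]*) id -u "$1" ;; *) echo "$1" ;; esac; }
to_gid() { case $1 in *[!0-9]*) getent group "$1" | cut -d: -f3 ;; *) echo "$1" ;; esac; }

# check_perm_table DIR < table
# Each table line is: relative-path owner group mode. Only the low three
# mode digits are compared, so the SGID bit that role separation sets on
# etc, aaodir and dbssodir is not reported as a mismatch. Prints one fix
# command per mismatch and returns the number of mismatches.
check_perm_table() {
    dir=${1%/}; bad=0
    while read -r sub owner grp want; do
        [ -n "$sub" ] || continue
        case $sub in \#*) continue ;; esac
        p=$dir/$sub
        if [ ! -e "$p" ]; then
            echo "# missing: $p"; bad=$((bad + 1)); continue
        fi
        if [ "$(stat -c %u "$p")" != "$(to_uid "$owner")" ] ||
           [ "$(stat -c %g "$p")" != "$(to_gid "$grp")" ]; then
            echo "chown $owner:$grp $p"; bad=$((bad + 1))
        fi
        if [ "$(mode_of "$p")" != "$want" ]; then
            echo "chmod $want $p"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# startup_table OWNER DBSA_GROUP AAO_GROUP DBSSO_GROUP
# Emits the deck's startup-check table with the site's group names filled in
# ("." is INFORMIXDIR itself).
startup_table() {
    cat <<EOF
.        $1 $1 755
bin      $1 $1 755
lib      $1 $1 755
gls      $1 $1 755
msg      $1 $1 755
etc      $1 $2 775
aaodir   $1 $3 775
dbssodir $1 $4 775
tmp      $1 $1 770
EOF
}

# Usage: sh check_informixdir.sh "$INFORMIXDIR" informix ixdbsa ixaao ixdbsso
if [ $# -eq 5 ]; then
    startup_table "$2" "$3" "$4" "$5" | check_perm_table "$1"
fi
```

The output is deliberately a list of commands rather than an action: review it, then run it as root, exactly as the deck recommends for the script onsecurity produces.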
INFORMIXDIR permissions
• Many Informix utilities check file permissions at startup
• Errors detected at this point will be reported
 And the program will exit
• Run onsecurity with appropriate options
• Refer to Chapter 1, IBM Informix Security Guide
Backup and Restore (BAR)
• Members of bargroup are allowed to do backup and restore
 bargroup is a Unix group with a fixed name
• Backup is just as sensitive as live data
 Data has been compromised by loss of backup media
 Protect the backup copy
Connection Security
• Control who can connect to the server
 by default anyone with login access to the machine
 or a "trusted" machine (hosts.equiv, .rhosts)
• Think about using PAM
 even for UNIX type access
 can be used to deny access to certain accounts
• e.g. Linux pam_access.so
• Encrypted connections to server
 Without encryption, passwords are sent in plain text.
 ENCCSM
 SPWDCSM
 SSL
Connection Security
• Avoid using the old r-command configuration files
• Use new configuration parameters
 REMOTE_SERVER_CONFIG
• Which remote machines should be trusted
 REMOTE_USERS_CONFIG
• Which remote users should be trusted
• Instead of /etc/hosts.equiv and ~/.rhosts
Enabling Encrypted Communications
• Create or modify server entry in sqlhosts file
 server_1_enc olsoctcp host 9089 csm=(s1_enc)
• Create or modify concsm.cfg file
 s1_enc("/usr/informix/lib/csm/libixenc.so", "cipher[aes:cbc],switch[cipher:1440,key:60],mac[levels:<high,medium>,files:<builtin>]")
• Add new server alias to ONCONFIG
• Restart IDS
Enabling Encrypted Communications
• ODBC can use ENCCSM
• JDBC can use an equivalent of ENCCSM
 String url = "jdbc:informix-sqli://host:9089/sysmaster:informixserver=server_1_enc;user=bob;password=bobpass;csm=(classname=com.informix.jdbc.Crypto,config=concsm.cfg)";
• For more details, see Informix Security Guide
JCC and JDBC
• Java Common Client (JCC) provides encryption
 Using GSKit and SSL
• http://tinyurl.com/467gpr
• http://tinyurl.com/4jr4yu
• Legacy JDBC type IV driver provides encryption
 Password encryption
• SPWDCSM
 Full encryption
• ENCCSM
Setting up SSL — sqlhosts
• New communication protocol
 drsocssl — SSL for DRDA clients
 olsocssl — SSL for SQLI clients
• Also supported for server to server communications
• I-Star, HDR, ER, RSS, SDS
• Example sqlhosts file entries
 horus_31_ol_ssl olsocssl horus horus_ol_ssl
 horus_31_dr_ssl drsocssl horus horus_dr_ssl
Setting up SSL — onconfig
• SSL_KEYSTORE_LABEL
 Specifies label of server digital certificate in keystore
• If not specified in ONCONFIG, uses default label in keystore
• But default label is officially deprecated — be explicit
• SSL_KEYSTORE_LABEL ids_ssl_label
• Extra options for NETTYPE
 NETTYPE protocol, poll threads, connections, VP class
• Specify the protocol as iiippp
• Where:
– iii=[ipc|soc|tli]
– ppp=[shm|str|tcp|spx|ssl]
• NETTYPE socssl,3,50,NET
Setting up SSL — onconfig
• All encryption/decryption options performed on encrypt VPs
• Encrypt VPs configured via VPCLASS
 VPCLASS encrypt,num=5
• Support encrypted and non-encrypted connections
 DBSERVERNAME horus_31
 DBSERVERALIASES horus_31_ol_ssl,horus_31_dr_ssl
Keystores and Digital Certificates
• IBM's Global Security Kit, GSKit, is installed with Informix
 Server
 ClientSDK and Connect
• GSKit contains gsk8capicmd_64 utility
 Used to create keystores and manage digital certificates
 Needed for SSL communication
• More information on gsk8capicmd_64 at
 http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.2.0/com.ibm.IBMDS.doc/admin_gd174.htm
Keystores and Digital Certificates
• The keystore for server is password protected
• Password is stored encrypted in stash file
 Also created by gsk8capicmd_64 utility
• One keystore per server instance.
 It stores server's digital certificate
 And root CA certificates of other servers it connects to
• As in I-STAR, HDR, ER, SDS, RSS
Keystores and Digital Certificates
• The location and name of the files are fixed
 Server keystore
• $INFORMIXDIR/ssl/server.kdb
 Server password stash
• $INFORMIXDIR/ssl/server.sth
 Based on value of DBSERVERNAME
• Ownership and permissions must be correct
 User informix, group informix, 660
Setting up SSL — Client
• Client keystore stores root CA certificates
 For all servers the client connects to
• SQLI and DRDA clients can share same keystore
• Password is optional for client keystore
• Location and name of client keystore and its password stash file can be configured via new configuration file:
 $INFORMIXDIR/etc/conssl.cfg
• Note you need to set the permissions on client files correctly
Setting up SSL — Client
• Configuration parameters in conssl.cfg
 SSL_KEYSTORE_FILE
• Absolute path name for client keystore file
 SSL_KEYSTORE_STH
• Absolute path name for client stash file
• If conssl.cfg does not exist, defaults to
 $INFORMIXDIR/etc/client.kdb
 $INFORMIXDIR/etc/client.sth
• Permissions on these files should be:
 User informix, group informix, permissions 664
Access to Data
• Who creates databases?
 DBCREATE_PERMISSION
 Add a DBCREATE_PERMISSION entry
• For each user who needs to create databases
• Discretionary Access Control
 Users should be granted appropriate level of access to databases and database objects.
 Use roles for ease of administration
• GRANT privilege to role
• GRANT role to user
• GRANT default role
 Privileges can be granted at DATABASE and TABLE level
Other ONCONFIG parameters
• IFX_EXTEND_ROLE
 Controls whether administrators can use the EXTEND role to specify which users can register external routines.
• 0 Any user can register external routines
• 1 Only users granted the EXTEND role can register external routines (Default)
• DB_LIBRARY_PATH
 Specifies the locations from which Informix can use UDR or UDT shared libraries.
Other ONCONFIG parameters
• SECURITY_LOCALCONNECTION
 Specifies whether IDS performs security checking for local connections.
• 0 Off
• 1 Validate userid
• 2 Validate userid and port
• UNSECURE_ONSTAT
 Controls whether non-DBSA users are allowed to run all onstat commands.
• 0 Disabled (Default)
• 1 Enabled
Other ONCONFIG parameters
• ADMIN_USER_MODE_WITH_DBSA
 Controls who can connect to IDS in administrative mode
• 0 Only informix user (Default)
• 1 DBSAs, users specified by ADMIN_MODE_USERS, and user informix
• ADMIN_MODE_USERS
 Specifies the user names who can connect to IDS in administrative mode.
• SSL_KEYSTORE_LABEL
 The label, up to 512 characters, of the IDS certificate used in Secure Sockets Layer (SSL) protocol communications.
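These parameters are easy to check mechanically. The script below is an added example, not from the deck: it reads an ONCONFIG file and reports the settings that the preceding slides describe as weakening the server (IFX_EXTEND_ROLE 0, SECURITY_LOCALCONNECTION 0, UNSECURE_ONSTAT 1, DUMPDIR under /tmp), flags an ADMIN_USER_MODE_WITH_DBSA 1 together with its ADMIN_MODE_USERS list for review, and, because the deck calls the default keystore label deprecated, requires SSL_KEYSTORE_LABEL whenever an SSL NETTYPE is configured. The two sample ONCONFIG fragments are constructed for illustration; the WEAK/REVIEW labels and the SSL-label heuristic are this script's own conventions.

```sh
#!/bin/sh
# Added example, not from the deck: audit an ONCONFIG for the security
# parameters discussed on the slides. Expected values follow the slides;
# the sample files, labels and SSL heuristic are this script's own.

# onconfig_get FILE PARAM: value of the last uncommented PARAM line (or empty)
onconfig_get() {
    awk -v p="$2" '$1 == p { v = $2 } END { print v }' "$1"
}

# audit_onconfig FILE: prints one line per finding, returns the finding count
audit_onconfig() {
    f=$1; n=0
    flag() { echo "$1: $2"; n=$((n + 1)); }

    case $(onconfig_get "$f" IFX_EXTEND_ROLE) in
        0) flag WEAK "IFX_EXTEND_ROLE 0: any user can register external routines (default is 1)" ;;
    esac
    case $(onconfig_get "$f" SECURITY_LOCALCONNECTION) in
        0) flag WEAK "SECURITY_LOCALCONNECTION 0: local connections are not validated (use 1 or 2)" ;;
    esac
    case $(onconfig_get "$f" UNSECURE_ONSTAT) in
        1) flag WEAK "UNSECURE_ONSTAT 1: non-DBSA users may run all onstat commands (default is 0)" ;;
    esac
    case $(onconfig_get "$f" DUMPDIR) in
        /tmp|/tmp/*) flag WEAK "DUMPDIR under /tmp: shared-memory dumps would land in a public directory" ;;
    esac
    # Legitimate, but it widens who can use administrative mode: surface the
    # user list so it gets reviewed.
    case $(onconfig_get "$f" ADMIN_USER_MODE_WITH_DBSA) in
        1) flag REVIEW "ADMIN_USER_MODE_WITH_DBSA 1: admin mode open to DBSAs and ADMIN_MODE_USERS=$(onconfig_get "$f" ADMIN_MODE_USERS)" ;;
    esac
    # The default keystore label is deprecated: with an SSL NETTYPE present,
    # SSL_KEYSTORE_LABEL should be set explicitly.
    if grep -Eq '^NETTYPE[[:space:]]+[a-z]*ssl' "$f" &&
       [ -z "$(onconfig_get "$f" SSL_KEYSTORE_LABEL)" ]; then
        flag WEAK "SSL NETTYPE present but SSL_KEYSTORE_LABEL not set: relies on the deprecated default label"
    fi
    return $n
}

# Constructed sample ONCONFIG fragments (not real server configurations).
weak_onconfig() {
    cat <<'EOF'
# constructed sample: every checked parameter at its weak setting
DUMPDIR /tmp
IFX_EXTEND_ROLE 0
SECURITY_LOCALCONNECTION 0
UNSECURE_ONSTAT 1
ADMIN_USER_MODE_WITH_DBSA 1
ADMIN_MODE_USERS alice,bob
NETTYPE socssl,3,50,NET
EOF
}
hardened_onconfig() {
    cat <<'EOF'
# constructed sample: the same parameters at the settings the slides recommend
DUMPDIR /var/informix/dump
IFX_EXTEND_ROLE 1
SECURITY_LOCALCONNECTION 2
UNSECURE_ONSTAT 0
ADMIN_USER_MODE_WITH_DBSA 0
NETTYPE socssl,3,50,NET
SSL_KEYSTORE_LABEL ids_ssl_label
EOF
}

# Usage: sh audit_onconfig.sh "$INFORMIXDIR/etc/$ONCONFIG"
# With no argument, audit the two constructed samples.
if [ $# -eq 1 ]; then
    audit_onconfig "$1" || echo "# $? finding(s) in $1"
elif [ $# -eq 0 ]; then
    for s in weak hardened; do
        tmp=$(mktemp); ${s}_onconfig >"$tmp"
        echo "== $s sample =="
        audit_onconfig "$tmp" || echo "# $? finding(s)"
        rm -f "$tmp"
    done
fi
```

The weak sample produces six findings and the hardened one none; the exit status carries the count so the script can gate a deployment pipeline.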
Column Level Encryption (CLE)
• Column-level encryption stores sensitive data as encrypted strings
• Use it to selectively encrypt sensitive data
 Such as credit card numbers
• Only users who can provide the password can decrypt the data
• Use the ENCRYPT_AES() and ENCRYPT_TDES() functions to encrypt data in columns
• You can sometimes use SET ENCRYPTION PASSWORD
 To set an encryption password for a session
• INSERT INTO tab1(ssn) VALUES (ENCRYPT_AES('111-22-3333', 'password'));
• SELECT DECRYPT_CHAR(ssn, 'password') FROM tab1;
Label Based Access Control – LBAC
• Label-based access control (LBAC)
 Enterprise Edition only
 An implementation of multi-level security (MLS)
 You control who has read access and who has write access
• To individual rows and columns of data
• MLS systems process information with different security levels
 Permit simultaneous access by users with different security clearances
 Allow users access only to information for which they have authorization
Label Based Access Control – LBAC
• Create Security Policy and attach it to a table
• Create Security Labels and attach labels to data
• Grant labels to users
• Users can only access data with labels that "match" theirs
Audit
• Audit allows you to keep a log of important server events
• You should enable IDS auditing
 Decide which events need to be audited
 Decide which users need to be audited
• Audit the DBSA
 Set up appropriate audit masks
• Examine the audit logs for unexpected events
 onshowaudit
• Save the audit logs
 Easily compressible
 Event generated when change to next audit log file
• Protect the audit logs carefully
IDS Server Log
• Lots of valuable information is written to the server log
 Failed login attempts
 Audit Mode changes
 Audit log file changes
• But you have to look!
 Be sure to monitor its contents
IBM Data Server Security Blueprint
IDS Security Guide
• Read and follow the IDS Security Guide
Questions?
We Value Your Feedback!
Don't forget to submit your Insight session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference.
Access the Insight Conference Connect tool at insight2015survey.com to quickly submit your surveys from your smartphone, laptop or conference kiosk.
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form
without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for
accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to
update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO
EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO,
LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted
according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as
illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other
results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services
available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the
views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or
other guidance or advice to any individual participant or their specific situation.
It is the customer's responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the
identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the
customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will
ensure that the customer is in compliance with any law.
Notices and Disclaimers (cont'd)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly
available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document
Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM
SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,
OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ,
Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at:
www.ibm.com/legal/copytrade.shtml.
iOS Application Pentesting
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Webinar NETGEAR - Acronis e Netgear per le Aziende - Acronis backup 12 e ReadyDR
Webinar NETGEAR - Acronis e Netgear per le Aziende - Acronis backup 12 e ReadyDRWebinar NETGEAR - Acronis e Netgear per le Aziende - Acronis backup 12 e ReadyDR
Webinar NETGEAR - Acronis e Netgear per le Aziende - Acronis backup 12 e ReadyDR
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric Vanderburg
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
Deploying FuseMQ with Fuse Fabric
Deploying FuseMQ with Fuse FabricDeploying FuseMQ with Fuse Fabric
Deploying FuseMQ with Fuse Fabric
 

More from IBM_Info_Management

World of Watson - DB2 for Linux, UNIX and Windows Roadmap
World of Watson - DB2 for Linux, UNIX and Windows RoadmapWorld of Watson - DB2 for Linux, UNIX and Windows Roadmap
World of Watson - DB2 for Linux, UNIX and Windows Roadmap
IBM_Info_Management
 
Choosing the right platform for your Internet -of-Things solution
Choosing the right platform for your Internet -of-Things solutionChoosing the right platform for your Internet -of-Things solution
Choosing the right platform for your Internet -of-Things solution
IBM_Info_Management
 
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
IBM_Info_Management
 
Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...
Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...
Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...
IBM_Info_Management
 
IBM Internet-of-Things architecture and capabilities
IBM Internet-of-Things architecture and capabilitiesIBM Internet-of-Things architecture and capabilities
IBM Internet-of-Things architecture and capabilities
IBM_Info_Management
 
Highly successful performance tuning of an informix database
Highly successful performance tuning of an informix databaseHighly successful performance tuning of an informix database
Highly successful performance tuning of an informix database
IBM_Info_Management
 
Developing hybrid applications with informix
Developing hybrid applications with informixDeveloping hybrid applications with informix
Developing hybrid applications with informix
IBM_Info_Management
 
Always on high availability best practices for informix
Always on high availability best practices for informixAlways on high availability best practices for informix
Always on high availability best practices for informix
IBM_Info_Management
 
End-to-end solution demonstration: From concept to delivery-Intel/IBM
End-to-end solution demonstration: From concept to delivery-Intel/IBMEnd-to-end solution demonstration: From concept to delivery-Intel/IBM
End-to-end solution demonstration: From concept to delivery-Intel/IBM
IBM_Info_Management
 
Business value Drivers for IoT Solutions
Business value Drivers for IoT SolutionsBusiness value Drivers for IoT Solutions
Business value Drivers for IoT Solutions
IBM_Info_Management
 
Ibm_IoT_Architecture_and_Capabilities
Ibm_IoT_Architecture_and_CapabilitiesIbm_IoT_Architecture_and_Capabilities
Ibm_IoT_Architecture_and_Capabilities
IBM_Info_Management
 

More from IBM_Info_Management (11)

World of Watson - DB2 for Linux, UNIX and Windows Roadmap
World of Watson - DB2 for Linux, UNIX and Windows RoadmapWorld of Watson - DB2 for Linux, UNIX and Windows Roadmap
World of Watson - DB2 for Linux, UNIX and Windows Roadmap
 
Choosing the right platform for your Internet -of-Things solution
Choosing the right platform for your Internet -of-Things solutionChoosing the right platform for your Internet -of-Things solution
Choosing the right platform for your Internet -of-Things solution
 
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
 
Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...
Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...
Informix on ARM and informix Timeseries - producing an Internet-of-Things sol...
 
IBM Internet-of-Things architecture and capabilities
IBM Internet-of-Things architecture and capabilitiesIBM Internet-of-Things architecture and capabilities
IBM Internet-of-Things architecture and capabilities
 
Highly successful performance tuning of an informix database
Highly successful performance tuning of an informix databaseHighly successful performance tuning of an informix database
Highly successful performance tuning of an informix database
 
Developing hybrid applications with informix
Developing hybrid applications with informixDeveloping hybrid applications with informix
Developing hybrid applications with informix
 
Always on high availability best practices for informix
Always on high availability best practices for informixAlways on high availability best practices for informix
Always on high availability best practices for informix
 
End-to-end solution demonstration: From concept to delivery-Intel/IBM
End-to-end solution demonstration: From concept to delivery-Intel/IBMEnd-to-end solution demonstration: From concept to delivery-Intel/IBM
End-to-end solution demonstration: From concept to delivery-Intel/IBM
 
Business value Drivers for IoT Solutions
Business value Drivers for IoT SolutionsBusiness value Drivers for IoT Solutions
Business value Drivers for IoT Solutions
 
Ibm_IoT_Architecture_and_Capabilities
Ibm_IoT_Architecture_and_CapabilitiesIbm_IoT_Architecture_and_Capabilities
Ibm_IoT_Architecture_and_Capabilities
 

Recently uploaded

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 

Recently uploaded (20)

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 

Security best practices for informix

Role Separation
• Alternative to all administrators using user informix
• Do not add users to group informix
• DBSA depends on group of INFORMIXDIR/etc
• DBSSO group depends on group of INFORMIXDIR/dbssodir
• AAO group depends on group of INFORMIXDIR/aaodir
• Backup and Recovery group — bargroup

How to Enable Role Separation
• On Windows, role separation is enabled during install
  - Re-install IDS if necessary
  - No other supported way of doing it
• On Unix, role separation can be set during install
  - Choose the option (AAO and DBSSO only)

How to Enable Role Separation
• On Unix, role separation can be changed after install
  - DBSA: etc
  - AAO: aaodir
  - DBSSO: dbssodir
  - Change the group that owns the relevant directory
    • Set the SGID bit on the directory
    • Restart IDS
  - Fix permissions on oninit for the DBSA group
    • chmod o+x $INFORMIXDIR/bin/oninit
  - Fix group permissions on $ONCONFIG (dbsa group)
  - Fix group permissions on aaodir/adtcfg (aao group)

Server File Access
• IDS depends on several files
  - Server installation
  - Configuration files
  - Data files — chunks
• Required owner, group, mode
  - World access – NO
• onsecurity utility
Server Installation and Setup
• Isolate the Data Server
  - Place the data server on its own machine
    • Use appropriate controls on who can access the server machine
    • Use firewalls as appropriate
    • Don't let arbitrary users on arbitrary machines access the server ports
  - Separate the data server from application servers
    • Especially web servers
  - When it is not possible to use separate hardware
    • Split the client INFORMIXDIR from the server's

Insulate Servers from Change
• Always install new versions in a new directory
  - This limits downtime
  - And provides a safe backout strategy
• Make sure INFORMIXDIR is a symbolic link
• Standardize the ONCONFIG file
• If you have multiple instances on a single machine
  - Keep each one in a separate INFORMIXDIR
• Always deny public write access
• Usually deny public read access

Insulate Servers from Change
• Keep things that stay constant out of INFORMIXDIR
  - Device files
  - Log files
• Think of INFORMIXDIR as 'long-term temporary'
  - It will be removed after the next upgrade

Insulate Servers from Change
• DUMPDIR should not point to /tmp
• DUMPDIR should be big enough for 2 shared memory dumps
• Use standard names and locations for chunks
  - Always use symbolic links to the actual chunks
• Ensure the security of sub-directories of $INFORMIXDIR
  - Also the security of the directories leading to the device (chunk) directory
• Use a separate directory for user informix's home
  - Do not use $INFORMIXDIR
The onsecurity Utility (UNIX and Linux)
• The onsecurity utility checks the security of a file, directory, or path
• It troubleshoots security problems if any are detected
• Use the onsecurity command to:
  - Check the security of the path leading to a directory or a file
  - Generate diagnostic output to explain the security problems
  - Generate a script that can be run by root to fix the problems
    • You can use the script as generated
    • Or modify it to your environment's security needs

The onsecurity Utility (UNIX and Linux)
• For special circumstances only:
• Specify that particular users, groups, or directories can be trusted:
  - Add the information to files in the /etc/informix directory
    • trusted.users
    • trusted.groups
    • trusted.insecure.directories
• Normally, you will be told that the path is secure
• If the path is secure, you do not need to do anything more

An example of onsecurity at work

$ onsecurity /work/informix/ids-11
# !!! SECURITY PROBLEM !!!
# /work/informix/ids-11 (path is not trusted)
# Analysis:
#  User           Group          Mode  Type  Secure  Name
#    0 root          0 root      0755  DIR   YES     /
#    0 root          0 root      0755  DIR   YES     /work
#  203 unknown    8714 ccusers   0777  DIR   NO      /work/informix
#  200 informix    102 informix  0755  DIR   NO      /work/informix/ids-11
# Name: /work/informix
# Problem: owner <unknown> (uid 203) is not trusted
# Problem: group ccusers (gid 8714) is not trusted but can modify the directory
# Problem: the permissions 0777 include public write access

The onsecurity Utility example
• The informix directory of the path /work/informix has problems:
  - the owner of this directory is not a trusted user
  - the group that controls the directory is not trusted
  - the directory has public write access
• Possible fixes:
  - Change the owner to root or informix
  - Change the group to a system group or informix
  - Remove public write access
• Or grant exemptions
  - Dangerous, in general!
Security checking at server startup
• At server startup, oninit checks the security of key directories:

  Subdirectory   Owner     Group     Permissions
  INFORMIXDIR    informix  informix  755
  bin            informix  informix  755
  lib            informix  informix  755
  gls            informix  informix  755
  msg            informix  informix  755
  etc            informix  DBSA      775
  aaodir         informix  AAO       775
  dbssodir       informix  DBSSO     775
  tmp            informix  informix  770

INFORMIXDIR permissions
• Many Informix utilities check file permissions at startup
• Errors detected at this point will be reported
  - And the program will exit
• Run onsecurity with appropriate options
• Refer to Chapter 1, IBM Informix Security Guide

Backup and Restore (BAR)
• Members of bargroup are allowed to do backup and restore
  - bargroup is a Unix group with a fixed name
• Backup is just as sensitive as live data
  - Data has been compromised by loss of backup media
  - Protect the backup copy
Connection Security
• Control who can connect to the server
  - By default, anyone with login access to the machine
  - Or a "trusted" machine (hosts.equiv, .rhosts)
• Think about using PAM
  - Even for UNIX-type access
  - Can be used to deny access to certain accounts
    • e.g. Linux pam_access.so
• Encrypted connections to the server
  - Without encryption, passwords are sent in plain text
  - ENCCSM
  - SPWDCSM
  - SSL

Connection Security
• Avoid using the old r-command configuration files
• Use the new configuration parameters
  - REMOTE_SERVER_CONFIG
    • Which remote machines should be trusted
  - REMOTE_USERS_CONFIG
    • Which remote users should be trusted
• Instead of /etc/hosts.equiv and ~/.rhosts

Enabling Encrypted Communications
• Create or modify the server entry in the sqlhosts file
  - server_1_enc olsoctcp host 9089 csm=(s1_enc)
• Create or modify the concsm.cfg file
  - s1_enc("/usr/informix/lib/csm/libixenc.so", "cipher[aes:cbc],timeout[cipher:1440,key=60],mac[levels:<high,medium>,files:<builtin>]")
• Add the new server alias to ONCONFIG
• Restart IDS

Enabling Encrypted Communications
• ODBC can use ENCCSM
• JDBC can use an equivalent of ENCCSM
  - String Url = "jdbc:informix-sqli://host:9089/sysmaster:informixserver=server_1_enc;user=bob;password=bobpass;csm=(classname=com.informix.jdbc.Crypto,config=concsm.cfg)";
• For more details, see the Informix Security Guide

JCC and JDBC
• Java Common Client (JCC) provides encryption
  - Using GSKit and SSL
    • http://tinyurl.com/467gpr
    • http://tinyurl.com/4jr4yu
• Legacy JDBC type IV driver provides encryption
  - Password encryption
    • SPWDCSM
  - Full encryption
    • ENCCSM
Setting up SSL — sqlhosts
• New communication protocols
  - drsocssl — SSL for DRDA clients
  - olsocssl — SSL for SQLI clients
• Also supported for server-to-server communications
  - I-Star, HDR, ER, RSS, SDS
• Example sqlhosts file entries
  - horus_31_ol_ssl olsocssl horus horus_ol_ssl
  - horus_31_dr_ssl drsocssl horus horus_dr_ssl

Setting up SSL — onconfig
• SSL_KEYSTORE_LABEL
  - Specifies the label of the server's digital certificate in the keystore
    • If not specified in ONCONFIG, the default label in the keystore is used
    • But the default label is officially deprecated — be explicit
    • SSL_KEYSTORE_LABEL ids_ssl_label
• Extra options for NETTYPE
  - NETTYPE protocol, poll threads, connections, VP class
    • Specify the protocol as iiippp
    • Where:
      - iii = [ipc|soc|tli]
      - ppp = [shm|str|tcp|spx|ssl]
    • NETTYPE socssl, 3, 50, NET

Setting up SSL — onconfig
• All encryption/decryption operations are performed on encrypt VPs
• Encrypt VPs are configured via VPCLASS
  - VPCLASS encrypt,num=5
• Support encrypted and non-encrypted connections
  - DBSERVERNAME horus_31
  - DBSERVERALIASES horus_31_ol_ssl,horus_31_dr_ssl

Keystores and Digital Certificates
• IBM's Global Security Kit, GSKit, is installed with Informix
  - Server
  - ClientSDK and Connect
• GSKit contains the gsk8capicmd_64 utility
  - Used to create keystores and manage digital certificates
  - Needed for SSL communication
• More information on gsk8capicmd_64 at
  - http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.2.0/com.ibm.IBMDS.doc/admin_gd174.htm

Keystores and Digital Certificates
• The keystore for the server is password protected
• The password is stored encrypted in a stash file
  - Also created by the gsk8capicmd_64 utility
• One keystore per server instance
  - It stores the server's digital certificate
  - And the root CA certificates of other servers it connects to
    • As in I-STAR, HDR, ER, SDS, RSS

Keystores and Digital Certificates
• The location and name of the files are fixed
  - Server keystore
    • $INFORMIXDIR/ssl/server.kdb
  - Server password stash
    • $INFORMIXDIR/ssl/server.sth
  - Based on the value of DBSERVERNAME
• Ownership and permissions must be correct
  - User informix, group informix, 660

Setting up SSL — Client
• The client keystore stores root CA certificates
  - For all servers the client connects to
• SQLI and DRDA clients can share the same keystore
• A password is optional for the client keystore
• The location and name of the client keystore and its password stash file can be configured via a new configuration file:
  - $INFORMIXDIR/etc/conssl.cfg
• Note that you need to set the permissions on the client files correctly

Setting up SSL — Client
• Configuration parameters in conssl.cfg
  - SSL_KEYSTORE_FILE
    • Absolute path name for the client keystore file
  - SSL_KEYSTORE_STH
    • Absolute path name for the client stash file
• If conssl.cfg does not exist, the defaults are
  - $INFORMIXDIR/etc/client.kdb
  - $INFORMIXDIR/etc/client.sth
• Permissions on these files should be:
  - User informix, group informix, permissions 664
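An added permission audit, not IBM's onsecurity utility and not part of the deck: it checks an INFORMIXDIR tree against the owner/group/mode table from the "Security checking at server startup" slide, accepts the SGID bit that role separation puts on etc, aaodir and dbssodir, and also checks the server keystore/stash (660) and default client keystore files (664) from the SSL slides. It assumes GNU coreutils stat on Linux; the user and group names are parameters so the check can run on a constructed sample tree owned by whoever runs it.

```shell
#!/bin/sh
# Added example, not IBM's onsecurity: audit an INFORMIXDIR tree against the
# owner/group/mode table on the "Security checking at server startup" slide
# and the keystore file permissions on the "Keystores and Digital
# Certificates" and "Setting up SSL - Client" slides. Assumes GNU coreutils
# stat (Linux). User and group names are parameters so the same check can run
# on a sample tree owned by whoever runs it.

# require_perms PATH OWNER GROUP MODE: compare one path with its required
# ownership and permission bits; each mismatch prints one line and counts one.
require_perms() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ ! -e "$path" ]; then
        echo "PROBLEM: $path is missing"
        problems=$((problems + 1))
        return
    fi
    set -- $(stat -c '%U %G %a' "$path")
    have_owner=$1 have_group=$2 have_mode=$3
    # stat prints four digits when a setuid/setgid/sticky bit is set; the
    # SGID bit role separation puts on etc, aaodir and dbssodir is accepted.
    case "$have_mode" in ????) have_mode=${have_mode#?} ;; esac
    if [ "$have_owner" != "$want_owner" ]; then
        echo "PROBLEM: $path owner is $have_owner, expected $want_owner"
        problems=$((problems + 1))
    fi
    if [ "$have_group" != "$want_group" ]; then
        echo "PROBLEM: $path group is $have_group, expected $want_group"
        problems=$((problems + 1))
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "PROBLEM: $path mode is $have_mode, expected $want_mode"
        problems=$((problems + 1))
    fi
}

# check_informixdir DIR [OWNER] [DBSA_GROUP] [AAO_GROUP] [DBSSO_GROUP]
# Prints one PROBLEM line per mismatch; returns 0 only when there are none.
# OWNER defaults to informix; the groups default to OWNER, which is the
# layout without role separation.
check_informixdir() {
    dir=$1
    owner=${2:-informix}
    dbsa=${3:-$owner} aao=${4:-$owner} dbsso=${5:-$owner}
    problems=0
    # Directory table from the slide (INFORMIXDIR itself is the "." row).
    while read -r sub want_group want_mode; do
        [ -n "$sub" ] || continue
        require_perms "$dir/$sub" "$owner" "$want_group" "$want_mode"
    done <<EOF
. $owner 755
bin $owner 755
lib $owner 755
gls $owner 755
msg $owner 755
etc $dbsa 775
aaodir $aao 775
dbssodir $dbsso 775
tmp $owner 770
EOF
    # Server keystore and stash (named after DBSERVERNAME) must be
    # informix:informix 660; the default client keystore files, when
    # present, informix:informix 664.
    for f in "$dir"/ssl/*.kdb "$dir"/ssl/*.sth; do
        if [ -e "$f" ]; then require_perms "$f" "$owner" "$owner" 660; fi
    done
    for f in "$dir"/etc/client.kdb "$dir"/etc/client.sth; do
        if [ -e "$f" ]; then require_perms "$f" "$owner" "$owner" 664; fi
    done
    [ "$problems" -eq 0 ]
}

# make_sample_tree DIR GROUP: build a constructed, correctly laid out tree
# (owned by the caller) so the check can be exercised without an install.
make_sample_tree() {
    for s in bin lib gls msg etc aaodir dbssodir tmp ssl; do mkdir -p "$1/$s"; done
    chgrp -R "$2" "$1"
    chmod 755 "$1" "$1/bin" "$1/lib" "$1/gls" "$1/msg" "$1/ssl"
    chmod 2775 "$1/etc" "$1/aaodir" "$1/dbssodir"   # SGID, as in role separation
    chmod 770 "$1/tmp"
    touch "$1/ssl/server.kdb" "$1/ssl/server.sth"   # "server" stands for DBSERVERNAME
    chmod 660 "$1/ssl/server.kdb" "$1/ssl/server.sth"
}

# Run directly as: sh check_informixdir.sh "$INFORMIXDIR" informix dbsa aao dbsso
if [ "$#" -gt 0 ]; then
    check_informixdir "$@"
fi
```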
  • 33. 32 Access to Data • Who creates databases?  DBCREATE_PERMISSION  Add a DBCREATE_PERMISSION entry • For each user who needs to create databases • Discretionary Access Control  Users should be granted appropriate level of access to databases and database objects.  Use roles for ease of administration • GRANT privilege to role • GRANT role to user • GRANT default role  Privileges can be granted at DATABASE and TABLE level
  • 34. 33 Other ONCONFIG parameters • IFX_EXTEND_ROLE  Controls whether administrators can use the EXTEND role to specify which users can register external routines. • 0 Any user can register external routines • 1 Only users granted the EXTEND role can register external routines (Default) • DB_LIBRARY_PATH  Specifies the locations from which Informix can use UDR or UDT shared libraries.
  • 35. 34 Other ONCONFIG parameters • SECURITY_LOCALCONNECTION  Specifies whether IDS performs security checking for local connections. • 0 Off • 1 Validate userid • 2 Validate userid and port • UNSECURE_ONSTAT  Controls whether non-DBSA users are allowed to run all onstat commands. • 0 Disabled (Default) • 1 Enabled
Other ONCONFIG parameters
• ADMIN_USER_MODE_WITH_DBSA
 Controls who can connect to IDS in administrative mode
• 0 Only informix user (Default)
• 1 DBSAs, users specified by ADMIN_MODE_USERS, and user informix
• ADMIN_MODE_USERS
 Specifies the user names who can connect to IDS in administrative mode.
• SSL_KEYSTORE_LABEL
 The label, up to 512 characters, of the IDS certificate used in Secure Sockets Layer (SSL) protocol communications.
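The ONCONFIG parameters on the last four slides (DBCREATE_PERMISSION, IFX_EXTEND_ROLE, SECURITY_LOCALCONNECTION, UNSECURE_ONSTAT, ADMIN_USER_MODE_WITH_DBSA, ADMIN_MODE_USERS) are the ones worth re-checking after every upgrade or config change. The script below is an added example for this page, not part of Informix: it reads an ONCONFIG file, applies the defaults the slides state where a parameter is unset, and reports the permissive values the slides describe. The sample ONCONFIG fragment it generates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Informix tooling): review security-related ONCONFIG
# parameters against the values discussed on the slides.

# onconfig_value FILE PARAM [DEFAULT]
# Prints the last uncommented value of PARAM in FILE, or DEFAULT if unset.
onconfig_value() {
  v=$(awk -v p="$2" '$1 == p {val = $2} END {print val}' "$1")
  if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# review_onconfig FILE
# Prints FINDING/NOTE/INFO lines; returns the number of FINDING lines.
# Defaults used for unset parameters are those stated on the slides.
review_onconfig() {
  f=$1; n=0
  if [ "$(onconfig_value "$f" UNSECURE_ONSTAT 0)" = 1 ]; then
    echo "FINDING UNSECURE_ONSTAT=1: non-DBSA users can run all onstat commands"
    n=$((n + 1))
  fi
  if [ "$(onconfig_value "$f" IFX_EXTEND_ROLE 1)" = 0 ]; then
    echo "FINDING IFX_EXTEND_ROLE=0: any user can register external routines"
    n=$((n + 1))
  fi
  if [ "$(onconfig_value "$f" ADMIN_USER_MODE_WITH_DBSA 0)" = 1 ]; then
    echo "NOTE ADMIN_USER_MODE_WITH_DBSA=1: DBSAs and ADMIN_MODE_USERS ($(onconfig_value "$f" ADMIN_MODE_USERS '')) may connect in administrative mode"
  fi
  lc=$(onconfig_value "$f" SECURITY_LOCALCONNECTION unset)
  if [ "$lc" = 0 ]; then
    echo "FINDING SECURITY_LOCALCONNECTION=0: local connections are not validated"
    n=$((n + 1))
  elif [ "$lc" = unset ]; then
    echo "NOTE SECURITY_LOCALCONNECTION not set in file; confirm the effective value on the server"
  fi
  # DBCREATE_PERMISSION may appear once per user; collect all entries.
  users=$(awk '$1 == "DBCREATE_PERMISSION" {u = u (u ? " " : "") $2} END {print u}' "$f")
  if [ -z "$users" ]; then
    echo "NOTE no DBCREATE_PERMISSION entries: database creation is not limited to named users"
  else
    echo "INFO DBCREATE_PERMISSION users: $users"
  fi
  return $n
}

# make_sample_onconfig FILE: constructed ONCONFIG fragment for demonstration.
make_sample_onconfig() {
  cat > "$1" <<'EOF'
# Constructed ONCONFIG fragment (not a real server's file)
DBSERVERNAME ol_demo
UNSECURE_ONSTAT 1
IFX_EXTEND_ROLE 1
ADMIN_USER_MODE_WITH_DBSA 1
ADMIN_MODE_USERS dba1,dba2
SECURITY_LOCALCONNECTION 2
DBCREATE_PERMISSION informix
DBCREATE_PERMISSION appowner
EOF
}

# On a server host: review_onconfig "$INFORMIXDIR/etc/$ONCONFIG"
```

The exit status is the number of FINDING lines, so the script drops straight into a monitoring check; NOTE lines are for a human to confirm rather than conditions the slides define as wrong.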
Column Level Encryption (CLE)
• Column-level encryption stores sensitive data as encrypted strings
• Use it to selectively encrypt sensitive data
 Such as credit card numbers
• Only users who can provide the password can decrypt the data
• Use the ENCRYPT_AES() and ENCRYPT_TDES() functions to encrypt data in columns
• You can sometimes use SET ENCRYPTION PASSWORD
 To set an encryption password for a session
• INSERT INTO tab1(ssn) VALUES (ENCRYPT_AES("111-22-3333", "password"));
• SELECT DECRYPT_CHAR(ssn, "password") FROM tab1;
Label Based Access Control – LBAC
• Label-based access control (LBAC)
 Enterprise Edition only
 An implementation of multi-level security (MLS)
 You control who has read access and who has write access
• To individual rows and columns of data
• MLS systems process information with different security levels
 Permit simultaneous access by users with different security clearances
 Allow users access only to information for which they have authorization
Label Based Access Control – LBAC
• Create Security Policy and attach it to a table
• Create Security Labels and attach labels to data
• Grant labels to users
• Users can only access data with labels that "match" theirs
Audit
• Audit allows you to keep a log of important server events
• You should enable IDS auditing
 Decide which events need to be audited
 Decide which users need to be audited
• Audit the DBSA
 Set up appropriate Audit Masks
• Examine the audit logs for unexpected events
 onshowaudit
• Save the audit logs
 Easily compressible
 Event generated when change to next audit log file
• Protect the audit logs carefully
IDS Server Log
• Lots of valuable information is written to the server log
 Failed login attempts
 Audit Mode changes
 Audit log file changes
• But you have to look!
 Be sure to monitor its contents
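"You have to look" is the point of the slide above, and failed login attempts are the easiest thing in the server log to look for. The script below is an added example for this page, not an IBM or Informix tool. It assumes failed logins appear in online.log as listener-thread lines carrying error -951 with an "errstr = user@host:" field; that format is the author's recollection, so compare it with a real line from your own log before relying on the pattern. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not Informix tooling): summarise failed login attempts from
# the Informix server message log. Assumed line format (verify locally):
#   HH:MM:SS  listener-thread: err = -951: oserr = 0: errstr = user@host: ...

# make_sample_log FILE: constructed online.log excerpt for demonstration.
make_sample_log() {
  cat > "$1" <<'EOF'
10:01:02  Checkpoint Completed:  duration was 0 seconds.
10:02:11  listener-thread: err = -951: oserr = 0: errstr = jdoe@client1: Incorrect password or user jdoe@client1 is not known on the database server.
10:02:14  listener-thread: err = -951: oserr = 0: errstr = jdoe@client1: Incorrect password or user jdoe@client1 is not known on the database server.
10:02:19  listener-thread: err = -951: oserr = 0: errstr = jdoe@client1: Incorrect password or user jdoe@client1 is not known on the database server.
10:15:40  listener-thread: err = -951: oserr = 0: errstr = alice@host2: Incorrect password or user alice@host2 is not known on the database server.
10:20:00  Logical Log 12 Complete, timestamp: 0x1234.
EOF
}

# failed_logins_by_user LOGFILE...
# Prints "count user@host", most frequent first. Only -951 lines are counted;
# everything else in the log is ignored.
failed_logins_by_user() {
  grep -h 'err = -951' "$@" \
    | sed -n 's/.*errstr = \([^:]*\):.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# flag_login_bursts THRESHOLD LOGFILE...
# Prints the user@host identities with more than THRESHOLD failures, i.e.
# the entries worth a follow-up rather than the whole table.
flag_login_bursts() {
  t=$1; shift
  failed_logins_by_user "$@" | awk -v t="$t" '$1 > t {print $2}'
}

# On a server host (log path from ONCONFIG MSGPATH), for example:
#   flag_login_bursts 5 /path/to/online.log
```

Because the log rotates and grows, run this over the current file and the most recent rotated copy together; the functions accept several files and count across all of them.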
IBM Data Server Security Blueprint
IDS Security Guide
• Read and follow the IDS Security Guide
© 2015 IBM Corporation
Questions?
Best Security Practices for Informix
We Value Your Feedback!
Don't forget to submit your Insight session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference. Access the Insight Conference Connect tool at insight2015survey.com to quickly submit your surveys from your smartphone, laptop or conference kiosk.
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (cont'd)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
© 2015 IBM Corporation
Thank You