This document discusses new security features in IBM Informix Dynamic Server (IDS), including mapped users, trusted context, and selective row-level auditing. Mapped users allow authenticating external users without an operating system account by mapping them to an existing OS user or database-defined UID/GID pair. Trusted context allows reusing a database connection for a different user without establishing a new connection. Selective row-level auditing provides more granular auditing capabilities.
Resource Access Control Facility (RACF) in Mainframes, by Aayush Singh
This document provides an overview of RACF (Resource Access Control Facility), an IBM product that controls access to system resources on z/OS. It describes the different types of profiles (user, group, dataset, generic) stored in the RACF database and the commands used to manage them. Authorities like SPECIAL, OPERATIONS, and AUDITOR are assigned to users and groups. RACF enforces access based on these profiles, can revoke user IDs, and can protect resources from unauthorized access.
The document discusses security best practices for businesses. It recommends taking a holistic approach to security that involves training, systems for verification of identity and information, and controlling communications. The threats to businesses include bots, phishing, malware, and identity theft. To improve security, businesses should create risk reduction programs led by leaders, secure internal operations through data and staff controls, and continuously monitor, review, and evolve security systems. The new approach to security should define what is normal and look for abnormalities rather than just focusing on what should not be allowed.
J. J. Keller's Training certificate confirms that Bagavdin Akhmedov completed their online Hazmat Security Awareness course on 9/22/2014 and scored 92% on the final exam. The certificate is issued to P B Industries Inc. located in City, State, Zip and notes that course completion does not guarantee competency, only that the training was finished.
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312, by Phil Agcaoili
The document announces a monthly chapter call for the Cloud Security Alliance to discuss security issues and initiatives. It provides the date, time, call-in information, and encourages submitting agenda item ideas on the CSA website for the upcoming call. The call will provide updates from the CSA and an open forum for chapters to discuss activities and address any concerns.
Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she works on a broad range of digital civil liberties issues including computer security, electronic privacy, free expression, and copyright. She is also a non-residential fellow at the Stanford Law School Center for Internet and Society and an adjunct professor at the University of California Hastings College of the Law. She tweets about law and technology issues at @marciahofmann.
Proving Properties of Security Protocols by Induction, by Lawrence Paulson
This document describes an inductive approach for proving the security of cryptographic protocols. It defines operations like parts, analz, and synth to symbolically represent message components and encryption/decryption. It shows how protocols can be modeled as traces of events and defined inductively. Properties like regularity, unicity, and secrecy are proved by simplifying formulas with the defined operations. The approach is applied to prove guarantees for variants of protocols like Otway-Rees and Yahalom.
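As an added illustration (these are Paulson's standard inductive definitions restated here, not text from the slides), the three operators mentioned above, written as introduction rules over a set of messages H. Notation follows the paper: {|X, Y|} is a message pair, Crypt K X is X encrypted under K, and K^{-1} is the inverse key (K itself for symmetric keys). parts H over-approximates everything that could ever be learned from H, analz H is what an attacker holding H can actually extract, and synth H is what that attacker can forge.

```latex
\begin{array}{ll}
\textbf{parts}\,H: &
\dfrac{X \in H}{X \in \mathrm{parts}\,H} \qquad
\dfrac{\{\!|X, Y|\!\} \in \mathrm{parts}\,H}{X \in \mathrm{parts}\,H} \qquad
\dfrac{\{\!|X, Y|\!\} \in \mathrm{parts}\,H}{Y \in \mathrm{parts}\,H} \qquad
\dfrac{\mathrm{Crypt}\,K\,X \in \mathrm{parts}\,H}{X \in \mathrm{parts}\,H}
\\[2ex]
\textbf{analz}\,H: &
\dfrac{X \in H}{X \in \mathrm{analz}\,H} \qquad
\dfrac{\{\!|X, Y|\!\} \in \mathrm{analz}\,H}{X \in \mathrm{analz}\,H} \qquad
\dfrac{\{\!|X, Y|\!\} \in \mathrm{analz}\,H}{Y \in \mathrm{analz}\,H} \qquad
\dfrac{\mathrm{Crypt}\,K\,X \in \mathrm{analz}\,H \quad \mathrm{Key}\,K^{-1} \in \mathrm{analz}\,H}{X \in \mathrm{analz}\,H}
\\[2ex]
\textbf{synth}\,H: &
\dfrac{X \in H}{X \in \mathrm{synth}\,H} \qquad
\dfrac{}{\mathrm{Agent}\,A \in \mathrm{synth}\,H} \qquad
\dfrac{}{\mathrm{Number}\,N \in \mathrm{synth}\,H} \qquad
\dfrac{X \in \mathrm{synth}\,H \quad Y \in \mathrm{synth}\,H}{\{\!|X, Y|\!\} \in \mathrm{synth}\,H} \qquad
\dfrac{X \in \mathrm{synth}\,H \quad \mathrm{Key}\,K \in H}{\mathrm{Crypt}\,K\,X \in \mathrm{synth}\,H}
\end{array}
```

The only difference between parts and analz is the decryption rule: analz needs the inverse key to be derivable, parts does not. From these definitions the paper's algebraic laws follow, for example analz H ⊆ parts H, parts (parts H) = parts H, synth (synth H) = synth H and parts (synth H) = parts H ∪ synth H. A secrecy theorem for a protocol is then a statement of the form "Key K ∉ analz (knows Spy evs)" for every trace evs the protocol can produce, and nonces are deliberately absent from the synth rules so that a fresh nonce cannot be forged.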
Data Science ATL Meetup - Risk I/O Security Data Science, by Michael Roytman
This is a talk about data science operations and the applications of Risk I/O's insights to the security industry: how we went about mining insights from our large dataset.
This document discusses data security in the cloud. It notes that encryption, along with centralized policy and key management, are essential for protecting sensitive data in cloud environments and meeting regulatory requirements. Centralized key management provides benefits like secure key storage, lifecycle management, separation of duties, and compliance with standards. Customers can choose between managing keys on-premise or using a key management as a service provider, but must consider tradeoffs in risk, cost, and separation of duties. Encryption combined with proper key management makes data more secure when migrating to cloud computing.
Carter Brothers is a leading provider of fire and life safety, access control, and video systems with over 20 offices nationwide. Founded in 2001, Carter Brothers has experienced rapid growth, with revenue topping $50 million in 2006 and $80 million in 2008. In 2007, Carter Brothers acquired Edwards Service from GE Security, adding ten additional offices. Carter Brothers has managed over $1 billion in fire and security projects nationwide since 2001.
Practical Measures for Measuring Security, by Chris Mullins
Security is often a frustrating field for business and IT decision makers. It can be difficult to quantify, difficult to get visibility, and it’s difficult to know when you have “enough”. Do you really need that latest threat feed subscription or state of the art malware protection device? Do you need to add another security analyst to your team? And if so, how can you understand, in business terms, the value these investments bring to the business? This session will explore practical methods for the application of metrics in security to support business decision making, and provide a framework to implement straightforward security metrics, whether inside your wall or at a service provider.
The Open Science Grid Consortium aims to build a sustainable national production Grid infrastructure in the United States that will support scientific collaborations. It will build upon existing Grid infrastructures like Grid3 and SAMGrid by integrating distributed computing facilities at laboratories and universities. The Consortium plans to evolve this infrastructure to meet the long-term computational needs of the experimental physics community in the US, which will require increasing its scale, performance, and capabilities by an order of magnitude or more. It also seeks to accommodate the needs of other science partners by developing a flexible framework of services and ensuring the coherent operation of the whole system.
Climate change will exacerbate regional and local tensions in ‘hot-zones’ around the world. In these regions, the impacts of a changing climate will act as an accelerant of instability by multiplying problems like water scarcity, food shortages, and overpopulation.
As a global superpower with military forces deployed around the world, the interests of the U.S. and its allies will be impacted by a changing climate, especially in certain ‘hot-zones’ detailed within this part.
This document provides a job performance evaluation form for a hospital security officer. It includes sections for performance planning and review, rating performance factors such as administration, knowledge, communication, and more. It also includes sections for noting employee strengths and areas for improvement, developing a plan for improved performance, and obtaining employee and supervisor signatures. Sample phrases are provided to help evaluate different aspects of performance such as attitude, creativity, decision-making, and more. The form and phrases are intended to help structure an annual job performance review for a hospital security officer.
One problem that every information security organization faces is how to accurately quantify the risks that they manage. In most cases, there is not enough information available to do this. There is now enough known about data breaches to let us draw interesting conclusions, some of which may even have implications in other areas of information security. This talk describes what we can learn from a careful analysis of the available information on data breaches, how we can extend what we learn about data breaches to other aspects of information security, and why doing this makes sense.
Luther Martin, Chief Security Architect, Voltage Security, Inc.
Luther Martin is the Chief Security Architect at Voltage Security, Inc., a vendor of encryption technology and products. He began his career in information security at the National Security Agency, where he graduated from the NSA's Cryptologic Mathematician Program in 1991, and eventually became the Technical Director of the NSA's Engineering and Physical Sciences Security Division.
After leaving the NSA, he has worked at both security consulting and product companies. Notable accomplishments during this period include creating the security code review for consulting firm Ernst & Young, running the first commercial security code review projects, and creating the public-key infrastructure technology that was used in the U.S. Postal Service's PC Postage program.
He is the author of Introduction to Identity-based Encryption, and has contributed to seven other books and over 100 articles on the topics of information security and risk management.
The document discusses standards and best practices for conducting security investigations in high-stakes testing programs. It covers planning investigations, preparing by reviewing materials and developing interview protocols, conducting interviews consistently, and writing a report summarizing the findings based on evidence. Maintaining confidentiality is important. Investigations can help determine the extent of any fraudulent activities and damage from them.
Improved cross-platform accessibility of a flagship application for world's l..., by Mindtree Ltd.
The document discusses Mindtree helping a global medical and travel security services provider improve the cross-platform accessibility of their flagship application. The application helped identify at-risk travelers during critical events but was only accessible through limited browsers and operating systems. Mindtree collaborated with the customer to automate cross-browser testing using their Selenium Automation Framework, reducing test execution time from over 4 weeks to under 2 days and ensuring compatibility across browsers and devices.
The document discusses security issues related to cloud computing data storage. It examines how companies can make informed decisions about storing data in the cloud and ensure sufficient privacy protection and regulatory compliance. The purpose is to look at basic security methods and how compliance is controlled. It recommends companies consider the security, availability, scalability, and stability of cloud providers before contracting with them. Privacy, security, and compliance are major concerns since companies lose direct oversight of their data and may not know where it is located or who the external providers are. Cloud computing storage may not be suitable for all businesses due to these issues.
The document is a series of 25 sections from the blog "Next in Security" by Ing. Sijmen Ruwhof discussing various topics relating to security. Each section is dated May 11, 2011 and numbered. The sections discuss concerns over security, how things could be worse, and asking where one's worries come from.
Automated Validation of Internet Security Protocols and Applications (AVISPA), by Krassen Deltchev
This is my first B.Sc. term paper, 2006. Back in those days my English was bad, which is obvious when reading the paper, but I still love it, because this was my academic starting point on the topic of IT security. Enjoy!
This B.Sc. term paper was presented to the Department of Electrical Engineering and Information Sciences of the Ruhr-University of Bochum, Chair of Network and Data Security (Horst-Görtz Institute, Prof. Jörg Schwenk).
Abstract:
The AVISPA Model Checker is a tool for the automated validation and verification of security protocols. It provides a push-button, web-based, software- and hardware-independent interface, and installation binaries for UNIX-based operating systems.

It belongs to the group of state-of-the-art model checkers and uses a modular and descriptive formal language for specifying industrial-scale security protocols.

The different back-ends of the AVISPA tool implement new, optimized analysis techniques for automated protocol verification, so that researchers can verify even larger protocol specifications in a short time and in a user-friendly way.

New cryptographic attacks are explored with the AVISPA tool, and the model checker covers a wide range of modern Internet authentication protocols with respect to their security validation.
The document discusses new features in Informix 11.70, including:
- Table and storage space defragmentation tools to improve performance.
- Enhancements to storage space administration through utilities to generate schemas and commands.
- Tools for deploying and embedding Informix instances through the Deployment Assistant and Utility.
- Increased usability through features like automatic DBA procedures, table location, and event alarms.
Informix User Group France - 30/11/2010 - IDS 11.7 Features, by Nicolas Desachy
Informix 11.70 includes several new features to improve administration, performance, and availability. Key features include:
1) A table defragmenter (OLTR) that can reorganize tables online with no downtime.
2) Enhancements to storage provisioning and the ability to generate schemas for dbspaces, chunks, and logs.
3) An embeddability toolkit including a deployment assistant and utility to rapidly deploy packaged Informix instances.
4) Performance improvements such as forest of trees indexing, multi-index scans, and fragment-level statistics.
Data Tracking: On the Hunt for Information about Your Database, by Michael Rosenblum
Behind the scenes, Oracle databases hide a myriad of processes to ensure that your data can be safely stored and retrieved. These processes also leave “tracks” (or they COULD leave tracks if you set them up properly). These tracks, together with application-specific data, create a complete representation of the system’s day-to-day activity. Too often this representation is lost at the DBA/Developer borderline, mostly because one side is not aware of the needs of the other. This presentation strives to bridge this gap. It focuses on key sources of database information and techniques that are useful for both DBAs and developers:
- Data Dictionary
- Oracle Logging
- Oracle Tracing
- Advanced code instrumentation
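As an added example (not code from the talk), here is how the four sources listed above fit together in practice: a session tags itself, the tags surface in the data dictionary, tracing is switched on for exactly that tagged session, and (my extension beyond the four bullets) an audit policy records reads of a sensitive table with the same tag attached. The schema hr.employees, the policy name and the identifier value are hypothetical; DBMS_APPLICATION_INFO, DBMS_SESSION, DBMS_MONITOR, V$SESSION and unified auditing (12c and later) are standard Oracle features, and the statements are meant for SQL*Plus or SQLcl run by a DBA.

```sql
-- Added example, not from the presentation. Object names are hypothetical.

-- 1. Instrumentation: tag the session so every later "track" can be tied to
--    the real end user behind a pooled application connection.
BEGIN
  DBMS_APPLICATION_INFO.SET_MODULE(module_name => 'BILLING',
                                   action_name => 'MONTH_END');
  DBMS_SESSION.SET_IDENTIFIER('app_user:alice');
END;
/

-- 2. Data dictionary: who is doing what right now, with those tags visible.
SELECT sid, serial#, username, module, action, client_identifier, sql_id
FROM   v$session
WHERE  module = 'BILLING';

-- 3. Tracing: enable SQL trace only for sessions carrying that identifier,
--    not for the whole instance; trace files go to the diagnostic destination.
BEGIN
  DBMS_MONITOR.CLIENT_ID_TRACE_ENABLE(client_id => 'app_user:alice',
                                      waits     => TRUE,
                                      binds     => FALSE);
END;
/

-- 4. Auditing (unified auditing): record every SELECT on a sensitive table.
--    The client identifier set in step 1 is stored with each audit record.
CREATE AUDIT POLICY salary_reads
  ACTIONS SELECT ON hr.employees;
AUDIT POLICY salary_reads;

-- Later: who read the table, as which database user and which application user.
SELECT event_timestamp, dbusername, client_identifier, action_name, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%SALARY_READS%'
ORDER  BY event_timestamp DESC;

-- Switch the targeted trace off again once the investigation is done.
BEGIN
  DBMS_MONITOR.CLIENT_ID_TRACE_DISABLE(client_id => 'app_user:alice');
END;
/
```

The point of setting the client identifier from the application is that a connection pool otherwise makes every action look like it came from the one service account; with the tag in place the same value appears in V$SESSION, in the trace file name and in UNIFIED_AUDIT_TRAIL, so DBAs and developers are looking at the same key. Tracing is scoped to the identifier rather than enabled instance-wide because full SQL trace with binds can write sensitive values to disk.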
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in French
We will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data. Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in German
Speaker:
Borys Neselovskyi, Sales Engineer, EDB
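As an added example covering the three PostgreSQL webinar listings above (this is not material from the webinars or from EDB), the AAA layers applied to a single table: SCRAM instead of MD5 for new passwords, group roles, row-level security keyed on a session setting, a redacting view, and statement logging. The role, table, policy and setting names (support_staff, customer, app.tenant and so on) are hypothetical; the SQL is standard PostgreSQL 10 or later and is meant to be run once by a superuser.

```sql
-- Added example, not from the webinar. Object names are hypothetical.

-- Authentication: hash new passwords with SCRAM rather than MD5. The matching
-- pg_hba.conf line must use the scram-sha-256 method (never "trust" on a
-- network-reachable interface); existing MD5 hashes stay MD5 until reset.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- Authorization: NOLOGIN group roles per job function, login roles inherit.
-- app_owner owns the objects; it is not a superuser because superusers bypass
-- row-level security entirely.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE support_staff NOLOGIN;
CREATE ROLE auditor NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD 'replace-me' IN ROLE support_staff;

CREATE TABLE customer (
    id         serial PRIMARY KEY,
    tenant     text NOT NULL,
    email      text NOT NULL,
    card_last4 char(4) NOT NULL
);
ALTER TABLE customer OWNER TO app_owner;
REVOKE ALL ON customer FROM PUBLIC;      -- nobody reads the base table directly

-- Row-level security: a session sees only the tenant named in app.tenant.
-- FORCE makes the policy apply to app_owner too, which matters because a
-- plain view checks table privileges as its owner. current_setting(..., true)
-- yields NULL when the setting is absent, so an untagged session sees no rows.
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON customer
    USING (tenant = current_setting('app.tenant', true));

-- Data redaction: mask the local part of the e-mail unless the caller is a
-- member of auditor. security_barrier stops a user-supplied function in a
-- WHERE clause from seeing the unmasked value before the mask is applied.
CREATE VIEW customer_redacted WITH (security_barrier) AS
SELECT id,
       tenant,
       CASE WHEN pg_has_role(current_user, 'auditor', 'member')
            THEN email
            ELSE regexp_replace(email, '^(.).*(@.*)$', '\1***\2')
       END AS email,
       card_last4
FROM   customer;
ALTER VIEW customer_redacted OWNER TO app_owner;
GRANT SELECT ON customer_redacted TO support_staff, auditor;

-- Auditing: log every data-modifying statement alice runs. Role-level
-- settings are not inherited through group membership, so set it on the
-- login role. With the pgaudit extension installed, object-level reads and
-- writes can be logged as well:
--   CREATE EXTENSION pgaudit;  ALTER SYSTEM SET pgaudit.log = 'read, write';
ALTER ROLE alice SET log_statement = 'mod';

-- Check with constructed sample rows (inserted by the superuser, who is not
-- subject to the policy). As alice with tenant acme set, exactly one row comes
-- back and the address reads b***@example.com; without the tag, no rows.
INSERT INTO customer (tenant, email, card_last4) VALUES
    ('acme',   'bob@example.com',   '4242'),
    ('globex', 'carol@example.com', '1111');
SET ROLE alice;
SELECT * FROM customer_redacted;               -- 0 rows: app.tenant not set
SET app.tenant = 'acme';
SELECT * FROM customer_redacted;               -- 1 row, e-mail masked
RESET ROLE;
```

One caveat a practitioner should keep in mind: because any session can run SET app.tenant, this policy isolates tenants only when the application, not the end user, controls the SQL session. For users who can type arbitrary SQL, key the policy on current_user or on a lookup table mapping roles to tenants instead of on a settable parameter.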
Addressing the Top 10 IBM i Security Threats, by Precisely
This document discusses the top 10 IBM i security threats. It begins with an overview of why IBM i security is important and examines the top vulnerabilities. It then explains how Syncsort can help address these threats through solutions like encryption and access monitoring. Some of the key security threats covered include insecure user passwords, excessive user authorities, unrestricted library and file authorities, unencrypted backups, and production data on test systems.
How and why to control local administrator privileges on Windo..., by Identity Days
A talk given by Xuan Ahehehinnou, Nicolas Bonnet & Hakim Taoussi
On workstations and servers, every user, system or service account that holds local administrator privileges represents a very high level of risk.
These security risks can open the door to pass-the-hash attacks and other credential theft, malware execution, lateral movement, disabling of defences such as antivirus or EDR, impersonation, data encryption, and more.
In this session we detail good practices as well as Microsoft tools and features such as LAPS, Endpoint Privilege Management and Account Protection.
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa..., by Krzysztof Adamski
Once the proof of concept is successful in terms of performance and scalability, many start asking how Hadoop can become part of a corporate ecosystem. It is also quite common for Hadoop to store vast amounts of sensitive data, becoming a central repository (data lake) shared by multiple tenants. The challenge is to secure not a single platform but the whole framework.
In this session I would like to show how Ranger, Kerberos and built-in Hadoop security mechanisms can help you to meet some of these objectives and share our experience in this area.
This document discusses the top 10 IBM i security threats. It begins with an overview of why IBM i security is important and examines the top vulnerabilities. It then explains how Syncsort can help address these threats through solutions like encryption and access monitoring. Some of the key security threats covered include insecure user passwords, excessive user authorities, unrestricted library and file authorities, unencrypted backups, and production data on test systems.
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Identity Days
Une conférence proposée par Xuan Ahehehinnou, Nicolas Bonnet & Hakim Taoussi
Sur les ordinateurs et les serveurs, tout compte utilisateur/ système / de service, avec privilège d’administrateur local présente un très haut niveau de risque.
Ces risques de sécurité pouvant ouvrir la porte à des attaques pass-the-hash et autres vols d’informations d’identification, exécution de malware, mouvement latéral, désactivation des mécanismes de défense comme l’antivirus ou l’EDR, impersonation, chiffrement des données, etc.
Dans cette session, nous vous détaillerons donc les bonnes pratiques ainsi que des outils et fonctionnalités Microsoft comme : LAPS, Endpoint Privilege Management, Account protection
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...Krzysztof Adamski
Once the proof of concept is successful in terms of performance and scalability many start asking questions how Hadoop can become a part of a corporate ecosystem. It is also quite common for Hadoop to store vast amount of sensitive data becoming a central repository (data lake) shared with multiple tenants. There is a challenge to secure not a single platform, but the whole framework.
In this session I would like to show how Ranger, Kerberos and built-in Hadoop security mechanisms can help you to meet some of these objectives and share our experience in this area.
The document discusses security best practices for IBM Informix including:
1) Enabling role separation to restrict access and privileges for database administrators, application administrators, and backup administrators.
2) Configuring file permissions and ownership for key Informix directories and files to restrict access.
3) Enabling encrypted connections using SSL or other encryption mechanisms to protect data in transit.
4) Configuring firewalls, virtual private networks, and the sqlhosts file to control which clients and users can connect to the database server.
This document summarizes key concepts around access control techniques including identity management, password management, account management, profile management, directory management, and single sign-on. It discusses decentralized access control, the goals of identity management including consolidating user IDs, bindings users to policies and privileges. It also covers technical aspects of password management, account locking, and challenges of full deployment of account management systems.
Centralizing users’ authentication at Active Directory level Hossein Sarshar
Nowadays, network structure of most companies is based on Active Directory. Developers can benefit from this advantage by developing applications compatible with Active Directory user management system and its authentication protocols. Consequently, a users’ single domain logon is enough to access your application securely. The resulting system causes reduction in significant development and administrative efforts.
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers:
- The key phases and activities of the vulnerability management lifecycle
- The tools you need for an effective vulnerability management program
- How to prioritize your VM needs
- How an effective VM program can help you measurably reduce risk and meet compliance objectives
You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program
Cognitive data capture with Elis - Rossum's technical webinarPetr Baudis
The document discusses cognitive data capture using Elis, an AI platform for automating invoice processing. Elis can automate up to 95% of data entry tasks using AI rather than manual work. It allows importing documents, AI processing to extract data, human review if needed, and exporting the captured data. Elis supports customization through extensions and has user management, queue, workspace and schema configuration options that can be managed through its API or command line interface.
Top Ten Settings that Leave your IBM i VulnerablePrecisely
Contrary to popular belief, IBM i is NOT secure by default. Thankfully, it IS secure-able.
View this on-demand webinar to explore the top configuration settings that leave your IBM i vulnerable – to accidental misconfiguration, being infected with malware (including ransomware), an outside attacker, or an ill-intentioned insider.
During this webinar, Carol Woodbury, President and CTO of DXR Security describes the vulnerability, provides considerations prior to changing settings, and high-level instructions for eliminating each vulnerability.
Linux allows multiple users to access the system simultaneously. Users are uniquely identified by their UID, and can be regular users or superusers. Superusers have full access while regular users have limited access. The system administrator manages users and groups. Users can be created with the useradd command and assigned to primary and supplementary groups. User properties like login, UID, home directory and shell are set during creation. Users can be modified, locked, unlocked and deleted using related commands. Groups organize users and are managed using groupadd, groupmod, and groupdel. Permissions allow controlling access for users and groups.
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorisation, Auditing) framework EnterpriseDB will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorisation and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention
This document provides interview questions and answers related to configuring and administering a Windows Server 2003 network with Microsoft Exchange Server 2003. It addresses topics such as required Windows Server 2003 components, preparing an Active Directory forest for Exchange deployment, Exchange processes that communicate with Active Directory, domain controller types accessed by Exchange, and optimizing Exchange 2003 memory usage. Additional questions cover Exchange queue monitoring, standard port numbers, process names, database hosting limits, and NNTP use with Exchange.
The document provides an overview of IBM Informix database security from both an operating system and database perspective. It discusses how Informix uses OS authentication, permissions, and network security capabilities. On the database side, it describes how Informix implements discretionary access control using SQL GRANT/REVOKE statements and label-based access control using security policies and labels. The document also outlines the seven distinct security roles in Informix and how to separate them, and provides details on configuring and using the Informix auditing functionality.
Similar to UGIF 12 2010 - new security features in IDS - nov 2010 (20)
Ugif 09 2013 new environment and dynamic setting in ids 12.10UGIF
The document discusses new features in Informix Dynamic Server (IDS) 12.10 related to environment and configuration management. It describes how IDS 12.10 allows administrators to start the database server by reading settings from a file rather than setting environment variables manually. It also details how more configuration parameters can now be modified dynamically at runtime using new onstat and SQL administration API commands, without needing to restart the server. Exporting and importing configuration settings to files is also introduced as a way to manage multiple parameter changes.
The document outlines the agenda for a meeting of the User Group Informix France on September 12, 2013. The agenda includes presentations on Informix strategies within IBM's offerings, open source solutions with Informix, analytics technologies for analyzing data via IWA, new configuration and startup methods in Informix version 12, indexing techniques in Informix, and solutions and support updates. It also lists upcoming Informix events and details the new editions, bundles, and trade-up options available in Informix 12.1 being released on March 26, 2013.
PSM (Primary Storage Manager) bundled with Informix 12.1 provides faster and easier backup and restore capabilities compared to previous methods. PSM integrates tightly with onbar to allow parallel backups to file devices with performance similar to or better than ontape. It maintains a catalog of backup objects and can expire backups, addressing limitations of previous methods. Setting the transfer buffer size higher in PSM further improves performance for onbar backups.
User Group Informix France - Axional Web Studio - Informix Warehouse Accelerator, IWA
Axional Analytics Une manière facile pour analyser vos données via IWA
This document discusses Informix's new partition defragmenter feature. It begins with background on partitions and extents, and explains how fragmented partitions can degrade performance. The defragmenter works by using new SQL functions to consolidate partition extents, logging the process. It can run online and is recoverable. Considerations include avoiding locks and logging overhead. The feature is available via SQL APIs and in OAT for automated optimization. An example demonstrates defragmenting three fragmented tables.
The document summarizes an IBM presentation on benchmarks performed at the IBM PSSC Customer Center in Montpellier, France. It discusses an Informix benchmark on POWER7 systems published in 2012 that showed scalability up to 330% growth. It also describes IBM System x servers like the Flex System x240 and blade servers like the HS23 that are suited for enterprise workloads.
The document discusses the on-disk structures of an Informix database instance. It describes how data is stored across partitions, pages, chunks, and dbspaces. It provides examples of using oncheck commands to view the root chunk, pages, and partitions that make up an Informix instance on disk. The key concepts covered include how partitions, pages, and extents are used to store and organize table and index data across a database server's storage devices.
Ugif 10 2012 lycia2 introduction in 45 minutesUGIF
Querix provides tools for modernizing 4GL applications and migrating them to new platforms. This includes tools for Java, ESQL/C, C, C++ and other languages on databases and operating systems. Querix also offers consulting services to help with application migration. Migrating to Lycia 4GL provides benefits like modernized interfaces, improved development lifecycles, faster time to market for new applications, and maximized returns on existing investments.
This document discusses IBM's Informix database and provides updates on recent developments. It notes that IBM continues investing in Informix, which runs on IBM's PureSystems platform and features new in-memory and columnar technologies. The document outlines IBM's business imperatives for Informix, including delighting existing customers, differentiating the product, creating a proactive sales culture, and building new revenue streams. It highlights some major Informix customers and a benchmark test showing Informix TimeSeries' ability to efficiently manage smart meter data for millions of meters.
Update Statistics provides concise summaries of document changes in 3 sentences:
The document discusses changes to statistics collection and use in Informix versions 11.10, 11.50, and 11.70, including "Smart Statistics" which only updates statistics if data changes exceed a threshold. It also describes the "Auto Update Statistics" scheduler tasks which automatically determine and run appropriate UPDATE STATISTICS commands based on guidelines. The document provides examples showing how statistics are updated and not updated depending on whether the UPDATE STATISTICS command is run or data change thresholds are exceeded.
This document discusses managing large amounts of data from smart utility meters. It notes that smart meters can generate huge volumes of data as readings become more frequent. It introduces IBM's Informix TimeSeries database as a solution, highlighting its performance, space savings, and support for time series data. Key benefits include handling high data insertion rates, reducing storage needs by 50% compared to a standard relational layout, and providing functions optimized for time series analysis.
The document discusses trends in data warehousing and analytics, including the rise of data warehouse appliances, column-oriented databases, and in-memory databases. It then introduces Informix Warehouse Accelerator, which combines row and columnar storage, compression, and in-memory technologies to provide extreme performance for data warehousing workloads. Key technologies of the accelerator include 3:1 data compression, frequency partitioning for efficient parallel scanning, and predicate evaluation directly on compressed data.
The document provides an overview of new features in IBM Informix TimeSeries versions xC3 and xC4. Some key new features in xC3 include support for additional platforms, a demo that populates smart meter data, removal of an 18-character limit on names, pre-defined calendars, container statistics, and improved delete performance. New features in xC4 are also presented but not described in detail.
Informix 11.7 delivers smarter data management through three key capabilities:
1) Informix Flexible Grid provides high availability, scalability and workload management.
2) The Informix Warehouse Accelerator delivers unprecedented query response times.
3) Informix Genero enables faster development of mobile and cloud applications.
ScyllaDB is making a major architecture shift. We’re moving from vNode replication to tablets – fragments of tables that are distributed independently, enabling dynamic data distribution and extreme elasticity. In this keynote, ScyllaDB co-founder and CTO Avi Kivity explains the reason for this shift, provides a look at the implementation and roadmap, and shares how this shift benefits ScyllaDB users.
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Ukraine
Під час доповіді відповімо на питання, навіщо потрібно підвищувати продуктивність аплікації і які є найефективніші способи для цього. А також поговоримо про те, що таке кеш, які його види бувають та, основне — як знайти performance bottleneck?
Відео та деталі заходу: https://bit.ly/45tILxj
In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project.
📕 Detailed agenda:
Variables and Datatypes
Workflow Layouts
Arguments
Control Flows and Loops
Conditional Statements
💻 Extra training through UiPath Academy:
Variables, Constants, and Arguments in Studio
Control Flow in Studio
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
"Scaling RAG Applications to serve millions of users", Kevin GoedeckeFwdays
How we managed to grow and scale a RAG application from zero to thousands of users in 7 months. Lessons from technical challenges around managing high load for LLMs, RAGs and Vector databases.
Session 1 - Intro to Robotic Process Automation.pdfUiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...AlexanderRichford
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
Introducing BoxLang : A new JVM language for productivity and modularity!Ortus Solutions, Corp
Just like life, our code must adapt to the ever changing world we live in. From one day coding for the web, to the next for our tablets or APIs or for running serverless applications. Multi-runtime development is the future of coding, the future is to be dynamic. Let us introduce you to BoxLang.
Dynamic. Modular. Productive.
BoxLang redefines development with its dynamic nature, empowering developers to craft expressive and functional code effortlessly. Its modular architecture prioritizes flexibility, allowing for seamless integration into existing ecosystems.
Interoperability at its Core
With 100% interoperability with Java, BoxLang seamlessly bridges the gap between traditional and modern development paradigms, unlocking new possibilities for innovation and collaboration.
Multi-Runtime
From the tiny 2m operating system binary to running on our pure Java web server, CommandBox, Jakarta EE, AWS Lambda, Microsoft Functions, Web Assembly, Android and more. BoxLang has been designed to enhance and adapt according to it's runnable runtime.
The Fusion of Modernity and Tradition
Experience the fusion of modern features inspired by CFML, Node, Ruby, Kotlin, Java, and Clojure, combined with the familiarity of Java bytecode compilation, making BoxLang a language of choice for forward-thinking developers.
Empowering Transition with Transpiler Support
Transitioning from CFML to BoxLang is seamless with our JIT transpiler, facilitating smooth migration and preserving existing code investments.
Unlocking Creativity with IDE Tools
Unleash your creativity with powerful IDE tools tailored for BoxLang, providing an intuitive development experience and streamlining your workflow. Join us as we embark on a journey to redefine JVM development. Welcome to the era of BoxLang.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras KlobaFwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Keywords: AI, Containeres, Kubernetes, Cloud Native
Event Link: https://meine.doag.org/events/cloudland/2024/agenda/#agendaId.4211
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsScyllaDB
ScyllaDB monitoring provides a lot of useful information. But sometimes it’s not easy to find the root of the problem if something is wrong or even estimate the remaining capacity by the load on the cluster. This talk shares our team's practical tips on: 1) How to find the root of the problem by metrics if ScyllaDB is slow 2) How to interpret the load and plan capacity for the future 3) Compaction strategies and how to choose the right one 4) Important metrics which aren’t available in the default monitoring setup.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
"What does it really mean for your system to be available, or how to define w...Fwdays
We will talk about system monitoring from a few different angles. We will start by covering the basics, then discuss SLOs, how to define them, and why understanding the business well is crucial for success in this exercise.
4. Why do we need this feature?
Local Account Look-up Availability
– Although IDS has supported PAM since 9.40.xC2, users have had to enable look-up of the user account on the host operating system
Redundant Password Comparison
– Even though PAM or Windows AD has already authenticated the user, IDS obtains the user's hashed password and does a redundant password comparison
• The user's password (encrypted) must be accessible to IDS
• LDAP users have had to enable the password property for the LDAP “proxy” user
• Where customers use Windows AD, they have had to turn on the Unix password property for the users
Customers are unhappy to do either of the two
User Group Informix France
5. User Story
Microsoft Active Directory (LDAP)
– As a DBSA, I need to allow users identified in MS Active Directory (AD) to connect to IDS without being forced to create a Unix login account for the users
Users with PCs
– We use PAM to authenticate our users. Why do we need to create accounts in the local operating system?
Administrator Roles for External Users
– As a DBSA, I should be able to grant externally authenticated users server administrator roles
6. Feature Quick Reference
Authenticate external users without an OS account
– Database users no longer need
• An account look-up in the local OS
• Password properties enabled for external authenticators
The DBSA “maps” an external user to:
• An existing OS user, or
• A database-defined UID/GID pair
Uses an extension to the GRANT/REVOKE SQL statement
Requires PAM or SSO authentication
Traditional password-based authentication is still available
Windows support is pending
7. Feature Details – 1-2-3!!!
Enable USERMAPPING in ONCONFIG
Set up PAM or SSO via SQLHosts
GRANT ACCESS TO <users> PROPERTIES
That is it...!!
8. Feature Details – ONCONFIG
New ONCONFIG parameter
USERMAPPING { OFF | BASIC | ADMIN }
• OFF
This feature is turned off – this is the default
• BASIC
IDS non-privileged users only – not DBSA, DBSSO or AAO
• ADMIN
Privileged users are enabled as well
9. Feature Details – Syntax
Extension to GRANT statement
– GRANT ACCESS TO {username} PROPERTIES
[ USER OS_username | UID uid ],
GROUP (OS_groupname | gid),
HOMEDIR 'homedir',
AUTHORIZATION (userauth);
– 'userauth' is an OR pattern of DBSA, DBSSO, AAO,
BARGROUP
10. Feature Details – Syntax (cont)
Examples
– GRANT ACCESS TO user1 PROPERTIES USER ravik;
– GRANT ACCESS TO user2 PROPERTIES UID 100, GROUP (200);
– GRANT ACCESS TO user3 PROPERTIES USER ravik, HOMEDIR
'/home/user4';
– GRANT ACCESS TO user4 PROPERTIES USER ravik,
AUTHORIZATION (dbsa);
– GRANT ACCESS TO PUBLIC PROPERTIES USER ravik;
11. Feature Details – Syntax (cont)
Extension to REVOKE statement
– REVOKE ACCESS FROM { PUBLIC | <username> }
Example
– REVOKE ACCESS FROM user1;
To alter a user mapping, revoke and re-grant access; granting to an already mapped user fails with
– Error: -26107 User name (%s) has already been granted
12. Feature Details - Capabilities
OS processes
– SYSTEM commands in a procedure will run as the surrogate user
OS Files
– sqexplain files will be created as the surrogate user
– Debug files will be created as the surrogate user
– Unload and output files will be created as the surrogate user
Home Directory (optional)
– If the home directory is not specified, IDS will create a directory for the user's files in
$INFORMIXDIR/users/uid.<id_number>
– If the user is mapped to a non-existent UID/GID pair, the file will be created using that
UID/GID only if the directory is publicly writable
Role Separation
– IXUSERS group in $INFORMIXDIR/dbssodir/seccfg
• A mapped user cannot be part of the IXUSERS group if the surrogate user is invalid:
Error -25571 "cannot create a user thread".
13. Example Setup
ONCONFIG
####################################################################
# USERMAPPING - Control access to IDS for users without operating
# system accounts.
####################################################################
# OFF - users without operating system accounts cannot use IDS
# BASIC - users without operating system accounts can use IDS but
# not as privileged users
# ADMIN - users without operating system accounts can use IDS as
# privileged users
####################################################################
USERMAPPING BASIC
PAM Configuration /etc/pam.d/idspam
# LDAP authentication
auth required pam_ldap.so
account required pam_ldap.so
SQLHosts
idsserver onsoctcp linx idsservice s=4, pam_serv=(idspam), pamauth=(challenge)
14. Example – LDAP Mapped User
LDAP Configuration /etc/ldap.conf
# LDAP server
host ldapserver
...
# The distinguished name of the search base
base dc=yobldap-domain,dc=com
User Mapping Definition
[informix@linx]$ dbaccess stores_demo <<EOF
GRANT ACCESS TO ldap_user PROPERTIES
USER yob;
EOF
IDS Connection
[informix@linx ]$ dbaccess - -
> connect to 'stores_demo@idsserver' user 'ldap_user'
> Password: <- type LDAP password
Connected.
15. Open Admin Tool Support (OAT)
GUI Interface support is provided through Open Admin Tool
– Server Administration
• User Privileges
– Add, Edit, Delete, Show SQL
16. System Tables
New system tables in 'sysuser' database
– SYSUSERMAP
– SYSSURROGATES
– SYSSURROGATEGROUPS
The DBSA should use the GRANT ACCESS TO / REVOKE
ACCESS FROM statements to manage these system
tables, as there are cross-references between them.
17. System Tables (cont)
SYSUSERMAP
Column name   Type        Nulls
username      nchar(32)   yes
surrogate_id  integer     yes
18. System Tables (cont)
SYSSURROGATES
Column name   Type           Nulls
surrogate_id  serial         no
os_username   nchar(32)      yes
uid           integer        yes
gid           integer        yes
groupname     nchar(32)      yes
homedir       nvarchar(255)  yes
userauth      char(10)       yes
19. System Tables (cont)
'userauth' Entry in SYSSURROGATES
– An OR pattern of
• Position 1: s = DBSA
• Position 2: o = DBSSO
• Position 3: a = AAO
• Position 4: b = BARGROUP
• Other positions reserved for future use
• Attributes in lower case only
Example
s--b------   The user is a DBSA and belongs to BARGROUP
-o--------   The user is a DBSSO
If the 'userauth' entry is not specified, the user is non-privileged
20. System Tables (cont)
SYSSURROGATEGROUPS
Column name   Type        Nulls
surrogate_id  integer     yes
gid           integer     yes
groupname     nchar(32)   yes
groupseq      smallint    yes
21. Agenda
Trusted Context
22. Why do we need this feature ?
In a three-tier architecture, the middle-tier user must have all the
privileges needed to execute all the requests from all users
There is a security issue of accessing resources on behalf of
users if the middle-tier user is compromised
Information is lost when auditing needs to
distinguish end users from the middle-tier user
Establishing a new connection may cause a performance drop,
which is also the case when using a connection pool
23. Feature Quick Reference
This feature allows a connection to be reused for a different user without the
need to establish a new connection
The purpose is to avoid connection overhead when there is a need to
connect on behalf of new users, which is the case in application servers
This also provides a higher security level and better auditing granularity,
as each user connects and switches on a trusted connection with their
own credentials and privileges
New SQL statements are provided and/or enhanced to create a trusted
context, establish a trusted connection and provide connection switch
capabilities
All user properties are reported for the switched connection user
when established
24. Trusted Context Object
A Trusted Context is a database object created by the
database security administrator (DBSECADM) that defines a
set of properties for a connection that, when met, allow that
connection to be a "trusted connection" with special
properties.
– The connection must be established by a specific user.
– The connection must come from a trusted client machine.
– The port over which the connection is made must have the
required encryption.
If these criteria are met, the connection will allow changes in
user ID and privileges as defined in the trusted context.
25. Trusted Context Setup
Step 1: Create Trusted Context Object
– Created at database level
– Must be created by DBSECADM
– Can use OS users or Mapped Users
– Provision to Switch User
Step 2: Establish Trusted Connections
– Use SQL statement to establish trusted connection
– Must satisfy criteria defined in Trusted Context
Step 3: Switch Connections
– Use SQL Statement to switch user over a trusted connection
– New operations performed for the switched user
26. Trusted Context Syntax
Syntax (simplified)
– CREATE TRUSTED CONTEXT <ctx>
BASED UPON CONNECTION USING SYSTEM AUTHID <user>
ATTRIBUTES (ADDRESS <host>, WITH ENCRYPTION <value>)
DEFAULT ROLE <role>
WITH USE FOR <user list> [WITH | WITHOUT] AUTHENTICATION
ENABLE | DISABLE
Users with the DBSECADM role can perform the following
operations
– CREATE TRUSTED CONTEXT
– ALTER TRUSTED CONTEXT
– DROP TRUSTED CONTEXT
27. Trusted Context Creation
New SQL statement to create a trusted context
CREATE TRUSTED CONTEXT mytcx
BASED UPON CONNECTION USING SYSTEM AUTHID yob
DEFAULT ROLE employee
ATTRIBUTES (ADDRESS 'linx.swglab.fr.ibm.com')
WITH USE FOR PUBLIC WITHOUT AUTHENTICATION
ENABLE
– Creates a Trusted Context object named 'mytcx'
– The connection can be established by user 'yob'
– Will allow connections from 'linx.swglab.fr.ibm.com'
– Can switch to any user (PUBLIC) once the Trusted
Connection is established
28. Trusted Connection Establishment
New keyword in the CONNECT SQL statement to
establish a trusted connection
– EXEC SQL CONNECT TO "stores_demo@ids1170" TRUSTED
– Details in online.log
• 18:21:07 TESTMODE: trust context address 9.101.46.52 matched
• 18:23:12 listener-thread: err = -28021: oserr = 0: errstr = : Trusted
Connection request rejected.
Front-End API Support
– ESQL/C
– ODBC
– JDBC
29. Trusted Connection Switch
There is an SQL statement to switch users over a trusted
connection
– EXEC SQL SET SESSION AUTHORIZATION TO <user> [ USING <passwd> ]
– EXEC SQL SET SESSION AUTHORIZATION TO 'joe'
Switch to any user defined in the Trusted Context
Object scope
Audit records will show the switched user as the
originator of the operations
Need to commit or rollback before switching to a
new user when using transactions
30. Open Admin Tool Support (OAT)
GUI Interface support is provided through Open Admin Tool
– Server Administration
• Trusted context
– Create, Modify, Delete, Enable, Show SQL
32. Trusted Context Wizard (OAT)
Trusted Context > Create
– STEP 1
33. Trusted Context Wizard (OAT)
Trusted Context > Create
– STEP 2
34. Trusted Context Wizard (OAT)
Trusted Context > Create
– STEP 3
35. Trusted Context Wizard (OAT)
Trusted Context > Create
– STEP 4
36. System Tables
New Tables In Database 'sysuser'
– table systrustedcontext (
contextid serial,
contextname varchar(128),
database char(128),
authid char(32),
defaultrole char(32),
enabled char(1) not null,
encryption char(1));
– table systcxattributes (
contextid integer not null,
address char(64),
encryption char(1));
– table systcxusers (
contextid integer not null,
username char(32),
usertype char(1),
userrole char(32),
authreq char(1));
37. System Table Query
Trusted Context Definition in 'sysuser' database
– [root@linx trustedContext]# cat sel_trusted_ctx.sql
SELECT a.contextid, contextname, database, authid, defaultrole, enabled, a.encryption,
address, username, usertype, userrole, authreq
FROM systrustedcontext a, systcxattributes b, systcxusers c
WHERE a.contextid = b.contextid AND b.contextid = c.contextid
– [root@linx trustedContext]# dbaccess sysuser sel_trusted_ctx.sql
Database selected.
contextid 1
contextname mytcx1
database stores_demo
authid informix
defaultrole
enabled Y
encryption N
address 9.101.46.52
username PUBLIC
usertype G
userrole
authreq N
1 row(s) retrieved.
Database closed.
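The criteria a trusted connection and a user switch must satisfy (slides 24, 27 and 29), evaluated against rows shaped like the sysuser output above. This is an added example, not code from the deck or from IDS; it assumes that usertype 'G' marks a group entry (PUBLIC meaning any user) and that an address attribute with encryption 'Y' requires an encrypted port.

```python
# Constructed rows mirroring the dbaccess output above (systrustedcontext,
# systcxattributes and systcxusers for context 'mytcx1').
TRUSTED_CONTEXT = {"contextid": 1, "contextname": "mytcx1", "database": "stores_demo",
                   "authid": "informix", "defaultrole": "", "enabled": "Y", "encryption": "N"}
TCX_ATTRIBUTES = [{"contextid": 1, "address": "9.101.46.52", "encryption": "N"}]
TCX_USERS = [{"contextid": 1, "username": "PUBLIC", "usertype": "G", "userrole": "", "authreq": "N"}]


def trusted_connection_allowed(ctx, attributes, authid, address, encrypted):
    """Return True when a CONNECT ... TRUSTED request satisfies the context.

    Checks the three criteria from the Trusted Context Object slide: the
    system authid, the client address and the encryption of the port, plus
    the context being enabled.
    """
    if ctx["enabled"] != "Y" or authid != ctx["authid"]:
        return False
    for attr in (a for a in attributes if a["contextid"] == ctx["contextid"]):
        if attr["address"] != address:
            continue
        # Assumption: encryption 'Y' on the matching address means the
        # connection must arrive over an encrypted port.
        if attr["encryption"] == "Y" and not encrypted:
            return False
        return True
    return False


def switch_policy(ctx, users, target_user):
    """Return (allowed, password_required, role) for SET SESSION AUTHORIZATION.

    A specific user entry takes precedence over the PUBLIC group entry
    (assumption: usertype 'G' is a group entry, anything else a named user).
    """
    entries = [u for u in users if u["contextid"] == ctx["contextid"]]
    specific = [u for u in entries if u["usertype"] != "G" and u["username"] == target_user]
    public = [u for u in entries if u["usertype"] == "G" and u["username"] == "PUBLIC"]
    match = (specific or public or [None])[0]
    if match is None:
        return (False, False, None)
    role = match["userrole"] or ctx["defaultrole"] or None
    return (True, match["authreq"] == "Y", role)
```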
38. Agenda
Selective Row Level Auditing
39. Why do we need this feature ?
Row-level auditing produces huge amounts of useless
data because not all audited tables are important to
system security.
Some customers have reported a 30% database
performance drop when turning on row-level auditing for
insert/update/delete operations
The information in the current row-level audit records
contains table_id and row_id. These can change over
time, which can make looking back at audit records
meaningless.
40. Feature Quick Reference
This feature allows specifying which tables are audited at row
level
The purpose is to avoid the performance drop that occurs
when all tables and rows are audited
This feature is turned on by setting ADTROWS in the adtcfg file, or
dynamically with onaudit -R <value>
– Backward compatible
New SQL syntax is provided to define which tables are
audited at row level
An audit trail file is generated and filtered with the onshowaudit
utility
41. Audit Event
IDS 11.70 has 159 audit events
Audit Event Naming Convention
– 'aaoo'
• 'aa': 2-letter code for the action
• 'oo': 2-letter code for the object
There is a mapping from audit event ID to event
mnemonic
The feature is implemented for 4 audit event mnemonics
– INRW : Insert Row
– UPRW : Update Row
– DLRW : Delete Row
– RDRW : Select Row
42. SRLA Setup
There is a new parameter called ADTROWS in the adtcfg file
– 0: old behavior, i.e. no changes in row-level auditing (default)
– 1: SRLA is enabled and only tables with the AUDIT property
will generate row-level audit records.
– 2: SRLA + include the integer primary key in the audit records
The feature can be turned on dynamically
– onaudit -R 1
43. Audit SQL Syntax
There are new SQL statements to specify which
tables to audit
– CREATE TABLE {existing syntax} | WITH AUDIT
– ALTER TABLE {existing syntax} [ ADD | DROP ] AUDIT
Anyone with RESOURCE or DBA permission
can either
– Create the table "WITH AUDIT"
– Alter the table to "ADD AUDIT"
Only a DBSSO can "DROP AUDIT" on a
table.
44. Example
Set up auditing with the SRLA feature in the adtcfg file
Set up audit events with the onaudit utility
Add a table audit property to enable auditing on
a specific table
Execute a select statement against the specific
table
Monitor the audit file to verify that only the specific table
is being audited
45. Example (cont)
$INFORMIXDIR/aaodir/adtcfg configuration file
ADTMODE 1 # auditing mode
ADTPATH /opt/informix/aaodir # audit trails file
ADTSIZE 50000 # Max size of any single audit trail file
ADTERR 0 # Error handling modes.
ADTROWS 2 # 0 - For legacy auditing
# 1 - log audit tables
# 2 - 1+log primary key
Enable auditing and mask definition
[informix@linx]$ onaudit -R 2
[informix@linx]$ onaudit -p /opt/informix/aaodir
[informix@linx]$ onaudit -l 1
[informix@linx]$ onaudit -a -u yob -e +INRW,UPRW,DLRW,RDRW
Setup table property for auditing
[informix@linx]$ echo 'alter table customer add audit' | dbaccess stores_demo
46. Example (cont)
Audit Event caught for table read
[yob@linx ~]$ echo 'select * from customer' | dbaccess stores_demo
[informix@linx aaodir]$ cat ids.0
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:257:101
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:258:102
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:259:103
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:260:104
...
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:525:127
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:526:128
Audit Record Format
– Fixed Part
• tag, date, host, pid, informixserver, user
– Variable Part:
• errno, event, database, tabid, partnum, rowid, primary key
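A parser for the audit record format above, run over lines like the ids.0 excerpt, so the AAO can confirm that only the table with the AUDIT property produces row-level records. This is an added example, not the deck's or IDS's own code; the sample lines are constructed (the first three copy the excerpt, the last one is in the ADTROWS 1 layout without a primary key).

```python
from collections import Counter

# Constructed sample modelled on the ids.0 excerpt above (ADTROWS 2, so a
# primary key follows the rowid); the last line is a constructed legacy
# record in the ADTROWS 1 layout, which stops at the rowid.
SAMPLE_AUDIT_TRAIL = """\
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:257:101
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:258:102
ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:259:103
ONLN|2010-03-18 10:58:51.000|linx|5359|ids|yob|0:UPRW:stores_demo:100:1048976:259:103
ONLN|2010-03-18 10:59:02.000|linx|5402|ids|yob|0:DLRW:stores_demo:100:1048976:260
"""

FIXED_FIELDS = ("tag", "date", "host", "pid", "informixserver", "user")
VARIABLE_FIELDS = ("errno", "event", "database", "tabid", "partnum", "rowid", "primary_key")
ROW_EVENTS = {"INRW", "UPRW", "DLRW", "RDRW"}


def parse_audit_record(line):
    """Split one audit record into its fixed part and row-event variable part.

    Returns None for records of other audit events, whose variable part has
    a different layout.
    """
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7:
        raise ValueError(f"unexpected field count: {line!r}")
    record = dict(zip(FIXED_FIELDS, fields[:6]))
    variable = fields[6].split(":")
    if len(variable) < 6 or variable[1] not in ROW_EVENTS:
        return None
    # With ADTROWS 2 a seventh component carries the integer primary key;
    # ADTROWS 1 records stop at the rowid, so the key is padded with None.
    variable += [None] * (7 - len(variable))
    record.update(zip(VARIABLE_FIELDS, variable[:7]))
    for key in ("pid", "errno", "tabid", "partnum", "rowid"):
        record[key] = int(record[key])
    if record["primary_key"] is not None:
        record["primary_key"] = int(record["primary_key"])
    return record


def summarize_row_events(trail):
    """Count row-level events per (user, event, database, tabid)."""
    counts = Counter()
    for line in trail.splitlines():
        rec = parse_audit_record(line)
        if rec:
            counts[(rec["user"], rec["event"], rec["database"], rec["tabid"])] += 1
    return counts
```

The (user, event, database, tabid) counts make it immediately visible whether a table without the AUDIT property has slipped into the trail.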
47. Thank you
Yoram Benchetrit
yoram.benchetrit@fr.ibm.com
Tuesday 30 November 2010