IN THE NAME OF ALLAH
DB2 Security Model
Class presentation for the Database Security course at Tarbiat Modares University
Presenters:
Narges Poorkamali
Yeganeh Ghayour Baghbani
Professor:
Dr. Sadegh Dorri Nogorani
Fall Semester: 1398-99
Presentation Date: 1398/10/18
Headlines
• Authorization
• Authentication
• LBAC
• RCAC
• Backup and Recovery
• Data Encryption
• Trusted Context and Connection
• InfoSphere Data Replication

Introducing IBM DB2
Why use DB2 Database?
• Created by IBM in 1993
• The most powerful database engine
• Relational database
• Data warehouse
• Free version
• Structured & unstructured data
• SQL & NoSQL
• Data mining
• Disaster recovery
• Scalability
• Security
• In-memory
• Replication
• Encryption
• BLU Acceleration
Authentication
Authentication options (diagram on the original slide; protocols and what each validates):
• Operating system: user validation, group membership
• Kerberos: user validation, group membership
• Custom plug-ins: user validation (GSS API), group membership
• LDAP: user validation only
IBM Data Server Manager (DSM)
A web-based integrated database management tool platform:
• Database administration
• Health and performance monitoring
• Performance management
• Database client management
Authorization
While processing an SQL statement, the permissions that the DB2 authorization model considers are the union of the following:
• The permissions granted to the primary authorization ID associated with the SQL statement
• The permissions granted to the secondary authorization IDs (groups or roles) associated with the SQL statement
• The permissions granted to PUBLIC, including roles that are granted to PUBLIC, directly or indirectly through other roles
• The permissions granted to the trusted context role, if applicable
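The following Db2 SQL is an added example, not part of the original slides: it grants a privilege at each of the four sources the authorization model unions and then reads them all back from the catalog, which is the check an auditor has to make because a user's own row in SYSCAT.TABAUTH tells only part of the story. The schema, table, user, group and role names (hr.employee, hr.departments, alice, hr_staff, hr_role) are assumed.

```sql
-- Added example, not from the slides: the four permission sources that are
-- unioned for one statement, and a catalog query that audits all of them.
-- Names (hr.employee, hr.departments, alice, hr_staff, hr_role) are assumed.

-- 1. Primary authorization ID: alice holds SELECT directly.
GRANT SELECT ON TABLE hr.employee TO USER alice;

-- 2. Secondary authorization IDs: a group alice belongs to and a role she
--    is granted each carry their own privileges.
GRANT INSERT ON TABLE hr.employee TO GROUP hr_staff;
CREATE ROLE hr_role;
GRANT UPDATE ON TABLE hr.employee TO ROLE hr_role;
GRANT ROLE hr_role TO USER alice;

-- 3. PUBLIC: every authorization ID, alice included, inherits this one,
--    so a PUBLIC grant silently widens what every user can do.
GRANT SELECT ON TABLE hr.departments TO PUBLIC;

-- 4. The trusted context role is added only on a trusted connection
--    (CREATE TRUSTED CONTEXT ... DEFAULT ROLE, covered on a later slide).

-- Reviewing alice's effective table privileges therefore means reading
-- every one of those grantees, not just her own row.
SELECT tabname, grantee, granteetype,
       selectauth, insertauth, updateauth, deleteauth
  FROM syscat.tabauth
 WHERE tabschema = 'HR'
   AND grantee IN ('ALICE', 'HR_STAFF', 'HR_ROLE', 'PUBLIC')
 ORDER BY tabname, grantee;

-- Least-privilege correction for the PUBLIC grant: move it onto the role.
REVOKE SELECT ON TABLE hr.departments FROM PUBLIC;
GRANT SELECT ON TABLE hr.departments TO ROLE hr_role;
```

The GRANTEETYPE column ('U', 'G', 'R') is what distinguishes the three non-PUBLIC sources in the result; a privilege that shows up only under PUBLIC is the one most often missed in a review.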
Authorization
DB2 manages authorizations at three different levels:
• Instance
• Database
• Object
Because of the changes in DB2 9.7, it is easiest to represent the permissions in multiple diagrams. First, the permissions at the instance level for:
1) SYSADM (system administrator)
2) SYSCTRL (system controller)
3) SYSMAINT (system maintenance)
4) SYSMON (system monitoring)
Authorization: Database Level Permissions
Now, the database level permissions (shown as a diagram on the original slide).
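Added example, not from the slides: the DB2 9.7 split of DBADM into DATAACCESS and ACCESSCTRL is what makes separation of duties possible at the database level, so this grants the authorities to three different principals and then reads SYSCAT.DBAUTH to confirm who holds what. The user names secadmin and dbadmin and the group app_users are assumed.

```sql
-- Added example, not from the slides: database-level authorities granted so
-- that security administration and data administration are held by different
-- people. Names secadmin, dbadmin and app_users are assumed.

-- SECADM owns the security objects (roles, LBAC, RCAC, trusted contexts,
-- audit policies) but gets no access to table data by itself.
GRANT SECADM ON DATABASE TO USER secadmin;

-- DBADM without DATAACCESS can create and manage objects but cannot read or
-- change data in tables it does not own; without ACCESSCTRL it also cannot
-- hand privileges to anyone else.
GRANT DBADM WITHOUT DATAACCESS WITHOUT ACCESSCTRL ON DATABASE TO USER dbadmin;

-- Ordinary application users get CONNECT only; object privileges come later
-- through roles.
GRANT CONNECT ON DATABASE TO GROUP app_users;

-- Review who holds which database-level authority.
SELECT grantee, granteetype,
       securityadmauth, dbadmauth, dataaccessauth, accessctrlauth, connectauth
  FROM syscat.dbauth
 ORDER BY grantee;
```

Each *AUTH column is 'Y' or 'N'; a grantee with DBADMAUTH = 'Y' and DATAACCESSAUTH = 'Y' at the same time is the pre-9.7 all-powerful DBA that this split is meant to avoid.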
Authorization: Database Level Permissions (continued)
Access Control
(Diagram on the original slide: LBAC, RCAC; Role, User, Group; Tag)
LBAC: Label-Based Access Control
When to use LBAC for row level authorization?
• Government applications that manage classified information (intelligence, defense, etc.)
• Non-government applications where:
  • Data classification is known
  • Data classification can be represented by one or more LBAC security label components
  • Authorization rules can be mapped to the security label component rules
• If any of the above is not possible, then views are a better alternative for row level authorization.
LBAC: Label-Based Access Control
When to use LBAC for column level authorization?
• Control access to a sensitive column (e.g., social security number, credit card number, etc.)
• Protect the data in the table from access by the table owner or DBAs
• Assign a security label to all columns in the table
• Assign that security label to a role
• Assign that role to all users who need access to the table
• Only users who are members of that role will be able to access data in that table
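Added example covering both LBAC slides (row-level and column-level authorization), not taken from the presentation: a single security policy with one ARRAY component protects the rows of a table through a DB2SECURITYLABEL column and one sensitive column through SECURED WITH, and the label is granted to a role rather than to individual users, as the column-level slide recommends. The component, policy, label, schema, table, role and user names are all assumed; the statements are run by SECADM unless a comment says otherwise.

```sql
-- Added example, not from the slides: one LBAC policy protecting rows and a
-- column of the same table. All object and user names are assumed.

-- One ARRAY component: elements earlier in the list dominate later ones.
CREATE SECURITY LABEL COMPONENT clearance
  ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

CREATE SECURITY POLICY intel_policy
  COMPONENTS clearance
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

CREATE SECURITY LABEL intel_policy.secret       COMPONENT clearance 'SECRET';
CREATE SECURITY LABEL intel_policy.confidential COMPONENT clearance 'CONFIDENTIAL';

-- Row level: every row carries its own label in the DB2SECURITYLABEL column.
-- Column level: analyst_note is itself labelled SECRET, so a table owner or
-- DBA who holds no SECRET label cannot read it either.
CREATE TABLE intel.report (
  report_id    INTEGER NOT NULL PRIMARY KEY,
  summary      VARCHAR(200),
  analyst_note VARCHAR(1000) SECURED WITH secret,
  row_label    DB2SECURITYLABEL
) SECURITY POLICY intel_policy;

-- The slide's recipe: label -> role -> the users who need the table.
CREATE ROLE secret_readers;
GRANT SECURITY LABEL intel_policy.secret TO ROLE secret_readers FOR ALL ACCESS;
GRANT SELECT, INSERT ON TABLE intel.report TO ROLE secret_readers;
GRANT ROLE secret_readers TO USER alice;

-- A second user holding only the CONFIDENTIAL label, for contrast.
GRANT SECURITY LABEL intel_policy.confidential TO USER bob FOR READ ACCESS;
GRANT SELECT ON TABLE intel.report TO USER bob;

-- Run as alice: leaving row_label out stores the row under her write label,
-- SECRET. With RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL, an explicit
-- label she may not write to is an error, not a silent substitution.
INSERT INTO intel.report (report_id, summary, analyst_note)
  VALUES (1, 'Quarterly summary', 'source details');

-- Run as bob: the SECRET row is filtered out (zero rows, no error) ...
SELECT report_id, summary FROM intel.report;
-- ... while naming the SECRET column at all is an authorization error,
-- not a NULL, which is the difference between LBAC and a column mask.
SELECT analyst_note FROM intel.report;
```

The two behaviours at the end are the point of the row/column split: row labels silently hide rows, column labels refuse the statement.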
RCAC: Row and Column Access Control
• Table controls to protect SQL access at the individual row level and individual column level:
  • Establish a row policy for a table
    • Filter rows out of the answer set
    • The policy can use session information (e.g. which group the SQL ID is in, or which role the user is using) to control which rows are returned in the result set
    • Applicable to SELECT, INSERT, UPDATE, DELETE, and MERGE
    • Defined as a row permission
  • Establish a column policy for a table
    • Mask column values in the answer set
    • The policy can use session information (e.g. which group the SQL ID is in, or which role the user is using) to control what masked value is returned in the result set
    • Applicable to the output of the outermost subselect
    • Defined as column masks
• Define table policies based on who is accessing the table or how it is being accessed
• Managing row and column access controls
RCAC: Row and Column Access Control
Rules about row and column access:
• Not enforced for RI, CHECK, or UNIQUE constraints
  • Preserve data integrity
• Require secure triggers
  • CREATE or ALTER TRIGGER with the SECURED option
  • Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
  • Rebind trigger packages implicitly after ALTER TRIGGER
• Require secure UDFs
  • Referenced in the row permission and column mask definition
  • CREATE or ALTER TRIGGER with the SECURED option
  • Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
• Populate access control information in EXPLAIN tables
  • Can activate access control on EXPLAIN tables
• No support for MQTs and set operations
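Added example covering both RCAC slides (the row permission and column mask controls, and the secure-trigger and secure-UDF rules), not part of the presentation: a row permission that uses session information through VERIFY_ROLE_FOR_USER and a SECURED SQL function, a column mask on a sensitive column, the ACTIVATE step without which nothing is enforced, and a SECURED trigger, with CREATE_SECURE_OBJECT granted to the developer who owns the trigger. The schema, table, column, role and user names (hr.employee, hr.salary_audit, HR_MANAGER, PAYROLL, hr_dev) are assumed; CREATE FUNCTION ... SECURED is the statement that marks a UDF secure.

```sql
-- Added example, not from the slides: RCAC objects on an assumed table
-- hr.employee (emp_id, login_name, ssn, salary) plus the secure UDF and
-- secure trigger the rules require. All names are assumed.

-- SECADM creates permissions and masks; a non-SECADM developer needs
-- CREATE_SECURE_OBJECT to declare a function or trigger SECURED.
GRANT CREATE_SECURE_OBJECT ON DATABASE TO USER hr_dev;

-- A UDF referenced from a permission or mask must be SECURED, or the
-- CREATE PERMISSION / CREATE MASK that uses it is rejected.
CREATE FUNCTION hr.is_own_record(emp_user VARCHAR(128))
  RETURNS INTEGER
  LANGUAGE SQL DETERMINISTIC NO EXTERNAL ACTION
  SECURED
  RETURN CASE WHEN emp_user = SESSION_USER THEN 1 ELSE 0 END;

-- Row permission: members of HR_MANAGER see every row, everyone else only
-- their own. Enforced for SELECT, INSERT, UPDATE, DELETE and MERGE.
CREATE PERMISSION hr.emp_row_access ON hr.employee AS e
  FOR ROWS WHERE VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR_MANAGER') = 1
              OR hr.is_own_record(e.login_name) = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: the full SSN is returned only to the PAYROLL role; others see
-- the last four digits. Applied to the output of the outermost subselect.
CREATE MASK hr.ssn_mask ON hr.employee
  FOR COLUMN ssn RETURN
    CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'PAYROLL') = 1
         THEN ssn
         ELSE 'XXX-XX-' || SUBSTR(ssn, 8, 4)
    END
  ENABLE;

-- Nothing above is enforced until access control is activated on the table.
ALTER TABLE hr.employee ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE hr.employee ACTIVATE COLUMN ACCESS CONTROL;

-- A trigger on a table with active access control must be SECURED, because
-- its body sees unfiltered, unmasked values. An existing NOT SECURED trigger
-- is converted with ALTER TRIGGER, which rebinds its package implicitly.
CREATE TRIGGER hr.audit_salary
  AFTER UPDATE OF salary ON hr.employee
  REFERENCING OLD AS o NEW AS n
  FOR EACH ROW MODE DB2SQL SECURED
  INSERT INTO hr.salary_audit (emp_id, old_salary, new_salary, changed_by)
  VALUES (n.emp_id, o.salary, n.salary, SESSION_USER);
-- ALTER TRIGGER hr.some_existing_trigger SECURED;

-- Verify what is defined, and that it is enabled and still valid.
SELECT controlname, controltype, colname, enable, valid
  FROM syscat.controls
 WHERE tabschema = 'HR' AND tabname = 'EMPLOYEE';
```

VALID = 'N' in the last query means a dependency (for example the UDF) was dropped or altered and the permission no longer applies, which is the case to alert on.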
Backup and Recovery
Online backup vs. offline backup
The target location is specified when you invoke the backup utility. This location can be:
• A directory in a file system (for backups to disk or diskette)
• A device (for backups to tape)
• A Tivoli Storage Manager (TSM) server
• Another vendor's server
• Cloud
IBM Tivoli Storage Manager is an enterprise-wide storage management application. It provides automated storage management services to workstations, personal computers, and file servers from various vendors, with various operating systems.
Data Encryption
DB2 Native Encryption: Db2 native encryption provides a built-in encryption capability to protect database backup images and key database files from inappropriate access while they are at rest on external storage media.
IBM InfoSphere Guardium: IBM InfoSphere Guardium Data Encryption is a comprehensive software data security solution that, when used in conjunction with native Db2 security, provides effective protection of the data and the database application against a broad array of threats.
Encrypted File System (EFS): If you are running a Db2 system on the AIX operating system, you have the option to set up an encrypted database by using the AIX encrypted file system (EFS). For detailed information about EFS, see your AIX documentation.
SSL: The Db2 database system supports SSL, which means that a Db2 client application that also supports SSL can connect to a Db2 database by using an SSL socket. CLI, CLP, and .NET Data Provider client applications, and applications that use the IBM Data Server Driver for JDBC and SQLJ (type 4 connections), support SSL.
Data Encryption: DB2 Native Encryption
Highlights:
• Encrypt online data
• Encrypt backups
• Transparent to the application
• Transparent to the schema
• Secure and transparent key management
• Exploits hardware acceleration such as Intel AES-NI
• FIPS 140-2 certified encryption libraries
• NIST-compliant use of cryptography
• Easy to deploy in cloud, software or appliance
• Runs wherever DB2 runs
Key Management:
• Industry standard 2-tier model
• Actual data is encrypted with a data encryption key (DEK)
• The DEK is encrypted with a master key (MK)
• The DEK is managed within the database while the MK is managed externally
• The MK is managed in a PKCS#12 compliant local GSKit-based keystore
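Added example serving both the backup slide and the native-encryption key-management slide, not taken from the presentation: it inspects which master key currently protects the database, takes an encrypted online backup to a disk target through the SYSPROC.ADMIN_CMD procedure, rotates the master key (which, in the 2-tier model, re-wraps only the DEK and never re-encrypts the data), and checks the backup history. The database name hrdb, the path /db2backups and the key label HRDB_MK_2020 are assumed placeholders; the database is assumed to have been created with the ENCRYPT option and the instance to already point at a PKCS#12 keystore through KEYSTORE_TYPE and KEYSTORE_LOCATION. The encryption library name is the Linux/AIX one.

```sql
-- Added example, not from the slides: encrypted online backup and master-key
-- handling driven from SQL. hrdb, /db2backups and HRDB_MK_2020 are assumed
-- placeholders; the database is assumed to be natively encrypted already.

-- Which algorithm, key length and master key label protect this database,
-- and in what kind of keystore does the master key live?
SELECT object_type, algorithm, key_length, master_key_label, keystore_type
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO());

-- Online backup to a directory target, encrypted with the same library.
-- The image is usable only where a keystore holding HRDB_MK_2020 exists,
-- so the keystore needs its own backup and its own access control.
CALL SYSPROC.ADMIN_CMD(
  'BACKUP DATABASE hrdb ONLINE TO /db2backups '
  || 'ENCRYPT ENCRLIB ''libdb2encr.so'' '
  || 'ENCROPTS ''Cipher=AES:Key Length=256:Master Key Label=HRDB_MK_2020''');

-- 2-tier model in action: rotating the master key re-wraps the DEK only.
-- Run from the db2 CLP; the ? is a null input, so Db2 generates the new
-- master key and its label in the keystore and returns the label.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY(?);

-- After rotation the previous label is still recorded, which is what a
-- restore of an older backup image will need.
SELECT master_key_label, previous_master_key_label, rotation_time
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO());

-- Confirm the backup completed (SQLCODE 0) and was online ('O').
SELECT start_time, operationtype, location, sqlcode
  FROM sysibmadm.db_history
 WHERE operation = 'B'
 ORDER BY start_time DESC
 FETCH FIRST 3 ROWS ONLY;
```

The last two queries are the checks worth automating: a backup image whose master key label is no longer in any surviving keystore is unrecoverable, however intact the file is.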
Trusted Context and Connection
A trusted context is a new object that is defined based upon a system authorization ID and one or more sets of connection trust attributes, where each set defines at least one connection trust attribute:
• System authorization ID
• Connection trust attributes
The trust relationship is based upon the following set of attributes:
1. System authorization ID: represents the user that establishes a database connection
2. IP address (or domain name): represents the host from which a database connection is established
3. Data stream encryption: represents the encryption setting (if any) for the data communication between the database server and the database client
A trusted connection allows its initiator to acquire additional capabilities that may not be available outside the scope of the trusted connection. The additional capabilities vary depending on whether the trusted connection is explicit or implicit.
The initiator of an explicit trusted connection has the ability to:
1. Switch the current user ID on the connection to a different user ID, with or without authentication
2. Acquire additional privileges via the role inheritance feature of trusted contexts
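Added example, not from the slides: a trusted context for an application server that pins all three trust attributes from this slide (system authorization ID, address, data-stream encryption), carries a default role that connections through it inherit (the "trusted context role" of the authorization model), and lists which users the server may switch the connection to, with and without re-authentication. The authorization IDs appsrv, alice and bob, the address 192.0.2.10, the table shop.orders and the role order_entry are assumed. The user switch itself is performed by the client driver on an explicit trusted connection, not by an SQL statement, so only its policy side is shown here.

```sql
-- Added example, not from the slides: a trusted context with all three trust
-- attributes, a default role, and the user-switch policy. All names assumed.

-- The role reached only through the trusted context; appsrv connecting from
-- anywhere else, or any user connecting directly, never holds it.
CREATE ROLE order_entry;
GRANT INSERT, UPDATE ON TABLE shop.orders TO ROLE order_entry;

CREATE TRUSTED CONTEXT ctx_app_server
  BASED UPON CONNECTION USING SYSTEM AUTHID appsrv   -- 1. system authorization ID
  ATTRIBUTES (ADDRESS    '192.0.2.10',               -- 2. host the server connects from
              ENCRYPTION 'HIGH')                     -- 3. data stream must be SSL-encrypted
  DEFAULT ROLE order_entry                           -- inherited on the trusted connection
  ENABLE
  WITH USE FOR alice WITH AUTHENTICATION,            -- switch allowed, credentials required
               bob   WITHOUT AUTHENTICATION;         -- switch allowed with no re-authentication

-- A connection from appsrv that fails any attribute (wrong address, no
-- encryption) is still accepted, but as an ordinary, untrusted connection:
-- no order_entry role, no user switching.

-- Review the definition, its attributes, and who may be switched to.
SELECT contextname, systemauthid, defaultcontextrole, enabled
  FROM syscat.contexts;
SELECT contextname, attr_name, attr_value
  FROM syscat.contextattributes;
SELECT trustedid, surrogateauthid, authenticate
  FROM syscat.surrogateauthids;
```

WITHOUT AUTHENTICATION entries deserve the closest review: each one lets the application server act as that user on nothing more than the server's own identity and network position.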
InfoSphere Data Replication
• Database replication solution from IBM
• Multi-platform: Windows, Linux, Unix
• Changes to the database are captured in real time
• Captures inserts, updates and deletes
• Centralized platform
• Low-impact capture and fast delivery of changes to the database
• Helps reduce processing overhead by sending only changes, thereby removing the need for additional steps to detect changes
• Reduces network traffic by sending only changed or new data instead of the entire data set
• Has three components:
  • Change data capture (CDC)
  • SQL replication: in SQL Replication, committed source changes are staged in relational tables before being replicated to target systems.
  • Q replication: in Q Replication, committed source changes are written in messages that are transported through MQ queues to target systems.
More Related Content

What's hot

DB2 Basic Commands - UDB
DB2 Basic Commands - UDBDB2 Basic Commands - UDB
DB2 Basic Commands - UDBSrinimf-Slides
 
Presentation upgrade, migrate & consolidate to oracle database 12c &amp...
Presentation   upgrade, migrate & consolidate to oracle database 12c &amp...Presentation   upgrade, migrate & consolidate to oracle database 12c &amp...
Presentation upgrade, migrate & consolidate to oracle database 12c &amp...solarisyougood
 
DB2 and storage management
DB2 and storage managementDB2 and storage management
DB2 and storage managementCraig Mullins
 
RACF - The Basics (v1.2)
RACF - The Basics (v1.2)RACF - The Basics (v1.2)
RACF - The Basics (v1.2)Rui Miguel Feio
 
Oracle 12c and its pluggable databases
Oracle 12c and its pluggable databasesOracle 12c and its pluggable databases
Oracle 12c and its pluggable databasesGustavo Rene Antunez
 
Oracle backup and recovery
Oracle backup and recoveryOracle backup and recovery
Oracle backup and recoveryYogiji Creations
 
Advanced pg_stat_statements: Filtering, Regression Testing & more
Advanced pg_stat_statements: Filtering, Regression Testing & moreAdvanced pg_stat_statements: Filtering, Regression Testing & more
Advanced pg_stat_statements: Filtering, Regression Testing & moreLukas Fittl
 
Z4R: Intro to Storage and DFSMS for z/OS
Z4R: Intro to Storage and DFSMS for z/OSZ4R: Intro to Storage and DFSMS for z/OS
Z4R: Intro to Storage and DFSMS for z/OSTony Pearson
 
DB2 LUW - Backup and Recovery
DB2 LUW - Backup and RecoveryDB2 LUW - Backup and Recovery
DB2 LUW - Backup and Recoveryimranasayed
 
Db2 for z os trends
Db2 for z os trendsDb2 for z os trends
Db2 for z os trendsCuneyt Goksu
 
Parallel Sysplex Implement2
Parallel Sysplex Implement2Parallel Sysplex Implement2
Parallel Sysplex Implement2ggddggddggdd
 
Oracle 12c Multitenant architecture
Oracle 12c Multitenant architectureOracle 12c Multitenant architecture
Oracle 12c Multitenant architecturenaderattia
 
[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오
[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오
[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오PgDay.Seoul
 
[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.
[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.
[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.NAVER D2
 

What's hot (20)

Mainframe interview
Mainframe interviewMainframe interview
Mainframe interview
 
DB2 TABLESPACES
DB2 TABLESPACESDB2 TABLESPACES
DB2 TABLESPACES
 
SKILLWISE-DB2 DBA
SKILLWISE-DB2 DBASKILLWISE-DB2 DBA
SKILLWISE-DB2 DBA
 
Skillwise-IMS DB
Skillwise-IMS DBSkillwise-IMS DB
Skillwise-IMS DB
 
DB2 Basic Commands - UDB
DB2 Basic Commands - UDBDB2 Basic Commands - UDB
DB2 Basic Commands - UDB
 
Presentation upgrade, migrate & consolidate to oracle database 12c &amp...
Presentation   upgrade, migrate & consolidate to oracle database 12c &amp...Presentation   upgrade, migrate & consolidate to oracle database 12c &amp...
Presentation upgrade, migrate & consolidate to oracle database 12c &amp...
 
DB2 DOCUMENT
DB2 DOCUMENTDB2 DOCUMENT
DB2 DOCUMENT
 
DB2 and storage management
DB2 and storage managementDB2 and storage management
DB2 and storage management
 
RACF - The Basics (v1.2)
RACF - The Basics (v1.2)RACF - The Basics (v1.2)
RACF - The Basics (v1.2)
 
Oracle 12c and its pluggable databases
Oracle 12c and its pluggable databasesOracle 12c and its pluggable databases
Oracle 12c and its pluggable databases
 
Oracle backup and recovery
Oracle backup and recoveryOracle backup and recovery
Oracle backup and recovery
 
Advanced pg_stat_statements: Filtering, Regression Testing & more
Advanced pg_stat_statements: Filtering, Regression Testing & moreAdvanced pg_stat_statements: Filtering, Regression Testing & more
Advanced pg_stat_statements: Filtering, Regression Testing & more
 
Z4R: Intro to Storage and DFSMS for z/OS
Z4R: Intro to Storage and DFSMS for z/OSZ4R: Intro to Storage and DFSMS for z/OS
Z4R: Intro to Storage and DFSMS for z/OS
 
DB2 LUW - Backup and Recovery
DB2 LUW - Backup and RecoveryDB2 LUW - Backup and Recovery
DB2 LUW - Backup and Recovery
 
Db2 for z os trends
Db2 for z os trendsDb2 for z os trends
Db2 for z os trends
 
Oracle Database 12c : Multitenant
Oracle Database 12c : MultitenantOracle Database 12c : Multitenant
Oracle Database 12c : Multitenant
 
Parallel Sysplex Implement2
Parallel Sysplex Implement2Parallel Sysplex Implement2
Parallel Sysplex Implement2
 
Oracle 12c Multitenant architecture
Oracle 12c Multitenant architectureOracle 12c Multitenant architecture
Oracle 12c Multitenant architecture
 
[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오
[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오
[Pgday.Seoul 2017] 3. PostgreSQL WAL Buffers, Clog Buffers Deep Dive - 이근오
 
[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.
[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.
[135] 오픈소스 데이터베이스, 은행 서비스에 첫발을 내밀다.
 

Similar to DB2 Security Model

Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingSolidQ
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft CloudEuropean Collaboration Summit
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networksG Prachi
 
Db2.security.slides
Db2.security.slidesDb2.security.slides
Db2.security.slidesasderww
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseEDB
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-dataKevin Mayo
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server SecurityVinod Kumar
 
Database security technique with database cache
Database security technique with database cacheDatabase security technique with database cache
Database security technique with database cacheIJARIIT
 
Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDr-Dipali Meher
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Maximiliano Accotto
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Maximiliano Accotto
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...Michael Noel
 
DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security EnhancementsLaura Hood
 
Concurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud DatabasesConcurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud DatabasesEditor IJMTER
 

Similar to DB2 Security Model (20)

Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
2) security
2) security2) security
2) security
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdf
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Db2.security.slides
Db2.security.slidesDb2.security.slides
Db2.security.slides
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres Database
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
 
Gradution Project
Gradution ProjectGradution Project
Gradution Project
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
 
Database security technique with database cache
Database security technique with database cacheDatabase security technique with database cache
Database security technique with database cache
 
Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,View
 
Chapter23
Chapter23Chapter23
Chapter23
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017
 
Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017Seguridad en sql server 2016 y 2017
Seguridad en sql server 2016 y 2017
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
 
Database concepts
Database conceptsDatabase concepts
Database concepts
 
DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security Enhancements
 
Concurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud DatabasesConcurrent And Independent Access To Encrypted Cloud Databases
Concurrent And Independent Access To Encrypted Cloud Databases
 

Recently uploaded

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

DB2 Security Model

  • 1. IN THE NAME OF ALLAH DB2 Security Model Class Presentation of Database Security Course At Tarbiat Modares University Presentators: Narges Poorkamali Yeganeh Ghayour Baghbani Professor: Dr. Sadegh Dorri Nogorani Fall Semester: 1398-99 Presentation Date: 1398/10/18 1
  • 2. Headlines Authorization Authentication LBAC Backup and Recovery Data Encryption Trusted Context and Connection 2 InfoSphere Data Replication RCAC
  • 3. Introducing IBM DB2 3 Why use DB2 Database?  Create by IBM company in 1993  The most powerful Database Engine  Relational Database  Data Warehouse  Free Version  Stuctured & UnStuctured  SQL & NO SQL  Data Mining  Disater Rcovery  Scalability  Security  In Memory  Replication  Encription  BLU Acceleration
  • 4. Custom Plug-ins Kerberos User validation Group membership User validation Group membership User validation (GSS API) Group membership Protocols Operating system Authentication LDAP User validation only
  • 5. IBM Data Server Manager (DSM) 5 A web-based integrated database management tool platform:  Database Administrator  Health and Performance Monitoring  Performance Management  Database Client Management
  • 6. During an SQL statement processing, the permissions that the DB2 authorization model considers are the union of the following permissions:  The permissions granted to the primary authorization ID associated with the SQL statement The permissions granted to the secondary authorization IDs (groups or roles) associated with the SQL statement The permissions granted to PUBLIC, including roles that are granted to PUBLIC, directly or indirectly through other roles The permissions granted to the trusted context role, if applicable. 6 Authorization
  • 7. 7 DB2 manages authorizations at three different levels:  Instance  Database  Object Because of the changes in DB2 9.7, it is easiest to represent the permissions in multiple diagrams. First, the Permissions at the instance level for: 1) SYSADM(system administrator) 2) SYSCTRL(system controler) 3) SYSMAINT(system maintenance) 4) SYSMON(system monitoring) Authorization
  • 8. Authorization: Database Level Permission
    Now, the database level permissions:
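The three authorization levels on the slides above, and the rule that a statement's permissions are the union of what the primary ID, its groups and roles, PUBLIC and the trusted-context role hold, as an added DB2 LUW example that is not part of the presentation. The schema `hr`, the users `alice` and `carol`, the OS groups `db2adm` and `db2mon`, and the role `hr_reader` are assumed names.

```sql
-- Added example (not from the presentation): granting DB2 authorities at the
-- three levels the slides describe, then checking what one user ends up with.
-- Schema hr, users alice/carol, groups db2adm/db2mon and role hr_reader are
-- assumed names. Run the GRANTs as SECADM.

-- Instance level: SYSADM, SYSCTRL, SYSMAINT and SYSMON are not GRANTed. They
-- are operating-system groups named in the database manager configuration
-- (CLP command, not SQL), and group membership is what confers them:
--   db2 UPDATE DBM CFG USING SYSADM_GROUP db2adm SYSMON_GROUP db2mon

-- Database level: authorities are granted on the database itself.
GRANT DBADM  ON DATABASE TO USER alice;   -- administers objects and data
GRANT SECADM ON DATABASE TO USER carol;   -- administers security only

-- Object level: privileges on individual objects, preferably through a role
-- rather than to users one at a time.
CREATE ROLE hr_reader;
GRANT SELECT ON TABLE hr.employee TO ROLE hr_reader;
GRANT ROLE hr_reader TO USER carol;

-- Whatever PUBLIC holds is part of every user's effective permissions, so it
-- is worth trimming; a database created without RESTRICTIVE gives PUBLIC
-- several privileges by default.
REVOKE SELECT ON TABLE hr.employee FROM PUBLIC;

-- Effective authorities for carol. Each row names an authority and whether
-- it came directly (D_*) or through a role (ROLE_*), for the user, a group
-- or PUBLIC: exactly the union the slides describe.
SELECT authority, d_user, d_group, d_public, role_user, role_group, role_public
  FROM TABLE(SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID('CAROL', 'U')) AS t
 WHERE d_user = 'Y' OR d_group = 'Y' OR d_public = 'Y'
    OR role_user = 'Y' OR role_group = 'Y' OR role_public = 'Y';

-- Object-level privileges on hr.employee, by grantee type (U, G, R).
SELECT grantee, granteetype, selectauth, updateauth, deleteauth, controlauth
  FROM syscat.tabauth
 WHERE tabschema = 'HR' AND tabname = 'EMPLOYEE';
```

The two catalog queries are the check a reviewer runs after a change: the first answers "what can this ID do and why", the second "who can touch this table", which is where a stray grant to PUBLIC or to a broad group shows up.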
  • 11. LBAC (Label-Based Access Control)
    When to use LBAC for row level authorization?
    - Government applications that manage classified information (intelligence, defense, etc.)
    - Non-government applications where:
      - Data classification is known
      - Data classification can be represented by one or more LBAC security label components
      - Authorization rules can be mapped to the security label component rules
    - If any of the above is not possible, then views are a better alternative for row level authorization.
  • 12. LBAC (Label-Based Access Control)
    When to use LBAC for column level authorization?
    - Control access to a sensitive column (e.g., social security number, credit card number, etc.)
    - Protect the data in the table from access by the table owner or DBAs:
      - Assign a security label to all columns in the table
      - Assign that security label to a role
      - Assign that role to all users who need access to the table
      - Only users who are members of that role will be able to access data in that table
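One LBAC policy used first for row-level protection (slide 11) and then for the column-level pattern of slide 12, as an added example that is not part of the presentation. The component, policy, label, table, role and user names are assumed, and the inserted rows are constructed sample data; the statements must be run by a SECADM.

```sql
-- Added example (not from the presentation): one LBAC policy serving both
-- row-level and column-level protection. Run as SECADM. Component, policy,
-- label, table, role and user names are assumed.

-- An ARRAY component gives an ordered classification: an earlier entry
-- dominates every later one.
CREATE SECURITY LABEL COMPONENT classification
   ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

CREATE SECURITY POLICY data_access_policy
   COMPONENTS classification
   WITH DB2LBACRULES;

CREATE SECURITY LABEL data_access_policy.secret
   COMPONENT classification 'SECRET';
CREATE SECURITY LABEL data_access_policy.unclassified
   COMPONENT classification 'UNCLASSIFIED';

-- Row level (slide 11): every row carries its own label in a
-- DB2SECURITYLABEL column.
CREATE TABLE ops.mission (
   id      INTEGER NOT NULL PRIMARY KEY,
   detail  VARCHAR(200),
   seclbl  DB2SECURITYLABEL
) SECURITY POLICY data_access_policy;

-- alice holds SECRET for read and write, so she sees SECRET and below.
GRANT SECURITY LABEL data_access_policy.secret
   TO USER alice FOR ALL ACCESS;

-- Constructed sample rows. SECLABEL_BY_NAME builds the label value; a row
-- inserted without one gets the inserting user's write label.
INSERT INTO ops.mission VALUES
   (1, 'site survey (constructed)',
       SECLABEL_BY_NAME('DATA_ACCESS_POLICY', 'UNCLASSIFIED')),
   (2, 'asset list (constructed)',
       SECLABEL_BY_NAME('DATA_ACCESS_POLICY', 'SECRET'));

-- A user holding only UNCLASSIFIED gets row 1. Rows that fail the read
-- rules are filtered out silently, not reported as an error, which is why
-- LBAC suits the "classified rows" case and views suit the rest.
SELECT id, detail, SECLABEL_TO_CHAR('DATA_ACCESS_POLICY', seclbl) AS label
  FROM ops.mission;

-- Column level (slide 12): protect one sensitive column and reach it only
-- through a role. DBADM does not bypass LBAC, so the table owner or a DBA
-- without the label cannot read the column.
CREATE TABLE hr.payroll (
   emp_id  INTEGER NOT NULL PRIMARY KEY,
   salary  DECIMAL(9,2),
   ssn     VARCHAR(11) SECURED WITH secret
) SECURITY POLICY data_access_policy;

CREATE ROLE payroll_role;
GRANT SECURITY LABEL data_access_policy.secret
   TO ROLE payroll_role FOR READ ACCESS;
GRANT ROLE payroll_role TO USER bob;

-- Without the label, a statement that names ssn fails with an
-- authorization error; the unsecured columns stay readable for anyone
-- who holds SELECT on the table.
SELECT emp_id, salary FROM hr.payroll;   -- any user with SELECT
SELECT emp_id, ssn    FROM hr.payroll;   -- label holders such as bob only
```

Slide 12 secures every column of the table; the example secures only `ssn` to keep the contrast visible, and the same `SECURED WITH` clause on each remaining column is all that the full pattern needs. Row and column filtering differ in a way that matters operationally: unreadable rows disappear from the result set, while an unreadable column makes the statement fail, so application code must be prepared for the latter.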
  • 13. RCAC (Row and Column Access Control)
    - Table controls to protect SQL access at the individual row level and the individual column level:
      - Establish a row policy for a table
        - Filters rows out of the answer set
        - The policy can use session information (e.g., which group the SQL ID belongs to, or which role the user is using) to control which rows are returned in the result set
        - Applicable to SELECT, INSERT, UPDATE, DELETE, and MERGE
        - Defined as a row permission
      - Establish a column policy for a table
        - Masks column values in the answer set
        - The policy can use session information (e.g., which group the SQL ID belongs to, or which role the user is using) to control what masked value is returned in the result set
        - Applicable to the output of the outermost subselect
        - Defined as column masks
    - Define table policies based on who is accessing the table or how it is being accessed
    - Managing row and column access controls
  • 14. RCAC (Row and Column Access Control)
    Rules about row and column access:
    - Not enforced for RI, CHECK, or UNIQUE constraints
      - Preserves data integrity
    - Require secure triggers:
      - CREATE or ALTER TRIGGER with the SECURED option
      - Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
      - Trigger packages are rebound implicitly after ALTER TRIGGER
    - Require secure UDFs:
      - Referenced in the row permission and column mask definition
      - CREATE or ALTER TRIGGER with the SECURED option
      - Managed by SECADM or the new privilege CREATE_SECURE_OBJECT
    - Access control information is populated in EXPLAIN tables
      - Access control can be activated on EXPLAIN tables
    - No support for MQTs and set operations
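The row permission, column mask and SECURED function of slides 13 and 14 on one table, followed by the activation step and a catalog check, as an added example that is not part of the presentation. The table, roles, function name and the `nnn-nn-nnnn` SSN format are assumed; a SECADM runs the statements.

```sql
-- Added example (not from the presentation): a SECURED function, a row
-- permission and a column mask on one table, then activation and a catalog
-- check. Run as SECADM. Table, role and function names are assumed.

CREATE TABLE hr.employee (
   emp_id   INTEGER NOT NULL PRIMARY KEY,
   name     VARCHAR(60),
   dept     CHAR(3),
   mgr_id   VARCHAR(128),      -- authorization ID of the row's manager
   ssn      VARCHAR(11)        -- assumed format nnn-nn-nnnn
);

CREATE ROLE hr_manager;
CREATE ROLE payroll_clerk;

-- A function referenced by a permission or a mask must be SECURED; only
-- SECADM or a holder of CREATE_SECURE_OBJECT may declare it so. The
-- department list is constructed for the example.
CREATE FUNCTION hr.is_restricted(d CHAR(3))
   RETURNS INTEGER
   LANGUAGE SQL
   DETERMINISTIC NO EXTERNAL ACTION
   SECURED
   RETURN CASE WHEN d IN ('EXE', 'SEC') THEN 1 ELSE 0 END;

-- Row policy: HR managers see every row; other users see only rows they
-- manage, and never rows of a restricted department. ENFORCED FOR ALL ACCESS
-- applies it to SELECT, INSERT, UPDATE, DELETE and MERGE.
CREATE PERMISSION hr.emp_row_access ON hr.employee
   FOR ROWS WHERE VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR_MANAGER') = 1
               OR (mgr_id = SESSION_USER AND hr.is_restricted(dept) = 0)
   ENFORCED FOR ALL ACCESS
   ENABLE;

-- Column policy: payroll clerks get the real SSN, everyone else only the
-- last four digits. The CASE result must have the column's data type,
-- hence the CAST.
CREATE MASK hr.ssn_mask ON hr.employee FOR COLUMN ssn
   RETURN CASE
             WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'PAYROLL_CLERK') = 1
                THEN ssn
             ELSE CAST('XXX-XX-' || SUBSTR(ssn, 8, 4) AS VARCHAR(11))
          END
   ENABLE;

-- Nothing is enforced until access control is activated on the table.
-- Activating row access control also installs an implicit default
-- permission that allows no rows, so a table with no enabled permission
-- of its own returns nothing: the safe failure mode, but a surprise if
-- the ENABLE above was forgotten.
ALTER TABLE hr.employee
   ACTIVATE ROW ACCESS CONTROL
   ACTIVATE COLUMN ACCESS CONTROL;

-- Audit what is in force: permissions (R) and masks (C) are catalogued in
-- SYSCAT.CONTROLS with their ENABLE flag.
SELECT controlname, controltype, colname, enable
  FROM syscat.controls
 WHERE tabschema = 'HR' AND tabname = 'EMPLOYEE';
```

The mask applies to the outermost subselect only, as slide 13 states, so a predicate such as `WHERE ssn = '...'` inside the query still compares against the real value; the row permission, not the mask, is what stops a user from probing a column they are not meant to see.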
  • 15. Backup and Recovery
    Online Backup vs Offline Backup
    The target location is specified when you invoke the backup utility. This location can be:
    - A directory in a file system (for backups to disk or diskette)
    - A device (for backups to tape)
    - A Tivoli Storage Manager (TSM) server
    - Another vendor's server
    - Cloud
    IBM Tivoli Storage Manager is an enterprise-wide storage management application. It provides automated storage management services to workstations, personal computers, and file servers from various vendors, with various operating systems.
  • 16. Data Encryption
    Options: DB2 Native Encryption, IBM InfoSphere Guardium, Encrypted File System (EFS), SSL
    - Db2 native encryption provides a built-in encryption capability to protect database backup images and key database files from inappropriate access while they are at rest on external storage media.
    - IBM InfoSphere Guardium Data Encryption is a comprehensive software data security solution that, when used in conjunction with native Db2 security, provides effective protection of the data and the database application against a broad array of threats.
    - If you are running a Db2 system on the AIX operating system, you have the option to set up an encrypted database by using the AIX encrypted file system (EFS). For detailed information about EFS, see your AIX documentation.
    - The Db2 database system supports SSL, which means that a Db2 client application that also supports SSL can connect to a Db2 database by using an SSL socket. CLI, CLP, and .NET Data Provider client applications, and applications that use the IBM Data Server Driver for JDBC and SQLJ (type 4 connections), support SSL.
  • 17. Data Encryption: DB2 Native Encryption
    Highlights:
    - Encrypt online data
    - Encrypt backups
    - Transparent to the application
    - Transparent to the schema
    - Secure and transparent key management
    - Exploits hardware acceleration such as Intel AES-NI
    - FIPS 140-2 certified encryption libraries
    - NIST-compliant use of cryptography
    - Easy to deploy in cloud, software, or appliance
    - Runs wherever DB2 runs
    Key Management:
    - Industry-standard 2-tier model
    - Actual data is encrypted with a data encryption key (DEK)
    - The DEK is encrypted with a master key (MK)
    - The DEK is managed within the database while the MK is managed externally
    - The MK is managed in a PKCS#12 compliant local GSKit-based keystore
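The backup-target choice of slide 15 and the two-tier key management of slide 17 carried through in one sequence, as an added example that is not part of the presentation: keystore registration, archive logging, an online encrypted backup to a file-system directory, a master key rotation, and two verification queries. Everything is issued through `SYSPROC.ADMIN_CMD` so it runs from any SQL client. The database name `sample`, the paths, and the assumption that the database was created with the `ENCRYPT` option (`db2 CREATE DATABASE sample ENCRYPT` in the CLP) are all assumptions.

```sql
-- Added example (not from the presentation): archive logging, keystore
-- registration, an online encrypted backup, master key rotation and checks,
-- via SYSPROC.ADMIN_CMD. Database name, paths and labels are assumed; the
-- database is assumed to have been created with the ENCRYPT option.

-- The PKCS#12 keystore that holds the master key (MK) is created outside
-- SQL with GSKit (assumed path). "-stash" lets the instance open it
-- unattended, so the stash file deserves the same file permissions and
-- backup discipline as the keystore itself:
--   gsk8capicmd_64 -keydb -create -db /db2/keys/db2keystore.p12 \
--                  -pw <keystore-password> -type pkcs12 -stash
CALL SYSPROC.ADMIN_CMD(
   'UPDATE DBM CFG USING KEYSTORE_TYPE PKCS12 KEYSTORE_LOCATION /db2/keys/db2keystore.p12');

-- An online backup (slide 15) needs archive logging; an offline backup does
-- not, but it keeps applications out for the duration. After this change
-- one full offline backup is required before the database can be used.
CALL SYSPROC.ADMIN_CMD(
   'UPDATE DB CFG FOR sample USING LOGARCHMETH1 DISK:/db2/archive');

-- Backup to a file-system directory, the first target type on slide 15.
-- COMPRESS runs before ENCRYPT (encrypted bytes do not compress) and
-- INCLUDE LOGS makes the image self-contained for a restore.
CALL SYSPROC.ADMIN_CMD(
   'BACKUP DATABASE sample ONLINE TO /db2/backups COMPRESS ENCRYPT INCLUDE LOGS');

-- Rotate the MK: the data encryption key (DEK) is re-wrapped under a new
-- master key and the data pages are untouched, which is the point of the
-- two-tier model. "?" is the CLP parameter marker for the INOUT label;
-- supplying no label makes Db2 generate one.
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY(?);

-- Verify the encryption in force: algorithm, key length, MK label, keystore.
SELECT algorithm, key_length, master_key_label, keystore_type
  FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) AS t;

-- Verify the backup was recorded (OPERATION 'B') and where the image went.
SELECT start_time, operationtype, location, sqlcode
  FROM sysibmadm.db_history
 WHERE operation = 'B'
 ORDER BY start_time DESC
 FETCH FIRST 5 ROWS ONLY;
```

The restore side is the part to rehearse: an encrypted image is useless without the master key that wrapped its DEK, so the keystore (and, after rotation, its previous labels) must be restored or reachable before `db2 RESTORE DATABASE` is attempted on a different host.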
  • 18. Trusted Context and Connection
    A trusted context is a new object that is defined based upon a system authorization ID and one or more sets of connection trust attributes, where each set defines at least one connection trust attribute:
    - System authorization ID
    - Connection trust attributes
    The trust relationship is based upon the following set of attributes:
    1. System authorization ID: represents the user that establishes a database connection
    2. IP address (or domain name): represents the host from which a database connection is established
    3. Data stream encryption: represents the encryption setting (if any) for the data communication between the database server and the database client
    A trusted connection allows the initiator of this trusted connection to acquire additional capabilities that may not be available outside the scope of the trusted connection. The additional capabilities vary depending on whether the trusted connection is explicit or implicit. The initiator of an explicit trusted connection has the ability to:
    1. Switch the current user ID on the connection to a different user ID, with or without authentication
    2. Acquire additional privileges via the role inheritance feature of trusted contexts
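A trusted context for an application server that exercises all three trust attributes from the slide and both capabilities of an explicit trusted connection (user switching and role inheritance), as an added example that is not part of the presentation. The context, authorization IDs, roles and table are assumed names, and 192.0.2.10 is an RFC 5737 documentation address standing in for the application server.

```sql
-- Added example (not from the presentation): a trusted context for an
-- application server. Names are assumed; 192.0.2.10 is a documentation
-- address. Run as SECADM.

CREATE ROLE app_role;
CREATE ROLE hr_manager;
GRANT SELECT ON TABLE hr.employee TO ROLE app_role;
GRANT SELECT, UPDATE ON TABLE hr.employee TO ROLE hr_manager;

CREATE TRUSTED CONTEXT ctx_appserver
   -- 1. system authorization ID: the ID the application server connects as
   BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
   -- 2. the host the connection must come from
   -- 3. the data stream must be SSL-protected ('HIGH'); 'LOW' accepts
   --    DATA_ENCRYPT authentication and 'NONE' imposes no requirement
   ATTRIBUTES (ADDRESS '192.0.2.10',
               ENCRYPTION 'HIGH')
   -- role inherited by every trusted connection under this context
   DEFAULT ROLE app_role
   ENABLE
   -- users the application may switch to on an explicit trusted connection.
   -- alice gains hr_manager for the switched session, but must present her
   -- own credentials; bob is switched to on the server's assertion alone,
   -- which is the setting to reserve for IDs with narrow privileges.
   WITH USE FOR alice ROLE hr_manager WITH AUTHENTICATION,
                bob WITHOUT AUTHENTICATION;

-- A connection from appsrv that fails any attribute is still accepted, but
-- as an ordinary connection without the default role, so the client side
-- must check that the trusted connection was actually granted.

-- Review what is defined: the context, its trust attributes and the
-- switch list, which together are the access path an attacker on the
-- application host would inherit.
SELECT contextname, systemauthid, defaultcontextrole, enabled
  FROM syscat.contexts
 WHERE contextname = 'CTX_APPSERVER';

SELECT contextname, attr_name, attr_value, attr_options
  FROM syscat.contextattributes
 WHERE contextname = 'CTX_APPSERVER';
```

The switch itself is performed from the application through the client driver's trusted-connection API rather than in SQL; the definition above only determines which switches the server will honour and under which encryption and address constraints.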
  • 19. InfoSphere Data Replication
    - Database replication solution from IBM
    - Multi-platform: Windows, Linux, Unix
    - Changes to the database are captured in real time
    - Captures inserts, updates, and deletes
    - Centralized platform
    - Low-impact capture and fast delivery of changes to the database
    - Helps reduce processing overhead by sending only changes, thereby removing the need for additional steps to detect changes
    - Reduces network traffic by sending only changed or new data instead of the entire data set
    - Has three components:
      - Change Data Capture (CDC)
      - SQL Replication: in SQL Replication, committed source changes are staged in relational tables before being replicated to target systems.
      - Q Replication: in Q Replication, committed source changes are written in messages that are transported through MQ queues to target systems.
  • 20. References
    - https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0021804.html
    - http://www.redbooks.ibm.com/technotes/tips1347.pdf
    - https://www.youtube.com/watch?v=am7tfN9x7Us
    - https://www.youtube.com/watch?v=1BMb2gS34fU
    - https://www.ibm.com/support/knowledgecenter/SS5Q8A_2.1.x/com.ibm.datatools.dsweb.ots.security.doc/topics/secure_architecture.html
    - https://www.javaworld.com/article/3388036/what-is-jdbc-introduction-to-java-database-connectivity.html
    - https://www.ibm.com/support/knowledgecenter/en/SSEPEK_10.0.0/seca/src/tpc/db2z_authorizationid.html
    - http://db2commerce.com/betasite/2013/03/01/db2-basics-users-authentication-and-authorization/
    - https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005478.html
    - https://www.ibm.com/support/knowledgecenter/ru/SSEPGG_9.7.0/com.ibm.db2.luw.admin.sec.doc/doc/c0006307.html
    - https://www.slideshare.net/LauraHood/db2-10-security-enhancements
    - https://www.slideshare.net/asderww/db2securityslides
    - https://www.youtube.com/watch?v=aMnBCOq9qrk
    - https://querysurge.zendesk.com/hc/en-us/articles/206083403-Configuring-Connections-IBM-DB2-With-Security-Mechanism

Editor's Notes

  1. Data Server Manager (DSM) is a tool that consolidates many of the monitoring, tuning, configuration and administration tools for DB2 and adds some nice new features as well. It allows you to do these tasks for all of your DB2 (LUW and Z) databases in one centralized tool.