Database Security Essentials




Presenter: Rob Bestgen (bestgen@us.ibm.com), DB2 for i Center of Excellence

Who is the DB2 for i Center of Excellence?
An experienced IBM team delivering:
- Product offerings developed through engagements
- Briefings, consulting and guidance on demand
- IBM i for Business Intelligence installation services
- DB2 Web Query Getting Started services
- Query/400 modernization services
- DB2 for i Modernization Workshop(s)
- DB2 for i SQL Performance Workshop
- DB2 for i SQL Performance Health Check
- DB2 for i Very Large Database (VLDB) Assessment
- DB2 for i remote database administration and engineering services
For more information, contact Mike Cain (cain@us.ibm.com) or Doug Mack (mackd@us.ibm.com).

Is Database Security Needed?
- Privacy Rights Clearinghouse reports over 867 million data records compromised in 4274 incidents since 2005 (http://www.privacyrights.org/ar/data-breach), and that is only what was reported!
- Only large companies? Information Week states that small and mid-sized businesses (SMBs) were the victims in 40% of all data breaches last year.
- Forrester Research estimates the cost to remediate a data breach at $90-305 per record.

Is Database Security Needed?
- Data is not just information, but an ASSET
  - What's it worth?
  - Is it secured like other business assets?
- Because data is an asset, securing data needs to be a regular cost of doing business.

The Compliance Mandate
- DDL = Data Definition Language (aka schema changes)
- DML = Data Manipulation Language (data value changes)
- DCL = Data Control Language

Database Security Fundamentals
- Security policy
  - No policy, no plan for securing data
  - No policy, no measurement
  - No policy, expensive audits
- Resource security
  - Prevents data breaches from internal and external intrusions
  - Closely tied to the security policy definition

Security Policy Fundamentals
- Policy creation: IT staff should help, NOT drive
  - Corporate leaders are legally responsible
  - Learn which government and industry regulations apply (PCI, HIPAA, etc.)
  - Write and maintain the policy
- Policy implementation: turn the policy into practice
  - Which data can be changed and/or accessed
  - Who can change and/or access data
  - Ensure that IT assets remain correctly configured
- Compliance audits
  - Explaining to auditors why the policy is compliant
  - Showing that the policy is followed
  - Responding to auditor change requests

DB2 for i Current Security State (diagram: middleware such as ODBC, .NET, JDBC, query tools and management tools accessing DB2 for i)

DB2 for i Current Security State with Exit Points (diagram: the same middleware paths, with exit points in front of DB2 for i)

DB2 for i Desired Security State (diagram: the same middleware paths with the desired controls in place)

DB2 for i Resource Security Fundamentals
- Determine how data needs to be protected:
  - Everyone can update!?!?
  - Everyone can read, authorized users can update
  - No one can access by default, authorized users are given access
- Approaches:
  - Private authorities
  - Adopted authorities
  - IBM i 7.2 separation of duties

Private Authority Fundamentals
- Step 1: Limit the number of users with *ALLOBJ special authority
  - There is no direct control to prevent an *ALLOBJ user from accessing an object
- Step 2: Tighten down *PUBLIC authority
  - The QCRTAUT system value controls the default behavior
  - SQL interfaces can have different behavior: with *SQL naming, *PUBLIC is given *EXCLUDE; *SYS naming follows the QCRTAUT model
- Step 3: Consider the granularity of private authorities
  - Individual user profiles
  - Group profiles
  - Authorization lists
  - Adopted authority
  - Separation of duties (V7.2)

IBM i Authority Verification Order
Ignoring *ALLOBJ authority, IBM i verifies a user's authority to an object in the following order:
1. Check the user: private authority, then authorization list
2. Check the groups: private authority, then authorization list
3. Check *PUBLIC: private authority, then authorization list
4. Check for adopted authority

Private Authority Interfaces
- System commands: EDTOBJAUT, GRTOBJAUT, CHGAUT
- SQL statements: GRANT, REVOKE, RCAC (V7.2)
  - SQL has no interface for authorization lists

Private Authority: Group Profiles
- Group profiles can simplify administration of private authorities
  - Authorities are granted to groups of similar users
  - Group profiles are often created by department or business role (help desk, teller, etc.)
  - All users in the group have the same authority to the DB2 object
- Credentials for an individual user and a group profile are NOT additive
- If a user profile belongs to many groups, the group authorities are additive
- Best practices
  - Individual user profiles have no private authorities for DB2 objects
  - Create the group profile with PASSWORD(*NONE), STATUS(*DISABLED), INLMNU(*SIGNOFF)
  - Improve performance using the CHGOBJPGP command

Private Authorities: Group Profiles Example

```cl
/* Create group user profiles */
CRTUSRPRF USRPRF(GPSALES) PASSWORD(*NONE) STATUS(*DISABLED) INLMNU(*SIGNOFF)
CRTUSRPRF USRPRF(GPPAY)   PASSWORD(*NONE) STATUS(*DISABLED) INLMNU(*SIGNOFF)

/* Add user profiles to the groups */
CHGUSRPRF USRPRF(APPUSER1) GRPPRF(GPSALES)
CHGUSRPRF USRPRF(APPUSER2) GRPPRF(GPPAY)
CHGUSRPRF USRPRF(APPUSER3) GRPPRF(GPSALES) SUPGRPPRF(GPPAY)

/* Authorize group profiles to DB2 tables */
GRTOBJAUT OBJ(PAYTAB)  OBJTYPE(*FILE) USER(GPPAY)   AUT(*USE)
GRTOBJAUT OBJ(SALESTB) OBJTYPE(*FILE) USER(GPSALES) AUT(*CHANGE)
```

SQL version of granting table access to the group profiles:

```sql
GRANT SELECT ON paytab TO gppay;
GRANT SELECT, INSERT, UPDATE, DELETE ON salestb TO gpsales;
```

Private Authority: Authorization Lists
- Authorization lists also simplify administration of private authorities
  - Provide a method to group objects with similar security requirements
  - Authorization lists enable authorities to be changed even when DB2 objects are open
- Different, not necessarily better than group profiles
- Authorization lists can reference group profiles

Diagram: the authorization list DW_AUTL secures the tables ITEM_FACT, DATE_DIM and SALES_DIM with these entries:
- DWADMIN: *CHANGE
- ETL_GRP: *CHANGE
- RPT_GRP: *USE
- *PUBLIC: *EXCLUDE

Private Authorities: Authorization List Example

```cl
/* Create authorization list */
CRTAUTL AUTL(DW_AUTL) AUT(*EXCLUDE)

/* Associate tables with authorization list */
GRTOBJAUT OBJ(ITEM_FACT) OBJTYPE(*FILE) AUTL(DW_AUTL)
GRTOBJAUT OBJ(SALES_DIM) OBJTYPE(*FILE) AUTL(DW_AUTL)
GRTOBJAUT OBJ(DATE_DIM)  OBJTYPE(*FILE) AUTL(DW_AUTL)

/* Give users access to the authorization list */
ADDAUTLE AUTL(DW_AUTL) USER(DWADMIN) AUT(*CHANGE)
ADDAUTLE AUTL(DW_AUTL) USER(ETL_GRP) AUT(*CHANGE)
ADDAUTLE AUTL(DW_AUTL) USER(RPT_GRP) AUT(*USE)
```

Adopted Authority Approach
- Used to temporarily give extra authority to a user by augmenting it with the program owner's authorities
  - CRTPGM/CHGPGM USRPRF parameter
  - SQL interface support (next chart)
  - Swap profile API set (QSYGETPH, QWTSETP, QSYRLSPH)
- Benefits
  - Reduces the number of authority grants for individual profiles
  - Can force all data access to be done with program calls
- Tradeoffs
  - Extra authority is in effect as long as the program is on the call stack
  - Watch command line access
  - CHGPGM USEADPAUT(*NO) to minimize authority propagation
  - Direct data access interfaces are not a good fit

Adopted Authority Approach: SQL Considerations
- SQL executable objects can use adopted authority:
  - By default, SQL naming mode adopts the executable object's authority for static SQL statements, BUT does not adopt for dynamic SQL
  - System naming by default follows the IBM i rules
- The default behavior can be overridden using the DYNUSRPRF and USRPRF keywords:
  - Embedded SQL: pre-compiler parameters, or SET OPTION in the language source
  - SQL functions, procedures and triggers: SET OPTION in the SQL CREATE and ALTER statements

Adopted Authority Approach: Example
User JANE calls pgma, which calls pgmb, which calls pgmc. The user profiles checked at each level of the call stack:

| Program | Owner | USRPRF | USEADPAUT | User profiles checked |
|---|---|---|---|---|
| pgma | WORKAPPS | *OWNER | | JANE, WORKAPPS |
| pgmb | SECTEAM | *OWNER | | JANE, WORKAPPS, SECTEAM |
| pgmc | WORKAPPS | *USER | *NO | JANE |

Adopted Authority Approach: Example

```cl
/* Get program objects ready */
CHGOBJOWN OBJ(PGMA) OBJTYPE(*PGM) NEWOWN(WORKAPPS)
CHGPGM PGM(PGMA) USRPRF(*OWNER)
CHGOBJOWN OBJ(PGMB) OBJTYPE(*PGM) NEWOWN(SECTEAM)
CHGPGM PGM(PGMB) USRPRF(*OWNER)
CHGOBJOWN OBJ(PGMC) OBJTYPE(*PGM) NEWOWN(WORKAPPS)
CHGPGM PGM(PGMC) USRPRF(*USER)

/* Authorize program owners to access DB2 tables */
GRTOBJAUT OBJ(WORKTAB) OBJTYPE(*FILE) USER(WORKAPPS) AUT(*CHANGE)
GRTOBJAUT OBJ(EMPTAB)  OBJTYPE(*FILE) USER(SECTEAM)  AUT(*CHANGE)
RVKOBJAUT OBJ(WORKTAB) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
RVKOBJAUT OBJ(EMPTAB)  OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
```

SQL version of the grant and revoke for the program owners:

```sql
GRANT ALL ON worktab TO workapps;
GRANT ALL ON emptab TO workapps;
REVOKE ALL ON worktab, emptab FROM PUBLIC;
```

DB2 for i Security Control Levels
- Schema level
- Table level
- Column and row level

DB2 for i Security Control Values

| Authority | *OBJOPR | *OBJMGT | *OBJEXIST | *OBJALTER | *OBJREF | *READ | *ADD | *UPD | *DLT | *EXECUTE |
|---|---|---|---|---|---|---|---|---|---|---|
| *ALL | X | X | X | X | X | X | X | X | X | X |
| *CHANGE | X | | | | | X | X | X | X | X |
| *USE | X | | | | | X | | | | X |
| *EXCLUDE | | | | | | | | | | |

DB2 for i Security: Object Authority Definitions
- *OBJOPR (Object Operational): look at the object description and use the object according to the user's data authorities
- *OBJEXIST (Object Existence): change ownership, delete the object, free storage, and save/restore operations
- *OBJMGT (Object Management): move or rename the object and add DB2 tables; superset of *OBJALTER and *OBJREF
- *OBJALTER (Object Alter): add, clear, initialize and reorganize DB2 tables, alter or change DB2 tables, add/remove triggers, change SQL package attributes
- *OBJREF (Object Reference): reference a DB2 table as the parent table in a RI constraint

DB2 for i Security: Data Authority Definitions
- *READ: display / view the contents of a DB2 table
- *ADD: add new rows to a DB2 table
- *UPD (Update): update existing rows in a DB2 table
- *DLT (Delete): delete existing rows in a DB2 table
- *EXECUTE: run a program or search a library

DB2 for i Security Control Levels: Schema
- A schema (library) is a container for all DB2 data objects
- Data access can NOT be controlled at the schema level
  - A user profile needs a minimum of *USE authority to access any object within the schema
- Some differences between CREATE SCHEMA and CRTLIB:
  - CRTLIB follows the QCRTAUT system behavior
  - CREATE SCHEMA only follows QCRTAUT with system naming (*SYS)

DB2 for i Security Control Levels: Table
- Best practice
  - Revoke public access
  - Grant private authorities to user profiles, group profiles and authorization lists
  - Consider forcing all application and user access through views/LFs
  - IBM i 7.2: consider using RCAC (Row and Column Access Control)
- Remember object ownership
  - The owner can do ANY operation on the table
  - Avoid assigning object ownership to a group profile
  - Non-SQL interfaces: the user profile that creates the DB2 object is the owner
  - SQL interfaces: depends on the naming format
    - System naming (*SYS): same as the non-SQL interfaces
    - SQL naming: the owner of the table is the user profile with the same name as the schema the table is created into; if no user profile matches the schema name, the system naming method is used
- GRANT and REVOKE are not supported or needed on SQL indexes used for query optimization

DB2 for i Security Control Levels: Row and Column
- Column level
  - Views (and LFs) are used to prevent sensitive columns from being accessed by specific applications and/or users
  - UDFs can conditionally return column values
  - Use a field procedure to conditionally mask column values
  - IBM i 7.2: RCAC masking
- Row level
  - Subsetting of table data is best done with an SQL view
  - An SQL table function can also subset rows
  - IBM i 7.2: RCAC row restrictions

DB2 for i Security Control: View Column Control Example

```sql
CREATE TABLE emp_tab (empid INTEGER, empname VARCHAR(30), empsalary DECIMAL(7,2));

REVOKE ALL ON emp_tab FROM user1, hruser1, PUBLIC;

-- Application users get the employee columns only, never the salary
CREATE VIEW empview AS SELECT empid, empname FROM emp_tab;
GRANT INSERT, UPDATE, DELETE, SELECT ON empview TO user1;

-- HR users get a view that includes the salary column
CREATE VIEW empview_hr AS SELECT empid, empname, empsalary FROM emp_tab;
GRANT INSERT, UPDATE, DELETE, SELECT ON empview_hr TO hruser1;
```

DB2 for i Security Control: View and UDF Example

```sql
CREATE VIEW securedept (division, deptname, lname, fname, salary) AS
  SELECT division, deptname, lname, fname, protectsal(deptno, salary) AS salary
    FROM employee a, org b
    WHERE a.deptno = b.deptno
      AND division IN (SELECT division
                         FROM org c, staff d
                         WHERE c.deptno = d.deptno
                           AND emp_userid = SESSION_USER);

-- Returns the real salary only to a manager of the department, otherwise a dummy value
CREATE FUNCTION protectsal (indept SMALLINT, insalary DECIMAL(7,2))
  RETURNS DECIMAL(7,2)
  LANGUAGE SQL
BEGIN
  DECLARE mymgrflag CHAR(1);
  SELECT '1' INTO mymgrflag
    FROM staff
    WHERE usrprf = SESSION_USER AND jobtitle = 'mgr' AND dept = indept;
  IF mymgrflag = '1' THEN
    RETURN insalary;
  ELSE
    RETURN 99999;
  END IF;
END;
```

DB2 Data Protection with Encryption
- Data transmission protection
  - TLS/SSL
  - Secure VPN
  - SSH/OpenSSH
- IBM tape encryption
- Home-grown encryption
- Disk-level protection
  - ASP encryption introduced with IBM i 6.1
  - Requires creation of a user ASP or IASP and purchase of the licensed IBM i program feature (Option 45 - Encrypted ASP Enablement)
- Column-level protection
  - DB2 7.1: field procedures for a transparent solution

Field Procedures and Data Encryption
Create a CUSTOMER table where the CCNBR column has a FIELDPROC:

```sql
CREATE TABLE CUSTOMER (
  NAME    VARCHAR(50),
  ADDRESS VARCHAR(100),
  CCNBR   CHAR(16) FIELDPROC ENCRYPTLIB.ENCRYPTPGM1
)
```

This allows for transparent encryption or encoding/decoding of data on SQL or native interfaces. Alter an existing CUSTOMER table to add a FIELDPROC to the CCNBR column:

```sql
ALTER TABLE CUSTOMER ALTER COLUMN CCNBR SET FIELDPROC ENCRYPTLIB.ENCRYPTPGM1
```

White paper: Protecting IBM i data with encryption
http://www-304.ibm.com/partnerworld/wps/servlet/contenthandler/whitepaper/ibmi/db2/encryption
Articles:
- Enable Transparent Encryption with DB2 Field Procedures: www.mcpressonline.com/database/db2/enable-transparent-encryption-with-db2-field-procedures.html
- DB2 Field Procedures Finally Support Conditional Masking: www.mcpressonline.com/rpg/db2-field-procedures-finally-support-conditional-masking.html

FIELDPROC - Transparent Column-Level Encoding and Decoding (diagram: an authorized application writes a new order with card number 1111 2222 3333 4444; the FIELDPROC encrypts it to an opaque stored value such as r3vs#45zt!j9*m$p6 on the way into the table and decrypts it back to 1111 2222 3333 4444 on authorized reads)

Security Controls for DB2 for i Tooling
- Good practice to limit the authorities and capabilities of DBAs and DB engineers
- Some DB2 for i performance tools can provide access to sensitive data values (WHERE cardnum = :hostvar)
- You can mark some columns as sensitive:

```sql
CALL SYSPROC.SET_COLUMN_ATTRIBUTE('LIB1', 'ORDERS', 'CCNBR', 'SECURE YES')
```

- Sensitive column registration causes DB2 to capture the real data value only for QSECOFR; all other users see *SECURE
- Sensitive column registrations can be found in QSYS2/SYSCOLUMNS2
- DB2 monitor files and plan cache snapshots must also be properly secured

Security Controls for DB2 for i Tooling
- Some DB2 for i tools used to require *JOBCTL special authority
- Alternative: function usage definitions
  - QIBM_DB_SQLADM: Database Administrator
  - QIBM_DB_SYSMON: Database Information
- Users are enabled to use DB2 tools with the CHGFCNUSG command; good practice to use group profiles. Examples:

```cl
CHGFCNUSG FCNID(QIBM_DB_SQLADM) USER(DBAUSER1) USAGE(*ALLOWED)
CHGFCNUSG FCNID(QIBM_DB_SYSMON) USER(DBAGROUP) USAGE(*ALLOWED)
```

Additional details: ibm.com/systems/resources/systems_i_db2_navigator_security_controls.pdf

IBM i 7.2 and RCAC

DB2 for i 7.2 Enhancements by Role: Security
Security and DB2 for i:
- Column masks: deploy need-to-know logic
- Row permissions: simpler, faster security
- Violation clause for CHECK constraints: protect data integrity
- Data-centric security: comprehensive, auditable, sustainable, scalable, manageable
- Secure remote journal using SSL: achieve HA and DR objectives without exposure
- SQL alternative to CHGOBJOWN: embrace separation of duty using SQL
- Use adopted authority identity within business logic: "Who am I?" conditional code using SQL
- Data is an asset: what's your data worth?

IBM i 7.2 Security: Separation of Duties
Before 7.2: in order to grant or revoke privileges, a user must have one of the following:
1. Object ownership
2. Object management (*OBJMGT) authority for the specified object. Note: a user with object management authority can grant to other users any authority that the user has, except object management authority
3. All object (*ALLOBJ) user special authority

Problem: anyone that has the authority to grant privileges also has the authority to perform operations that require those privileges. If you are allowed to grant the SELECT privilege, you are also allowed to query the data.

IBM i 7.2: should the security administrator be able to access the data within tables to do their job?
- A user with security administration function usage (QIBM_DB_SECADM) will be able to grant or revoke privileges on any object to anyone, even if they do not have the SELECT privilege. This enables the management of security without exposing the data to be read or modified.
- Note that:
  - Audit the SECADM users for *SECURITY to ensure they are not granting themselves privileges to access the data
  - Only QSECOFR or someone with *SECADM authority can grant the security administrator function usage

Granting authority to QIBM_DB_SECADM
- Authorization works the same as QIBM_DB_SQLADM / QIBM_DB_SYSMON
- Authorization to the Database Security Administrator function of IBM i can be assigned through Application Administration in IBM Navigator for i and via the Change Function Usage (CHGFCNUSG) command
- Navigator: right click on the connection name and select Application Administration

Security: Separation of Duties
A policy where separate users perform separate duties; specifically, between security administration, system administration, and object authorities. The DB2 family defines different hierarchical levels of authorities, each with the ability to perform a subset of administrative operations.

| Authority | DB2 Family | DB2 for i |
|---|---|---|
| SYSADM (System Administrator) | Control over all the resources created and maintained by the database manager. Includes SYSCTRL, SYSMAINT, and SYSMON. | *SECOFR |
| SYSCTRL | Control over operations that affect system resources. For example, create, update, start and stop an instance. Cannot access data. Includes SYSMON. | N/A |
| SYSMAINT | Control over maintenance operations. For example, update the database configuration, backup the database or table space, restore an existing database, and monitor a database. Cannot access data. Includes SYSMON. | *SAVRST, etc. |
| SYSMON | Authority to use database system monitor information (LUW only). | QIBM_DB_SYSMON |
| SQLADM | Authority to monitor and see potentially sensitive data, such as SQL statement text and audit data (z/OS only). | QIBM_DB_SQLADM |
| DBADM (Database administrator) | Administrative authority over a single database. For example, create objects and issue database commands. | *SECOFR (administrative authority over a single IBM i partition) |
| SECADM (Security administrator) | Grant and revoke authorities using SQL or IBM i specific interfaces. | QIBM_DB_SECADM (7.2) |

DB2 for i 7.2 Enhancements by Role: Security
- New SQL statements for security: CREATE PERMISSION, ALTER PERMISSION, CREATE MASK, ALTER MASK, ALTER TRIGGER, TRANSFER OWNERSHIP
- New catalogs: QSYS2/SYSCONTROLS, QSYS2/SYSCONTROLSDEP
- New built-in function: VERIFY_GROUP_FOR_USER()
- New function usage ID: QIBM_DB_SECADM
- New Boss option: IBM Advanced Data Security for i (Boss option 47), no charge
- New tools in the toolbox
- New journal entry types
  - For journal code D (Database file): M1, M2, M3 for create/drop/alter mask; P1, P2, P3 for create/drop/alter permission
  - For journal code T (Audit trail): AX for Row and Column Access Control; X2 for Query manager profile changes

DB2 for i 7.2 RCAC (Row and Column Access Control) Terminology
- Base table: the table (physical file) containing business critical data
- Dependent object: any object (file, schema, function, or other object) the permission or mask references
- Permission: a row permission defines a row access control rule for the rows of a table by setting an SQL search condition that describes the set of rows a user can access. 0 to many permissions are allowed per table.
- Mask: a column mask defines a column access control rule for a specific column in a table by using an SQL CASE expression that describes what column values a user is permitted to see and under what conditions. 0 or 1 masks are allowed per column.
- RULETEXT: the expression to be used by the permission (WHERE clause predicates) or mask (selection CASE expression)

Row and Column Access Control (RCAC)
Requires IBM Advanced Data Security for i (Boss option 47), no charge.

```sql
-- Column mask: payroll sees the full SSN, managers the last four digits, everyone else NULL
CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1) THEN SSN
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1)
        THEN 'XXX-XX-' CONCAT SUBSTR(SSN, 8, 4)
      ELSE NULL
    END
  ENABLE;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- Row permission: a primary care physician sees only their own patients,
-- the accounting and research groups see every row
CREATE PERMISSION PATIENT_TABLE_HMO_PERMISSION ON HOSPITAL.PATIENT_TABLE
  FOR ROWS WHERE (
       (VERIFY_GROUP_FOR_USER(SESSION_USER, 'PCP') = 1
        AND HOSPITAL.PATIENT_TABLE.PCP_ID = SESSION_USER)
    OR VERIFY_GROUP_FOR_USER(SESSION_USER, 'ACCTGROUP') = 1
    OR VERIFY_GROUP_FOR_USER(SESSION_USER, 'RESGROUP') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;

ALTER TABLE HOSPITAL.PATIENT_TABLE ACTIVATE ROW ACCESS CONTROL;
```

Contrasting DB2 for i: Data Security

| Use case / Technology | Field Procedures | Column Masks | Row Permissions | Views and Logical Files |
|---|---|---|---|---|
| Supported IBM i OS releases | 7.1, 7.2 | 7.2 | 7.2 | 6.1, 7.1, 7.2 |
| Limit access to some/all data within a column | Yes | Yes | No | Yes |
| Limit access to rows | No | No | Yes | Yes |
| Security logic payload (customer experience) | External program (complex) | SQL rule (simple) | SQL rule (simple) | DDS or SQL (varies) |
| Software vendor component | Townsend Security, Linoma, Enforcive | None at this time | None at this time | N/A |
| Data encrypted at rest | Yes | No | No | No |
| Data encrypted in journal | Yes | No | No | No |
| Masked values apply to selection criteria | Yes | No | N/A | N/A |
| Data-centric solution | Yes | Yes | Yes | No |
| Success factors include strategy, tuning and consulting | Yes | Yes | Yes | No |

Contrasting DB2 for i: Data Compliance

| Use case / Technology | Guardium Activity Monitor for DB2 for i | Audit Journal | Data Journal |
|---|---|---|---|
| Supported IBM i OS releases | 6.1, 7.1, 7.2 | 6.1, 7.1, 7.2 | 6.1, 7.1, 7.2 |
| Analysis and reporting solution infrastructure beyond IBM i | InfoSphere Guardium | Security ISVs and InfoSphere Guardium | Security ISVs |
| Capture SQL statements | Yes | No | No |
| Capture SQL host variable values and environment | Yes | No | No |
| Capture database specific audit journal details | Yes | Yes | No |
| Capture before and after images of data | No | No | Yes |
| Able to track which rows are seen by users | No | No | No |
| Success factors include strategy, tuning and consulting | Yes | Yes | Yes |

IBM Advanced Data Security for i (Boss Option 47)
- Option 47 must be installed to:
  - CREATE PERMISSION and CREATE MASK (RCAC)
  - Open a file that has RCAC activated
- RCAC is applied after checking object authorization requirements. If you pass the object authorization check:
  - Row permissions reduce the set of rows returned
  - Column masks limit full or partial access to sensitive column data
- RCAC constructs exist within the table (*FILE)
- When ENABLED and ACTIVATED, RCAC is automatically applied by SQE
- RCAC is comprehensive and applies to any interface (native DB, SQL, RPG, APIs, commands, etc.)

Key points with RCAC
- Users may be surprised to see less data!
- Tables which contain enabled RCAC permissions or masks can be restored regardless of whether option 47 is installed. However, if the option is not installed, permissions and masks cannot be created, and tables, views or indexes which contain active permissions or masks cannot be accessed.

RCAC and Triggers
- Triggers are used for database integrity; RCAC controls are used for securing business critical data
- Enabled row permissions and column masks are not applied to the initial values of transition variables or to transition tables referenced in the trigger body. The trigger program has access to unprotected data.
- Secure triggers for row and column access control: to balance the needs of integrity and security
  - The trigger must be created or altered to have the SECURED attribute
  - If a trigger is not secure, RCAC cannot be activated for the target table, so this statement fails:

```sql
ALTER TABLE EMPLOYEE ACTIVATE ROW ACCESS CONTROL
```

RCAC and Functions
- Function invocations are allowed within RCAC rules and provide the ability to create more complex and modularized RCAC rule text logic
- This additional capability adds a level of complexity for the security administrator, because the function must be reviewed and approved
- Secure functions referenced by row and column access control: to balance the need for complex rule logic and security
  - The function must be created or altered to have the SECURED attribute
  - If a function is not secure, the permission or mask cannot be enabled, so this statement fails:

```sql
ALTER PERMISSION employee_perm1 ENABLE
```
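Putting the trigger rule and the function rule together, here is an added example (not code from the deck): a SECURED helper function, a row permission that calls it, and a SECURED trigger on the same table, so that both the ENABLE of the permission and the ACTIVATE ROW ACCESS CONTROL are allowed. The table HOSPITAL.PATIENT_TABLE (columns PATIENT_ID, PCP_ID, LAST_VISIT), the table HOSPITAL.ON_CALL (PCP_ID) and the group profiles PCP and RECORDS are assumptions.

```sql
-- Added example, not from the original deck. Assumed objects: HOSPITAL.PATIENT_TABLE
-- (PATIENT_ID, PCP_ID, LAST_VISIT), HOSPITAL.ON_CALL (PCP_ID) listing physicians
-- currently on call, and the group profiles PCP and RECORDS.

-- 1. Helper function referenced by the row permission. It is marked SECURED, which is
--    what lets the permission that calls it be ENABLEd; the security administrator is
--    expected to review its body first, because it runs inside the access rule.
CREATE OR REPLACE FUNCTION hospital.is_on_call (in_pcp VARCHAR(10))
  RETURNS INTEGER
  LANGUAGE SQL
  READS SQL DATA
  NOT DETERMINISTIC
  NO EXTERNAL ACTION
  SECURED
  RETURN CASE WHEN EXISTS (SELECT 1 FROM hospital.on_call WHERE pcp_id = in_pcp)
              THEN 1 ELSE 0 END;

-- 2. Row permission: a primary care physician sees their own patients only while on
--    call; members of the RECORDS group always see every row.
CREATE OR REPLACE PERMISSION hospital.patient_on_call_perm
  ON hospital.patient_table
  FOR ROWS WHERE
        (VERIFY_GROUP_FOR_USER(SESSION_USER, 'PCP') = 1
         AND hospital.patient_table.pcp_id = SESSION_USER
         AND hospital.is_on_call(hospital.patient_table.pcp_id) = 1)
     OR VERIFY_GROUP_FOR_USER(SESSION_USER, 'RECORDS') = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- 3. A trigger on the same table sees unfiltered, unmasked transition values, so it
--    must also be SECURED before row access control can be activated. A trigger
--    without the attribute blocks the ACTIVATE statement in step 4.
CREATE OR REPLACE TRIGGER hospital.patient_visit_stamp
  NO CASCADE BEFORE UPDATE ON hospital.patient_table
  REFERENCING NEW ROW AS n
  FOR EACH ROW MODE DB2ROW
  SECURED
BEGIN ATOMIC
  SET n.last_visit = CURRENT TIMESTAMP;
END;

-- 4. With the function and the trigger both secured, activation succeeds and the rule
--    is applied by SQE to every interface that opens the table.
ALTER TABLE hospital.patient_table ACTIVATE ROW ACCESS CONTROL;
```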

Separation of Duty and DB2 for i: Use case exploration
Meet the users:
- MARYSEC: a security officer responsible for granting and revoking security, including data security
- FRANKDBA: a database administrator with authority to do everything but change security settings
- JOEUSER: an end user with no special authority

```cl
/* MARYSEC: security officer, security administration function usage only */
CRTUSRPRF USRPRF(MARYSEC) PASSWORD(xxxxxxxx) USRCLS(*SECOFR) TEXT('Security Officer')
GRTOBJAUT OBJ(<data-libraries>) OBJTYPE(*LIB) USER(MARYSEC) AUT(*USE)
CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(MARYSEC) USAGE(*ALLOWED)

/* FRANKDBA: database administrator, no *SECADM special authority */
CRTUSRPRF USRPRF(FRANKDBA) PASSWORD(xxxxxxxx) USRCLS(*USER) TEXT('Database Administrator') +
          SPCAUT(*ALLOBJ *JOBCTL *SAVSYS *SPLCTL)

/* JOEUSER: end user */
CRTUSRPRF USRPRF(JOEUSER) PASSWORD(xxxxxxxx) USRCLS(*USER) TEXT('User with no special authorities')
```

Separation of Duty and DB2 for i: Use case exploration

```sql
-- Global variables that resolve the current user's job title and department
-- (the length of the job_title variable was not captured on the slide)
create or replace variable toystore22.job_title char()
  DEFAULT (select JOB_TITLE from toystore22.vemp where USER_PROFILE_NAME = USER);
create or replace variable toystore22.work_department char(3)
  DEFAULT (select WORKDEPT from toystore22.vemp where USER_PROFILE_NAME = USER);

grant read on variable toystore22.job_title to public;
grant read on variable toystore22.work_department to public;

-- Row permission driven by the variables
create or replace permission toystore22.permission_project_byuser
  on toystore22.project
  for rows where
       (toystore22.job_title = 'IT SEC' AND DEPTNO <> 'E21')
    OR (toystore22.job_title = 'IT ADM')
    OR (toystore22.job_title = 'APP TEAM' AND DEPTNO = toystore22.work_department)
  enforced for all access
  enable;

alter table toystore22.project activate row access control;
```

Separation of Duty & DB2 for i - Use case exploration

Masking salary detail in general:
- Allow the HRTEAM group profile members to see all data
- Allow a manager to see their employees' data

    -- Global variable: the department the current user manages (if any).
    create or replace variable toystore22.manager_of_department char(3)
      DEFAULT (select DEPTNO from toystore22.vdept
                where MGRNO = (select EMPNO FROM toystore22.vemp
                                WHERE USER_PROFILE_NAME = USER));
    grant read on variable toystore22.manager_of_department to public;

    CREATE OR REPLACE MASK toystore22.salary_mask
      ON toystore22.employee
      FOR COLUMN salary RETURN
        CASE
          WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRTEAM') = 1 THEN salary
          WHEN WORKDEPT = toystore22.manager_of_department THEN salary
          ELSE 99999999.99
        END
      ENABLE;

Separation of Duty & DB2 for i - Use case exploration

JOEUSER is the manager of dept E11:

    select lastname, salary, workdept
      from toystore22.employee a
     order by workdept desc, lastname asc
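Added catalog checks (not from the original deck) that a security officer such as MARYSEC can run after the permission and mask above are in place. They assume the QSYS2.SYSCONTROLS catalog view with columns TABLE_SCHEMA, TABLE_NAME, CONTROL_TYPE ('R' row permission, 'C' column mask), CONTROL_NAME, COLUMN_NAME, ENABLE, VALID, IMPLICIT and RULE_TEXT; schema toystore22 is the deck's.

```sql
-- 1. Every permission and mask on the use-case tables, with its state.
--    ENABLE = 'N': the rule exists but is not applied.
--    VALID  = 'N': a dependent object (view, variable, function) changed and the
--                  rule can no longer be evaluated; fix it before relying on it.
SELECT table_name, control_type, control_name, column_name, enable, valid, implicit
  FROM qsys2.syscontrols
 WHERE table_schema = 'TOYSTORE22'
   AND table_name IN ('PROJECT', 'EMPLOYEE')
 ORDER BY table_name, control_type, control_name;

-- 2. Tables where row access control is active but only the implicit
--    (deny-everything) permission created by ACTIVATE ROW ACCESS CONTROL is in
--    effect: every user, FRANKDBA with *ALLOBJ included, gets zero rows back.
SELECT table_schema, table_name
  FROM qsys2.syscontrols
 WHERE control_type = 'R'
   AND table_schema = 'TOYSTORE22'
 GROUP BY table_schema, table_name
HAVING SUM(CASE WHEN implicit = 'N' AND enable = 'Y' AND valid = 'Y'
                THEN 1 ELSE 0 END) = 0;

-- 3. Rule text keyed on CURRENT USER instead of SESSION_USER. Inside a program
--    that adopts its owner's authority, CURRENT USER is the owner, so such a rule
--    would open the data to every caller of that program; the salary mask above
--    deliberately uses SESSION_USER.
SELECT table_name, control_name
  FROM qsys2.syscontrols
 WHERE table_schema = 'TOYSTORE22'
   AND (rule_text LIKE '%CURRENT USER%' OR rule_text LIKE '%CURRENT_USER%');
```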

Special registers: similar names, different purposes

USER this, USER that... which one should I use?

    Special Register                  Definition
    ------------------------------    ---------------------------------------------------------------
    USER or SESSION_USER              The effective user of the thread is returned.
    SYSTEM_USER                       The authorization ID that initiated the connection is returned.
    CURRENT USER or CURRENT_USER      The most recently adopted authorization ID within the thread is
                                      returned. When no adopted authority has occurred, the effective
                                      user of the thread is returned.
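An added example (not from the original deck) that makes the table above observable: a SQL procedure compiled to adopt its owner's authority reports all three registers, so the difference between SESSION_USER and CURRENT USER appears only while adoption is in effect. Schema toystore22 and the procedure name are assumed; the owner is taken to be MARYSEC (who creates it) and the caller JOEUSER, both from the use case.

```sql
CREATE OR REPLACE PROCEDURE toystore22.show_user_registers (
    OUT p_session_user VARCHAR(128),
    OUT p_system_user  VARCHAR(128),
    OUT p_current_user VARCHAR(128))
  LANGUAGE SQL
  SET OPTION USRPRF = *OWNER          -- run with the owner's (adopted) authority
BEGIN
  SET p_session_user = SESSION_USER;  -- effective user of the thread: the caller
  SET p_system_user  = SYSTEM_USER;   -- user who started the connection: the caller,
                                      -- unless the job swapped profiles earlier
  SET p_current_user = CURRENT USER;  -- most recently adopted ID: the owner
END;

-- Called by JOEUSER. Expected OUT values (constructed from the use case):
--   p_session_user  JOEUSER
--   p_system_user   JOEUSER
--   p_current_user  MARYSEC   <- adopted owner, not the caller
CALL toystore22.show_user_registers(?, ?, ?);

-- The same three registers selected directly by JOEUSER, outside any adopting
-- program, all return JOEUSER: with no adoption CURRENT USER falls back to the
-- effective user.
SELECT SESSION_USER, SYSTEM_USER, CURRENT USER
  FROM sysibm.sysdummy1;
```

For RCAC rule text and for auditing "who did this", SESSION_USER identifies the person; CURRENT USER answers "whose authority is in effect right now", which is what adoption is designed to change.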

Other security oriented SQL statements

TRANSFER OWNERSHIP
- SQL statement that is similar to the CL command CHGOBJOWN:

    TRANSFER OWNERSHIP OF TABLE mjatst.t1 TO USER paul PRESERVE PRIVILEGES

- The operation can be run under commitment control and rolled back.

Grant to GROUP and USER
- Compatibility with the DB2 family:

    GRANT ALL ON council TO USER frank WITH GRANT OPTION
    GRANT ALL ON council TO GROUP marketing WITH GRANT OPTION

- The USER / GROUP keyword identifies whether the ID is a group or a user.

Summary

- Define a security policy
- Implement DB2 for i object-level security
- Implement Row and Column level security as appropriate
- Consider encryption of sensitive data

Resources

- IBM STG Lab Services Security Team
- IBM i InfoCenter
  - IBM i Security Reference
  - DB2 SQL Reference (http://ibm.com/systems/i/db2/books.html)
- DB2 for i developerWorks Forum: https://www.ibm.com/developerworks/forums/forum.jspa?forumid=292
- Articles & White papers
  - DB2 Data Protection Essentials: http://systeminetwork.com/article/db2-data-protection-options-and-essentials
  - IBM i Encryption White Paper: ibm.com/partnerworld/wps/servlet/contenthandler/partnerworld/wps/servlet/contenthandler/whitepaper/i5os/db2_data/encryption
  - Field Procedures: http://mcpressonline.com/database/db2/enable-transparent-encryption-with-db2-fieldprocedures.html
  - RCAC Redbook/Redpiece coming in 2014

Thank you!

Monitoring Tools

Compliance Monitoring

Compliance to what? Company policy and/or standards.

- These should define how systems should be built, maintained, monitored, and interacted with by their custodians and users.
- Another way of thinking about it: they are a Service Level Agreement (SLA) between Owners, Management and the people they have hired to work the business.
- Owners and Management derive a sense of security from knowing that their employees are managing the business according to this agreement.
- Owners and Management must be involved in the creation and maintenance of these documents.
- Compliance monitoring, then, is simply demonstrating that the employees (and management) are doing what they have been hired to do.

21 May 2014

IBM InfoSphere Guardium V9: DB2 for i as a data source

Real-time Database Protection and Compliance
- Granular, real-time policies & auditing: who, what, when, where, how
- Proactive security (e.g. alerts signal critical table changes)
- Simplified compliance process: HIPAA, PCI, SOX, ...
- No DBMS or application changes

New DB2 for i support with the November 2012 Database Group PTFs for IBM i 6.1 & 7.1
- Guardium appliance receives IBM i centric data: SQL statements & variables, audit entries from QSYS/QAUDJRN
- Extensive and meaningful filters
- Track the most privileged users
- Real-time data collection & alert capability
- Secure logging
- Heterogeneous, cross-DBMS solution

Guardium using DB2 for i as a data source

- Collected Audit Journal & SQL information is streamed to the InfoSphere Guardium appliance
- Continuous monitoring of all database activities
- Global SQL Monitor using a View & Instead-of Trigger captures SQL information
- Audit server job receives QAUDJRN audit entries and puts them on a Unix queue

Additional details: ibm.com/developerworks/ibmi/library/i-infosphere_guardium_db2/index.html

PowerSC Tools for IBM i: Compliance Assessment and Reporting

Provides enterprise and system compliance monitoring of security.

Service Overview:
- Rapid security analysis of your IBM i system(s) providing dashboard observation and reporting on key areas of security concern

Key Features: an automated tool checks and reports hundreds of parameters in an IBM i environment

- Profile Analysis:
  - Special Authorities / Inherited Privileges
  - Group Profiles / Ambiguous Profiles
  - Default Passwords / Password Expiration
  - Inactive Accounts
- Administration / Configuration Settings:
  - System Values / Audit Control Settings
  - Invalid Signon attempts
  - Work Management Analysis
- Network Settings:
  - Network attributes
  - NetServer Configuration
  - TCP/IP servers / Autostart values
  - APPN Configuration / Server Authentication
- *PUBLICLY and Privately Authorized Profiles
- Initial Programs, Menus, and Attention Programs
- Command Line Access
- DDM Password Requirements / SST Security
- Registered Exit Points / Function Usage
- Library Analysis / *ALLOBJ Inheritance
- Listening ports / Network Encryption
- IP Datagram Forwarding / IP Source Routing
- Digital Certificate Expiration
- SSH / SSL Configuration

Service Benefits:
- Reduces cost and time involved in running system security checks
- Can minimize potential user errors that cause system exposures
- Offers an opportunity to review systems for security breaches and take action to address the issue
- Provides a new level of report automation and user interface that makes the tool easy to use, fast and accurate
- Easy enough to use that you can deploy it and, with your skills, a Business Partner's skills, or Lab Services skills, address any findings discovered

IBM i Lab Services - ibm.com/systems/services/labservices - stgls@us.ibm.com

Trademarks and Disclaimers Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. Information is provided "AS IS" without warranty of any kind. The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. 
Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here. Prices are suggested U.S. list prices and are subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.