Don't Wait To Lock Down DB2

Existing access control, trusted context features in DB2 are not widely deployed

Special to Dark Reading

As pundits ponder how IBM will leverage its acquisition of database security vendor Guardium to add more security features and functionalities to its in-house DB2 databases, now is the time for organizations to re-examine their DB2 security strategies. But many haven't even tapped the security features they already have available in DB2.

Many organizations don't take advantage of the existing capabilities that DB2 provides for locking down access to information, IBM executives say. Among DB2's extant security controls, some of the most powerful features that organizations often leave untouched -- to their detriment -- revolve around access control. These include two biggies: utilities label-based access control (LBAC) and trusted context.

LBAC, which is designed to offer fine-grained access control, lets DB2 administrators extend controls over data that reach far beyond the simple masking of rows or columns. Administrators can use LBAC to control table objects by attaching security labels to them. Users who try to access these objects must have the corresponding security label granted to them in order to view that data.

"I think that's one of the newer areas where, in my experience with clients, they haven't leveraged a lot of it yet," says Jim Lee, director of product management and strategy for IBM's Information Management division. "I think LBAC is not commonly used today."

Similarly, many DB2 administrators are also forgoing the platform's ability to offer trusted context to access roles. "The thing that I see as one big glaring gap in DB2 practices, for example, [is in using] a thing called trusted content," says Curt Cotner, IBM fellow and vice president and CTO for database servers.

Trusted content "basically gives the DBA a way to grant privileges to a role, and then applications accessing the database from the network would inherit the role based on whether they came from a trusted application server or not," he says.

As Cotner puts it, the whole purpose of trusted context is to allow organizations to get out of the habit of simply giving application servers hooking into the DB2 network some kind of system user ID and then granting all privileges to that ID. Though the idea behind this practice greatly simplifies application access, amps up performance, and, in theory, only allows the servers the ability to update tables and not the end users, the security is not sound in today's highly regulated environments.

"The problem is that if you implement it that way, now when all of these applications are running, they all look to the database like it's just the system user ID that's running," Cotner says. "You really can't do auditing like you'd like to because you don't know which end user is running [through the application] at a given time. All you know is the system user ID that's running."

Cotner says trusted context lets you take the user's system privileges and attach roles to them so when the end user runs the application, he connects to the database via his identity rather than via a generic application system ID. Given that many of these security features in DB2 are often ignored by DB2 administrators, speculation as to what kind of technical features IBM will integrate from Guardium seems almost superfluous. Even so, analysts wonder whether IBM will be able to take advantage of Guardium's previously close relationship with DB2 technology and those who administer it to help shepherd use of both existing and future technical controls in the database product.

"Guardium has spent a lot of time thinking about DB2 and thinking about Z," says Nick Selby, managing director of consultancy Trident Risk Management. "In the past they've done partnerships where they've needed to, but now there's the ability to have IBM internal knowledge helping Guardium with its R&D around specific products that target IBM database products. It's going to be a no-brainer."

Even more important, though, could be the added ingredient of IT cultural awareness that Guardium brings to the mix. In a world where DBAs and security pros are at odds -- the former focusing on performance, the latter on data privacy and integrity -- Guardium brings the added ability to "speak DBA" to the IBM mix, Selby explains.

"I do think IBM is positioned to leverage not just the technology, but the ability of the Guardium people to really communicate the benefit of the product category and get people thinking in a more holistic way about how databases themselves and the security of database and database applications work together to increase an organization's overall security posture," Selby says.

IBM's Lee confirms that this is, in fact, the strategic direction in which IBM is headed.

"I think the biggest gap I've seen with clients is not necessarily a specific DB2 function, but rather understanding overall security," Lee says. "What is overall protection? Is it just locking down access to a table? Or is it the overall security that includes locking down data, backing up and encrypting data, and understanding access to data? That's what we call overall security, and that's what we're trying to get clients to understand."

The fact is many of the security lapses made within organizations are hardly fixated just on DB2. "I don't think there are any specific DB2 things that people aren't doing anymore than they're not doing in MySQL or Oracle or whatever," Selby says. "I think that what it comes down to is understanding good configuration practices and good application practices."

And this is why IBM is planning a lot of its Guardium integration not just around DB2 enhancement, but on integrating monitoring and configuration controls into the overall IT security and operations management features of tool sets such as Tivoli, Lee says.

"As much as I'd love to say that everybody only uses DB2, it's not true. And we have to face the reality that, at the end of the day, the drive behind what we do is what our clients want," Lee says. "And what they're looking for is a solution that, yes, protects the IBM database, but now when you go pass the single database, what else can it do for you?"

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights