IBM's Database Security Strategy: A Closer Look

After years of paying little attention to DB security, Big Blue steps up
[The following is excerpted from "DB2 Gets Safer...Finally; IBM Makes Security a Priority," a new, free, downloadable report now available on Dark Reading's Database Security Tech Center.]

Today's largest enterprises still rely on one of the industry's oldest and most established databases to store their most sensitive and business-critical data. DB2 has traditionally been at the heart of the data center, literally and figuratively.

DB2 on z/OS and iSeries were the very definition of a "moat"-based security model, with a single application interface and local administration. The database served a limited number of applications, all confined to the corporate data center. A firewall separated the company from the rest of the world, and the internal network topology further cordoned off DB2 from general WAN connections. The database was simply more difficult to get to, and in most cases was not accessible from Internet-facing applications.

But adoption of DB2 on iSeries in virtual server environments, including "Blue Cloud" deployments of DB2 databases on Amazon's EC2 platform, the z/VM hypervisor, and WebSphere Web App Server on z/OS, has changed the DB2 security model. The moat is gone -- and along with it, the perimeter security concept. Ten years ago, most people thought mainframes and the iSeries were dead, but they continue to thrive in virtual cloud environments -- with increased exposure to attacks.

The evolution of DB2, and the security threats to both the database and its underlying platforms, have led DB2 administrators down a different path from their Oracle, Microsoft, MySQL, and Sybase counterparts. Threats to the DB2 platform and, correspondingly, customer demand for security features, have been slow to emerge. While competitors have scrambled to address vulnerabilities and add security and compliance features, IBM has been slower to implement database security.

Over the past 10 years, IBM has produced only a few new DB2 security features. Highlights of the past decade include labeling -- a well-designed, if not widely used, tool to control data access -- and table-based encryption to secure data at rest. Other in-house development efforts, such as Audit Management Expert (AME), were well-intended additions, but failed to meet the performance and ease-of-use expectations of database administrators (DBAs), and so remain on the shelf.

IBM began supplementing database security features in 2007 with a steady series of data and application security acquisitions, including Guardium, Netezza, Ounce Labs, Princeton Softech, and Watchfire. With these and a few incremental product enhancements, IBM has closed all the major gaps in its security portfolio. With these tools integrated into Tivoli infrastructure management, security fits easily with the workflow and compliance systems already in place. Access controls and user authorization top the list as IBM's front-line defenses for data and database usage.

For a detailed look at the emerging practices and technologies available for securing IBM database environments, particularly DB2, download the full report.
