© 2001 International Business Machines Corporation. All rights reserved.
Reprinted with permission from DB2 Magazine .
Let's face it: The topic of database security just doesn't turn heads the way benchmarking world records and reports of ever-shorter downtimes do. When was the last time you read a scintillating article about security tokens and encryption? But security breaches do turn heads - and can undermine customer confidence, as last year's well-publicized thefts of credit card numbers from a few e-businesses showed. Even if it's not the most exciting topic, security is a vital consideration for any business that uses a database management system. And, as more businesses participate in the e-space, it becomes particularly important to separate private from public data.
For more information about DB2 UDB security features, see the DB2 Administration Guide .
The database system at any given company probably collects, stores, and analyzes millions of rows of information ranging in nature from public to private. With all that responsibility, the database must enable DBAs to grant and restrict access appropriately. And it must offer ways to keep unauthorized users from accessing classified data.
But sometimes, database security information is hard to come by or difficult to understand. Although you often hear about how scalable and robust DB2 Universal Database (UDB) is, how often do you hear details about DB2's security features?
Because securing data is one of the most important DBA responsibilities, you shouldn't try to learn about database security by trial and error. Securing your database involves:
- Preventing unauthorized access to classified data by anyone without a business need to know
- Preventing unauthorized users from committing mischief through malicious deletion or tampering of data
- Monitoring user access of data through auditing techniques
In this article, I'll walk you through the security features in DB2 UDB v.7.1 for Windows, Unix, and OS/2 and describe some internal controls that can help you maximize your security.
One of the most basic concepts in database security is authentication, which is quite simply the process by which a system verifies a user's identity. A user can respond to a request to authenticate by providing a proof of identity, or an authentication token.
You're probably already familiar with this concept. If you have ever been asked to show a photo ID (for example, when opening a bank account), you have been presented with a request for authentication. You proved your identity by showing your driver's license (or other photo ID). In this case, your driver's license served as your authentication token.
Figure 1. DB2 authorization roles
Despite what you see in the movies, most software programs can't use futuristic systems such as face recognition for authentication. Instead, most authentication requests ask you to provide a user ID and a password. Your user ID represents your claim to being a person authorized to access the environment, and the password provides your authentication. Of course, this kind of authentication assumes that your password is well protected and you are the only person who knows it.
User authentication is completed by a security facility outside DB2, often part of the operating system or a separate product. In fact, security is not just a database issue; operating system vendors spend a great deal of time, money, and care to ensure that their products are secure. However, some operating systems, including Microsoft Windows 95 and 98, have no native security mechanism. If you use an operating system that lacks security mechanisms, you can configure your environment to rely on the DB2 server on a more secure system to provide the security. For example, you can use trusted client options, which I'll discuss more later in the article. (For more information, refer to the DB2 Administration Guide .)
You can also use third-party products, such as Distributed Computing Environment (DCE) Security Services defined by the Open Group, to add a layer of security to your environment. DB2 can coordinate these external security efforts with its security initiatives to protect a transaction or analytic environment.
Once a user is successfully authenticated, DB2 makes note of the user's identity and other relevant security information, such as the user's group list. The user must be identified to DB2 using a SQL authorization name or authid, which can be the same as the user ID or a mapped value. This connection information is kept for the duration of the user's connection.
Because authentication can be handled either by the operating system or by third-party products, DB2 offers different authentication options that you can set in the database manager configuration (dbm cfg) file using the AUTHENTICATION parameter. DB2 uses this parameter to determine how and where authentication should take place.
The many settings for the dbm cfg AUTHENTICATION parameter can be logically grouped into four distinct categories: Server, Client, DCE, and Kerberos.
Server authentication . This group offers two main options:
- SERVER , the default security mechanism, specifies that the authentication is to occur on the server using the server's operating system. If a user ID and password are specified during the connection, DB2 calls an operating system function to validate the submitted user ID and password. (In a Windows-based environment, a user ID is often referred to as a username. The combination of a username and password is often referred to as a user account.)
- SERVER_ENCRYPT is essentially the same as the default option, except that the password passed from client to server is encrypted. DB2 uses 56-bit single DES encryption of the password and the Diffie-Hellman algorithm to generate a key for the encryption algorithm at connect time. The RSA BSAFE toolkit provides this support.
Client authentication . This group's only option, CLIENT, specifies that the authentication is to take place at the client. If this client resides on an operating system that has inherent security features (for example, AIX), it is considered a trusted client. In general, all clients are trusted except for Microsoft Windows 95 and 98, which are considered untrusted.
If a server receives requests from trusted and untrusted clients, the TRUST_ ALLCLNTS and TRUST_CLNTAUTH options allow trusted clients to gain access using client authentication while untrusted clients must provide a password for successful authentication. Please see the B2 Administration Guide for details.
DCE authentication options. Some administrators choose to implement DCE security services because DCE provides centralized administration of users and passwords, no transmission of clear text passwords and user IDs, and a single sign-on for users. DB2 provides integrated support for DCE security services using third-party DCE products. You can choose between two settings:
- DCE specifies that the user is authenticated using DCE security services. A DB2 client that has logged into DCE can obtain an encrypted "ticket" it can use to authenticate itself with the DB2 server.
- DCE_SERVER_ENCRYPT specifies that the server will accept DCE tickets or user ID and encrypted password as proof of authentication, as selected by the DB2 client.
Kerberos authentication options . Kerberos is a new authentication mechanism added to DB2 UDB v.7.1 as part of its tight integration with Microsoft Windows 2000.Using Kerberos security, DB2 authentication can be accomplished with single sign-on facilities. Once authenticated, a user will not be challenged again by any server that exists in the Kerberos environment. This method of authentication can only be used when both the DB2 client and the DB2 server are on Windows 2000.
DCE and Kerberos use essentially the same underlying technologies. When a client logs into the Kerberos security environment, the DB2 client can obtain an encrypted Kerberos ticket for use in authenticating itself with the specified DB2 server.
You can choose between two settings:
- KERBEROS specifies that the user is to be authenticated using Kerberos security services only.
- KRB_SERVER_ENCRYPT specifies that the server is to accept either Kerberos tickets or user ID and encrypted password as proof of authentication, as selected by the client.
An authenticated user goes through the second DB2 layer of security, authorization. Authorization is the process through which DB2 obtains information about the authenticated DB2 user, including which database operations that user may perform and which data objects that user may access.
Your driver's license is a perfect example of an authorization document. Though it can be used for authentication purposes, it also authorizes you to drive a certain class of car. Furthermore, the type of authorization you have gives you more or fewer privileges as far as driving a vehicle goes.
In Ontario, Canada, for example, a class G license gives you the privilege to drive a car practically wherever and whenever. The class G license sits at the top of the hierarchical structure of authorizations for driving cars. The lower-level G2 license allows a user to drive a car at any time of day, but with certain restrictions. (For example, a user with this authorization scheme is not allowed to drive after consuming any alcoholic beverages whatsoever.) Below the G2 license is the G1 license, which includes many restrictions (for example, the driver must be accompanied by a class-G licensed passenger, may not drive on highways, or drive after dark).
Your driver's license authorizes you to drive a vehicle and limits access to certain "objects" (for example, you cannot drive on a highway with a G2 license). DB2 works in much the same way.
Authorization can be broken down into two distinct categories: authorities and privileges.
Authorities, . Authorities provide a method of grouping privileges and control over higher-level database manager maintenance and utility operations. Database-specific authorities are stored in the database catalogs; system authorities are associated with group membership and are stored in the database manager configuration file for a given instance. DB2 has four predefined authority levels: SYSADM, SYSCTRL, SYSMAINT, and DBADM. Figure 1 illustrates the hierarchical scheme of the predefined authorization levels used in DB2. SYSADM, SYSCTRL, and SYSMAINT operate at the instance level and have a serverwide scope. Each has its own grouped privileges and authorized-access rules (much like the class G license). These authorities are defined in the database manager configuration file for each instance. The DBADM authorization level is linked to a specific database within the server instance and is automatically granted to a user who creates a database. A DBADM has all possible grouped privileges on the database and all the objects within that database. By default, a SYSADM has all possible grouped privileges for the entire system, including databases (it has implicit DBADM authority).
DB2 uses more than one vertical authorization stream. With each user request, there may be more than one authorization check, depending on the objects and operations involved. Authorization is performed using DB2 facilities. DB2 system catalogs contain a record of the privileges associated with each authorization name. The authorization name of an authenticated user, and the groups to which the user belongs, are compared with their recorded privileges. Based on this comparison, DB2 decides whether or not to allow the requested access.
Figure 2. An error message returned to a user not authorized to perform a specific command
For example, Figure 2 shows the results of entering a command that requires a user to have a particular authorization privilege.
The DB2 security mechanism blocks the TESTING user ID because it knows that this user does not have the authorization to perform such a command. In this case, it is obvious that TESTING is not a SYSADM, since that authority level is required to execute the command shown in Figure 2.
You gain SYSADM, SYSCTRL, and SYSMAINT authorities in DB2 by being a member of the group specified by the SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP database manager configuration parameters, respectively.
For a complete listing of all the authorization privileges granted to a user belonging to any of the DB2 predefined authorization groups, refer to the DB2 Administration Guide .
Privileges . A privilege defines a single permission for an authorization name, enabling a user to modify or access database resources. Privileges are stored in the database catalogs. Whereas authority groups have a predefined group of privileges that are implicitly granted to their members, privileges are single permissions.
Figure 3: Sample privileges available in DB2
DB2 can take advantage of the user groups maintained by an operating system's security feature. Groups help reduce the database system's total cost of ownership by allowing the database administrator to assign privileges to groups.
For example, if you wanted to allow the privileges of creating tables (CREATETAB) and connecting to the database (CONNECT) to 50 users, it would be easier to create a group and add the privileges to it than to explicitly grant each privilege to each individual user. And, anytime you needed to add or revoke privileges, you could do it once for the group and all the members of the group would be affected.
In general, group membership is applicable for dynamic SQL and nondatabase object authorizations (such as instance level commands and utilities). Dynamic SQL is SQL that is generated ad hoc, or on the fly. Group membership (except the PUBLIC group) is not applicable for static SQL. Static SQL is known to DB2 before execution and the access plan for the SQL has already been generated (by the DB2 optimizer) and stored as a package in the catalogs.
Each privilege can be granted or revoked from a specific authid, a specific group (PUBLIC) to which all users automatically belong, or more than one group. Figure 3 gives an example of some of the different privileges available in DB2. (Note: In the Tables and Views group, the ALTER, INDEX, REFERENCES, and UPDATE Column privileges are only available for tables.) For an in-depth discussion of these privileges, see the DB2 Administration Guide .
Access to all sorts of operations and objects is controlled through privileges. You must have the privilege to do something before DB2 lets you do it.
Access control methods
Now that you understand how DB2 manages authentication and authorization, let's look at the framework that DB2 provides to combine these options for strong access control. Access control methods are used to create subsets of the contents of information, so that the user can only see and access data that is relevant to their needs. You can use a number of different access control methods in DB2. Access controls exists for everything you do in a database.
Consider the row of a view in Table 1. You may want all users in the company to have access to the L_Name, F_Name, Phone, email, and Title columns. However, to minimize the risk of email spam, you may want users accessing a company directory over the Web to only see the L_Name, F_Name, and Phone columns. Finally, employees who are part of the Human Resources department should have access to all the rows in this table. Access controls provide a very important framework in securing your data in DB2 and providing row-level access to your data.
Access controls using packages . Packages, collections of information that pertain to one or more SQL statements, are the primary access control point for SQL within DB2. Packages include such information as the access plan generated by the optimizer and the authorization model. Any statement issued to the database engine is related to a specific package.
When a package is created, it is bound to the database with specific privileges. The person who creates a package must have the privileges required to execute all the static SQL statements in the package. Users who run the package must also have the EXECUTE privilege for the package, but they don't have to have the individual privileges for executing the static statements contained in it. For example, without the CREATETAB privilege, a user can't create a table in the database. However, a user with the privilege to run a package containing a static CREATE TABLE statement could create a table that way. Packages play a key role in controlling the access that users have to database objects.
Access control using views . Views are another major access control method to restrict low-level (also called row-level) access to data. Using a view, you can hide sensitive rows and columns of information that reside in the original table from SQL statements. You can give a user access to information by granting privileges on a view. Because these privileges are only for the view and do not affect the base table, the user's access is confined to the view, which is generated by creating a subset of the data contained in required table. The WITH CHECK option provides even more security because it will not let a particular SQL statement change rows that the user is not privileged to read in the view.
Table 1. A row of a view
Access control using triggers . Using a trigger, you can create a more complex security mechanism that gets initiated whenever a certain event happens. An INSERT statement on a table is one example of an event that can be used to fire a trigger. Furthermore, the trigger can fire before or after a specified event, to provide even more rigorous security checks. If the user's statement fails to pass a security check in a trigger, an error can be signaled from within the body of the trigger to prevent the table from being modified.
Access control using the USER special register . DB2 provides a special register, called USER, which contains the user ID used to connect to the database for the current session. You can use the value stored in the special register in a view to make customizations for the view for a particular user. Using the special register, you can make the view, which is based on a table, look different from user to user. You can also use this technique with triggers and SQL statements.
DB2's auditing facility lets you maintain an audit trail of events that occurred within an instance. Successful monitoring of data access attempts and subsequent analysis can lead to improvements in the control of data access and the ultimate prevention of malicious or careless unauthorized access to the data. These recorded events can then be extracted into a report for analysis. Auditing is detailed in the DB2 Administration Guide .
Trust the database
DB2's many features and mechanisms let you trust the database engine with even your most secure and confidential data. When your data is stored and managed by DB2, you can be confident that your business can run in a scalable, robust, and secure environment. And, if you're in charge of database security, that means a better night's sleep for you.
About the author