IBM Informix Database Security 15 June 2011 © 2011 IBM Corporation

Securing Your Data
 Database Security - protection from malicious attempts to view or modify data.
 Importance of data security:
– Security breaches are bad for you.
– Expensive to manage.
– Damages ‘good will’.
 Government Regulations and compliance.
Government Regulations
 USA
– HIPAA (Health Insurance Portability and Accountability Act), 1996
– Sarbanes-Oxley (aka Sarbox or Sox), 2002
– Gramm-Leach-Bliley Act (GLBA), 1999
– California SB 1386 ‘Personal Information: Privacy’, 2002
 Canada
– Personal Information Protection and Electronic Documents Act
• PIPEDA (2000)
 Europe
– European Union Directive on Data Protection
• Directive 95/46/EC (1995)
User Authentication
 Authentication is the process of verifying the identity of a user or application when connecting to a database.
 Informix supports:
– OS username/password authentication.
– PAM authentication framework.
– Single Sign-On (Kerberos) authentication.
[Figure: challenge-response login exchange. Client: “I am Sam”; server: “Prove It”; client answers with the encrypted password “$%^&*!@#@”.]
PAM authentication
 PAM framework provides a generic way to authenticate the
user to system entry services.
 PAM can be used to integrate services with different
authentication technologies, such as RSA, DCE, Kerberos,
S/Key, and smart card based authentication.
Enable PAM in Informix

Sample SQLHOSTS file:

    #server-name  service   machinename  portno  Options
    idsserver     ontlitcp  idc1ul14     3454    s=4,pam_serv=(pam_chal),pamauth=(challenge)

 Compile the PAM module used for authentication and update the PAM configuration file.

Example /etc/pam.conf:

    #service   Module Type  Control Flag  Module Path                    Options
    login      auth         required      pam_unix_auth.so               nowarn
    pam_chal   auth         required      /usr/lib/security/pam_chal.so

 Developerworks Articles:
– http://www.ibm.com/developerworks/data/library/techarticle/dm-0704anbalagan/
– http://www.ibm.com/developerworks/data/zones/informix/library/techarticle/0306mathur/0306mathur.html
Single Sign-On Authentication
 How many login IDs and passwords do you have?
– Can you remember them all?
 People would like to login (sign-on) once:
– And then have appropriate access everywhere.
 Kerberos provides that functionality:
– Used in Microsoft Active Directory.
– See http://www.kerberos.org/
Enable Single Sign-On Authentication in Informix
 Informix servers configured to use Kerberos
– In sqlhosts file - server alias configured with GSS CSM:
• ol_ids_1150 onsoctcp toru ol_ids_1150 s=7,csm=(GSSCSM)
 Define a SSO GSSCSM
– concsm.cfg file defines the csm configuration information:
• GSSCSM("/work/informixdir/lib/csm/igsss11a.so", "", "c=1,i=1")
 Configure the Informix server principal in the KDC.
 Informix client programs:
– Configured via sqlhosts file.
 Both depend on a working Kerberos environment.
 Developerworks Article:
– http://www.ibm.com/developerworks/data/library/techarticle/dm-0809govindarajan
Agenda
 User Authentication
 Authorization and Access Control
 Auditing
 Data Encryption
 Mapped Users
 Trusted Context
 Row Level Auditing
Granting Privileges
 The authorization to use a database is called an access privilege:
– Example:
• An authorization to use a database is called the Connect privilege.
 Groups of privileges control the actions a user can perform on data and on database objects.
– Examples:
• Database-level privileges.
• Ownership privileges.
• Table-level privileges.
• Column-level privileges.
 Use the GRANT / REVOKE statement to grant or revoke privileges on a database, table, view, or procedure, or to revoke a role from a user or from another role.
About Roles
 A role is a classification of access privileges that the DBA assigns, such as payroll.
 Most compliance rules require separation of roles:
– So distinct jobs are handled by different people.
 This means you must separate those groups:
– And the best method is by the use of roles.
 Default roles:
– DBSA – Database System Administrator Group.
– DBSSO – Database System Security Officer Group.
– AAO – Audit Analysis Officer Group.
– Bargroup is not officially a role.
 Role separation can be enabled during Install.
Access Control Requirements
 Access to the DBMS is a major part of compliance:
– It is far from the only issue.
 Only authorized users should be able to do anything:
– And even they should have minimum permissions.
 Do not grant RESOURCE or DBA to PUBLIC:
– Don’t even grant CONNECT to PUBLIC usually.
 Grant SELECT to PUBLIC on non-sensitive tables:
– Don’t even grant that on sensitive tables.
 Exploit roles to control permissions:
– Create a separate role for each class of user.
– Grant that role the necessary permissions for the job.
– Assign the permitted users the role.
– Write the application to set the correct role.
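The four role steps above, together with the PUBLIC recommendations, as an added Informix SQL example (not from the IBM deck). The database, table, column, user and role names (stores_demo, payroll_tbl, salary, public_info, alice, payroll_clerk) are assumed.

```sql
-- Added example, not from the IBM deck. All object names are assumed.
DATABASE stores_demo;

-- Take the blanket privileges away from PUBLIC first, so that nothing
-- is reachable simply by being able to authenticate to the host.
REVOKE DBA FROM PUBLIC;
REVOKE RESOURCE FROM PUBLIC;
REVOKE CONNECT FROM PUBLIC;

-- Step 1: one role per class of user.
CREATE ROLE payroll_clerk;

-- Step 2: give the role only what the job needs. Informix allows the
-- UPDATE privilege to be limited to a column list, so clerks may change
-- salaries but nothing else in the row.
GRANT SELECT ON payroll_tbl TO payroll_clerk;
GRANT UPDATE (salary) ON payroll_tbl TO payroll_clerk;

-- Step 3: the permitted users get CONNECT (no longer implied by PUBLIC)
-- and the role.
GRANT CONNECT TO alice;
GRANT payroll_clerk TO alice;

-- Step 4: the application activates the role after connecting ...
SET ROLE payroll_clerk;
-- ... or the DBA makes it the default so it is active at connect time
-- without relying on application code.
GRANT DEFAULT ROLE payroll_clerk TO alice;

-- Non-sensitive reference data may be readable by everyone who can connect.
GRANT SELECT ON public_info TO PUBLIC;

-- Check: sysusers lists database-level privileges by user; after the
-- REVOKEs above there should be no row for 'public'.
SELECT username, usertype FROM sysusers WHERE username = 'public';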
Why use LBAC?
 Will need to grant permissions to user:
– Specific users, not generic users.
 Need a finer grain of control than “public”.
 To take advantage of setting default authorization.
What is LBAC?
 Label-based access control (LBAC) is a form of Mandatory
Access Control that enables you to control who has read
access and who has write access to individual rows and
columns of data:
– Data is Labeled.
– Users are granted labels.
– Based on Label comparison, users can access data.
 You get finer control than just the table level.
 Compliance rules dictate who can see what:
– Only certain users can see certain rows or columns.
 Developerworks Article:
– http://www.ibm.com/developerworks/data/library/techarticle/dm-0807mohan/
Why Use Auditing?
 You need to know which data is modified by:
– Applications.
– Users.
 You need to monitor who uses each Informix utility.
 Sometimes you need to track who sees data:
– Identity theft takes a copy of information.
– It does not alter the information.
 Database auditing can track DBAs too.
 Auditing Requirements
– You need to be confident that you can track changes:
• Who changed what structurally.
• Only a very few staff can make schema changes.
 Row level auditing for all tables or selected tables.
Basic Auditing
 Informix has the ON-Audit and ON-ShowAudit utilities:
– ON-Audit controls what is audited.
– ON-Audit also controls how the audit results are recorded.
– ON-ShowAudit shows what auditable events occurred.
 Can be controlled by separate roles
– DBSSO: Database Security Officer:
• Controls who is audited.
• Controls which events are audited.
– AAO: Audit Analysis Officer:
• Controls whether auditing is in use or not.
• Analyzes audit logs.
Encryption of Data
 Some data must not be stored in the database:
– PCI says the CVV number cannot be stored after authentication.
 Other data must be stored encrypted:
– Typically, the credit card number and the social security number.
 If an old database uses SSN as a key for joins
– Redesign your database with an arbitrary number for the joins:
• Use a SERIAL column (employee number).
• Or a SEQUENCE.
 Data encryption slows things down:
– It is a necessary evil.
– Do not use it unless it is necessary.
Encryption of Data
 Encrypted Communications
– Passwords encryption:
• Simple Password encryption.
– Fully encrypted communications:
• ENCCSM
• SSL
 Data Encryption:
– Column Level Encryption.
– Encrypt Data at Rest.
– Full encryption for all Informix data storage via Vormetric Encryption Expert for Informix.
Encrypted Communications
 Encrypts communications between client and server:
– Using standard encryption techniques to establish session keys.
 Also used for distributed database access – I-Star.
 ER (Enterprise Replication) can be encrypted:
– Often replicating over WAN.
 HDR (Heterogeneous Data Replication) will support
encryption.
Enable Encrypted Communications
 Create or modify server entry in sqlhosts file:
– server_1_enc olsoctcp host 9089 csm=(s1_enc)
 Create or modify concsm.cfg file:
– s1_enc("/usr/informix/lib/csm/libixenc.so","cipher[aes:cbc],timeout[cipher:1440,key=60],mac[levels:<high,medium>,files:<builtin>]")
 Developerworks Article:
– http://www.ibm.com/developerworks/data/library/techarticle/dm-0401dandekar
 Enabling Simple Password Encryption is similar to ENCCSM.
Secure Socket Layer (SSL)
 Communication protocol that provides privacy and integrity
for data communication over the network.
 Uses encryption to provide end-to-end secure connection.
 SSL feature in Informix uses digital certificates to exchange
keys for encryption and server authentication.
 Digital certificates are stored in a key database (also known as
keystore).
 IBM’s Global Security Kit bundled with Informix server and
client provides an iKeyman utility that can be used to create
keystores and manage digital certificates.
 Both client and server must have keystore for housing digital
certificates.
Enable SSL in Informix
 sqlhosts for client and server:
– menlo_on onsocssl pinchy menlo_serv
 onconfig for server:
– e.g. SSL_KEYSTORE_LABEL ids_label
 conssl.cfg for client:
– SSL_KEYSTORE_FILE
– SSL_KEYSTORE_STH
 Create keystores and digital certificates for client and server:
– gsk7cmd -keydb -create -db menlo_on.kdb -pw snoopy -type cms -stash
– gsk7cmd -cert -create -db menlo_on.kdb -pw snoopy -label ids_label -dn "CN=menlo.ibm.com,O=ibm,C=US" -size 1024 -default_cert yes
– gsk7cmd -cert -extract -db menlo_on.kdb -format ascii -label ids_label -pw snoopy -target ids_label.cert
Column-Level Encryption
 Data can be stored in encrypted format:
– Using SQL functions ENCRYPT and DECRYPT.
– Data encrypted using either Triple-DES or AES.
– Data encrypted under application control.
– DBMS is not aware that data is encrypted.
 Assists in legislative compliance:
– HIPAA (Health Insurance Portability and Accountability Act), 1996.
– Sarbanes-Oxley (aka Sarbox or Sox), 2002.
– Basel II, 2001.
– Gramm-Leach-Bliley Act (GLBA), 1999.
– California SB 1386 ‘Personal Information: Privacy’, 2002.
 Developerworks Article:
– http://www.ibm.com/developerworks/data/library/techarticle/dm-0711mohan
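Column-level encryption under application control, as an added example that is not from the IBM deck. It uses the Informix built-in functions ENCRYPT_AES, DECRYPT_CHAR and GETHINT and the SET ENCRYPTION PASSWORD statement; the table name customer_secure, its columns, the password and the sample card number are constructed.

```sql
-- Added example, not from the IBM deck. Table, column names and sample
-- values are constructed for illustration.
CREATE TABLE customer_secure (
    cust_id  SERIAL PRIMARY KEY,  -- arbitrary join key; never the SSN
    card_no  LVARCHAR(256)        -- ciphertext is longer than the plaintext
    -- deliberately no CVV column: PCI forbids storing it after authorization
);

-- The password is held only for this session; the server never stores it,
-- which is why the DBMS itself is unaware that the column is encrypted.
SET ENCRYPTION PASSWORD 'Correct-Horse-9' WITH HINT 'usual phrase';

-- Encrypt on the way in. The stored value is an opaque string to the DBMS.
INSERT INTO customer_secure (card_no)
    VALUES (ENCRYPT_AES('4111111111111111'));

-- Decrypt on the way out, only in a session that has set the password.
SELECT cust_id, DECRYPT_CHAR(card_no) AS card_no
    FROM customer_secure;

-- Without the password (or with the wrong one) DECRYPT_CHAR raises an
-- error instead of returning plaintext, so a reader with plain table
-- SELECT privilege sees only ciphertext:
SELECT cust_id, card_no FROM customer_secure;

-- The hint stored with the data helps a legitimate user recall the
-- password without revealing it.
SELECT GETHINT(card_no) FROM customer_secure WHERE cust_id = 1;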
Overview
 As a user without Host Operating System Accounts, I
should be able to connect to Informix.
 As a DBSA, I should be able to grant Dynamic Server
access to externally authenticated users by mapping
them to the appropriate user and group privileges,
regardless of whether these users have operating
system accounts on the Dynamic Server host
computer.
Enabling Mapped Users
 When a DBSA turns on the USERMAPPING parameter of the onconfig file.
 Onconfig variable:
– USERMAPPING OFF|ADMIN|BASIC
• OFF is the default.
• ADMIN can grant administrative privileges to mapped users.
• BASIC is what it says, basic access.
 DBSA should verify that the users whom you want to map to surrogate user properties for Informix access can externally authenticate with single sign-on (SSO) or a pluggable authentication module (PAM).
Granting Informix Access to Mapped Users
 GRANT ACCESS TO statement:
– Use the GRANT statement with the ACCESS TO clause to map users to user properties required for access to Informix resources.
 User mapping tables:
– The following system catalog tables in the SYSUSER database map users to OS-level properties that enable Informix access and control level of privileges:
• sysusermap
• syssurrogates
• syssurrogategroups
 Open Admin Tool:
– Server Administration -> User Privileges -> Mapped Users
Examples
 GRANT ACCESS TO bob PROPERTIES USER fred;
– This means that when 'bob' connects to Informix, as far as the operating system access is concerned, Informix will use the UID, GID(s) and home directory for user 'fred' (which must be a user name known to the O/S).
 GRANT ACCESS TO bob PROPERTIES UID 101, GROUP 10011;
– This means that 'bob' will use the anonymous UID 101 and the anonymous group 10011 when an O/S identity is required.
Examples
 GRANT ACCESS TO PUBLIC PROPERTIES USER dbuser;
– Anyone who can authenticate but does not have an explicit entry designating the mapped (surrogate) user will use the identity of dbuser.
 REVOKE ACCESS FROM bob;
– This means that 'bob' no longer has access to the machine via user mapping unless user PUBLIC is given mapped access, in which case 'bob' now uses the same privileges that PUBLIC uses.
– Alternatively, 'bob' may have been created as an O/S user, in which case those privileges override anything set in sysusermap and syssurrogates.
Trusted Context – What is it?
 Connection reuse is allowed with a different userid with authentication:
– Avoids the overhead of establishing a new connection.
– Accommodates application servers that need to connect on behalf of an end-user but lack access to that end-user’s password to establish a new connection on their behalf.
– Typically used in 3 tier Client/Server environments.
 Allows users to gain additional privileges when their connection satisfies certain database server defined conditions.
Current State without Trusted Context (1)
 Loss of user identity:
– Some enterprises need to know the identity of the actual user
accessing the database for access control purposes.
 Diminished user accountability:
– Accountability through auditing is a basic principle in database
security.
– Not knowing the user’s identity makes it difficult to distinguish the
transactions performed by the middle tier for its own purpose from
those performed by the middle tier on behalf of some user.
Current State without Trusted Context (2)
 Over granting of privileges to the middle tier’s userid:
– The middle tier’s userid must have all the privileges needed to
execute all the requests from all the users.
– This has the security issue of enabling users who do not need
access to certain information to obtain access to them.
 Weakened security:
– The current approach requires that the userid used by the middle
tier to connect must be granted privileges on all resources that
might be accessed by user requests.
– If that middle-tier userid is ever compromised, then all those
resources will be exposed.
Trusted Context Features
 Typically an application server has to connect to the
database server as the “application user”.
 This gives the application all the privileges associated
with that user – usually everything.
 Control the machine(s) a trusted connection can be
established from.
 With trusted context, application users can access the
database with their own level of privilege.
 Discretionary Access Control (DAC) applies to the
current userid.
 Audit records apply to the current user.
 Different levels of privilege (roles) can be given to
different users.
What is a Trusted Context?
 A Trusted Context is a database object created by the database
security administrator (DBSECADM) that defines a set of
properties for a connection that when met, allow that
connection to be a “trusted connection” with special
properties.
 The connection must be established by a specific user.
 The connection must come from a trusted client machine.
 The connection connecting port must have required
encryption.
 If these criteria are met, the connection will allow changes in
userid and privileges as defined in the trusted context.
Typical Usage Scenario
 Step 1: Create Trusted Context Objects:
– Created at database level.
– Must be created by DBSECADM before Trusted Connections can be established.
– Can use O/S users or Mapped Users.
 Step 2: Establish Trusted Connections:
– Must satisfy criteria defined in Trusted Context.
– Provision to Switch User.
– Use transactions within switched user session.
Creating Trusted Context Objects
Create Trusted Context

    CREATE TRUSTED CONTEXT CTX1
        BASED UPON CONNECTION USING SYSTEM AUTHID BOB
        DEFAULT ROLE MANAGER
        ENABLE
        ATTRIBUTES (ADDRESS '9.26.113.204')
        WITH USE FOR JOE, MARY WITHOUT AUTHENTICATION

 Creates a Trusted Context object named CTX1.
 Will allow connections from 9.26.113.204.
 Can switch to user Joe or Mary once the Trusted Connection is established.
Creating Trusted Connections
 API Support in ESQL/C, JDBC and ODBC
 ESQL/C Example:
– EXEC SQL CONNECT TO "dbname@online1" TRUSTED
 A trusted connection is possible only when the application specifically invokes an API designed to make such a connection (known as an explicit connection).
 The connection request attributes must match those of a trusted context defined on the DBMS as follows:
– System authorization ID: Represents the user that establishes a database connection.
– IP address (or domain name): Represents the host from which a database connection is established.
– Data stream encryption: Represents the encryption setting (if any) for the data communication between the database server and the database client.
Switching Users
 Switch to any user defined in the Trusted Context
Object scope.
 Perform database operations.
 Audit records will show the switched user as the
originator of the operations.
 If using transactions, commit or rollback before
switching to a new user.
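The two-step scenario (create the context, then connect as the middle tier and switch users) together with the switching rules above, as one added Informix SQL example that is not from the IBM deck. The names ctx_reports, appsrv, joe, mary, the reports role, the report_queue table and the address 192.0.2.10 are assumed; the switch uses the Informix SET SESSION AUTHORIZATION statement.

```sql
-- Added example, not from the IBM deck. All names are assumed.

-- Step 1, run by the DBSECADM in the target database. appsrv is the
-- middle tier's own account; it gets no privilege beyond the default
-- role, may only arrive from one application server, and only over an
-- encrypted connection.
CREATE TRUSTED CONTEXT ctx_reports
    BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
    DEFAULT ROLE reports
    ENABLE
    ATTRIBUTES (ADDRESS '192.0.2.10',
                ENCRYPTION 'HIGH')
    WITH USE FOR joe  WITH AUTHENTICATION,     -- joe must present his own password
                 mary WITHOUT AUTHENTICATION;  -- mary is switched to on the tier's say-so

-- Step 2, run by the application on a connection it opened as appsrv
-- with the TRUSTED option (EXEC SQL CONNECT TO ... TRUSTED in ESQL/C).
-- If the address or encryption level does not match ctx_reports the
-- session is not trusted and the switches below are rejected.

SET SESSION AUTHORIZATION TO 'mary';
-- DAC checks and audit records now apply to mary, not to appsrv.
UPDATE report_queue SET status = 'SENT' WHERE owner = USER;
COMMIT WORK;   -- finish the transaction before switching again

SET SESSION AUTHORIZATION TO 'joe' USING 'joe-password';  -- joe's credential, not the tier's
SELECT * FROM report_queue WHERE owner = USER;            -- runs, and is audited, as joe
COMMIT WORK;

-- A user not listed under WITH USE FOR cannot be switched to; this fails:
-- SET SESSION AUTHORIZATION TO 'eve';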
Summary
 IBM aims to avoid security alert headlines:
– Bad for business confidence.
 To do so, IBM Informix:
– Provides a securable system.
– Installs it securely by default.
– Provides guidance and training on security.
Resources
 The Online Informix Information Center
– http://publib.boulder.ibm.com/infocenter/idshelp/v117/index.jsp
– One-stop shop for Informix product documentation.
– Supports bookmarking favorite topics, narrowing the scope to refine searches, printing subsets of topics.
 IBM Informix DeveloperWorks Technical Articles
– http://www.ibm.com/developerworks/db2/products/informix/index.html
– Premium technical resource site for DBAs and developers.
– Features explained with examples/sample code.
– Contributions from IBM experts as well as customers.
 IBM DeveloperWorks Informix Blogs
– http://www-128.ibm.com/developerworks/blogs/page/roundrep (Informix Replication)
– http://www-128.ibm.com/developerworks/blogs/page/gbowerman (Informix Application Development)
– http://www-128.ibm.com/developerworks/blogs/page/idsteam (Informix Experts Blog)