DB2Locksmith

DB2 9.7, the Big Easy and Sad Clown Paintings

Rebecca Bond — Fri, 13 Aug 2010 00:11:06 +0000

Recently, I experienced what I can only describe as a brain mashup. Four totally unrelated thoughts came together in an unusual way after I started learning how easy it is to change a column name in DB2 LUW 9.7.

Thought #1: Someone once told me that a lazy person would spend a lot of time finding easier ways to do things.

Thought #2: I spend a lot of time in New Orleans. The Big Easy nickname fits the culture of the city perfectly. Life there is Big and Easy (unless there is a hurricane or an oil spill).

Thought #3: Sad Clown paintings make me…well…sad.

Thought #4: Changing a column name is easy.

The mashup outcome? You can read about it here: http://bit.ly/easychange

Knowing About DB2 LUW Auditing

Rebecca Bond — Mon, 09 Aug 2010 00:53:07 +0000

Sometimes I start one small article and it leads me to the realization that the topic can’t be covered effectively without much more effort. The whole topic of “knowing” about database security steps could fill several books, but I have to start somewhere. This time I started with DB2 LUW auditing.

How do you know about DB2 Auditing?
Where can you find more information?
What are some of the ways to investigate DB2 auditing setup?

If you’ve setup and then turned off DB2 LUW auditing in the past, or if you just decided DB2 auditing wasn’t a valid approach for your databases, I would encourage you to reconsider now. Auditing is a foundational security approach for every layer of the architecture and, as of DB2 9.5, DB2 auditing is more robust, easier to manage and a good way to “know” about database activities.

If you’d like to read the article I wrote on “knowing” about DB2 LUW auditing, you can find it here:

http://bit.ly/Audit_knowing

DB2 Security Magic Tricks

Rebecca Bond — Sun, 20 Jun 2010 18:58:10 +0000

Welcome to the first DB2 Security Magic Tricks Show. Today, I will demonstrate how I can read your mind.

Studio Audience: As I ask the questions, please think hard so that I can pick up the vibes that you are sending.

What operating system ports are you using for DB2? Please concentrate on the answer. No, I don’t mean the value for the DBM CFG svcename parameter. I mean the actual port; but that was a good question. Yes, I can see a number now, but your answer is a little bit cloudy. You’re thinking either 50000 or 60000. It is one of those. Sorry, that’s the best I can do since you seem to be sending mixed messages.

Let me try another. Think about the DB2 instance names. Thank you for thinking so hard. This is much clearer. Is one of them db2inst1?

Oh, I didn’t even need to ask this, you just started thinking it on your own. You have a DBA with an authorization ID of DB2ADMIN, don’t you?

Did I get any of these magic tricks right?

Ok, I admit it. No magic was actually involved. My tricks relied on the fact that many shops use defaults and don’t go back and change them. I was hoping that I would be wrong with every answer, but based on what I see in my consulting work, I suspected that would not be the case. My experience says I can guess correctly on these questions about 60% of the time. Those are good odds for a first attempt with most magic tricks.

If I guessed correctly, I know too much about your environment. If I know too much, then those who work on the dark side of security know too much about your architecture too and that part of this magic trick should bother you.

If I got it wrong….my congratulations to you and your team. Keep up the good work!

Comments? Suggestions? Concerns? My email is always open. db2locksmith@securedb2.com

The Security Focused DB2 DBA ?

Rebecca Bond — Tue, 15 Jun 2010 06:14:51 +0000

Many employers seem to believe that about five years of solid DB2 DBA experience puts a potential employee into an “advanced” or “senior” DB2 DBA role. Those with less experience are typically slotted for positions that will have some oversight from a more senior DBA. If the employers are right, then the act of just learning how to do the typical DBA tasks is equivalent to the years most of us apply toward acquiring a college degree. In other words, becoming a DBA requires a serious commitment just to learn the aspects of product information that drive the database engine itself. Then with the constant updates to the product and applications being supported, the DB2 DBA quickly becomes focused on keeping current. DBAs are, by definition of their job responsibilities, constantly learning new things.

How does this relate to security?

Learning security principles and keeping up with all the new security information in an attempt to keep up with evolving threats to the data is also a significant learning “opportunity”. One reason I like to talk to DBAs about security is because I know they “know how to learn” and grow their skills. I suspect most DBAs are curious about more than just how the databases “work” and that they enjoy their profession immensely and want to continue to advance their knowledge and their careers.

For DB2 DBAs, IBM has built in some robust security options that we can use to harden our databases and provide a layer of protection at the database layer. DB2 9.7, for instance, gives us the ability, for the first time, to truly apply the security principles of Separation of Duties to our databases. DB2 9.1 introduced us to a new Security Administrator (SECADM) authority and with DB2 9.7, that SECADM job function has evolved to allow a true separation/delegation of database security responsibilities which can be performed without the need for additional high level privileges. DB2 9.5 introduced a greatly enhanced auditing capability, with highly granular options, to help us design an auditing approach that matched our specific requirements without overwhelming us with unnecessary data. There is no additional charge for any of these security features and they are available for our use as soon as we complete the installation steps.

Fortunately, I am starting to see more and more DBAs signing up to learn about database security. The awareness of this particular need is just now starting to come into focus. I think we may be approaching a tipping point.

As more breaches occur, as more regulations are written, as more “bottom line”, financial damage is done to companies who “lose” data, I see a new opportunity for DBAs to grow their careers by focusing on security protections specific to the database layer.

This is good news for DB2 DBAs and good news for the organizations who need to harden their database security posture.

Do you agree? Disagree? Want to comment?

My email is open 24×7. db2locksmith@securedb2.com

Thought Morsels from my IDUG trip

Rebecca Bond — Thu, 10 Jun 2010 23:24:14 +0000

Sometimes seemingly tiny pieces of information can yield big dividends. I picked up a few of these tiny knowledge morsels at IDUG. Read my Database Journal article to find out what I learned. bit.ly/IDUG_INFO