
DB2 Database Security, Risk, and Control: An IT Auditor’s Vision

The security, risks, and controls of the IBM DB2 database are discussed below from the point of view of an IT auditor. This area is especially relevant due to persistent attacks on DB2 and other commercial databases that result in the disclosure of large amounts of confidential data.

IT audits are planned taking into account the risks related to the technology and controls that are expected to be in place. The controls are then tested to determine their effectiveness. This approach to risk and control is critical to IT auditing and critical to effective security.

Next, we will discuss the most critical DB2 risks and controls taken from different sources of DB2 security best practices. In general, there is substantial agreement on database security and the underlying risks and controls used in a DB2 audit.

Two valuable sources of guidance on DB2 risks and controls are an article in the IBM Technical Library titled '12 DB2 Security Best Practices' and a white paper from Imperva, a security vendor, titled 'Top Ten Database Security Threats'. Both sources are recommended to IT auditors as well as database administrators for guidance on DB2 security.

The discussion below draws on these two sources together with our professional IT audit experience in this area. We will highlight the main topics in DB2 security, without going through the detail of each risk and control.

DB2 risks. Threats and vulnerabilities are the main components of risk. DB2 threats are related to unauthorized user access, faulty authentication, and the misuse of privileges. Network threats stem from the potential for denial of service attacks targeting a database. One of the most serious threats is SQL injection, which also ranks among the annual SANS top cybersecurity risks.

There are vulnerabilities in the underlying operating system, database, and network settings. Although these vulnerabilities are actually in the supporting infrastructure surrounding the database, the direct impact of an attack or compromise on the database must be clearly understood. If these risks are addressed effectively, an organization can obtain reasonable assurance that security and compliance requirements will be met in even the most regulated industries.

DB2 controls. IBM and Imperva sources refer to critical DB2 controls. Remember that risks are mitigated or reduced with specific controls.

DB2 controls are implemented to reduce the risks described above. Controls are required to protect user access, authentication, and privileges. SQL injection is identified as high risk requiring strict controls.
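As an added example (not taken from the IBM or Imperva material), the queries below show one way an auditor might test the privilege controls described above by reading the DB2 catalog. They assume DB2 for Linux, UNIX and Windows 9.7 or later and read access to the SYSCAT views.

```sql
-- Added example: privilege review against the DB2 LUW catalog.
-- Authorization columns hold 'Y' (held), 'G' (held and grantable) or 'N'.

-- 1. Who holds database-level administrative authorities?
SELECT GRANTEE, GRANTEETYPE, GRANTOR,
       DBADMAUTH, SECURITYADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH
FROM   SYSCAT.DBAUTH
WHERE  DBADMAUTH = 'Y'
   OR  SECURITYADMAUTH = 'Y'
   OR  DATAACCESSAUTH = 'Y'
   OR  ACCESSCTRLAUTH = 'Y'
ORDER  BY GRANTEE;

-- 2. Database authorities available to every authenticated user via PUBLIC.
SELECT GRANTOR, CONNECTAUTH, CREATETABAUTH, BINDADDAUTH, IMPLSCHEMAAUTH
FROM   SYSCAT.DBAUTH
WHERE  GRANTEE = 'PUBLIC';

-- 3. Application tables that PUBLIC can read or modify.
--    Catalog schemas (SYS*) are excluded to keep the result reviewable.
SELECT TABSCHEMA, TABNAME, GRANTOR,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, CONTROLAUTH
FROM   SYSCAT.TABAUTH
WHERE  GRANTEE = 'PUBLIC'
  AND  TABSCHEMA NOT LIKE 'SYS%'
  AND (SELECTAUTH IN ('Y', 'G') OR INSERTAUTH IN ('Y', 'G')
    OR UPDATEAUTH IN ('Y', 'G') OR DELETEAUTH IN ('Y', 'G')
    OR CONTROLAUTH = 'Y')
ORDER  BY TABSCHEMA, TABNAME;

-- 4. Individual users who can pass table privileges on to others
--    (privileges granted WITH GRANT OPTION show as 'G').
SELECT GRANTEE, TABSCHEMA, TABNAME,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
FROM   SYSCAT.TABAUTH
WHERE  GRANTEETYPE = 'U'
  AND (SELECTAUTH = 'G' OR INSERTAUTH = 'G'
    OR UPDATEAUTH = 'G' OR DELETEAUTH = 'G')
ORDER  BY GRANTEE, TABSCHEMA, TABNAME;
```

Each row returned is a candidate finding to compare against the organization's approved access list, not a defect in itself.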

An important control is applying the most up-to-date DB2 FixPaks, which consist of bug fixes and performance improvements. A final control is a random security audit in which the database records are scanned for access patterns such as user validation, authorization verification, and system administration.

Common DB2 security topics. As mentioned earlier, there is a degree of consensus on the security, risk, and control of DB2 databases. An organization that understands the risks of DB2 and implements the proper controls, as mentioned above, will go a long way toward achieving a secure DB2 environment.

References:

12 DB2 Security Best Practices, by Ted Wasserman. IBM technical library, 'developerWorks'.

Top 10 Database Security Threats: How to Mitigate the Biggest Database Vulnerabilities. Imperva White Paper.

SANS. The Top Cyber Security Risks.
