SlideShare a Scribd company logo

DB2 10 Security Enhancements

Laura Hood, profile picture
Laura Hood

The document outlines the security enhancements in DB2 10 for z/OS, detailing new granular authorities to minimize superuser access, enhance audit policies, and implement row and column access controls. It emphasizes measures for data protection, audit flexibility, and compliance with regulations through improved auditing capabilities. Additionally, various examples illustrate how to set up and manage these new security features effectively.

1 of 37
Downloaded 108 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
DB2 for z/OS DB2 10 Security Enhancements Julian Stuhler Triton Consulting, DB2 Specialist, IBM Gold Consultant, IBM Data Champion Mike Bracey DB2 for z/OS Systems Engineer, IBM UK 0
Acknowledgements and Disclaimers: Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. © Copyright IBM Corporation 2011. All rights reserved. – U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, ibm.com, z/OS and DB2 are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml Other company, product, or service names may be trademarks or service marks of others. 1
Satisfy Your Auditor: Plan, Protect and Audit Data Access Minimize the use of a superuser authorities such as SYSADM Database Security Administrator Administrator A different group should manage Tasks Tasks access to restricted data than the owner of the data Data Auditing Any dynamic access or use of a privileged authority needs to be included in your audit trail SQL based Maintain historical versions of data for Row & Column Auditing years or during a business period Access Controls Data Privacy All dynamic access to tables containing Today’s Mainframe: restricted data needs to be protected The power of industry-leading security, the simplicity of centralised management 2
Reduce risk by minimizing use of SYSADM New granular system authorities Prior to DB2 10 New in DB2 10 SYSADM System DBADM DBADM ACCESSCTRL DBCTRL DATAACCESS SECADM DBMAINT SQLADM SYSCTRL EXPLAIN PACKADM SYSOPR 3
Install Security Parameters Prevents SYSADM and SYSCTRL from granting or revoking privileges New SEPARATE_SECURITY install parameter New install SECADM authority manages subsystem security SYSADM and SYSCTRL can no longer implicitly grant or revoke privileges Install SYSADM authority not impacted Control cascading effect of revokes New REVOKE_DEP_PRIVILEGES install parameter New INCLUDING / NOT INCLUDING DEPENDENT PRIVILEGES clause on SQL REVOKE statements 4
New authority for performing security tasks without ability to change or access data SECADM authority Allows the user to Issue SQL GRANT, REVOKE statements on all grantable privileges and administrative authorities Manage DB2 9 roles and trusted contexts Manage DB2 10 row permissions and column masks Manage DB2 10 Audit policies Access catalog tables Issue START, STOP, and DISPLAY TRACE commands Can access DB2 in ACCESS(MAINT) mode. 5
New authority for managing objects without ability to access data or control access to data System DBADM authority Allows the user to Issue SQL CREATE, ALTER, DROP statements to manage most objects in the DB2 subsystem Exception: Security objects, system objects Additional privileges required to create objects such as views, functions, triggers Issue most DB2 commands Execute system defined stored procedures and functions Access catalog tables 6
New authority for accessing data without the ability to manage data or control access to data DATAACCESS authority Allows the user to Issue SQL SELECT, INSERT, UPDATE, DELETE statements on all user tables, views, materialized query tables Execute all plans, packages and routines Run RECOVERDB, REORG, REPAIR, LOAD utilities on all user databases Issue ALTER and TERM UTILITY commands Access catalog tables 7
New authority for controlling access to data without ability to manage or access data ACCESSCTRL authority Allows the user to Issue SQL GRANT, REVOKE statements on most grantable privileges and administrative authorities Exceptions: System DBADM, DATAACCESS, ACCESSCTRL authorities Security privilege, CREATE_SECURE_OBJECT Access catalog tables 8
New authority for monitoring and tuning SQL without ability to change or access data SQLADM authority Allows the user to Issue SQL EXPLAIN statements Issue START, STOP, and DISPLAY PROFILE commands Execute system defined stored procedures and functions Access catalog tables Perform actions involving: EXPLAIN privilege STATS privilege on all user databases MONITOR2 privilege Cannot access data, perform DDL or execute 9
New privilege to validate SQL before moving application into production without risk to data EXPLAIN privilege Allows the user to Issue SQL EXPLAIN ALL statement without having the privileges to execute that SQL statement Issue SQL PREPARE and DESCRIBE TABLE statements without requiring any privileges on the object. Specify new BIND EXPLAIN(ONLY) and SQLERROR(CHECK) options Explain dynamic SQL statements executing under new special register, CURRENT EXPLAIN MODE = EXPLAIN 10
RACF support for the new Administrative Authorities RACF Access Control Module (‘SYS1.SDSNSAMP (DSNXRXAC)’) has been enhanced to Honor the setting of SEPARATE_SECURITY Implement the new DB2 administrative authorities as RACF resource checks DB2 Authority Resource Class SECADM <subsystem>.SECADM DSNADM System DBADM <subsystem>.SYSDBADM DSNADM DATAACCESS <subsystem>.DATAACCESS DSNADM ACCESSCTRL <subsystem>.ACCESSCTRL DSNADM SQLADM <subsystem>.SQLADM MDSNSM EXPLAIN <subsystem>.EXPLAIN MDSNSM 11
Satisfy Your Auditor: New audit policies provide needed flexibility and functionality Auditor can define an audit policy to audit any access to specific tables for specific programs during day Audit policy does not require AUDIT clause to be specified using DDL Audit policy generate records for all read and update access for statements with unique statement identifier Audit policy provides wildcarding of based on schema and table names Auditor can define an audit policy to identify any unusual use of a privileged authority Records each use of a system authority Audit records written only when authority is used for access External collectors only report users with a system authority 12
How to exploit Audit policies Security administrator using the new SECADM authority maintains DB2 audit policies in a new catalog table SYSIBM.SYSAUDITPOLICIES Audit policies enabled using –STA TRACE command Audit policies disabled using –STO TRACE command Up to 8 audit policies can be specified to auto start or auto start as secure during DB2 start up Only user with SECADM authority can stop a secure audit policy trace (APAR PM28296) 13
Audit policy categories Category Description IFCID CHECKING Authorisation failures 140, 83 VALIDATE New or changed authorisation IDs, new or user switching within 55, 83, trusted context 87, 169, 269, 312 CONTEXT Utility start, objects or phase change, and end 23, 24, 25 EXECUTE Any table change or read (all DML) 143,144, 145 OBJMAINT Table ALTER or DROP (DDL) 142 SECMAINT Grant and revoke of admin auths, create and alter roles and TC. 141, 270 Create, alter drop row permissions and column masks DBADMIN DBMAINT, DBCTRL, DBADM, PACKADM, SQLADM, SYSTEM. 361 DBADM, DATAACCESS, ACCESSCTRL, SECADM SYSADMIN installation SYSADM, installation SYSOPR 361 SYSCTRL, or SYSADM 14
Example: Dynamic auditing of tables Audit all the tables that start with ‘PAY’ in EMPLOYEE schema Does not require AUDIT clause to be specified during table definition IFCID 145 trace record contains full SQL statement text and unique statement ID IFCID 143 and 144 trace records contain the unique statement ID that can be used to identify the SQL statement in IFCID 145 record. INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE) VALUES ('TABADT1',‘EMPLOYEE','’’PAY%’’','T','A'); -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(TABADT1); 15
Example: Audit Administrative Authority New IFCID 361 trace record audits successful execution of all access to DB2 Audit policy provides the capability to specify the administrative authority to be audited Trace started using IFCID or CLASS keyword audits successful execution by all users If Access Control Authorization Exit is active, then only operations performed by installation SYSADM and installation SYSOPR are audited by IFCID 314 trace. RACF provides similar capability with AUDIT(ALL) keyword for the profiles. INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, SYSADMIN, DBADMIN) VALUES(‘AUDITADMIN',’*',‘BD'); -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMIN); 16
Satisfy Your Auditor: New table controls to protect against unplanned SQL access Define additional data controls at the row and column level Security policies are defined using SQL Separate security logic from application logic Security policies based on real time session attributes Protects against SQL injection attacks Determines how column values are returned Determines which rows are returned All access via SQL including privileged users, adhoc query tools, report generation tools is protected Policies can be added, modified, or removed to meet current company rules without change to applications 17
Table controls to protect SQL access to individual row level Establish a row policy for a table Filter rows out of answer set Policy can use session information, e.g. the SQL ID is in what group or user is using what role, to control which row is returned in result set Applicable to SELECT, INSERT, UPDATE, DELETE, & MERGE Defined as a row permission: CREATE PERMISSION policy-name ON table-name FOR ROWS WHERE search-condition ENFORCED FOR ALL ACCESS ENABLE; Optimizer inserts search condition in all SQL statements accessing table. If row satisfies search-condition, row is returned in answer set. 18
Table controls to protect SQL access to individual column level Establish a column policy for a table Mask column values in answer set Policy can use session information, e.g. the SQL ID is in what group or user is using what role, to control what masked value is returned in result set Applicable to the output of outermost subselect Defined as column masks : CREATE MASK mask-name ON table-name FOR COLUMN column-name RETURN CASE-expression ENABLE; Optimizer inserts CASE expression in all SQL statements accessing table to determine mask value to return in answer set 19
Define table policies based on who or how table is being accessed SESSION_USER - Primary authorization ID of the process CURRENT SQLID - SQL authorization ID of the process SET CURRENT SQLID = string-constant VERIFY_GROUP_FOR_USER function Get the authorization IDs for the value in SESSION_USER Includes both primary and secondary authorization IDs Return 1 if any of those authorization IDs is in the argument list WHERE VERIFY_GROUP_FOR_USER (SESSION_USER, ‘MGR’, ‘PAYROLL’) = 1 VERIFY_ROLE_FOR_USER function Get the role for the value in SESSION_USER Return 1 if the role is in the argument list WHERE VERIFY_ROLE_FOR_USER (SESSION_USER, ’MGR’, ‘PAYROLL’) = 1 20
Managing row and column access controls When activated row and column access controls: All row permissions and column masks become effective in all DML All row permissions are connected with ‘OR’ to filter out rows All column masks are applied to mask output All access to the table is prevented if no user-defined row permissions ALTER TABLE table-name ACTIVATE ROW ACCESS CONTROL ACTIVATE COLUMN ACCESS CONTROL; When deactivated row and column access controls: Make row permissions and column masks become ineffective in DML Opens all access to the table ALTER TABLE table-name DEACTIVATE ROW ACCESS CONTROL DEACTIVATE COLUMN ACCESS CONTROL; 21
Example – A simple banking scenario Only allow customer service representatives to see customer data but always with masked income Table: CUSTOMER Account Name Phone Income Branch 1111-2222-3333-4444 Alice 111-1111 22,000 A 2222-3333-4444-5555 Bob 222-2222 71,000 B 3333-4444-5555-6666 Louis 333-3333 123,000 B 4444-5555-6666-7777 David 444-4444 172,000 C 22
Define row and column access control on customer table Define row and column policies for customer service representatives Allow access to all customers of the bank (a row permission) Mask all INCOME values (a column mask) Return value 0 for incomes of 25000 and below Return value 1 for incomes between 25000 and 75000 Return value 2 for incomes between 75000 and 150000 Return value 3 for incomes above 150000 Customer service representatives are in the CSR group (who) 23
Create a row permission for customer service representatives CREATE PERMISSION CSR_ROW_ACCESS ON CUSTOMER FOR ROWS WHERE VERIFY_GROUP_FOR_USER (SESSION_USER, ’CSR’) = 1 ENFORCED FOR ALL ACCESS ENABLE; Create a column mask on INCOME column for customer service representatives CREATE MASK INCOME_COLUMN_MASK ON CUSTOMER FOR COLUMN INCOME RETURN CASE WHEN (VERIFY_GROUP_FOR_USER (SESSION_USER, ‘CSR’) = 1) THEN CASE WHEN (INCOME > 150000) THEN 3 WHEN (INCOME > 75000) THEN 2 WHEN (INCOME > 25000) THEN 1 ELSE 0 END ELSE NULL END ENABLE; 24
Start enforcing row and column access control on customer table Activate Row and Column Access Control ALTER TABLE CUSTOMER ACTIVATE ROW ACCESS CONTROL ACTIVATE COLUMN ACCESS CONTROL; COMMIT; What happens in DB2? A default row permission is created implicitly to prevent all access to table CUSTOMER (WHERE 1=0) except for users in the CSR group All packages and cached statements that reference table CUSTOMER are invalidated 25
Selecting from customer table … after row and column access control activated SELECT ACCOUNT, NAME, INCOME, PHONE FROM CUSTOMER; ACCOUNT NAME INCOME PHONE 1111-2222-3333-4444 Alice 0 111-1111 2222-3333-4444-5555 Bob 1 222-2222 3333-4444-5555-6666 Louis 2 333-3333 4444-5555-6666-7777 David 3 444-4444 INCOME automatically masked by DB2! 26
DB2 effectively evaluates the following revised query SELECT ACCOUNT, NAME, CASE WHEN (VERIFY_GROUP_FOR_USER (SESSION_USER, ‘CSR’) = 1) THEN CASE WHEN (INCOME > 150000) THEN 3 WHEN (INCOME > 75000) THEN 2 WHEN (INCOME > 25000) THEN 1 ELSE 0 END ELSE NULL END INCOME, PHONE FROM CUSTOMER WHERE VERIFY_GROUP_FOR_USER (SESSION_USER, ‘CSR’) = 1 OR 1 = 0 ; 27
Rules about row and column access Not enforced for RI, CHECK, or UNIQUE CONSTRAINT Preserve data integrity Require secure triggers CREATE or ALTER TRIGGER with the SECURED option Managed by SECADM or new privilege CREATE_SECURE_OBJECT Rebind trigger packages implicitly after ALTER TRIGGER Require secure UDFs Referenced in the row permission and column mask definition CREATE or ALTER TRIGGER with the SECURED option Managed by SECADM or new privilege CREATE_SECURE_OBJECT Populate access control information in EXPLAIN tables Can activate access control on EXPLAIN tables No support for MQT and set operations 28
DB2 10 for z/OS Security Enhancements Help Satisfy Your Auditors using new features New granular authorities to reduce data exposure for administrators New auditing features using new audit policies comply with new laws New row and column access table controls to safe guard your data Questions ? 29
DB2 Security updates PM26966 – System DBADM updates PM28296 – Secure audit policy trace support – Prevent privileged users from stopping audit traces – No implicit system privileges for DBADM PM30394 – IFCID 361 support for commands PM32217 – SQLCODE +4726 updates to provide granular information Connection security PM17665 – DB2 server authentication behavior change for DB2 for z/OS requestor clients PM37300 – Provides option for private protocol like authentication behavior for DB2 for z/OS clients PM43292 – Allows RACF protected userids to be PASSTICKET authenticated 30
DB2 / RACF Access Control Authorization Exit updates RACF APARs PM02054 - Authorization cache support. XAPLUCHK implicit ownership check for the object is suppressed when caching is enabled. PM17673 – View resource name updates for INSERT, UPDATE, and DELETE operations. The first resource that RACF checks is: db2-subsystem.table-qualifier.table-name.view- qualifier.view-name.privilege DB2 APARs PM95112 (V9), PM02841 (V8) – View updates for exit PK92315, PM05218, PM25115 - Authorization cache changes for exit. DB2 checks and caches the primary authorization ID, if a role is not in effect. PM27835 - Provides the capability for IMS to communicate ACEE to DB2 for RACF authorization. PM28543 – System DBADM updates using the exit 31
References • Security Functions of IBM DB2 10 for z/OS (SG24-7959-00) http://www.redbooks.ibm.com • DB2 10 for z/OS Technical Overview (SG24-7892-00) http://www.redbooks.ibm.com • DB2 10 for z/OS Administration Guide (SC19-2968-02) http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/topic/com.ibm.db2z10.doc.admin/src/admin/db2z _admin.htm • DB2 10 for z/OS RACF Access Control Module Guide (SC19-2982-02) http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/topic/com.ibm.db2z10.doc.racf/src/racf/db2z_racf. htm • DB2 V10: A new standard in data protection, by Mark Nelson, Randy Love, Gayathiri Chandran, zJournal, February 2011 http://publibz.boulder.ibm.com/zoslib/pdf/EOZ2N1C0.pdf • DB2 9 for z/OS: Configuring SSL for Secure Client-Server communications - Red paper http://www.redbooks.ibm.com/abstracts/redp4630.html?Open • DB2 for z/OS Information Center http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp 32
Useful DB2 for z/OS URLs • DB2 10 Launch Website http://bit.ly/DB210Launch • DB2 for z/OS Website http://www-01.ibm.com/software/data/db2/zos/ • DB2 Product Library http://www.ibm.com/software/data/db2/zos/library.html • DB2 Newsletter http://www.ibm.com/vrm/newsletter/11065 • Latest Whitepapers – Business Value of DB2 10 – Julian Stuhler – A Matter of Time: Temporal Data Management – Why DB2 for z/OS is BETTER than Oracle RAC ? • DB2 for z/OS e-Kit • Upcoming Conferences/Events http://bit.ly/DB210e-Kit – IDUG DB2 Tech Conference AG Denver - 14th -16th May 2012 – IDUG 10 Migration Planning Workshop Denver - 13th May 2012 33
Top DB2 for z/OS e-Communities World of DB2 for z/OS - 1700+ members http://db2forzos.ning.com/ http://linkd.in/IBMDB210 DB2 10 LinkedIn - 1000+ members DB2 for z/OS What’s On LinkedIn – 2000+ members http://linkd.in/kd05LH http://www.youtube.com/user/IBMDB2forzOS DB2 for z/OS YouTube WW IDUG LinkedIn Group - 2000 +members http://linkd.in/IDUGLinkedIn http://www.ibm.com/developerworks/data/community/ IBM DeveloperWorks 34
DB2 10 is Here ! Customers seeing reduced costs, simplified workloads through proven technology Reduced Costs Simplified Workloads Proven Technology “Based on the performance metrics from our “With DB2 10 able to handle 5-10 times as “Every single SQL statement we have controlled test environment, we see a significant many threads as the previous version, the tested has been better or the same as amount of CPU and Elapsed time savings. This upgrade will immediately give the bank some our current optimal paths – we have release has many features that will help bring down much-needed room for future workload growth yet to see any significant access path our operating costs.” while simultaneously reducing their data regression. We had to spend a lot of sharing overhead.” time tuning SQL with DB2 9, but we expect that to disappear when we upgrade to DB2 10.” Paulo Sahadi - Senior Production Manager, Philipp Nowak, Morgan Stanley DB2 Team Information Management Division at Banco do Brasil BMW DB2 Product Manager “We are particularly interested in the performance “The new temporal functionality in DB2 10 for The new audit capabilities in DB2 10 improvements due to the potential CPU reductions z/OS will allow us to drastically simplify our will allow tables to be audited as soon that we realized during our DB2 10 Beta testing. date-related queries. In addition, we’ll be able as they are created, which is an obvious Our early testing has shown out-of-the-box to reduce our storage costs by using cheaper benefit for the business and will reduce processing cost reductions of between 5% - 10% storage for inactive rows and reduce our costs and simplify our processes” and for some workloads as high as 30%. Potential processing cost by having DB2 handle data cost savings of this magnitude cannot be ignored movement more efficiently than the custom given today’s business climate.” code we’ve written to do the same work in the Guenter Schinkel -Postbank Systems AG past” Large Insurance Company Large Global Bank For more customer references visit : http://www.ibm.com/software/data/db2/zos/testimonials.html 35 35
Thank You! Your Feedback is Important to Us • Visit Us at www.ibm.com/software/data/db2/db210 36 36

More Related Content

PPT
DB2 LUW Auditing
DB2Locksmith
 
PDF
Db2.security.slides
asderww
 
PPTX
DB2 Security Model
uniqueYGB
 
PDF
Access Control Facilities in Oracle Database 11g r2
Amin Saqi
 
PDF
Material modulo02 asf6501(6425-b_01)
JSantanderQ
 
PDF
Material modulo01 asf6501(6419-a_01)
JSantanderQ
 
PDF
Material modulo03 asf6501(6425-b_02)
JSantanderQ
 
PDF
Material modulo04 asf6501(6425-a_01)
JSantanderQ
 
DB2 LUW Auditing
DB2Locksmith
 
Db2.security.slides
asderww
 
DB2 Security Model
uniqueYGB
 
Access Control Facilities in Oracle Database 11g r2
Amin Saqi
 
Material modulo02 asf6501(6425-b_01)
JSantanderQ
 
Material modulo01 asf6501(6419-a_01)
JSantanderQ
 
Material modulo03 asf6501(6425-b_02)
JSantanderQ
 
Material modulo04 asf6501(6425-a_01)
JSantanderQ
 

What's hot (15)

PDF
RACF - The Basics (v1.2)
Rui Miguel Feio
 
PPT
Sql 2005 high availability
Information Technology
 
PPTX
Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
Amit Gatenyo
 
PDF
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot
 
PPT
Mcts chapter 4
Sadegh Nakhjavani
 
PPTX
WINDOWS SERVER 2008
Tawose Olamide Timothy
 
PDF
Server 2008 r2 ppt
Raj Solanki
 
PPT
70 640 Lesson06 Ppt 041009
Coffeyville Community College
 
PDF
Remote Desktop Manager suite
Anne-Marie Mongeon
 
PPTX
Ad ds ws2008 r2
MICTT Palma
 
DOCX
Rodc features
pothurajr
 
DOCX
Ad ds rodc
Kartik. Solanki
 
PPT
0505 Windows Server 2008 一日精華營 PartI
Timothy Chen
 
PDF
MICROSOFT SQL Server
webhostingguy
 
PDF
Windows server 2008_setting up step -by- step
salomemegrelishvili
 
RACF - The Basics (v1.2)
Rui Miguel Feio
 
Sql 2005 high availability
Information Technology
 
Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
Amit Gatenyo
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot
 
Mcts chapter 4
Sadegh Nakhjavani
 
WINDOWS SERVER 2008
Tawose Olamide Timothy
 
Server 2008 r2 ppt
Raj Solanki
 
70 640 Lesson06 Ppt 041009
Coffeyville Community College
 
Remote Desktop Manager suite
Anne-Marie Mongeon
 
Ad ds ws2008 r2
MICTT Palma
 
Rodc features
pothurajr
 
Ad ds rodc
Kartik. Solanki
 
0505 Windows Server 2008 一日精華營 PartI
Timothy Chen
 
MICROSOFT SQL Server
webhostingguy
 
Windows server 2008_setting up step -by- step
salomemegrelishvili
 
Ad

Similar to DB2 10 Security Enhancements (20)

PPT
2) security
guptavikki99
 
PPT
Oracle Database Vault
Marco Alamanni
 
PPT
DB2UDB_the_Basics Day 3
Pranav Prakash
 
PDF
OTech magazine article - Principle of Least Privilege
Biju Thomas
 
PPT
SQL Server 2008 Security Overview
ukdpe
 
PPSX
Solving the DB2 LUW Administration Dilemma
Randy Goering
 
PPSX
Solving the DB2 LUW Administration Dilemma
Randy Goering
 
PPT
Windows Server 2008 (Active Directory Yenilikleri)
ÇözümPARK
 
ODP
MySQL Administration and Monitoring
Mark Leith
 
PDF
Administrators manual
ScrumDesk
 
PDF
Administrators manual
ScrumDesk
 
PPT
Sql Server Security
Vinod Kumar
 
PPTX
Oracle Data Redaction
Alex Zaballa
 
PPTX
SQL Server Admin Best Practices with DMV's
Sparkhound Inc.
 
PPT
Less11 Security
vivaankumar
 
PPTX
Data Redaction - OTN TOUR LA 2015
Alex Zaballa
 
PPTX
Odv oracle customer_demo
Viaggio Italia
 
PPTX
Privilege Analysis with the Oracle Database
Markus Flechtner
 
PPTX
Creating a Multi-Layered Secured Postgres Database
EDB
 
PDF
DBA Tasks in Oracle Autonomous Database
SinanPetrusToma
 
2) security
guptavikki99
 
Oracle Database Vault
Marco Alamanni
 
DB2UDB_the_Basics Day 3
Pranav Prakash
 
OTech magazine article - Principle of Least Privilege
Biju Thomas
 
SQL Server 2008 Security Overview
ukdpe
 
Solving the DB2 LUW Administration Dilemma
Randy Goering
 
Solving the DB2 LUW Administration Dilemma
Randy Goering
 
Windows Server 2008 (Active Directory Yenilikleri)
ÇözümPARK
 
MySQL Administration and Monitoring
Mark Leith
 
Administrators manual
ScrumDesk
 
Administrators manual
ScrumDesk
 
Sql Server Security
Vinod Kumar
 
Oracle Data Redaction
Alex Zaballa
 
SQL Server Admin Best Practices with DMV's
Sparkhound Inc.
 
Less11 Security
vivaankumar
 
Data Redaction - OTN TOUR LA 2015
Alex Zaballa
 
Odv oracle customer_demo
Viaggio Italia
 
Privilege Analysis with the Oracle Database
Markus Flechtner
 
Creating a Multi-Layered Secured Postgres Database
EDB
 
DBA Tasks in Oracle Autonomous Database
SinanPetrusToma
 
Ad

More from Laura Hood (20)

PDF
Top 10 DB2 Support Nightmares #10
Laura Hood
 
PDF
Top 10 DB2 Support Nightmares #9
Laura Hood
 
PDF
Top 10 DB2 Support Nightmares #8
Laura Hood
 
PDF
Top 10 DB2 Support Nightmares #7
Laura Hood
 
PDF
Top 10 db2 support nightmares #6
Laura Hood
 
PDF
Consultancy on Demand - Infographic
Laura Hood
 
PDF
A Time Traveller's Guide to DB2: Technology Themes for 2014 and Beyond
Laura Hood
 
PDF
Top 10 DB2 Support Nightmares #1
Laura Hood
 
PDF
Db2 10 memory management uk db2 user group june 2013 [read-only]
Laura Hood
 
PDF
DbB 10 Webcast #3 The Secrets Of Scalability
Laura Hood
 
PDF
DB2 10 Webcast #2 - Justifying The Upgrade
Laura Hood
 
PDF
DB2 10 Webcast #1 - Overview And Migration Planning
Laura Hood
 
PDF
Time Travelling With DB2 10 For zOS
Laura Hood
 
PDF
DB2DART - DB2Night Show October 2011
Laura Hood
 
PDF
DB2 z/OS &amp; Java - What\'s New?
Laura Hood
 
PDF
Temporal And Other DB2 10 For Z Os Highlights
Laura Hood
 
PDF
DB210 Smarter Database IBM Tech Forum 2011
Laura Hood
 
PDF
UKGSE DB2 pureScale
Laura Hood
 
PPTX
UKCMG DB2 pureScale
Laura Hood
 
PDF
Episode 4 DB2 pureScale Performance Webinar Oct 2010
Laura Hood
 
Top 10 DB2 Support Nightmares #10
Laura Hood
 
Top 10 DB2 Support Nightmares #9
Laura Hood
 
Top 10 DB2 Support Nightmares #8
Laura Hood
 
Top 10 DB2 Support Nightmares #7
Laura Hood
 
Top 10 db2 support nightmares #6
Laura Hood
 
Consultancy on Demand - Infographic
Laura Hood
 
A Time Traveller's Guide to DB2: Technology Themes for 2014 and Beyond
Laura Hood
 
Top 10 DB2 Support Nightmares #1
Laura Hood
 
Db2 10 memory management uk db2 user group june 2013 [read-only]
Laura Hood
 
DbB 10 Webcast #3 The Secrets Of Scalability
Laura Hood
 
DB2 10 Webcast #2 - Justifying The Upgrade
Laura Hood
 
DB2 10 Webcast #1 - Overview And Migration Planning
Laura Hood
 
Time Travelling With DB2 10 For zOS
Laura Hood
 
DB2DART - DB2Night Show October 2011
Laura Hood
 
DB2 z/OS &amp; Java - What\'s New?
Laura Hood
 
Temporal And Other DB2 10 For Z Os Highlights
Laura Hood
 
DB210 Smarter Database IBM Tech Forum 2011
Laura Hood
 
UKGSE DB2 pureScale
Laura Hood
 
UKCMG DB2 pureScale
Laura Hood
 
Episode 4 DB2 pureScale Performance Webinar Oct 2010
Laura Hood
 

DB2 10 Security Enhancements

  • 1. DB2 for z/OS DB2 10 Security Enhancements Julian Stuhler Triton Consulting, DB2 Specialist, IBM Gold Consultant, IBM Data Champion Mike Bracey DB2 for z/OS Systems Engineer, IBM UK 0
  • 2. Acknowledgements and Disclaimers: Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. © Copyright IBM Corporation 2011. All rights reserved. – U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, ibm.com, z/OS and DB2 are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml Other company, product, or service names may be trademarks or service marks of others. 1
  • 3. Satisfy Your Auditor: Plan, Protect and Audit Data Access Minimize the use of a superuser authorities such as SYSADM Database Security Administrator Administrator A different group should manage Tasks Tasks access to restricted data than the owner of the data Data Auditing Any dynamic access or use of a privileged authority needs to be included in your audit trail SQL based Maintain historical versions of data for Row & Column Auditing years or during a business period Access Controls Data Privacy All dynamic access to tables containing Today’s Mainframe: restricted data needs to be protected The power of industry-leading security, the simplicity of centralised management 2
  • 4. Reduce risk by minimizing use of SYSADM New granular system authorities Prior to DB2 10 New in DB2 10 SYSADM System DBADM DBADM ACCESSCTRL DBCTRL DATAACCESS SECADM DBMAINT SQLADM SYSCTRL EXPLAIN PACKADM SYSOPR 3
  • 5. Install Security Parameters Prevents SYSADM and SYSCTRL from granting or revoking privileges New SEPARATE_SECURITY install parameter New install SECADM authority manages subsystem security SYSADM and SYSCTRL can no longer implicitly grant or revoke privileges Install SYSADM authority not impacted Control cascading effect of revokes New REVOKE_DEP_PRIVILEGES install parameter New INCLUDING / NOT INCLUDING DEPENDENT PRIVILEGES clause on SQL REVOKE statements 4
  • 6. New authority for performing security tasks without ability to change or access data SECADM authority Allows the user to Issue SQL GRANT, REVOKE statements on all grantable privileges and administrative authorities Manage DB2 9 roles and trusted contexts Manage DB2 10 row permissions and column masks Manage DB2 10 Audit policies Access catalog tables Issue START, STOP, and DISPLAY TRACE commands Can access DB2 in ACCESS(MAINT) mode. 5
  • 7. New authority for managing objects without ability to access data or control access to data System DBADM authority Allows the user to Issue SQL CREATE, ALTER, DROP statements to manage most objects in the DB2 subsystem Exception: Security objects, system objects Additional privileges required to create objects such as views, functions, triggers Issue most DB2 commands Execute system defined stored procedures and functions Access catalog tables 6
  • 8. New authority for accessing data without the ability to manage data or control access to data DATAACCESS authority Allows the user to Issue SQL SELECT, INSERT, UPDATE, DELETE statements on all user tables, views, materialized query tables Execute all plans, packages and routines Run RECOVERDB, REORG, REPAIR, LOAD utilities on all user databases Issue ALTER and TERM UTILITY commands Access catalog tables 7
  • 9. New authority for controlling access to data without ability to manage or access data ACCESSCTRL authority Allows the user to Issue SQL GRANT, REVOKE statements on most grantable privileges and administrative authorities Exceptions: System DBADM, DATAACCESS, ACCESSCTRL authorities Security privilege, CREATE_SECURE_OBJECT Access catalog tables 8
  • 10. New authority for monitoring and tuning SQL without ability to change or access data SQLADM authority Allows the user to Issue SQL EXPLAIN statements Issue START, STOP, and DISPLAY PROFILE commands Execute system defined stored procedures and functions Access catalog tables Perform actions involving: EXPLAIN privilege STATS privilege on all user databases MONITOR2 privilege Cannot access data, perform DDL or execute 9
  • 11. New privilege to validate SQL before moving application into production without risk to data EXPLAIN privilege Allows the user to Issue SQL EXPLAIN ALL statement without having the privileges to execute that SQL statement Issue SQL PREPARE and DESCRIBE TABLE statements without requiring any privileges on the object. Specify new BIND EXPLAIN(ONLY) and SQLERROR(CHECK) options Explain dynamic SQL statements executing under new special register, CURRENT EXPLAIN MODE = EXPLAIN 10
  • 12. RACF support for the new Administrative Authorities RACF Access Control Module (‘SYS1.SDSNSAMP (DSNXRXAC)’) has been enhanced to Honor the setting of SEPARATE_SECURITY Implement the new DB2 administrative authorities as RACF resource checks DB2 Authority Resource Class SECADM <subsystem>.SECADM DSNADM System DBADM <subsystem>.SYSDBADM DSNADM DATAACCESS <subsystem>.DATAACCESS DSNADM ACCESSCTRL <subsystem>.ACCESSCTRL DSNADM SQLADM <subsystem>.SQLADM MDSNSM EXPLAIN <subsystem>.EXPLAIN MDSNSM 11
  • 13. Satisfy Your Auditor: New audit policies provide needed flexibility and functionality Auditor can define an audit policy to audit any access to specific tables for specific programs during day Audit policy does not require AUDIT clause to be specified using DDL Audit policy generate records for all read and update access for statements with unique statement identifier Audit policy provides wildcarding of based on schema and table names Auditor can define an audit policy to identify any unusual use of a privileged authority Records each use of a system authority Audit records written only when authority is used for access External collectors only report users with a system authority 12
  • 14. How to exploit Audit policies Security administrator using the new SECADM authority maintains DB2 audit policies in a new catalog table SYSIBM.SYSAUDITPOLICIES Audit policies enabled using –STA TRACE command Audit policies disabled using –STO TRACE command Up to 8 audit policies can be specified to auto start or auto start as secure during DB2 start up Only user with SECADM authority can stop a secure audit policy trace (APAR PM28296) 13
  • 15. Audit policy categories Category Description IFCID CHECKING Authorisation failures 140, 83 VALIDATE New or changed authorisation IDs, new or user switching within 55, 83, trusted context 87, 169, 269, 312 CONTEXT Utility start, objects or phase change, and end 23, 24, 25 EXECUTE Any table change or read (all DML) 143,144, 145 OBJMAINT Table ALTER or DROP (DDL) 142 SECMAINT Grant and revoke of admin auths, create and alter roles and TC. 141, 270 Create, alter drop row permissions and column masks DBADMIN DBMAINT, DBCTRL, DBADM, PACKADM, SQLADM, SYSTEM. 361 DBADM, DATAACCESS, ACCESSCTRL, SECADM SYSADMIN installation SYSADM, installation SYSOPR 361 SYSCTRL, or SYSADM 14
  • 16. Example: Dynamic auditing of tables Audit all the tables that start with ‘PAY’ in EMPLOYEE schema Does not require AUDIT clause to be specified during table definition IFCID 145 trace record contains full SQL statement text and unique statement ID IFCID 143 and 144 trace records contain the unique statement ID that can be used to identify the SQL statement in IFCID 145 record. INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE) VALUES ('TABADT1',‘EMPLOYEE','’’PAY%’’','T','A'); -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(TABADT1); 15
  • 17. Example: Audit Administrative Authority New IFCID 361 trace record audits successful execution of all access to DB2 Audit policy provides the capability to specify the administrative authority to be audited Trace started using IFCID or CLASS keyword audits successful execution by all users If Access Control Authorization Exit is active, then only operations performed by installation SYSADM and installation SYSOPR are audited by IFCID 314 trace. RACF provides similar capability with AUDIT(ALL) keyword for the profiles. INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, SYSADMIN, DBADMIN) VALUES(‘AUDITADMIN',’*',‘BD'); -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMIN); 16
  • 18. Satisfy Your Auditor: New table controls to protect against unplanned SQL access Define additional data controls at the row and column level Security policies are defined using SQL Separate security logic from application logic Security policies based on real time session attributes Protects against SQL injection attacks Determines how column values are returned Determines which rows are returned All access via SQL including privileged users, adhoc query tools, report generation tools is protected Policies can be added, modified, or removed to meet current company rules without change to applications 17
  • 19. Table controls to protect SQL access to individual row level Establish a row policy for a table Filter rows out of answer set Policy can use session information, e.g. the SQL ID is in what group or user is using what role, to control which row is returned in result set Applicable to SELECT, INSERT, UPDATE, DELETE, & MERGE Defined as a row permission: CREATE PERMISSION policy-name ON table-name FOR ROWS WHERE search-condition ENFORCED FOR ALL ACCESS ENABLE; Optimizer inserts search condition in all SQL statements accessing table. If row satisfies search-condition, row is returned in answer set. 18
  • 20. Table controls to protect SQL access to individual column level Establish a column policy for a table Mask column values in answer set Policy can use session information, e.g. the SQL ID is in what group or user is using what role, to control what masked value is returned in result set Applicable to the output of outermost subselect Defined as column masks : CREATE MASK mask-name ON table-name FOR COLUMN column-name RETURN CASE-expression ENABLE; Optimizer inserts CASE expression in all SQL statements accessing table to determine mask value to return in answer set 19
  • 21. Define table policies based on who or how table is being accessed SESSION_USER - Primary authorization ID of the process CURRENT SQLID - SQL authorization ID of the process SET CURRENT SQLID = string-constant VERIFY_GROUP_FOR_USER function Get the authorization IDs for the value in SESSION_USER Includes both primary and secondary authorization IDs Return 1 if any of those authorization IDs is in the argument list WHERE VERIFY_GROUP_FOR_USER (SESSION_USER, ‘MGR’, ‘PAYROLL’) = 1 VERIFY_ROLE_FOR_USER function Get the role for the value in SESSION_USER Return 1 if the role is in the argument list WHERE VERIFY_ROLE_FOR_USER (SESSION_USER, ’MGR’, ‘PAYROLL’) = 1 20
  • 22. Managing row and column access controls When activated row and column access controls: All row permissions and column masks become effective in all DML All row permissions are connected with ‘OR’ to filter out rows All column masks are applied to mask output All access to the table is prevented if no user-defined row permissions ALTER TABLE table-name ACTIVATE ROW ACCESS CONTROL ACTIVATE COLUMN ACCESS CONTROL; When deactivated row and column access controls: Make row permissions and column masks become ineffective in DML Opens all access to the table ALTER TABLE table-name DEACTIVATE ROW ACCESS CONTROL DEACTIVATE COLUMN ACCESS CONTROL; 21
  • 23. Example – A simple banking scenario Only allow customer service representatives to see customer data but always with masked income Table: CUSTOMER Account Name Phone Income Branch 1111-2222-3333-4444 Alice 111-1111 22,000 A 2222-3333-4444-5555 Bob 222-2222 71,000 B 3333-4444-5555-6666 Louis 333-3333 123,000 B 4444-5555-6666-7777 David 444-4444 172,000 C 22
  • 24. Define row and column access control on customer table Define row and column policies for customer service representatives Allow access to all customers of the bank (a row permission) Mask all INCOME values (a column mask) Return value 0 for incomes of 25000 and below Return value 1 for incomes between 25000 and 75000 Return value 2 for incomes between 75000 and 150000 Return value 3 for incomes above 150000 Customer service representatives are in the CSR group (who) 23
  • 25. Create a row permission for customer service representatives CREATE PERMISSION CSR_ROW_ACCESS ON CUSTOMER FOR ROWS WHERE VERIFY_GROUP_FOR_USER (SESSION_USER, ’CSR’) = 1 ENFORCED FOR ALL ACCESS ENABLE; Create a column mask on INCOME column for customer service representatives CREATE MASK INCOME_COLUMN_MASK ON CUSTOMER FOR COLUMN INCOME RETURN CASE WHEN (VERIFY_GROUP_FOR_USER (SESSION_USER, ‘CSR’) = 1) THEN CASE WHEN (INCOME > 150000) THEN 3 WHEN (INCOME > 75000) THEN 2 WHEN (INCOME > 25000) THEN 1 ELSE 0 END ELSE NULL END ENABLE; 24
  • 26. Start enforcing row and column access control on customer table Activate Row and Column Access Control ALTER TABLE CUSTOMER ACTIVATE ROW ACCESS CONTROL ACTIVATE COLUMN ACCESS CONTROL; COMMIT; What happens in DB2? A default row permission is created implicitly to prevent all access to table CUSTOMER (WHERE 1=0) except for users in the CSR group All packages and cached statements that reference table CUSTOMER are invalidated 25
  • 27. Selecting from customer table … after row and column access control activated SELECT ACCOUNT, NAME, INCOME, PHONE FROM CUSTOMER; ACCOUNT NAME INCOME PHONE 1111-2222-3333-4444 Alice 0 111-1111 2222-3333-4444-5555 Bob 1 222-2222 3333-4444-5555-6666 Louis 2 333-3333 4444-5555-6666-7777 David 3 444-4444 INCOME automatically masked by DB2! 26
  • 28. DB2 effectively evaluates the following revised query SELECT ACCOUNT, NAME, CASE WHEN (VERIFY_GROUP_FOR_USER (SESSION_USER, ‘CSR’) = 1) THEN CASE WHEN (INCOME > 150000) THEN 3 WHEN (INCOME > 75000) THEN 2 WHEN (INCOME > 25000) THEN 1 ELSE 0 END ELSE NULL END INCOME, PHONE FROM CUSTOMER WHERE VERIFY_GROUP_FOR_USER (SESSION_USER, ‘CSR’) = 1 OR 1 = 0 ; 27
  • 29. Rules about row and column access Not enforced for RI, CHECK, or UNIQUE CONSTRAINT Preserve data integrity Require secure triggers CREATE or ALTER TRIGGER with the SECURED option Managed by SECADM or new privilege CREATE_SECURE_OBJECT Rebind trigger packages implicitly after ALTER TRIGGER Require secure UDFs Referenced in the row permission and column mask definition CREATE or ALTER TRIGGER with the SECURED option Managed by SECADM or new privilege CREATE_SECURE_OBJECT Populate access control information in EXPLAIN tables Can activate access control on EXPLAIN tables No support for MQT and set operations 28
  • 30. DB2 10 for z/OS Security Enhancements Help Satisfy Your Auditors using new features New granular authorities to reduce data exposure for administrators New auditing features using new audit policies comply with new laws New row and column access table controls to safe guard your data Questions ? 29
  • 31. DB2 Security updates PM26966 – System DBADM updates PM28296 – Secure audit policy trace support – Prevent privileged users from stopping audit traces – No implicit system privileges for DBADM PM30394 – IFCID 361 support for commands PM32217 – SQLCODE +4726 updates to provide granular information Connection security PM17665 – DB2 server authentication behavior change for DB2 for z/OS requestor clients PM37300 – Provides option for private protocol like authentication behavior for DB2 for z/OS clients PM43292 – Allows RACF protected userids to be PASSTICKET authenticated 30
  • 32. DB2 / RACF Access Control Authorization Exit updates RACF APARs PM02054 - Authorization cache support. XAPLUCHK implicit ownership check for the object is suppressed when caching is enabled. PM17673 – View resource name updates for INSERT, UPDATE, and DELETE operations. The first resource that RACF checks is: db2-subsystem.table-qualifier.table-name.view- qualifier.view-name.privilege DB2 APARs PM95112 (V9), PM02841 (V8) – View updates for exit PK92315, PM05218, PM25115 - Authorization cache changes for exit. DB2 checks and caches the primary authorization ID, if a role is not in effect. PM27835 - Provides the capability for IMS to communicate ACEE to DB2 for RACF authorization. PM28543 – System DBADM updates using the exit 31
  • 33. References • Security Functions of IBM DB2 10 for z/OS (SG24-7959-00) http://www.redbooks.ibm.com • DB2 10 for z/OS Technical Overview (SG24-7892-00) http://www.redbooks.ibm.com • DB2 10 for z/OS Administration Guide (SC19-2968-02) http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/topic/com.ibm.db2z10.doc.admin/src/admin/db2z _admin.htm • DB2 10 for z/OS RACF Access Control Module Guide (SC19-2982-02) http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/topic/com.ibm.db2z10.doc.racf/src/racf/db2z_racf. htm • DB2 V10: A new standard in data protection, by Mark Nelson, Randy Love, Gayathiri Chandran, zJournal, February 2011 http://publibz.boulder.ibm.com/zoslib/pdf/EOZ2N1C0.pdf • DB2 9 for z/OS: Configuring SSL for Secure Client-Server communications - Red paper http://www.redbooks.ibm.com/abstracts/redp4630.html?Open • DB2 for z/OS Information Center http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp 32
  • 34. Useful DB2 for z/OS URLs • DB2 10 Launch Website http://bit.ly/DB210Launch • DB2 for z/OS Website http://www-01.ibm.com/software/data/db2/zos/ • DB2 Product Library http://www.ibm.com/software/data/db2/zos/library.html • DB2 Newsletter http://www.ibm.com/vrm/newsletter/11065 • Latest Whitepapers – Business Value of DB2 10 – Julian Stuhler – A Matter of Time: Temporal Data Management – Why DB2 for z/OS is BETTER than Oracle RAC ? • DB2 for z/OS e-Kit • Upcoming Conferences/Events http://bit.ly/DB210e-Kit – IDUG DB2 Tech Conference AG Denver - 14th -16th May 2012 – IDUG 10 Migration Planning Workshop Denver - 13th May 2012 33
  • 35. Top DB2 for z/OS e-Communities World of DB2 for z/OS - 1700+ members http://db2forzos.ning.com/ http://linkd.in/IBMDB210 DB2 10 LinkedIn - 1000+ members DB2 for z/OS What’s On LinkedIn – 2000+ members http://linkd.in/kd05LH http://www.youtube.com/user/IBMDB2forzOS DB2 for z/OS YouTube WW IDUG LinkedIn Group - 2000 +members http://linkd.in/IDUGLinkedIn http://www.ibm.com/developerworks/data/community/ IBM DeveloperWorks 34
  • 36. DB2 10 is Here ! Customers seeing reduced costs, simplified workloads through proven technology Reduced Costs Simplified Workloads Proven Technology “Based on the performance metrics from our “With DB2 10 able to handle 5-10 times as “Every single SQL statement we have controlled test environment, we see a significant many threads as the previous version, the tested has been better or the same as amount of CPU and Elapsed time savings. This upgrade will immediately give the bank some our current optimal paths – we have release has many features that will help bring down much-needed room for future workload growth yet to see any significant access path our operating costs.” while simultaneously reducing their data regression. We had to spend a lot of sharing overhead.” time tuning SQL with DB2 9, but we expect that to disappear when we upgrade to DB2 10.” Paulo Sahadi - Senior Production Manager, Philipp Nowak, Morgan Stanley DB2 Team Information Management Division at Banco do Brasil BMW DB2 Product Manager “We are particularly interested in the performance “The new temporal functionality in DB2 10 for The new audit capabilities in DB2 10 improvements due to the potential CPU reductions z/OS will allow us to drastically simplify our will allow tables to be audited as soon that we realized during our DB2 10 Beta testing. date-related queries. In addition, we’ll be able as they are created, which is an obvious Our early testing has shown out-of-the-box to reduce our storage costs by using cheaper benefit for the business and will reduce processing cost reductions of between 5% - 10% storage for inactive rows and reduce our costs and simplify our processes” and for some workloads as high as 30%. Potential processing cost by having DB2 handle data cost savings of this magnitude cannot be ignored movement more efficiently than the custom given today’s business climate.” code we’ve written to do the same work in the Guenter Schinkel -Postbank Systems AG past” Large Insurance Company Large Global Bank For more customer references visit : http://www.ibm.com/software/data/db2/zos/testimonials.html 35 35
  • 37. Thank You! Your Feedback is Important to Us • Visit Us at www.ibm.com/software/data/db2/db210 36 36