* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download A Locksmith's Guide to SoD
Survey
Document related concepts
Transcript
A Locksmith’s Approach to Separation of Duties (SoD) Presented by: Rebecca Bond a.k.a. DB2Locksmith [email protected] Phone: 434-322-0070 What is SoD? According to the SANS Institute of Technology: “Separation of duties is a classic security principle to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual. Fraud will still occur if there is collusion. To properly identify separation of duties issues, you will first need to create an information flow diagram for every function within each area of the organization. ” Why Are DBAs Involved Now? DBAs should have always been involved in enforcing appropriate SoD, but the ability to do so had been limited, not just in DB2, but in most database products. With breaches increasing, fraud on the rise and concerns about data loss, implementing SoD for databases is a logical step toward enhancing security. Separation of Duties (SoD) Supports the security concept of Least Privilege Separation of Duties serves to lessen risk by dividing the work and re-assigning some of the “power” For example, do your DBAs really need to query user data to do their job? If not, why continue to allow them to have access? What about security tasks? Should these all reside within the control of one individual or group? With DB2 9.7, SoD can be used to reduce these risks and make sense of the term “Least Privilege” History BEFORE: • SYSADM authority included the ability to configure, start, stop, prune or extract any audit data as well as the ability to access and manipulate data for any database in that instance. • DBADM authority, the highest database authority, conferred the ability to access data. • Even though it might not have been wise or necessary, many shops allowed DBAs to hold SYSADM (which also implicitly conferred DBADM) just to make sure anyone on the DBA team could do anything they might possibly need to do in the day-to-day performance of their tasks. In Rides the SECADM • Beginning in DB2 9.1, a new security functional job designation was introduced, that of the Security Administrator (SECADM) for the database. • With DB2 9.7, the SECADM tasks are intensified and Separation of Duties abilities are specifically introduced. Current Day • The SYSADMs no longer implicitly get DBADM authority, which means they don’t automatically get data access. • DBADM, has changed significantly in a manner that tracks well to SoD security concepts and practices. • New options in the “grant DBADM…” statement can be specified to prevent those who hold DBADM authority from also having the ability to access database user data in user defined tables (DATAACCESS) or perform grants and revokes (ACCESSCTRL). • The specific SoD benefit, depending on how the DBADM authority is granted in a DB2 9.7 database, is that holders of that authority do not necessarily acquire the ability to access user data or to perform grants/revokes. With DB2 9.7, the SECADM functional role has been separated from the DBADM functional role and the two no longer need to overlap in order to complete security tasks. • There are also some new and re-defined authorities. Some were carved out from DBADM authority. Whether new or re-vamped, all of them lend themselves to the Separation of Duties approach to task delegation including: • DATAACCESS conveys: – LOAD authority – SELECT, INSERT, UPDATE, DELETE privileges on tables, views, MQTs and nicknames – EXECUTE on packages and routines (except audit routines) • ACCESSCTRL authority – Gives the ability to grant/revoke database privileges • EXPLAIN authority – Allows the holder to EXPLAIN, PREPARE and DESCRIBE SQL statements. (Note: This authority does not include explicit ability to execute the SQL.) • WLMADM authority – Allows management of workload objects for the database. • SQLADM authority – Ability to manage event monitors – Ability to manage package and optimization caches – Also conveys EXPLAIN authority (see above) • DATAACCESS and ACCESSCTRL authorities will be granted to ids that currently hold DBADM. • DBADM, DATAACCESS, and ACCESSCTRL are granted to the SYSADM GROUP. • If migrating from a version of DB2 prior to 9.1, or a database that does not have a SECADM authority assigned, then, by default, the SECADM authority for the migrated database will be granted to the user id performing the migration. Limiting the DBAs Do you really want DBADMS to have it all? Who holds DBADM? It’s a good idea to check. You might be surprised. Determine what authority “must” be held by each specific DBA and assign only that and nothing more. > > > Reducing authority does not imply mistrust < < < Don’t “over” grant. It’s not wise and not necessary Grant ACCESSCTRL and DATAACCESS authority separately Only Grant DBADM ….. without ACCESSCTRL and DATAACCESS Do DBAs Really Need It All? In the past, DBADM authority was granted to DBAs because there was no other appropriate High Level Authority. With DB2 9.7, the SECADM can Grant DBADM without also granting DATAACCESS or ACCESSCTRL Who is that DBADM Dude? #1) What are the AUTHIDs on the database and what are their AUTHIDTYPES? SELECT char(AUTHID,35) as AUTHID, CASE AUTHIDTYPE when 'U' then 'USER' when 'G' then 'GROUP' when 'R' then 'ROLE' ELSE 'ERROR' END as AUTHIDTYPE from SYSIBMADM.AUTHORIZATIONIDS #2) What authorizations have been granted to those ids? For Example….To see what authorizations the USER, LOCKSMITH, has been granted, you could run: SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('LOCKSMITH', 'U') ) AS T ORDER BY AUTHORITY #3) What ids have had DBADM granted to them via Direct Grants? SELECT DISTINCT GRANTEE, GRANTEETYPE FROM SYSCAT.DBAUTH WHERE DBADMAUTH = 'Y' • • • • • • • • • • DBADMs can: Create, alter, and drop non-security DB objects Read log files Work with event monitors (create, alter, drop) Query tablespace states Update log history files Quiesce a tablespace Reorganize tables Runstats on catalog SQLADM authority and WLMADM authority are subsets of the DBADM authority. (WLMADM authority has the ability to grant USAGE on workloads.) DB2 9.7 DBADM • Cannot be granted to PUBLIC • Can only be granted or revoked by the SECADM • Can be granted to a user, a group, or a role. Grant it Right Write Rite In DB2 9.7, the GRANT DBADM statement is more robust $> db2 “grant DBADM on database to db2locksmith” statement still works, and it implicitly includes DATAACCESS and ACCESSCTRL authority. But thinking about Least Privilege, I can instead use: $> db2 "grant dbadm without accessctrl without dataaccess on database to db2locksmith” I want to take some authority back $> db2 revoke dbadm on database from locksmith $> db2 "SELECT char(AUTHORITY,35) AUTHORITY, D_USER FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('LOCKSMITH', 'U') ) AS T where AUTHORITY in ('ACCESSCTRL','DATAACCESS','DBADM') ORDER BY AUTHORITY" AUTHORITY ----------------------------------ACCESSCTRL DATAACCESS DBADM D_USER -----Y Y N $> db2 "REVOKE ACCESSCTRL, DATAACCESS ON DATABASE FROM locksmith" My authority or yours? Some GREAT Aids for achieving Least Privilege: SQLADM A Subset of DBADM Lets others Monitor & Tune SQL Statements This Authority includes EXPLAIN authority Gives authority to do all tasks surrounding tuning, even runstats/reorgs WLMADM Allows the holder to create, alter, drop, comment on, and grant and revoke access to workload manager objects. Also provides execute auth for the system defined Workload Management routines. Can be granted by the SECADM or someone who holds ACCESSCTRL authority. Can be granted to a user, a group, a role, or to PUBLIC (I would not suggest you grant to Public) Explain it What you can say to Developers and Testers: “EXPLAIN yourself” The EXPLAIN authority level provides administrative authority to explain query plans without gaining access to data. EXPLAIN is also granted as part of the SQLADM authority Locksmith’s Corp The Locksmith Says: Starting with SYSADM • Assigned via Group Membership • One of the DBAs (DBA1) will need to hold SYSADM. • db2 "update dbm cfg using SYSADM_GROUP SGURU_Grp” (DBA1 is a member of that group). Note: Windows -- LocalSystem account is considered a SYSADM if DBM sysadm_group is not specified. db2 "select char(grantee,30) grantee from syscat.dbauth where securityadmauth = 'Y'" GRANTEE -----------------------------LOCKSMITH A BUSY SECADM DBA2 is a top DBA. She does not perform grants or revokes and does not need to query data. She needs: • Create, alter, and drop non-security DB objects • Read log files • To work with event monitors (create, alter, drop) • Query tablespace states • Update log history files • Quiesce a tablespace • Reorganize tables & Runstats on Catalog DBA2’s Authority db2 connect to mydb user locksmith db2 create role topdba db2 grant dbadm without dataaccess without accessctrl on database to role topdba db2 grant role topdba to DBA2 Busy DBAs To keep development going, some DBAs need to have the ability to grant/revoke. They also need to be able to do all SQL tuning tasks and peform reorgs/runstats. db2 create role appdb db2 grant accessctrl, sqladm on database to role appdb Busy Developers Developers probably should not be working in production, but even Dev and Test environments should have security controls. If nothing else, enforcing LEAST PRIVILEGE can save some unintended consequences…like updates to an incorrect table. Protect Developers & Yourself! db2 create role devusr db2 create role devtbls db2 create role devexpln What now? db2 grant connect on database to role devusr db2 grant select, insert on locksmith.employee to role devtbls db2 grant select on locksmith.sales to role devtbls db2 grant select on syscat.tables to role devtbls db2 grant explain on database to role devexpln db2 grant role devusr, devtbls, devexpln to Fred db2 grant role devusr, devtbls to Rebecca Possibilities ? As you can see, you can get very granular with your approach separation of duties. Using Roles, you could do things like: Create Separate Roles for: Explain Accessctrl Dataaccess And then grant only what is needed Over Granting Time for the Breakup! There is so much granularity available, there is really no need to over grant. And the ability to use Roles means that you have a Plug and Play Approach Roles can be Granted to form a Role Hierarchy Revoking is so much easier when you use Roles as well. The Benefit The ability to use these new features of DB2 9.7, especially when coupled with the use of Roles that were introduced in DB2 9.5, allows a better match between job responsibilities and database access. The granularity is significant and allows fine grained control. Use it to your advantage. A Locksmith’s Approach to Separation of Duties (SoD) Rebecca Bond, CISSP A.K.A. DB2Locksmith 434-DB2-0070 [email protected]