In-Depth

DB2 Security with All the Trimmings

• 02/01/1999

At a major New England-area insurance provider, a database engineer who asked not to be identified in this article, describes the management of security for her mainframe databases as "a nearly-impossible, labor-intensive task - if all we had to use were IBM's own security administration utilities."

She reports that her company has over 600 IBM DB2 databases running in 13 LPARs across eight mainframes distributed across two, geographically separate data centers.

"About 8,000 end users at the company have controlled access to the literally hundreds of volumes of DB2 data on systems which we are migrating to DB2 version 5.1. We are also in the process of migrating from [IBM] MVS to the OS/390 operating system to achieve Year 2000 compliance," says the engineer.

"While IBM did a great job with DB2, its security administration tools are inadequate to keep up with the changes that occur in our environment on an almost daily basis: changes in user access, the maintenance of object security and the securing of access to new transactions. Our database administrators (DBAs) would be spending all of their time just doing security work if all we had were DB2's own security utilities. It is just not an option not to have a second [security] administration package for DB2."

To enhance the security administration capabilities delivered with IBM DB2, the engineer reports that her company uses RC/Secure from Platinum Technology Inc. (Oakbrook Terrace, IL). With RC/Secure, she says, "We can let our security administration personnel do the busywork of [granting and revoking access to DB2 database objects], while letting the DBAs focus on the intelligence work of database design. Platinum's product provides for cleaner security operations and productivity improvements over native DB2 security applications."

In DB2's defense, the engineer concedes that her company has not looked closely at any changes in DB2 security delivered with the new version of the IBM database. Platinum's RC/Secure has become a fixture at the company over a period of years and she has little incentive to change something that works.

IBM, which has delivered DB2 since its branding in 1994 to more than 11,000 organizations and more than 40 million end users worldwide, has been actively evolving the product from an MVS-only mainframe database to a universal data base, according to Hershel Harris, Director of Database Technology with IBM's Software Solutions Division.

Harris briefly recounts some watershed accomplishments in the development of DB2. "In 1994, we released an AIX and OS/2 version of the product. In 1995, we provided a parallel edition for data warehousing and a UNIX edition for Sun Microsystems and Hewlett-Packard. In 1997, we released the Universal Database (UDB) edition, adding object extensions, support for OLAP and OLTP applications and additional support for parallel databases that enabled data to be split across multiple nodes in a clustered environment. This year, we announced OS/390 DB2 UDB. Version 6, which should be available in 1999, extends the capability of UDB to understand objects. The family of products now runs across multiple operating environments, including NT, UNIX, OS/390, AIX and other flavors of UNIX. We are no longer a only mainframe product, but we are proud of our mainframe heritage."

Built around the relational database model, says Hershel, DB2 delivers "built-in security based on privileges." He explains that, for every user with a valid ID or group membership, DB2 DBAs can use the product's native security features to control what the user can do with the database objects.

"This goes beyond access. For every object and every user, specific privileges can be set up, including read, write, delete, update and run. The objects can be tables, views or procedures, and the privileges can be defined at a very granular level."

Hershel says that generic SQL data control language statements such as GRANT and REVOKE may be used readily to control object access. He adds that IBM will make available in Version 6 of the OS/390 DB2 UDB product a suite of Administrative Tools similar to those that already ship with distributed platform versions of the product, "We have in Version 5.2 [of our distributed systems product], an easy-to-use, NT-based Administration Tool that allows both graphical and Web-based administration of all distributed DB2 servers. This tool set is being added to [our OS/390 DB2 product] with its release in 1999."

Hershel is aware of the availability and use of third party products in conjunction with the IBM database, which he describes as "complimentary to the product."

"IBM encourages complimentary product development by other companies. In the area of DB2 security administration, there are probably a number of companies that deliver products to enhance the capabilities delivered with DB2. These tools may provide a graphical user interface to security administration using IBM's application programming interface. Some products emphasize enhanced query capabilities or enhanced reporting. Some try to integrate system level security with DB2. One company showed me a demonstration recently of an application that enabled speech recognition technology and its use with DB2 database security administration. In general, we are very supportive of these efforts."

Opportunities to enhance DB2 in a complimentary manner have been exploited by numerous companies, including Platinum Technology, according to Pete Peterson, Vice President for Database Administration Products at Platinum.

Peterson says that RC/Secure answers a need within companies to simplify the model for managing authority, "With DB2 version 5, IBM allows RACF or external security products to be used in administering security within DB2. It is not a very straightforward procedure and it is difficult to create application and user domains using IBM utilities. Companies can gain a lot of [security administration efficiency] if they had a simple way to pass a hierarchy of privileges from one user to another without having to redo everything."

RC/Secure, according to Peterson, is designed as a "management layer on top of DB2 - but not a run-time layer." He explains that changes made to security privileges may be applied on an ad hoc basis or in batch mode and suggests that the latter method continues to be preferred by security administrators. He adds that Platinum's RC/Query product also enhances DB2's query facilities and may be employed in connection with RC/Secure to verify updated objects within user and application domains.

Peterson anticipates a continuing demand for DB2 enhancement products despite IBM's claim that Version 6 will eliminate the need for certain types of enhancement products. Says Peterson, while IBM is trying to move toward a goal of a Universal Database to enable administration across platforms, "there are differences in the mainframe DB2 product that were put there to cater to the MVS folks and to capitalize on the characteristics of that platform that will continue to impede this goal."

Mark Combs agrees that IBM opened doors to third parties with version 5 of its DB2 implementation on MVS. Combs, who is Senior Vice President for Research and Development with Computer Associates (CA) in Islandia, NY, sees the opportunity created less in terms of enhancing DB2 than as an opportunity to replace RACF with either ACF2 or Top Secret - both CA mainframe security management products.

"Companies need to move to real, rules-based security - that is, a situation in which business rules determine access. Today, in many mainframe environments, about 75 percent of the rules are controlled by system management products such as CA-ACF2, CA-Top Secret or RACF from IBM. Another 25 percent are actually established or enforced using much less robust SQL database security capabilities in products like DB2. What is needed is an integrated management infrastructure that enable centralized, rules-based security across the entire environment and that provide administrative tools on the mainframe, as well as graphical user interface-based tools on the desktop," says Combs.

The CA approach, as outlined in the company's CA-Top Secret and CA-ACF2 Product Road Maps, is to secure the OS/390 environment using CA security management products, while extending their "robust, integrated security capabilities" to widely-used mainframe products, such as DB2, that "are not integrated or capable of fully using external security managers." According to the Product Road Maps, IBM's decision to make available "an exit point, with sample code, to enable an external security manager to handle some of the DB2 security functions" opened the door for third-party vendors to deliver an out-of-the-box solutions. In essence, by selecting one of CA's "external security management products," customers would be able to achieve comprehensive security management at both the operating system and sub-system level (DB2) within the mainframe. Moreover, hooks between the CA mainframe security management products and CA's enterprise management solution, UnicenterTNG, ultimately enable the centralized management of security throughout the distributed environment. The one capability absent from this solution, according to Combs, is support for IBM's competitive mainframe security manager, RACF.

If centralized security management is the goal for an IBM customer, responds Jeff Jones, Program Manager for Data Management Marketing within IBM's Software Solutions organization, IBM has a solution - and is building more. Says Jones, "OS/390, RACF and DB2 are tightly wrapped together. They are designed for integration, to fit hand in glove. You would be walking away from that if you take out RACF and go to a CA solution."

Jones points out that IBM's enterprise management framework product, Tivoli TME 10, supports the consolidated management of both RACF and mainframe DB2 security, "Tivoli is becoming the central management console. The DB2 Database Management Module for TME 10 was spun off from our management group and lets you administer the security of DB2 databases wherever they are deployed in the enterprise. We also have the DB2 Control Center and the Web Control Center for those who don't want to do TME 10."

Jones concedes that IBM's security administration utilities provided with DB2 "are not the fanciest in the world, but they do the job." He believes that many complimentary products available to enhance DB2 security administration are simply "productized" versions of facilities that a dedicated DBA could develop using DB2 SQL commands and administration tools. However, he insists, security administration facilities, like other tools for database administration, are being enhanced on an ongoing basis by IBM itself.

"There is great movement toward centralizing DB2 administration generally both on mainframes and across the enterprise," remarks Jones. IBM is working to drive out SQL differences between implementations it has made of DB2 on different platforms. DB2 for the mainframe will always be functionally distinct from other implementations - roughly 90 percent of the code is the same; 10 percent is different to exploit the capabilities of host platforms. However, we are pushing for commonality from an application development point of view."

That, says Jones, is ultimately an enabler of centralized DB2 security administration for every platform in the enterprise where the Universal Data Base is installed. In the meantime, both complimentary and competing products by third-party vendors will continue to find use in organizations seeking a more efficient use of DBA time.