IBM DB2 database security, risks and controls are discussed below from an IT auditor’s view. This area is especially relevant due to the persistent attacks on DB2 and other commercial databases resulting in the disclosure of huge amounts of confidential data.

IT audits are planned with an understanding of the risks around the technology and the controls that are expected to be in place. The controls are then tested to determine their effectiveness. This risk and control approach is fundamental to IT auditing and critical to effective security.

Below we will discuss the most critical DB2 risks and controls taken from different sources of DB2 security best practices. Overall, there is substantial agreement on database security and the underlying risks and controls that are used in an audit of DB2.

One source of valuable guidance is an article in the IBM Technical Library titled ‘12 DB2 Security Best Practices’. Another excellent reference in this area is a white paper titled ‘Top Ten Database Security Threats’ published by the well-respected industry vendor Imperva. Both sources are applicable to any DB2 environment, provide valuable guidance to IT auditors in their reviews of DB2, and are highly recommended to database administrators for use in their organizations.

The following discussion is based on these articles, correlated with our professional experience auditing DB2 databases. Without going through every risk and control, we will highlight some major themes in DB2 security.

DB2 Risks. Threats and vulnerabilities are the main components of risk. DB2 threats relate to unauthorized user access, faulty authentication and misuse of privileges. Network threats come from the potential for denial of service attacks directed at a database. One of the most serious threats is SQL injection, which correlates to the annual SANS Top Cyber Security Risks.

Vulnerabilities in a DB2 database environment relate to the host operating system and the network configuration. Although these vulnerabilities are not found in the database itself, the direct impact on a database could be quite serious. By addressing the risks discussed above, an organization can get reasonable assurance that security and compliance requirements are met even in highly regulated industries.

DB2 Database Security, Risk and Control: An IT Auditor's View

DB2 controls. The IBM and Imperva sources refer to critical DB2 controls. Remember that risks are mitigated or reduced with specific controls.

DB2 controls are related directly or indirectly to the risks discussed above. Specific controls are necessary to secure user access, authentication and privileges. Other controls should be implemented to prevent SQL injection.

Current DB2 FixPaks should be maintained to ensure that bug fixes and performance enhancements are installed. Another control is the performance of a random security audit that consists of analyzing access patterns in database audit logs for events such as user validation, authorization checking and system administration.
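The audit-log review described above can be sketched as follows. This is an added example, not code from the article or from IBM; the record layout, event names, user names, status values and thresholds are constructed assumptions, and only the three category names follow the event types listed in the text.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample records in a simplified layout (an assumption, not the
# real audit extract format): timestamp, category, user, event, status.
# In this sample a status of 0 means success and a negative value a failure.
SAMPLE = """\
2024-03-04T09:12:01,VALIDATE,appsvc,AUTHENTICATION,0
2024-03-04T09:13:10,VALIDATE,jdoe,AUTHENTICATION,-30082
2024-03-04T09:13:14,VALIDATE,jdoe,AUTHENTICATION,-30082
2024-03-04T09:13:19,VALIDATE,jdoe,AUTHENTICATION,-30082
2024-03-04T10:40:02,CHECKING,rsmith,SELECT PAYROLL.SALARY,-551
2024-03-04T10:41:30,CHECKING,rsmith,SELECT PAYROLL.SALARY,-551
2024-03-04T14:05:44,SYSADMIN,dbadmin,UPDATE_DBM_CFG,0
2024-03-05T02:17:09,SYSADMIN,dbadmin,STOP_DB2,0
"""

def review(text, fail_threshold=3, business_hours=(7, 19)):
    """Summarise the three event types an auditor samples from the log."""
    failed_validation, denials, off_hours = Counter(), Counter(), []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the extract
        ts, category, user, event, status = row
        failed = int(status) < 0
        hour = datetime.fromisoformat(ts).hour
        if category == "VALIDATE" and failed:
            failed_validation[user] += 1      # user validation failures
        elif category == "CHECKING" and failed:
            denials[user] += 1                # authorization checks denied
        elif category == "SYSADMIN":
            # administrative actions outside the agreed change window
            if not business_hours[0] <= hour < business_hours[1]:
                off_hours.append((ts, user, event))
    return {
        "repeated_failed_validation": {
            u: n for u, n in failed_validation.items() if n >= fail_threshold
        },
        "authorization_denials": dict(denials),
        "off_hours_sysadmin": off_hours,
    }

if __name__ == "__main__":
    for finding, detail in review(SAMPLE).items():
        print(finding, detail)
```

Each finding is a lead for follow-up with the database administrator, not a conclusion in itself.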

Common Themes of DB2 Security. There is some degree of consensus in DB2 security, risk and control. It is clearly worthwhile for an organization to understand the risks around DB2 and to implement the appropriate controls in maintaining a secure DB2 environment.