Encryption for Data at Rest
Native encryption assists organizations to meet organizational and regulatory requirements to protect sensitive data by providing native encryption capabilities that encrypt data at rest for the entire database, including backup images. Deployment of native encryption ensures that sensitive data is encrypted and secured at all times, is simple to enable, transparent to the applications accessing the data, and applied to backups as well. DB2's Native Encryption meets the requirements of NIST SP 800-131 compliant cryptographic algorithms and utilizes FIPS 140-2 certified cryptographic libraries.
Encryption for Data in Transit
You can prevent hackers from seeing your data while it's being transmitted through the network using the DB2 Secure Socket Layer (SSL) capability. The DB2 SSL capability encrypts all your database traffic including your authentication credentials. The DB2 SSL feature utilizes FIPS 140-2 certified cryptographic libraries and meets the NIST SP 800 – 131 requirements.
Before attaching to a DB2 instance, or connecting to a DB2 database, users must authenticate. Authentication is the process of validating that users are who they claim to be. You can configure DB2 to authenticate users via the operating system, via a Lightweight Directory Access Protocol (LDAP) server, or via Kerberos. Additionally, DB2 supports custom authentication plug-ins, so you have the flexibility to configure DB2 to more closely match your specific authentication needs.
After a user is authenticated, DB2 performs an authorization check. Authorization is the process where the DB2 database manager verifies that a user is authorized to perform certain operations on specific data or resources. Users can be granted specific privileges to a given data resource or be given pre-defined roles known as authorities. DB2 also allows you to create your own database roles to bundle several privileges together so you can grant them at once to a user or group.
Trusted contexts provide a way to build faster and more secure three-tier applications. Trusted contexts address many security concerns in the three-tier application model, such as loss of user's identity, user accountability, and the granting of unnecessary privileges to access certain information. Under DB2 trusted contexts, the user's identity is sent to DB2 within a trusted connection for audit and authorization purposes. Additionally, trusted contexts allow you to control when certain users can exercise the privileges granted to them. For example, you may use trusted contexts to limit a user to connecting to the database from certain IP addresses.
Row and Column Access Control
DB2 includes Row and Column Access Control for fine-grained security. You can use Row and Column Access Control to restrict the rows and mask the columns that a user sees. The access control is transparent to users; they are not aware of the existence of the unauthorized rows.
DB2 includes an audit facility that allows you to monitor data access and provides information needed for subsequent analysis. Auditing can help discover unwanted, unknown, and unacceptable access to the data as well as keep history records of the activities on the database system.
Label-Based Access Control
Label Based Access Control (LBAC) provides multi-level security for managing classified data. Once the LBAC rules have been defined, data access control is managed by DB2 and is completely transparent to the user.