DB2 Security

Secure data. Peace of mind.

DB2 Security - Protecting your data and complying with regulatory requirements

Authentication

Before attaching to a DB2 instance, or connecting to a DB2 database, users must authenticate. Authentication is the process of validating the user ID and password. DB2 provides a set of default security plug-ins that perform user ID and password authentication, group membership lookup, Kerberos authentication, and LDAP authentication. If you decide not to use the default plug-ins, you have the flexibility to develop your own, or to use third-party loadable plug-in libraries, to fit your business needs.

Authorization

After a user is authenticated, DB2 performs an authorization check. Authorization is the process by which the DB2 database manager verifies that a user is permitted to perform certain operations on specific data or resources. Users can be granted specific privileges on a given data resource, or be given pre-defined sets of privileges known as authorities. DB2 also allows you to create your own database roles to bundle several privileges together, so that you can grant them all at once to a user or group.

Trusted contexts

Trusted contexts provide a way to build faster and more secure three-tier applications. Trusted contexts address many security concerns in the three-tier application model, such as loss of the end user's identity, lack of user accountability, and the granting of unnecessary privileges to the middle tier in order to access certain information. Under DB2 trusted contexts, the user's identity is sent to DB2 within a trusted connection and is used for audit and authorization purposes.

Auditing

DB2 includes an audit facility that allows you to monitor data access and provides the information needed for subsequent analysis. Auditing can help discover unwanted, unknown, and unacceptable access to the data, and also keeps a history of the activities performed on the database system.

Advanced Access Control Feature

Label Based Access Control (LBAC) gives you the granularity to manage access to your tables at the row level, the column level, or both. LBAC is configurable and can be tailored to match your particular security environment.

A security administrator can create security policies based on labels. A security policy describes the criteria that will be used to decide who has access to what data. One key advantage of using LBAC to protect sensitive data is that holding an administrative authority does not by itself grant access to the protected data.
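The following DB2 SQL is an added example of the LBAC setup described above, not code from the original page. It assumes a database where the statements are run by a user holding SECADM (required for the component, policy, label and label-grant statements) and the table privileges needed for the rest; the names hr.salaries, hr_policy, alice and bob are hypothetical.

```sql
-- Added example (not from the page): DB2 LBAC row- and column-level protection.
-- Names (hr.salaries, hr_policy, alice, bob) are hypothetical.

-- 1. A sensitivity scale. In an ARRAY component, a label grants read access to
--    its own element and to every element listed after it (lower sensitivity).
CREATE SECURITY LABEL COMPONENT sensitivity
  ARRAY ['RESTRICTED', 'INTERNAL', 'PUBLIC'];

-- 2. The security policy ties the component to DB2's built-in LBAC rules.
--    RESTRICT ... rejects writes whose row label the user is not allowed to write,
--    instead of silently substituting the user's own label.
CREATE SECURITY POLICY hr_policy
  COMPONENTS sensitivity
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- 3. One label per level, qualified by the policy name.
CREATE SECURITY LABEL hr_policy.restricted COMPONENT sensitivity 'RESTRICTED';
CREATE SECURITY LABEL hr_policy.internal   COMPONENT sensitivity 'INTERNAL';
CREATE SECURITY LABEL hr_policy.public     COMPONENT sensitivity 'PUBLIC';

-- 4. Row-level protection: the DB2SECURITYLABEL column stores each row's label.
--    Column-level protection: salary is readable only with a label that
--    dominates 'restricted'.
CREATE TABLE hr.salaries (
  emp_id    INTEGER NOT NULL,
  dept      VARCHAR(30),
  salary    DECIMAL(10,2) SECURED WITH restricted,
  row_label DB2SECURITYLABEL
) SECURITY POLICY hr_policy;

-- 5. Table privileges alone are not enough; users also need a security label.
GRANT SELECT, INSERT ON hr.salaries TO USER alice;
GRANT SELECT ON hr.salaries TO USER bob;
GRANT SECURITY LABEL hr_policy.restricted TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL hr_policy.internal   TO USER bob   FOR READ ACCESS;

-- 6. When alice omits row_label, the row takes her write label (RESTRICTED).
INSERT INTO hr.salaries (emp_id, dept, salary)
  VALUES (1001, 'Research', 98000.00);

-- Effect for bob: rows labelled RESTRICTED are silently filtered out of
--   SELECT emp_id, dept FROM hr.salaries;
-- and reading the protected column is rejected with an error:
--   SELECT salary FROM hr.salaries;
-- A DBADM without a label under hr_policy sees no rows and cannot read salary.
```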

Encryption

Using DB2's encryption mechanisms, you can prevent attackers from reading your data while it is transmitted over the network. DB2 supports encryption of the user ID, the password, and the data while in transit.

DB2 also supports external encryption using Secure Sockets Layer (SSL). This provides a secure tunnel, or envelope, for data sent between client and server, so that all communication can be encrypted.