I'm not sure how any system could pro-actively deal with stolen credentials. An earlier post discussed that the application should (at minimum) log one access per request, where a request might retrieve hundreds of records from the database. This one record should be sufficient to identify the profile that was used to access the database. This is a passive control, meaning that it has no value until someone finally figures out that their login credentials have been stolen. Then they can go back and identify what was accessed....
Now, if you have secured the data from all regular users, and the only way to access this data is to use your programs (which adopt authority), and your application logs all access to the database, and you audit the activities of your *ALLOBJ users, then I'm not sure what else you want to accomplish. Loggin is just a CYA activity.
Note: stolen access credentials could potentially be reduced by issuing RSA key-pin generators, along with a user specified pin value AND their login credentials... This is how some VPN appliances work, and it seems quite secure compared to just Profile/password credentials. I would think this *could* be handled when logging in to Active Directory, then using SSO (Kerberos) to authenticate to i5.
Eric
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Mike Cunningham
Sent: Thursday, August 21, 2008 10:21 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: DB2/400 logging of read only access
All true and that is how we are setup but security today needs to be multi-layered and not rely on any one method. This would just be another method to monitor that the other one is working. We do lock down ODBC and JDBC and only allow access when needed but what if that userid/password get compromised and someone make their own connection or if one the allobj IT employees is the one poking around where they don't belong. And even with all of the standard security features in place how do you prove to a 3rd party that no one did read the data?
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DeLong, Eric
Sent: Thursday, August 21, 2008 10:26 AM
To: Midrange Systems Technical Discussion
Subject: RE: DB2/400 logging of read only access
Mike,
Why would your users be allowed to access data thorough any means other than your applications? For something like this, just secure the he!! out of the database, so that the default rule for access is "DENIED"! Adopt authority in your apps to get access to the data. If the users absolutely *HAVE* to download a file from the production database, then use an exit point security product to "ALLOW" this user to acquire the authority needed to access the file.
Now that your database is secure (from everyone EXCEPT *ALLOBJ users) you have a much better chance of proving your access audit data, without needing the read-trigger overhead.
JMO,
Eric DeLong
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Mike Cunningham
Sent: Wednesday, August 20, 2008 9:01 PM
To: Midrange Systems Technical Discussion
Subject: RE: DB2/400 logging of read only access
True on HIPPA rules but the only way to do that would be at an application level and if someone were to access all the same records using DFU and construct up the patients record with cut and paste operations you would not get that access recorded.
Since we are not covered by HIPPA I was actually thinking of enhancing the protection of some data elements like SSN and credit card numbers which I encrypt but would still like to be able to tell who read any file that has any of this type of data. I was thinking of moving this data to a file with only this data and journaling everything that accesses it so even if someone were to gain access (odbc, jdbc, dfu, etc, etc, etc) I know the db is recording everything. A trigger might work fine for this since the file is not accessed often and the overhead of the trigger processing would not be that great. I could also do some scans against the journals looking for activity I do not expect (ignore anything logged from one of our applications that are allowed to use the data) and send myself an alert
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich
Sent: Wednesday, August 20, 2008 6:32 PM
To: Midrange Systems Technical Discussion
Subject: RE: DB2/400 logging of read only access
We are not covered by HIPPA regulations but if we were would
be adding this to our own applications be the only way to
record record level access?
There are also read-triggers. Just like other update triggers, these are
database-level things that you can't get around. However, they're a
performance PIG!
Also, there's nothing in the HIPPA regs that require you to record read
access to every single record. You need to record access to
medical-records, not database-records. For example, if reviewing a
single "medical-record" results in 1 read to the patient table, 2 reads
to the address table (home/office), 5 reads to the phone table
(office/cell/home/emergency/other), 22 reads to the procedure table, 19
reads to the sub-procedure table, and 211 reads to the charges table,
you only have to record 1 access, not 261.
-Walden
--
Walden H Leverich III
Tech Software
(516) 627-3800 x3051
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com
Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.