Blog
DB2utor

Advertisement

Links

General DB2 sites:
Troy L. Coleman
DB2USA
DB2 Pod Cast
Interesting DB2 Sites

Blogs:
EXEC I/O Mainframe
Craig Mullins: DB2 Portal Blog
Willie Favero: Getting the Most out of DB2 for z/OS and System z
Chris Eaton: An Expert’s Guide to DB2 Technology

Education Library:
DB2 V9.1 for z/OS Library
FTP Directory of IBM Presentations

User Groups:
DB2 International User Group
Midwest Database User Group (Chicago)

Development Leading Edge:
DB2 purXML
Developer Works
Alpha Works

General Mainframe sites:
CA
IBM Mainframe
IBM Destination z

« The Benefits of Sharing Your DB2 Know-How | Main | Coming Soon: Masked Data »

September 29, 2009

Curtailing the SYSADM Privilege

For years I worked as a consultant for numerous companies. While managing databases supporting banks and health insurers, I had full access to sensitive production data. I could view financial data about my neighbors and friends. I could see personal health information about myself and others. I've also had access to my co-workers' payroll data.

Access to private information comes with the territory for DBAs. And while I've never taken advantage of this access- and I've never heard of another DBA doing so--I can see how it could happen. The openings are there, and it's easy to imagine a disgruntled employee, or someone facing a financial crisis and desperate for money, taking advantage of their access.

Having access to the data stored in DB2 tables has been inherent with the DB2 system administration SYSADM privilege. However, IBM will address this issue in the next release of DB2 (DB2 X for z/OS) by removing data access from the SYSADM privilege. This is a positive change that will help strengthen security in production environments. However, it does not address the issue of copying data to test, where everyone can see it.

And that's the point. IBM is always working to secure the systems it produces and sells, but companies still have much to do on their own. Hopefully your company already "de-identifies," or masks, sensitive data before copying it to test. But if not, there's a DB2 X for z/OS feature that you should know about. I'll cover this soon.

Posted at 07:35 AM in Database Administration, DB2, IBM, z/OS |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83545a5d153ef0120a59e660a970b

Listed below are links to weblogs that reference Curtailing the SYSADM Privilege:

Comments

www.facebook.com/profile.php?id=1590840490

Very interesting... This may make management feel better, but if I'm a DBA with the ability to do an image copy, DSN1COPY, REORG, etc then I'm pretty sure I can find a way to read the underlying data. It may make it more difficult, but a determined SYSADM with the authority that he/she needs to do their job will probably be able to find a way to read data. I think we'd be more productive finding creative ways to audit what a DBA does rather than take away privileges that are sometimes essential to doing the job.

Posted by: www.facebook.com/profile.php?id=1590840490 | September 29, 2009 at 09:46 PM

Troy Coleman

Sorry David but IBM has just been listening to it's customers. This has been a complaint with upper management and auditors for years. As for reading the underlying data sets that is another issue that is being address. You will have encryption on data at rest. Solutions are coming that are making this possible. That is a discussion for another day :-)

Posted by: Troy Coleman | September 30, 2009 at 03:56 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.