Chapter 19: Further Reading
These resources extend the material covered in Chapter 19. They are organized by topic and annotated with guidance on when and why you would consult each one.
IBM Official Documentation
DB2 for LUW
- IBM Db2 Knowledge Center: Security (https://www.ibm.com/docs/en/db2/11.5?topic=security). The canonical reference for all DB2 for LUW security features. Start here when you need the precise syntax for any security-related SQL statement or configuration parameter.
- IBM Db2 Knowledge Center: Row and Column Access Control (https://www.ibm.com/docs/en/db2/11.5?topic=security-row-column-access-control). Detailed documentation on RCAC including CREATE PERMISSION, CREATE MASK, and the rules governing RCAC activation and evaluation order. Essential reading before implementing RCAC in production.
- IBM Db2 Knowledge Center: Audit Policies (https://www.ibm.com/docs/en/db2/11.5?topic=security-auditing). Comprehensive documentation on the db2audit utility, audit policy creation, audit categories, and audit data extraction. Includes examples of audit policy configurations for common compliance scenarios.
- IBM Db2 Knowledge Center: Trusted Contexts (https://www.ibm.com/docs/en/db2/11.5?topic=security-trusted-contexts). Documentation on trusted context creation, role switching, and security attributes. Critical reading for three-tier application architectures.
- IBM Db2 Knowledge Center: Native Encryption (https://www.ibm.com/docs/en/db2/11.5?topic=security-db2-native-encryption). Guide to configuring at-rest encryption, key management, keystore configuration, and encryption with external key managers.
DB2 for z/OS
- IBM Db2 for z/OS: Managing Security (https://www.ibm.com/docs/en/db2-for-zos). The z/OS security administration guide covering RACF integration, administrative authorities, privilege management, and LBAC. Consult this for z/OS-specific security features and DSNZPARM settings.
- IBM Db2 for z/OS: RACF Access Control Module. Detailed documentation on the DB2 RACF Access Control Module (DSNX@XAC), RACF class profiles for DB2 (DSNR, DSNADM), and the authorization exit.
IBM Redbooks
- DB2 11 for z/OS Security, IBM Redbook SG24-8329. A comprehensive Redbook focused entirely on DB2 for z/OS security. Covers RACF integration, multilevel security, LBAC, trusted contexts, and audit. Includes detailed examples and best practices from real customer implementations. Essential for z/OS DBAs.
- DB2 for z/OS and Row and Column Access Control, IBM Redbook SG24-8386. Deep dive into RCAC implementation on z/OS, including performance considerations, migration strategies from view-based security, and integration with existing RACF security models.
- Securing Db2 and Informix: A Practical Guide for DBAs, IBM Redbook SG24-8507. Practical guide covering both LUW and z/OS security features, with implementation scenarios, troubleshooting tips, and compliance checklists.
- IBM Db2 11.5 Encryption, IBM Redbook. Covers native encryption configuration, key management options, performance impact measurements, and integration with IBM Security Guardium Key Lifecycle Manager.
Security Frameworks and Compliance Standards
- PCI DSS v4.0: Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/). The definitive standard for protecting cardholder data. Read Requirements 3 (protect stored data), 7 (restrict access by need to know), 8 (identify and authenticate access), and 10 (track and monitor access) with DB2 implementation in mind.
- HIPAA Security Rule: 45 CFR Part 164 (https://www.hhs.gov/hipaa/for-professionals/security/). The HIPAA Security Rule defines administrative, physical, and technical safeguards for electronic protected health information (ePHI). Section 164.312 maps directly to DB2 security features (access controls, audit controls, integrity controls, transmission security).
- SOX Section 404: Internal Control over Financial Reporting. The Sarbanes-Oxley Act requirements for internal controls apply to any database storing financial data. Focus on separation of duties, change management audit trails, and access control documentation.
- GDPR: General Data Protection Regulation (https://gdpr-info.eu/). Articles 5 (principles), 25 (data protection by design), 32 (security of processing), and 17 (right to erasure) have direct implications for DB2 security design.
Books
- Securing DB2 on z/OS: An Enterprise Guide, by Yoav Eilat. The most comprehensive book on DB2 for z/OS security. Covers RACF integration, administrative authorities, privilege models, LBAC, and compliance. Written by an IBM security architect with deep practical experience.
- Database Security: Concepts, Approaches, and Challenges, by Elisa Bertino and Ravi Sandhu. An academic text that provides the theoretical foundation for database security models. Covers mandatory access control, discretionary access control, role-based access control, and label-based access control. Valuable for understanding the theory behind DB2's RCAC and LBAC implementations.
- SQL Antipatterns, by Bill Karwin. The chapter on SQL Injection (Antipattern #15) is essential reading for any developer writing applications that interact with DB2. Understanding SQL injection is necessary even though it is an application-level vulnerability: the DBA must understand it to design defense-in-depth controls.
Articles and Technical Papers
- Implementing Row and Column Access Control in DB2 (IBM developerWorks). A practical walkthrough of RCAC implementation with real-world examples. Includes performance benchmarks and best practices for permission design.
- DB2 Trusted Context: Enabling Enterprise Security for Three-Tier Applications (IBM Technical Paper). Detailed technical paper on trusted context implementation, including connection pooling considerations, role switching mechanics, and integration with application servers (WebSphere/Liberty, JBoss, etc.).
- Performance Implications of DB2 Security Features (IBM IDUG Conference Paper). Analysis of the performance impact of RCAC, audit policies, and encryption on DB2 workloads. Includes benchmark data and optimization strategies. Presented at the International DB2 Users Group conference.
Tools and Utilities
- IBM Security Guardium (https://www.ibm.com/security/data-security/guardium). Enterprise database security and compliance tool that integrates with DB2 for real-time monitoring, vulnerability assessment, and automated compliance reporting. Particularly useful for organizations managing multiple DB2 instances across z/OS and LUW.
- IBM Security Guardium Key Lifecycle Manager (GKLM). Centralized key management for DB2 native encryption. Manages encryption keys across multiple databases and platforms, supports key rotation, and provides audit trails for key operations.
- db2audit (DB2 for LUW utility). The built-in command-line utility for managing and extracting DB2 audit data on LUW. Part of the standard DB2 installation. Documented in the IBM Knowledge Center under Security > Auditing.
- DFSORT/ICETOOL (z/OS). z/OS utilities commonly used to extract and format SMF records, including DB2 audit records (SMF type 142). Essential for z/OS audit reporting when enterprise audit tools are not available.
Online Resources and Communities
- IDUG (International DB2 Users Group) (https://www.idug.org/). The primary professional community for DB2 practitioners. Annual conferences (North America and Europe) frequently include sessions on DB2 security, compliance, and audit. The online forums are a valuable resource for troubleshooting security configuration issues.
- IBM Support: DB2 Security Technotes (https://www.ibm.com/support/pages/db2). Search for security-related APARs, technotes, and known issues. Critical for staying current on security patches and vulnerabilities.
- NIST Cybersecurity Framework (https://www.nist.gov/cyberframework). While not DB2-specific, the NIST framework provides a structured approach to managing cybersecurity risk that maps well to DB2 security features. Useful for organizations that need to align DB2 security with an enterprise cybersecurity program.
Recommended Study Path
If you are preparing for a DB2 security implementation:
- Start with the IBM Db2 Knowledge Center security overview for your platform
- Read the relevant IBM Redbook for your platform (z/OS or LUW)
- Study the compliance framework applicable to your industry (PCI DSS, HIPAA, SOX, GDPR)
- Practice RCAC, audit policies, and trusted contexts in a development environment
- Review the Meridian Bank security model (Section 19.12) as a design template
- Use IBM Guardium documentation if your organization uses it for monitoring