In our increasingly virtualized, fast-paced world, data has become both the biggest enterprise asset and a liability. Information security policies and guiding security principles have become an essential part of the corporate risk management framework to mitigate the exposure risk of corporate data. Guiding security principles—a set of concise, high-level engineering best practices—can provide an effective foundation for systems security and should be considered as appropriate guidance when designing and maintaining IT systems.
This article outlines a practical, cohesive approach to translating the key guiding security principles into role-based access control mechanisms; it uses DB2 z/OS as a practical example and explores the security features available in DB2 10:
• New authorization model to support fine-grained DB2 system authorities
• Roles and trusted context
• Support for z/OS identity propagation using distributed identity filters.
A practical approach to control access to data in the DBMS from all entities ranging from system authorities to applications may be useful to many IT practitioners in corporate environments, including application, security and data architects, and Database Administrators (DBAs).
Commonly recognized security principles can be used to provide an efficient framework and directions for making architectural, design and operational decisions for implementing security policies to pursue risk-driven security objectives and simultaneously facilitate legal and regulatory compliance. Implementing systematic, risk-based security policies based on a comprehensive set of security principles directly contributes to the stability of business applications and positively influences consumer confidence and customer loyalty.
The fundamental, commonly recognized security principles IT organizations use as architectural statements or directives are:
• Least privilege
• Separation of responsibilities
• Maintaining accountability and traceability of a user or process.
Another key guiding security principle has recently emerged: compliance doesn’t equal security.
Efforts to achieve compliance with standards and regulations aren’t a substitute for implementing risk-based security policies defined based on guiding security principles. Security regulations and standards imposed by various governing bodies are really “minimum” standards that focus on specific subsets of data and security threats. If IT organizations had implemented risk-based security policies consistent with guiding security principles from the outset, there’s a good chance the standards and regulations would not have been required. Defining risk-based security policies consistent with guiding security principles simplifies and shortens the path to compliance with existing or future regulations and standards, making it a sustainable, replicable process.
This approach facilitates satisfying most of the regulations and standards requirements without extensive changes. Focusing on implementing risk-based security policies consistent with guiding security principles better prepares enterprises to protect their assets against various security threats and is arguably a more efficient, cost-effective way to achieve regulatory compliance.