Posts Tagged ‘authorization’
Data Loss or Leakage
There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data.
The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
Impact
Data loss or leakage can have a devastating impact on a business. Beyond the damage to one’s brand and reputation, a loss could significantly impact employee, partner, and customer morale and trust. Loss of core intellectual property could have competitive and financial implications. Worse still, depending upon the data that is lost or leaked, there might be compliance violations and legal ramifications.
Examples
Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and remanence challenges: disposal challenges; risk of association; jurisdiction and political issues; data center reliability; and disaster recovery.
Remediation
- Implement strong API access control.
- Encrypt and protect integrity of data in transit.
- Analyze data protection at both design and run time.
- Implement strong key generation, storage and management, and destruction practices.
- Contractually demand providers wipe persistent media before it is released into the pool.
- Contractually specify provider backup and retention strategies.
The Ten Commandments of Computer Ethics
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people’s computer work.
- Thou shalt not snoop around in other people’s computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy or use proprietary software for which you have not paid.
- Thou shalt not use other people’s computer resources without authorization or proper compensation.
- Thou shalt not appropriate other people’s intellectual output.
- Thou shalt think about the social consequences of the program you are writing or the system you are designing.
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Link Layer Access
One aspect that has been overlooked in mobile research is link layer access. Most mobility solutions assume that the link layer configuration will be automatic and base trigger mechanisms on the presence of network layer connectivity. We believe that there is a need for a framework for link layer access, to standardize the operating system interface, creating a unified API to report the presence of access points in the vicinity of the mobile, and to do AAA (Authentication, Authorization and Accounting). A multiplexing transport protocol has to be aware of new link layers that become available, and of link layers that can no longer be used, to add and remove these interfaces from protocol processing. To this end, a link-layer aware transport protocol needs the following support:
Link layer management: a management entity can use direct information (by probing or listening to the link layer for the presence of access points) or indirect information (by using an existing connection to query the infrastructure for the existence of additional access points) to find new access points. This is called link layer discovery. Management also encompasses measuring signal strength and possibly location hints to rule that a link layer is no longer usable. This is called link layer disconnection.
Network layer management: before using a link layer, the mobile has to acquire an IP address for that interface. The most common protocol for acquiring a network address in broadcast media is DHCP (Dynamic Host Configuration Protocol). For point-to-point links, such as infrared, acquiring a network address also entails creating a point-to-point link. In this case, the link will only be created on demand, as creating the link precludes other mobiles from using the same access point.
Transport layer notification: the transport layer has to be notified of new access points (in the form of a new IP address it can use) and of the loss of an active access point (an IP that can no longer be used). The transport protocols can also notify a management entity about the available bandwidth of each link. Because this bandwidth is closely tied to the available bandwidth of the last hop, by controlling the maximum bandwidth each protocol instance can use, the management entity can enforce usage policies for cooperating protocols.
DB2 security mechanisms
A database security plan should define:
- Who is allowed access to the instance and/or database
- Where and how a user’s password will be verified
- The authority level that a user is granted
- The commands that a user is allowed to run
- The data that a user is allowed to read and/or alter
- The database objects a user is allowed to create, alter, and/or drop
There are three main mechanisms within DB2 that allow a DBA to implement a database security plan: authentication, authorization, and privileges.
Authentication is the first security feature you will encounter when you attempt to access a DB2 instance or database. DB2 authentication works closely with the security features of the underlying operating system to verify user IDs and passwords. DB2 can also work with security protocols like Kerberos to authenticate users.
Authorization involves determining the operations that users and/or groups can perform, and the data objects that they may access. A user’s ability to perform high-level database and instance management operations is determined by the authorities that they have been assigned. The five different authority levels within DB2 are SYSADM, SYSCTRL, SYSMAINT, DBADM, and LOAD.
Privileges are a bit more granular than authorities, and can be assigned to users and/or groups. Privileges help define the objects that a user can create or drop. They also define the commands that a user can use to access objects like tables, views, indexes, and packages.
You will need to create a database within the db2inst1 instance. Make sure that the db2instance variable is still set to db2inst1, and then create the sample database using the command db2sampl drive, where drive is the name of the drive where you want to create the sample. For the examples, we’ll create the sample database on our C drive, as follows:
C:\PROGRA~1\SQLLIB\BIN>db2sampl c:
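The difference between authorities and privileges described above can be seen on the sample database with the statements below. This is an added example, not part of the original post; the user and group names DBA1, LOADER1 and APPUSERS are hypothetical, and it assumes you are connected to SAMPLE as a user allowed to grant authorities.

```sql
-- Added example; DBA1, LOADER1 and APPUSERS are hypothetical names.
-- Save as a file and run with: db2 -tvf <file>   (after CONNECT TO sample)
--
-- SYSADM, SYSCTRL and SYSMAINT cannot be granted with SQL. They come from
-- membership in the operating system groups named by the SYSADM_GROUP,
-- SYSCTRL_GROUP and SYSMAINT_GROUP database manager configuration parameters.

-- Authorities that are granted per database
GRANT DBADM ON DATABASE TO USER dba1;
GRANT CONNECT, LOAD ON DATABASE TO USER loader1;
-- LOAD authority alone does not allow loading a table;
-- the user also needs INSERT on the target table.
GRANT INSERT ON TABLE staff TO USER loader1;

-- Privileges: scoped to specific objects and operations
GRANT CONNECT ON DATABASE TO GROUP appusers;
GRANT SELECT ON TABLE employee TO GROUP appusers;
GRANT SELECT, UPDATE ON TABLE staff TO GROUP appusers;

-- Review who holds database-level authorities and privileges
SELECT grantee, granteetype, dbadmauth, loadauth, connectauth, createtabauth
  FROM syscat.dbauth
 ORDER BY grantee;

-- Review table privileges on the two sample tables used above
SELECT grantee, granteetype, tabname,
       selectauth, insertauth, updateauth, deleteauth
  FROM syscat.tabauth
 WHERE tabname IN ('EMPLOYEE', 'STAFF')
 ORDER BY tabname, grantee;

-- Anything held by PUBLIC applies to every authenticated user,
-- so list it and remove what the security plan does not call for.
SELECT connectauth, createtabauth, bindaddauth, implschemaauth
  FROM syscat.dbauth
 WHERE grantee = 'PUBLIC';

REVOKE CONNECT ON DATABASE FROM PUBLIC;
```

In the catalog views a value of Y means the authority or privilege is held, G means it is held with the right to grant it to others, and N means it is not held.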

