Security Information & Event Management Blog | SIEM

4 Best Practices for IBM DB2 Access Auditing in the Era of Compliance Creep

80% of the world’s corporate data resides on mainframes, and IBM DB2 is a pack-leader for the performance and availability necessary to support immense mainframe workloads. This should be concerning if your organization falls in line with the Windows-/UNIX-only security strategies still prevalent in the IT world. Hackers continue to gravitate towards the most lucrative data, and sooner or later we’re going to read about a major DB2 data breach on par with the recent Target and Yahoo breaches that caught some CXOs with their security and compliance pants down.

In light of recently documented mainframe breaches and growing IT security concerns in government and enterprise, we sponsored a webinar titled “Who Did What to Which Data When?” featuring database management strategist Craig S. Mullins and his whitepaper of the same name. Both paper and presentation expertly outline the practice of mainframe Database Activity Monitoring (DAM) to assist organizations in their pursuit of IBM DB2 security best practices that have been the standard in distributed computing environments for years.

In a follow-up to Mullins’ “Who Did What to Which Data When?” whitepaper, we commissioned Mullins to produce another expert whitepaper titled “Compliance Needs Drive Data Access Auditing Requirements” with 4 database auditing techniques that will help your organization meet its compliance mandates.

Download Mullins' New Whitepaper: "4 Steps to Improve DB2 Access Auditing"

Four Approaches to Database Access Auditing in IBM DB2

According to Mullins, 60 to 80 percent of all IT security threats are internal. The stakes continue to rise for lost or altered data, and it has never been more essential for InfoSec administrators to ratchet database visibility up to 360 degrees. Here are some Mullins-vetted database auditing methods worthy of consideration as you strive to secure your data.

1. Trace-based Auditing

Nearly any DBMS includes a native trace facility for producing records of activity the DBMS already audits. While this method offers thorough trace records on activity such as successful and unsuccessful logins and logoffs, database server restarts, commands by privileged users, and much more, running these traces tends to consume significant system resources.

2. Scan and Parse Database Transaction Logs

Every time a database modification occurs, the DBMS creates transaction logs to ensure data recovery capabilities. Organizations can employ software that interprets these logs to identify who changed what data, but certain activities such as reads, SPUFI requests, and DBA work executed locally are not captured.

3. Mid-transit Packet Sniffing

You can capture SQL statements and build an audit trail of all the database requests as they cross the network; however, the downside here is that not all requests cross the network. This leaves blind spots for DB2-CICS applications where TCP/IP is not involved and for any DBA work executed directly on the server.

4. Proactive Monitoring at the Database Server Level

The fourth and most effective means of DAM is to capture SQL requests as they are being made at the database server level. Again, as not all requests travel across the network, proactive auditing at this level provides a complete view to help ensure no one is slipping through the cracks. After all, you can’t stop a breach you don’t know about.
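To make the coverage difference between approach 3 (network capture) and approach 4 (server-level capture) concrete, here is an added example in Python. It is not code from the whitepaper, from Mullins, or from CorreLog; the record layout, the user names, the entitlement table and the sample records are all constructed for this illustration and do not reflect DB2's own trace formats. The script parses server-level capture records into "who did what to which data when" entries, flags access to tables a user is not entitled to, mass UPDATE/DELETE statements and non-read activity by privileged users, and then re-runs the same checks over only the records a packet sniffer would have seen.

```python
from collections import defaultdict

# Constructed sample of server-level SQL capture records. The layout is an
# assumption made for this example, NOT DB2's own trace record format. Fields:
#   timestamp | user | path | table | statement type | rows affected
# 'path' records how the request reached DB2: 'tcpip' for requests that came
# over the network, 'local' for work run on the server itself (SPUFI, batch,
# CICS attach), which a packet sniffer never sees.
SAMPLE_RECORDS = """\
2017-03-01T09:00:01Z|alice|tcpip|CUSTOMER|SELECT|12
2017-03-01T09:00:07Z|bob|local|PAYROLL|SELECT|5000
2017-03-01T09:01:15Z|alice|tcpip|ORDERS|UPDATE|1
2017-03-01T09:02:30Z|dba01|local|CUSTOMER|DELETE|250
2017-03-01T09:03:00Z|carol|tcpip|CUSTOMER|SELECT|3
"""

# Constructed entitlement table: which tables each user is authorised to touch.
ENTITLEMENTS = {
    "alice": {"CUSTOMER", "ORDERS"},
    "bob": {"ORDERS"},
    "carol": {"CUSTOMER"},
    "dba01": {"CUSTOMER", "ORDERS", "PAYROLL"},
}
PRIVILEGED_USERS = {"dba01"}
MASS_CHANGE_ROWS = 100  # an UPDATE/DELETE touching at least this many rows is flagged


def parse_records(text):
    """Turn the pipe-separated capture into 'who did what to which data when' dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, who, path, which, what, rows = line.split("|")
        records.append({"when": when, "who": who, "path": path,
                        "which": which, "what": what.upper(), "rows": int(rows)})
    return records


def audit(records, entitlements=ENTITLEMENTS, privileged=PRIVILEGED_USERS):
    """Return findings as (kind, who, which, when) tuples, in capture order."""
    findings = []
    for r in records:
        # Authorization auditing: is this user entitled to this table at all?
        if r["which"] not in entitlements.get(r["who"], set()):
            findings.append(("UNAUTHORIZED_TABLE", r["who"], r["which"], r["when"]))
        # Large data changes deserve a second look regardless of who made them.
        if r["what"] in ("UPDATE", "DELETE") and r["rows"] >= MASS_CHANGE_ROWS:
            findings.append(("MASS_CHANGE", r["who"], r["which"], r["when"]))
        # Privileged users writing data is the classic insider-risk signal.
        if r["who"] in privileged and r["what"] != "SELECT":
            findings.append(("PRIVILEGED_WRITE", r["who"], r["which"], r["when"]))
    return findings


def network_only(records):
    """Simulate approach 3: a packet sniffer only sees requests that crossed TCP/IP."""
    return [r for r in records if r["path"] == "tcpip"]


def activity_summary(records):
    """Per-user count of statements by type, the kind of view a SIEM dashboard shows."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        summary[r["who"]][r["what"]] += 1
    return {who: dict(kinds) for who, kinds in summary.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("server-level capture findings:")
    for finding in audit(recs):
        print("  ", finding)
    print("network-only capture findings:")
    for finding in audit(network_only(recs)):
        print("  ", finding)
    print("activity per user:", activity_summary(recs))
```

Run against the constructed records, the server-level pass surfaces bob's read of PAYROLL (a table he is not entitled to) and dba01's 250-row DELETE, both of which were executed locally; the network-only pass over the same data reports nothing, which is exactly the blind spot approach 3 leaves and approach 4 closes.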

It’s important to note that DAM is not only essential for DB2 security, it’s a major stipulation in data security standards such as PCI DSS, FISMA, GLBA, and others – and rest assured these standards will continue to grow as breaches escalate.

Ultimately, there are a few questions your IT security department must ask itself. Can you prove that you know who did what to which data when in IBM DB2? Can you prove that you have authorization auditing to ensure that users are only accessing the data necessary for them to complete their jobs? Do employees stay within their permitted row or collection of rows? Is there someone accessing, viewing, or altering datasets without authorization right now? One can never be too sure without a complete, real-time view of database activity within your SIEM.

Click here to download Mullins’ free and enlightening data access auditing whitepaper and get closer to answers that fit your organization. For more information about DBA and Consultant Craig S. Mullins, visit his website here.

Click here for more information on CorreLog’s industry-leading DB2 security and compliance solutions.