Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenQM Martin Phillips Ladybridge Systems Ltd Data Security.

Published byAri Martel Modified over 9 years ago

Similar presentations

Presentation on theme: "OpenQM Martin Phillips Ladybridge Systems Ltd Data Security."— Presentation transcript:

1 OpenQM Martin Phillips Ladybridge Systems Ltd Data Security

2 There are two sides to data security... Not losing our data Not letting others access it OpenQM

3 How do we lose data? User ErrorSoftware Error Hardware Failure Environmental OpenQM

4 What are the risks? User error Hardware / software failure Malicious users / developers Theft / loss of backup media Theft / loss of the entire system OpenQM

5 What do we need to know about? Application level security File permissions Data encryption QMClient security issues Backup policies OpenQM

6 Application level security Don't let the user near a command prompt Security subroutines Identify the user Identify the process type OpenQM

7 Hiding the command prompt Use LOGIN paragraph to enter application Use ON.ABORT to catch application errors OPTION NO.USER.ABORTS to hide all abort options OpenQM

8 Security subroutines Apply to R and V type VOC entries Command line or EXECUTEd commands User defined - Can do almost anything Don't allow the user to update the VOC! OpenQM

9 Identify the user @LOGNAME @IP.ADDR SYSTEM(1017) - Port number SYSTEM(27 – 30) - UID, EUID, GID, EGID OpenQM

10 Identify the process type @TTY phantomBackground process portSerial connection vbsrvrQMClient session OpenQM

11 File permissions QM uses o/s files and is hence subject to normal o/s permissions settings Group users as Administrators, Developers, Others Permission requirements for each group are in the QM Reference Manual Program execution needs read access OpenQM

12 Data encryption New at QM release 2.6-0 (August 2007) Ad hoc encryption Record level encryption Field level encryption Uses AES 128, 192 or 256 bit algorithms OpenQM

13 Ad hoc data encryption Simple to use for any QMBasic data item ENCRYPT() & DECRYPT() functions Key provided by application program Encrypted data never contains mark characters or ASCII control characters Can store in all file types OpenQM

14 Record level data encryption Encrypts whole record automatically when writing to database Users without access to the key cannot open the file Can use AKs but index itself is not encrypted OpenQM

15 Field level data encryption Encrypts specific field(s) automatically when writing to database Users without access to the key see fields as empty when reading and cannot update encrypted fields Cannot use AKs on encrypted fields OpenQM

16 Encryption keys Key strings are stored in a secure "key vault" protected by a master key Only the security administrator has access to the keys Developers only know the key name OpenQM

17 Security Administrator Commands CREATE.KEY Associates a key string and encryption algorithm with a key name CREATE.KEY {name {algorithm {string}}} OpenQM

18 Security Administrator Commands GRANT.KEY Grants access to key by user name or group name GRANT.KEY name {GROUP} name... OpenQM

19 Security Administrator Commands REVOKE.KEY Removes access to key by user name or group name GRANT.KEY name {GROUP} name... OpenQM

20 Security Administrator Commands DELETE.KEY Deletes a key from the key vault DELETE.KEY name OpenQM

21 Security Administrator Commands LIST.KEYS Shows key name, algorithm and access rights for each key LIST.KEYS OpenQM

22 Create a File with Record Level Encryption Use ENCRYPT option to CREATE.FILE Not restricted to administrators Specifies the key name, not the string OpenQM

23 Add Record Level Encryption to File ENCRYPT.FILE Not restricted to administrators Specify key name to be used ENCRYPT.FILE filename keyname OpenQM

24 Set Up Field Level Encryption ENCRYPT.FILE Not restricted to administrators Specify key name to be used for each encrypted field ENCRYPT.FILE filename field,keyname... OpenQM

25 Which Fields Did I Encrypt? LIST.KEYS Not restricted to administrators Displays list of field name / encryption key pairs LIST.KEYS filename OpenQM

26 What if I Restore a Backup Elsewhere? OpenQM The file can only be accessed if the key name is in the key vault and has the right key string Restoring a backup won't work because the master key is linked to a specific system Re-enable by entering the master key

27 But I Want to Copy My File! Copy the file Ensure the key name is in the key vault with the correct algorithm and key string Use SET.ENCRYPTION.KEY.NAME if the key name clashes with one on the new system OpenQM

28 What If My Computer Is Stolen? Optionally require entry of master key every time QM is started Potentially inconvenient but provides best security Can enable / disable at any time UNLOCK.KEY.VAULT OpenQM

29 QMClient security issues QMClient allows a VB (etc) program to open files, execute commands and subroutines This is just like being at a command prompt but application level security is now on the client side Malicious users can do nasty things! OpenQM

30 QMClient security issues The QMCLIENT configuration parameter imposes rules on what the client can do: 0No restrictions 1Ban OPEN and EXECUTE, limiting to calling subroutines 2Restrict which subroutines can be called OpenQM

31 Backup policies Surprising numbers of users get this wrong! Backup of a live system is always dangerous Use of suspend / resume may not be on a business transaction boundary OpenQM

32 Backup policies Backup a complete, consistent set of data Cycle backup media Keep it in a secure place Test your backups! OpenQM

33 QUESTIONS?

34 OpenQM

Download ppt "OpenQM Martin Phillips Ladybridge Systems Ltd Data Security."

Similar presentations

OpenQM Martin Phillips Ladybridge Systems Ltd Data Resilience in a QM System.

OpenQM Martin Phillips Ladybridge Systems Ltd Data Resilience in a QM System.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
This presentation will take a look at to prevent your information from being discovered by and investigator.

This presentation will take a look at to prevent your information from being discovered by and investigator.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
By Mary Anne Poatsy, Keith Mulbery, Eric Cameron, Jason Davidson, Rebecca Lawson, Linda Lau, Jerri Williams Chapter 9 Fine-Tuning the Database 1 Copyright.

By Mary Anne Poatsy, Keith Mulbery, Eric Cameron, Jason Davidson, Rebecca Lawson, Linda Lau, Jerri Williams Chapter 9 Fine-Tuning the Database 1 Copyright.
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.

Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.

Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Lesson 19 – ADMINISTERING WINDOWS 2000 SERVER : THE BASICS.

Lesson 19 – ADMINISTERING WINDOWS 2000 SERVER : THE BASICS.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
With Microsoft Access 2010 © 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.

With Microsoft Access 2010 © 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Backup and Recovery Part 1.

Backup and Recovery Part 1.
Linux File Security. What is Permission ? Specifies what right are granting to users to access the resources available in the computer. So that important.

Linux File Security. What is Permission ? Specifies what right are granting to users to access the resources available in the computer. So that important.

Similar presentations

Ads by Google