A closer look at the "Security and Compliance Solutions for IBM Informix Dynamic Server" RedBook
I mentioned this RedBook in one of my earlier posts and wanted to have a closer look at it.
I remember that when I looked at the contents originally, I was surprised to see no mention of physical security and only a limited discussion of file system security. The only discussion relating to file system security was around backups.
In my opinion, another omission was that there is no suggestion made of what sort of things you should audit with the onaudit program.
Some of the options are presented to the reader without any real emphasis as to which is a better option. For example, there is no mention that regular DES encryption (as opposed to Triple-DES or DES3) is not a very good option. Although it is mentioned that Electronic Code Book (ECB) cipher mode is easy to crack, it's also not very well highlighted and didn't jump out at me. (It will leap out at you if you scan the PDF for the string "ecb", but if you were reading the article normally, it certainly wouldn't, as it's in a section called "Sample Settings". :-) )
Another example of the lack of emphasis is that it isn't made clear that column encryption is something which should not be done for the heck of it.
It also doesn't mention that encryption is more resource-intensive than decryption or that the length of the data being encrypted has a significant impact on performance, while the choice of encryption algorithm has very little effect.
A small point, but if you were going to encrypt and compress a backup, I would have thought you should do the compression first, because encryption tends to produce streams that don't compress very well.
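To see why the two cautions above matter (ECB mode leaking the pattern of the data, and compressing a backup before rather than after encrypting it), here is an added example that is not from the RedBook or from IBM. It uses a hypothetical stand-in for the block cipher (HMAC-SHA256 cut down to 64-bit blocks, since Python's standard library ships no DES), and the key, IV and sample column data are constructed.

```python
import hashlib
import hmac
import zlib

BLOCK = 8  # 64-bit blocks, the size DES and Triple-DES work in
# Constructed key, IV and sample data, fixed so the demonstration is repeatable.
KEY = b"demo-key-not-for-real-use"
IV = bytes(range(BLOCK))
# A column backup with few distinct values, one row per block (64 blocks, 512 bytes).
SAMPLE = b"ROW-AAAA" * 40 + b"ROW-BBBB" * 24

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Hypothetical stand-in for a block cipher: HMAC-SHA256 cut to one block.
    # Not invertible, but the forward direction is all a mode comparison needs.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted on its own, so equal plaintext blocks give
    # equal ciphertext blocks and the row pattern survives encryption.
    pt = pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before
    # encryption, so repeated plaintext no longer yields repeated ciphertext.
    pt, out, prev = pad(plaintext), [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def distinct_blocks(data: bytes) -> int:
    # How many different ciphertext blocks someone reading the output sees.
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})

def compressed_size(data: bytes) -> int:
    return len(zlib.compress(data, 9))

def backup_sizes() -> tuple:
    # Backup size when compressed before encryption vs. compressed after it.
    compress_then_encrypt = len(cbc_encrypt(KEY, IV, zlib.compress(SAMPLE, 9)))
    encrypt_then_compress = compressed_size(cbc_encrypt(KEY, IV, SAMPLE))
    return compress_then_encrypt, encrypt_then_compress
```

Under ECB the 65 output blocks contain only three distinct values, and the ciphertext still compresses almost as well as the plaintext, which is exactly the structure an attacker reads off it; under CBC every block differs and the ciphertext no longer compresses at all, so compressing after encrypting gains nothing.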
These omissions and "differences of opinion in implementation" are because IBM's philosophy with these RedBooks is to make them useful to as wide an audience as possible. For this reason, they will always tend to advise on general principles and refrain from any specific recommendations and any platform-specific issues, where possible. It's worth bearing that in mind when perusing them.
However, if that sounds like I've got a downer on the RedBook, you're wrong: the first chapter provides an excellent summary of the security technology features available in IDS, and the subsequent chapters discuss the principles of setting up security for compliance very clearly. If you're interested in providing better security for your databases (and you are, aren't you?) then you should read this book.
If you have read any Informix-related RedBooks and aren't sure of where to go next, or if you have a specific issue from them, feel free to ask on the "Ask Spokey" forum.