and
network security , and the application security . All of these
areas were considered during the security audit that was conducted
on IBM Cognos 8 as part of the developmental cycle.The primary goals of the IBM Cognos 8 security strategy are
to limit access to authorized data to the intended users
to prevent modification of the data, or data presentation, by unauthorized users
to prevent the theft or destruction of information
to ensure that the application is available
You must ensure that users cannot, either through inadvertent or malicious actions, view data that they are not authorized to view, bypass authentication and authorization mechanisms, steal or violate session states to assume the identity of another user, or escalate existing privileges. You must also prevent users from causing disruptions in service for the application.
This information will help you configure an IBM Cognos 8
installation for maximum security. The issues discussed include
the environment security, which involves the operating system and
network security , and the application security . All of these
areas were considered during the security audit that was conducted
on IBM Cognos 8 as part of the developmental cycle.
Each customer’s installation and configuration of IBM Cognos 8 is unique. As a result, the security requirements for each installation and configuration are also unique. This section does not contain complete information about issues involved in securing an IBM Cognos 8 environment. However, it provides guidelines and recommendations that supplement the more detailed information in the IBM Cognos 8 Installation and Configuration Guide.
The IBM Cognos 8 security framework is based on the industry standard approach to securing Web applications. This involves addressing security issues during the design and development of functional areas that are vulnerable to security threats.
The following IBM Cognos 8 functional areas were developed with special attention to security.
User authentication and authorization prevent unauthorized users from accessing system components and data.
The effectiveness of the security strategy depends on the type of authentication and authorization.
Web request and content validation checks the data before the data is processed.
The effectiveness of the security strategy depends on the validation techniques, such as bounds checking that prevents buffer overflow and variable assignment violations, and format checking that prevents data encoding and format string violations.
Session management supports appropriate access control. It relies on strong session identifiers that are difficult to guess.
The effectiveness of the security strategy depends on the type of session management systems used, the information that they include, and where in the program cycle the sessions are validated.
Transport security is used during transmission to secure transactions that contain sensitive information when untrusted networks are used.
The effectiveness of the security strategy depends on how data is encrypted.
Encryption protects sensitive data, such as account credentials and personal information.
The effectiveness of the security strategy depends on how data is encrypted and stored.
Application logs identify when errors occur or when sensitive transactions are complete. In addition, application logs record error messages that provide system information. Error messages should expose the minimum amount of information to meet business requirements.
The effectiveness of the security strategy depends on where the log files are stored, and whether auditing capabilities are built into the application.
Administrative access includes the right to add and remove users, provide group and role-based access, and configure application components. Administrative access should be restricted to appropriate individuals.
The effectiveness of the security strategy depends on how the application is administered, the configuration of administrative options for security, and how these options are protected.
