Database Security: Protecting Confidentiality, Integrity and Availability, Lecture notes of Database Management Systems (DBMS)

The importance of database security, the risks involved, and various types of controls to mitigate these risks. Topics include access control, auditing, authentication, encryption, data integrity, backups, application security, and statistical database security. Database security is crucial to prevent unauthorized access, malware infections, performance issues, physical damage, design flaws, and data corruption.

Typology: Lecture notes

2017/2018

Uploaded on 05/01/2018

dinesh-kumar-26

Database security concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links) against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical. Database security is a specialist topic within the broader realms of computer security, information security and risk management.

Security risks to database systems include, for example:

  • Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations);
  • Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services;
  • Overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended;
  • Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and obsolescence;
  • Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities (e.g. unauthorized privilege escalation), data loss/corruption, performance degradation etc.;
  • Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.

Ross J. Anderson has often said that by their nature large databases will never be free of abuse by breaches of security; if a large system is designed for ease of access it becomes insecure; if made watertight it becomes impossible to use. This is sometimes known as Anderson's Rule.[1]

Many layers and types of information security control are appropriate to databases, including:

  • Access control
  • Auditing
  • Authentication
  • Encryption
  • Integrity controls
  • Backups
  • Application security
  • Database Security applying Statistical Method

Access control

In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource.[1] The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

Database Audit

Database auditing involves observing a database so as to be aware of the actions of database users. Database administrators and consultants often set up auditing for security purposes, for example, to ensure that those without the permission to access information do not access it.

Authentication

Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from αὐθέντης authentes, "author") is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity. It might involve confirming the identity of a person by validating their identity documents, verifying the authenticity of a website with a digital certificate,[1] determining the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim to be. In other words, authentication often involves verifying the validity of at least one form of identification.

Encryption

In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users.

Data Integrity

Data integrity is the maintenance of, and the assurance of the accuracy and consistency of, data over its entire life-cycle,[1] and is a critical aspect to the design, implementation and usage of any system which stores, processes, or retrieves data. The term is broad in scope and may have widely different meanings depending on the specific context – even under the same general umbrella of computing. It is at times used as a proxy term for data quality,[2] while data validation is a prerequisite for data integrity.[3] Data integrity is the opposite of data corruption.[4] The overall intent of any data integrity technique is the same: ensure data is recorded exactly as intended (such as a database correctly rejecting mutually exclusive possibilities), and upon later retrieval, ensure the data is the same as it was when it was originally recorded. In short, data integrity aims to prevent unintentional changes to information. Data integrity is not to be confused with data security, the discipline of protecting data from unauthorized parties.
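As an added illustration (not part of the original lecture notes), the Python sketch below uses SQLite to show both halves of the paragraph above: a CHECK constraint that rejects mutually exclusive states when data is recorded, and a stored SHA-256 digest that is recomputed on retrieval. The `account` table, its columns and the sample rows are constructed for this example.

```python
import hashlib
import sqlite3


def row_digest(account_id, status, closed_on):
    """SHA-256 over a canonical encoding of the protected columns.
    A plain digest detects accidental change only; it does not stop
    someone who can rewrite the digest column as well."""
    return hashlib.sha256(repr((account_id, status, closed_on)).encode()).hexdigest()


def open_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical schema, constructed for this example.
    db.execute("""
        CREATE TABLE account (
            id        INTEGER PRIMARY KEY,
            status    TEXT NOT NULL CHECK (status IN ('open', 'closed')),
            closed_on TEXT,
            digest    TEXT NOT NULL,
            -- either open with no closing date, or closed with one
            CHECK ((status = 'open') = (closed_on IS NULL))
        )""")
    return db


def insert_account(db, account_id, status, closed_on):
    db.execute("INSERT INTO account VALUES (?, ?, ?, ?)",
               (account_id, status, closed_on,
                row_digest(account_id, status, closed_on)))


def verify_account(db, account_id):
    """True if the row read back still matches the digest stored with it."""
    row = db.execute("SELECT id, status, closed_on, digest FROM account "
                     "WHERE id = ?", (account_id,)).fetchone()
    return row is not None and row_digest(*row[:3]) == row[3]


def demo():
    db = open_db()
    insert_account(db, 1, "open", None)
    insert_account(db, 2, "closed", "2018-01-05")
    try:
        insert_account(db, 3, "open", "2018-01-05")  # contradictory state
        rejected = False
    except sqlite3.IntegrityError:
        rejected = True
    # Simulated corruption: a value changes without the digest being updated.
    db.execute("UPDATE account SET closed_on = '2017-12-31' WHERE id = 2")
    return rejected, verify_account(db, 1), verify_account(db, 2)
```

The corrupted row still satisfies the CHECK constraint, so only the retrieval-time digest comparison reveals that it differs from what was originally recorded.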

Backup

In information technology, a backup, or the process of backing up, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event. The verb form is to back up in two words, whereas the noun is backup.[1]