Download DataBase Development and Implementation Lec14 - Database Security and more Study notes Database Management Systems (DBMS) in PDF only on Docsity!
DBDI / Lecture 14
Database Security
Dr. Ala Al-Zobaidie The slides are based on the textbooks Database Systems by Connolly & Begg
30/05/2007 DBDI / Security 2
Lecture - Objectives
- The scope of database security.
- Why database security is a serious concern for an organization.
- The type of threats that can affect a database system.
- How to protect a computer system using computer-based controls.
- The security measures provided by Microsoft Office Access and Oracle DBMSs.
- Approaches for securing a DBMS on the Web.
30/05/2007 DBDI / Security 3
Database Security
- Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource.
- Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential.
30/05/2007 DBDI / Security 4
Database Security
- Mechanisms that protect the database against intentional or accidental threats.
- Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database.
Database Security
- Involves measures to avoid:
- Theft and fraud
- Loss of confidentiality (secrecy)
- Loss of privacy
- Loss of integrity
- Loss of availability
Database Security
- Threat
- Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization.
30/05/2007 DBDI / Security 7
Summary of Threats to Computer Systems
30/05/2007 DBDI / Security 8
Typical Multi-user Computer Environment
30/05/2007 DBDI / Security 9
Security Countermeasures
- Non Computer-Based Controls
- Concerned with matters such as policies, agreements, and other administrative controls such as physical controls to buildings and safeguarding equipments
- Computer-Based Controls
- Concerned with electronic administrative procedures
30/05/2007 DBDI / Security 10
Countermeasures – Non Computer-Based Controls
- Security policy and contingency plans
- Personnel controls
- Securing positioning of equipment
- Secure data and software
- Escrow agreements
- Maintenance agreements
- Physical access control
- Building Controls
- Emergency arrangements
Countermeasures – Computer-Based Controls
1. Authorization & Authentication
2. Access controls
3. Views
4. Backup and recovery
5. Integrity
6. Encryption
7. RAID technology
Computer-Based Controls / 1. Authorization & Authentication
- Authorization is the granting of a right or privilege, which enables a subject to legitimately have access to a system or a system’s object.
- Authentication is a mechanism that determines whether a user is, who he or she claims to be.
30/05/2007 DBDI / Security 19
Computer-Based Controls / 2. Access control DAC Specification on SQL
- Syntax GRANT { privileges |ALL [PRIVILEGES]} [ON obj] TO users [WITH GRANT OPTION];
Where “privileges” -- a list of 1 or more privilege or the phrase ALL PRIVILEGES “obj” -- a list of names of one or more objects (all of the same kind - table, stored proc, etc.) “users” -- specific USERS or PUBLIC
30/05/2007 DBDI / Security 20
Computer-Based Controls / 2. Access control DAC Examples on SQL
GRANT System(Object)_Privilege TO useid;
- GRANT select ON Deposit TO Ibrahim;
- GRANT delete, update (Cname, City) ON Customer TO Kahn, Jabang;
- GRANT select ON Borrow to PUBLIC;
- GRANT reference ON Branch TO Jugoo;
- GRANT create table TO Ali;
- GRANT create database TO Kariri, Maryann; ...
- Revoke is the same: REVOKE [WITH GRANT OPTION] privileges [ON obj] FROM users [CASCADE];
table privl’g
DB & system privileges
30/05/2007 DBDI / Security 21
Computer-Based Controls / 2. Access control Summary of DAC mechanism
- Database administrator
- Authorization: not all users can do (DBS, Owner,..)
- User classifications / roles
- User rights (r, w, x, d, u, ...)
- Access granularity - DB, relation/table, tuple,, attributes, …
- Grant / revoke rights
30/05/2007 DBDI / Security 22
Computer-Based Controls / 3. Views
Back to our Computer-Based Controls procedures
- Authorization
- Access controls
- Views
- Backup and recovery
- Integrity
- Encryption
- RAID technology
View
- Is the dynamic result of one or more relational operations operating on the base relations to produce another relation.
- A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request.
Computer-Based Controls / 4. Backup & Recovery
- Backup
- Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media.
- Journaling
- Process of keeping and maintaining a log file (or journal) of all changes made to database to enable effective recovery in event of failure.
- Checkpointing
- Point of synchronization between the database and the transaction log file. All buffers are force-written to secondary storage.
Computer-Based Controls / 5. Integrity
- Prevents data from becoming invalid, and hence giving misleading or incorrect results.
Computer-Based Controls / 6. Encryption
- The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.
30/05/2007 DBDI / Security 25
Computer-Based Controls / 7. RAID (Redundant Array of Independent Disks) Technology
- Hardware for DBMS must be fault-tolerant.
- One solution: having fault-tolerant redundant components
- fault-tolerant components include disk drives, disk controllers, CPU, power supplies, and cooling fans.
- Disk drives are most vulnerable components.
- One solution: RAID 30/05/2007 DBDI / Security 26
Security in Microsoft Office Access DBMS
- Provides two methods for securing a database: - setting a password for opening a database (system security); - user-level security, which can be used to limit the parts of the database that a user can read or update (data security).
30/05/2007 DBDI / Security 27
Securing the DreamHome database using a password
Note: You need to open DB in Exclusive mode
30/05/2007 DBDI / Security 28
User and Group Accounts dialog box for the DreamHome database
User and Group Permissions dialog box Security in Oracle DBMS: Creation of a new user with password authentication set
30/05/2007 DBDI / Security 37
Summary
- Security Definition
- Need of Security
- Countermeasures
- Computer-Based Controls
- Discretionary Access Control (DAC)
- Security in MS Access
- Web Security