DataBase Development and Implementation Lec14 - Database Security, Study notes of Database Management Systems (DBMS)

In this document topics covered which are Database Security, The scope of database security, Summary of Threats to Computer Systems, Security Countermeasures,Authorization

Typology: Study notes

2010/2011

Uploaded on 09/08/2011

rossi46
rossi46 🇬🇧

4.5

(10)

313 documents

1 / 7

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
DBDI 30/05/2007
Lecture-_14 / Security 1
DBDI / Lecture 14
Database Security
Dr. Ala Al-Zobaidie
The slides are based on the textbooks Database Systems by Connolly & Begg
30/05/2007 DBDI / Security 2
Lecture - Objectives
The scope of database security.
Why database security is a serious concern for an
organization.
The type of threats that can affect a database
system.
How to protect a computer system using
computer-based controls.
The security measures provided by Microsoft
Office Access and Oracle DBMSs.
Approaches for securing a DBMS on the Web.
30/05/2007 DBDI / Security 3
Database Security
Data is a valuable resource that must be
strictly controlled and managed, as with any
corporate resource.
Part or all of the corporate data may have
strategic importance and therefore needs to
be kept secure and confidential.
30/05/2007 DBDI / Security 4
Database Security
Mechanisms that protect the database
against intentional or accidental threats.
Security considerations do not only apply to
the data held in a database. Breaches of
security may affect other parts of the
system, which may in turn affect the
database.
30/05/2007 DBDI / Security 5
Database Security
Involves measures to avoid:
Theft and fraud
Loss of confidentiality (secrecy)
Loss of privacy
Loss of integrity
Loss of availability
30/05/2007 DBDI / Security 6
Database Security
Threat
Any situation or event, whether intentional or
unintentional, that will adversely affect a
system and consequently an organization.
pf3
pf4
pf5

Partial preview of the text

Download DataBase Development and Implementation Lec14 - Database Security and more Study notes Database Management Systems (DBMS) in PDF only on Docsity!

DBDI / Lecture 14

Database Security

Dr. Ala Al-Zobaidie The slides are based on the textbooks Database Systems by Connolly & Begg

30/05/2007 DBDI / Security 2

Lecture - Objectives

  • The scope of database security.
  • Why database security is a serious concern for an organization.
  • The type of threats that can affect a database system.
  • How to protect a computer system using computer-based controls.
  • The security measures provided by Microsoft Office Access and Oracle DBMSs.
  • Approaches for securing a DBMS on the Web.

30/05/2007 DBDI / Security 3

Database Security

  • Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource.
  • Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential.

30/05/2007 DBDI / Security 4

Database Security

  • Mechanisms that protect the database against intentional or accidental threats.
  • Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database.

Database Security

  • Involves measures to avoid:
    • Theft and fraud
    • Loss of confidentiality (secrecy)
    • Loss of privacy
    • Loss of integrity
    • Loss of availability

Database Security

  • Threat
    • Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization.

30/05/2007 DBDI / Security 7

Summary of Threats to Computer Systems

30/05/2007 DBDI / Security 8

Typical Multi-user Computer Environment

30/05/2007 DBDI / Security 9

Security Countermeasures

  • Non Computer-Based Controls
    • Concerned with matters such as policies, agreements, and other administrative controls such as physical controls to buildings and safeguarding equipments
  • Computer-Based Controls
    • Concerned with electronic administrative procedures

30/05/2007 DBDI / Security 10

Countermeasures – Non Computer-Based Controls

  1. Security policy and contingency plans
  2. Personnel controls
  3. Securing positioning of equipment
  4. Secure data and software
  5. Escrow agreements
  6. Maintenance agreements
  7. Physical access control
  8. Building Controls
  9. Emergency arrangements

Countermeasures – Computer-Based Controls

1. Authorization & Authentication

2. Access controls

3. Views

4. Backup and recovery

5. Integrity

6. Encryption

7. RAID technology

Computer-Based Controls / 1. Authorization & Authentication

  • Authorization is the granting of a right or privilege, which enables a subject to legitimately have access to a system or a system’s object.
  • Authentication is a mechanism that determines whether a user is, who he or she claims to be.

30/05/2007 DBDI / Security 19

Computer-Based Controls / 2. Access control DAC Specification on SQL

  • Syntax GRANT { privileges |ALL [PRIVILEGES]} [ON obj] TO users [WITH GRANT OPTION];

Where “privileges” -- a list of 1 or more privilege or the phrase ALL PRIVILEGES “obj” -- a list of names of one or more objects (all of the same kind - table, stored proc, etc.) “users” -- specific USERS or PUBLIC

30/05/2007 DBDI / Security 20

Computer-Based Controls / 2. Access control DAC Examples on SQL

GRANT System(Object)_Privilege TO useid;

  • GRANT select ON Deposit TO Ibrahim;
  • GRANT delete, update (Cname, City) ON Customer TO Kahn, Jabang;
  • GRANT select ON Borrow to PUBLIC;
  • GRANT reference ON Branch TO Jugoo;
  • GRANT create table TO Ali;
  • GRANT create database TO Kariri, Maryann; ...
  • Revoke is the same: REVOKE [WITH GRANT OPTION] privileges [ON obj] FROM users [CASCADE];

table privl’g

DB & system privileges

30/05/2007 DBDI / Security 21

Computer-Based Controls / 2. Access control Summary of DAC mechanism

  • Database administrator
  • Authorization: not all users can do (DBS, Owner,..)
  • User classifications / roles
  • User rights (r, w, x, d, u, ...)
  • Access granularity - DB, relation/table, tuple,, attributes, …
  • Grant / revoke rights

30/05/2007 DBDI / Security 22

Computer-Based Controls / 3. Views

Back to our Computer-Based Controls procedures

  1. Authorization
  2. Access controls
  3. Views
  4. Backup and recovery
  5. Integrity
  6. Encryption
  7. RAID technology

View

  • Is the dynamic result of one or more relational operations operating on the base relations to produce another relation.
  • A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request.

Computer-Based Controls / 4. Backup & Recovery

  • Backup
    • Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media.
  • Journaling
    • Process of keeping and maintaining a log file (or journal) of all changes made to database to enable effective recovery in event of failure.
  • Checkpointing
    • Point of synchronization between the database and the transaction log file. All buffers are force-written to secondary storage.

Computer-Based Controls / 5. Integrity

  • Prevents data from becoming invalid, and hence giving misleading or incorrect results.

Computer-Based Controls / 6. Encryption

  • The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.

30/05/2007 DBDI / Security 25

Computer-Based Controls / 7. RAID (Redundant Array of Independent Disks) Technology

  • Hardware for DBMS must be fault-tolerant.
  • One solution: having fault-tolerant redundant components
  • fault-tolerant components include disk drives, disk controllers, CPU, power supplies, and cooling fans.
  • Disk drives are most vulnerable components.
  • One solution: RAID 30/05/2007 DBDI / Security 26

Security in Microsoft Office Access DBMS

  • Provides two methods for securing a database: - setting a password for opening a database (system security); - user-level security, which can be used to limit the parts of the database that a user can read or update (data security).

30/05/2007 DBDI / Security 27

Securing the DreamHome database using a password

Note: You need to open DB in Exclusive mode

30/05/2007 DBDI / Security 28

User and Group Accounts dialog box for the DreamHome database

User and Group Permissions dialog box Security in Oracle DBMS: Creation of a new user with password authentication set

30/05/2007 DBDI / Security 37

Summary

  • Security Definition
  • Need of Security
  • Countermeasures
    • Computer-Based Controls
    • Discretionary Access Control (DAC)
  • Security in MS Access
  • Web Security