

















Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
As the use of Internet technology is growing for both the Intranet and the Internet, information security is becoming exceedingly crucial for organizations
Typology: Lecture notes
1 / 25
This page cannot be seen from the preview
Don't miss anything!


















To connect to a server through a client machine, you would need to configure the server to allow access to only trusted IP addresses. You should know exactly who should be allowed to access your database server. For example, if it is the back end of a web server, then only that web server address should be allowed access to the database server. If the database server is the back end of a local application that is running on the internal network, then it should only talk to addresses from within the internal network. Database Connections With the ever-increasing number of Dynamic Applications, an application may allow immediate unauthenticated updates to some database. If you are going to allow users make updates to some database via a web page, please ensure that you validate all such updates. This will ensure that all updates are desirable and safe. For example, you may remove any possible SQL code from a user-supplied input. If a normal user does not input SQL code, then we need not allow such data to be submitted. Table Access Control Table access control is probably one of the most overlooked but one of the very strong forms of database security because of the difficulty in applying it. Using a table access control properly would require the collaboration of both the system administrator as well as the database developer. In practice, however such “collaboration” is relatively difficult to find. Restricting Database Access By now we have defined some of the basic issues of database security, let us now look into the specifics of server security, from the point of view of network access of the system. Internet based databases have been the most recent targets of security attacks. All web-enabled applications listen to a number of ports. Cyber criminals often perform a simple “port scan” to
look for ports that are open from the popular default ports used by database systems. How can we address this problem? We can address this problem “by default”, that is, we can change the default ports a database service would listen into. Thus, this is a very simple way to protect the DBMS from such criminals. There are many ways of preventing open access from the Internet. Each DBMS and OS has its own set of unique features for the same. Let us discuss some general methods of preventing open access from the Internet.
to users and roles as necessary. We will now look at the methods for removing permissions from users. Removing Permissions Once we have granted permissions, it may be necessary to revoke them at a later date. SQL provides us with the REVOKE command to remove granted permissions. The following is the syntax of this command: REVOKE [GRANT OPTION FOR] permission. You can also issue a GRANT command to provide the DELETE permission to Usha’s account. The access control mechanisms supported by the Standard Query Language is a good starting point, but you must look into the DBMS documentation to locate the enhanced security measures supported by your system. You will find that many DBMS support more advanced access control mechanisms, such as granting permissions on specific attributes. STATISTICAL DATABASE SECURITY By now we have discussed the basic security measures in both DBMS and SQL commands that provide necessary permissions to the users. However, in practice there are many database systems where information can be determined without having the access rights to do so. This is a breach of data confidentiality. In the subsequent subsection we discuss this problem and the way to resolve it. Types of Disclosures Data of an organisation is a very sensitive resource. Even the characteristics of data are quite sensitive. For example, existence of a piece of data such as “use of health related drugs” is sensitive information and is a form of disclosure. The various type of disclosure may be: Disclosure of data as indicated in the previous section is a major problem as disclosure may result in breach of security in some form or the other, and thus, is not acceptable. Thus, the first step in this direction would be to reject any query that directly asks for sensitive information that is hidden. But, how about a sequence of queries that are raised for the purpose of statistics (management information)? For example, we may be able to determine the average marks obtained in a class of 50 students, but if only 2 students have opted for a subject then the first student who knows his/her marks can find the marks of the other student by issuing the average marks query. Thus, statistical queries should be permitted only when some minimum number of records satisfies a condition. Thus, the overall objectives are to make sure that security is not compromised. Let us discuss some of the queries that may result in the disclosure of sensitive data. Consider the relation in the following Table : Enrolment No. Name Gender Grade Fee paid Age Hostel 0601 Ani l M C 10000 25 Ganga ii) The queries that result in limited value can be checked by either rejecting a query. If the result set size is too small, it is also called ‘suppression’ or if the information that is to be displayed as a result of the query is changed slightly so that it does not match the actual value it is also called concealing. MULTILEVEL SECURITY In certain applications data items can be classified under various levels of security. Some such security levels may be Secret, Classified, etc. The database system that supports such security features are known as Multilevel Sensitive Databases. Such systems may have the following three security features: Security of different objects may be different from the other attribute values of that tuple or security may be different from the other values of the attributes. Thus, every individual element is the micro item for security. In addition, security against statistical queries may also need to be provided. A number of security level needs to be defined for such security. But how do we enforce the multilevel security? There are many techniques to support multi-level security. Two important methods of these are: Partitioning In this approach the original database is divided into partitions. Each of the partitions has a different level of security. However, the major drawback of this approach is that the database looses the advantage of a relation. Encryption Encryption of critical information may help in maintaining security as a user who accidentally receives them cannot interpret the data. Such a scheme may be used when a user password file is implemented in the database design. However, the simple encryption algorithms are not secure, also since data is available in the database it may also be obtained in response to a query. There are many more schemes to handle such multi-level database security. These references are given in the further reading. AUDIT TRAILS IN THE DATABASES One of the key issues to consider while procuring a database security solution is making sure you have a secure audit-trail. An audit trail tracks and reports activities around confidential data. Many companies have not realized the potential amount of risk associated with sensitive information within databases unless they run an internal audit which details who has access to sensitive data and have assessed it. Consider the situation that a DBA who has complete control of database information may conduct a security breach, with respect to business details and financial information. This will cause tremendous loss to the company. In such a situation database audit helps in locating the source of the problem. The database audit process involves a review of log files to find and examine all reads and writes to database items during a specific time period, to ascertain mischief if any, banking database is one such database which contains very critical data and should have the security feature of auditing. An audit trail is a log that is used for the purpose of security auditing Database auditing is one of the essential requirements for security especially, for companies in possession of critical data. Such companies should define their auditing strategy based on their knowledge of the application or database activity. Auditing need not be of the type “all or nothing”. One must do intelligent auditing to save time and reduce performance concerns. This also limits the volume of logs and also causes more critical security events to be highlighted. More often then not, it is the insiders who makes database intrusions as they often have network authorization, knowledge of database access codes and the idea about the value of data they want to exploit. Sometimes despite having all the access rights and policies in place, database files may be directly accessible (either on the server or from backup media) to such users. Most of the database applications, store information in ‘form text’ that is completely unprotected and viewable. As huge amounts are at stake, incidents of security breaches will increase and continue to be widespread. For example, a large global investment bank conducted an audit of its proprietary banking data. It was revealed that more than ten DBAs had unrestricted access to their key sensitive databases and over hundred employees had administrative access to the operating systems. The security policy that was in place was that proprietary information in the database should be denied to employees who did not require access to such information to perform their duties. Further, the bank’s database internal audit also reported that the backup data (which is taken once every day) was also cause for concern as tapes could get stolen. Thus the risk to the database was high and real and that the bank needed to protect its data. However, a word of caution, while considering ways to protect sensitive database information, please ensure that the privacy protection process should not prevent authorized personnel from obtaining the right data at the right time. The credit card information is the single, most common financially traded information that is desired by database attackers. The positive news is that database misuse or unauthorized access can be prevented with currently available database security products and audit procedures. DISTRIBUTED DATABASES Relational Database Management Systems are the backbone of most of the commercial database management systems. With the client-server architecture in place they can even be used in local and global networks. However, client-server systems are primarily centralized in nature-that is, the data is under the control of one single DBMS. What about applications that are distributed, where large number of transactions may be related to a local site, and where there are also a few global transactions? In such situations, it may be advisable to use a distributed database system. In this unit, we will discuss the classification of distributed databases, its functions and architecture, distributed query design and the commit protocol. Towards the end of the unit we will also introduce the concept of replication servers. CENTRALISED Vs. NON-CENTRALISED DATABASES If the data of an organisation is stored at a single location under the strict control of the DBMS, then, it is termed as a centralized database system. A centralized system has the advantage of controlling data under a central authority, so, the chances of integrity loss, inaccuracy are very low. In such a system it is easier to enforce business rules and the system can also be made very secure. However, consider the situation when the organisation is geographically dispersed and the data is created and used at many distributed offices of the same organisation. In such a case the centralized database may act, as a bottleneck as all accesses to data has to be from the central site. The reliability and availability of such a system will not only be dependent on the centralized system but also on the communication links. The load on the central system may also is available in the non-database system. This action is to be supported transparently, such that the users need not know the details. architecture has been defined for the centralized system and can be extended for the distributed database systems with various levels defined for data distribution as well. Reference architecture may also define the following additional schema for distributed database systems: the Figure 2 the transactions that are shown occurring on Site 1 will have direct connection to Site 1, but they will have an indirect communication to Site 2, to access the local sales data of that site. Thus, a network is necessary for a distributed database system. Component architecture of DDBMS Thus, we have clients, servers and the network in the distributed databases. Now the question is how to use names in this network of a DDBMS sites? The names on a DDBMS may be provided using a global directory service. To allow easy access to the configuration of data, a networks name server can be used to provide information on the repositories of the databases and their data distribution. Global System Catalogue: One of the ways of keeping information about data distribution is through the system catalogue of the DBMSs. In a DDBMS we need to keep a global system catalogue. This catalogue itself might be distributed in implementation. In addition to basic information about the databases it should keep information on data fragmentation and replication schema. Database Links : A database in a distributed database is distinct from the other databases in the system. Each of these distributed databases may have their own global database name. All these database components would also have certain local names. Now, the questions are: How reach out from one database in a distributed database to another database and how does one resolve the names of various schema elements in the distributed databases that are available across the network. Figure 3 represents a hierarchical arrangement of databases components that are available on a network. It shows the hierarchical arrangement of a hypothetical distributed database of some Universities. As far as the first question is concerned, an application can travel from one database system to another by using database links, which is a unidirectional path from one database to another. Such links must be transparent from a user point of view. Figure 3: Network directories and global database naming Network directories and global database naming Now, as far as naming issues are concerned, the names of the database may be resolved by specifying the path. For example, in the Figure 3 , the name for the result database in IGNOU – SRE may be RESULT, may also be the same for the JNU, which database for storing the result of the student. However, these databases will be referred to as: RESULT.SRE.IGNOU.EDU_INST.EDU (Please note that EDU_INST represents “Educational Institutes” block in Figure 3 ) and RESULT.SCHOOL.JNU.EDU_INST.EDU FROM <user/role> Please notice that the syntax of this command is almost similar to that of the GRANT command. Please also note that the WITH GRANT OPTION is specified on the REVOKE command line and not at the end of the command as was the case in GRANT. As an example, let us imagine we want to revoke a previously granted permission to the user Usha, such that she is not able to remove records from the STUDENT database. The following commands will solve the problem: REVOKE DELETE ON STUDENT FROM Usha There is one additional mechanism supported by some commercial DBMS that is worth discussing − the DENY command. This command can be used to explicitly deny permission to a user that s/he might otherwise have received because of his/her membership of a role. Here is the syntax: DENY
TO <user/role> Consider the last problem again, let us imagine that Usha was also a member of the Teachers role that also had access to the STUDENT table. The previous REVOKE statement would not be sufficient to deny her access to the table. It will remove the permission granted to her through a GRANT statement, but would not affect the permissions gained through her membership in the Teachers role. However, if we use a DENY statement it will block permission for any role. Here is the command: DENY DELETE ON STUDENT TO Usha Thus DENY command creates a “NOT PERMITTED” statement in the database access controls. If we later want to give Usha permission to remove student records again from the STUDENT table, we cannot simply use the GRANT command. This is because of the fact that the GRANT command permission to DELETE record would be overridden by the existing DENY. Thus, first we use the REVOKE command to remove the DENY Not permission as: REVOKE DELETE ON STUDENT FROM Usha Please notice that this command is exactly the same as the REVOKE used to remove a granted permission. Thus, the DENY and GRANT commands both work in a similar fashion -- they both create permissions in the database access control mechanism. The REVOKE command removes all such permissions for the specified user. Once this command has been issued, Usha will be able to delete student records from the table if she is a member of a role that possesses that
Security vs. Decisions