Database Security (ppt)
Upcoming SlideShare
Loading in...5

Database Security (ppt)






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Database Security (ppt) Database Security (ppt) Presentation Transcript

  • Database Security Tampere University of Technology, 2003. 8102300 Introduction to Databases. Oleg Esin. [email_address]
  • What is database security?
    • Database security – The mechanisms that protect the database against intentional or accidental threats.
    • Major areas of loss:
        • theft and fraud
        • loss of confidentiality
        • loss of privacy
        • loss of integrity
        • loss of availability
  • Threats
    • Treat – Any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization.
        • Using another person’s means of access
        • Illegal entry by hacker
        • Creating “trapdoor” into system
        • Theft of data, programs, and equipment
        • Staff shortages or strikes
        • Inadequate staff training
        • Viewing and disclosing unauthorized data
        • Data corruption owning to power loss or surge
        • Physical damage to equipment
        • Introduction of viruses
    View slide
  • Potential threats to computer system
    • DBMS and Application Software - Failure of security mechanisms giving greater access; Program alteration; Theft of programs.
    • Communication networks - Wire tapping; Breaking of cables; Electronic interference and radiation.
    • Data/Database Administrator - Inadequate security policies and procedures.
    • Hardware - fire/flood/bombs; Data corruption due to power loss; Theft of equipment;
    • Database - Unauthorized amendment or copying of data; Theft of data; Data corruption due to power loss.
    • Users - Using another person’s means of access; Viewing and disclosing unauthorized data; Inadequate Staff training; Introduction of viruses.
    • Programmers/Operators - Creating trapdoors; Program alteration; Inadequate security policies; Staff shortage or strikes.
    View slide
  • Countermeasures – Computer-Based Controls
        • Authorization and Authentication
        • Views
        • Backup and Recovery
        • Integrity
        • Encryption
        • RAID technology
  • Authorization and Authentication
    • Authorization – The granting of a right or privilege that enables a subject to have legitimate access to a system or a system’s objects.
    • Authentication – A mechanism that determines whether a user is who he/she claims to be.
  • Views View - A view is the dynamic result of one or more relational operations operating on the base relations to produce another relation. A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request. The view mechanism provides a powerful and flexible security mechanism by hiding parts of the database from certain users.
  • Backup and Recovery Backup - The process of periodically taking a copy of the database and log file on to offline storage media. Journaling - The process of keeping and maintaining a log file (or journal) of all changes made to the database to enable recovery to be undertaken effectively in the event of a failure.
  • Encryption Encryption - The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key. Symmetric encryption - DES, IDEA, RC4, BlowFish, AES. Asymmetric encryption - RSA, Diffie-Helman. Plain-data Algorithm and password Encrypted data
  • RAID - Redundant Array of Independent Disks
    • RAID is a category of disk drives that employ two or more drives in combination for fault tolerance and performance. RAID disk drives are used frequently on servers running the databases.
          • Level 0: Provides data striping (spreading out blocks of each file across multiple disks) but no redundancy. This improves performance but does not deliver fault tolerance.
          • Level 1: Provides disk mirroring.
          • Level 3: Same as Level 0, but also reserves one dedicated disk for error correction data. It provides good performance and some level of fault tolerance.
          • Level 5: Provides data striping at the byte level and also stripe error correction information. This results in excellent performance and good fault tolerance.
  • Microsoft Access and Oracle DBMS Microsoft Access: System level security - password. User-level security - identification as a member of groups (Administrators and Users), permissions are granted (Open/Run, Read, Update, Delete, etc). Oracle DBMS: System level security - name, password. User-level security is based on a privilege, i.e a right to execute a particular type of SQL statements or to access another user’s object. System privileges and object privileges.
  • DBMSs and Web Security
        • Proxy servers
        • Firewalls
        • Message Digest Algorithms and Digital Signature
        • Digital Certificates
        • SSL and S-HTTP
  • Proxy servers Proxy servers is a computer that sits between a Web browser and a Web servers. It intercepts all requests for web pages and saves them locally for some time. Proxy server provides improvement in performance and filters requests. Computer A Computer B Proxy-server Internet
  • Firewalls
    • Firewall - is a system that prevents unauthorized access to or from private network. Implemented in software, hardware or both.
        • Packet filter
        • Application gateway
        • Circuit-level gateway (TCP, UDP protocols)
        • Proxy server
  • Message Digest Algorithms and Digital Signatures Message digest algorithm is the one-way hash function that produces a fixed-length string (hash) from an arbitrary-sized message. It’s computationally infeasible that there is another message with the same digest, the digest does not reveal anything about the message. Digital signature consist of two parts: a string of bits that is computed from the message and the private key of organization. Digital signature is used to verify that the message comes from this organization.
  • Digital Certificates Digital Certificate is an attachment to an electronic message used for security purposes, most commonly to verify that a user sending a message is who he/she claims to be, and provide the receiver with the means to encrypt a reply. Protocol - X.509. Digital Certificate Authorities - VeriSign, Thwate.
  • Secure Sockets Layer and Secure HTTP
    • SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely. S-HTTP is designed to transmit individual messages securely. Both use asymmetric encryption.
    • Allow Web browsers and servers to authenticate each other
    • Permit Web site owners to control access to particular servers, directories, files
    • Allow sharing of sensitive information (credit card numbers) only between browser and server
    • Ensure that data exchange between browser and server is reliable