DB.ppt

  1. Database Security, by Bei Yuan
  2. Why do we need DB Security?
     • Keep data organized and confidential
     • Secure others' DBs
  3. Security Issues:
     • Security Policy
     • Access Control
     • Encryption
     • Internet Security
     • Threat Monitoring (Auditing)
  4. Security Policy
     • Exposures: a form of possible loss to a firm.
     • Vulnerabilities: weaknesses in an enterprise's system.
     • Threats: specific, potential attacks on the enterprise.
     • Controls: measures that eliminate threats, vulnerabilities and exposures.
  5. A security system is a system.
  6. Access Control
     • Access Control Models
     • User Authentication
  7. Access Control Models
     • Discretionary Access Control (DAC) Model
     • Mandatory Access Control (MAC) Model
     • Role-Based Access Control (RBAC) Model
  8. Discretionary Access Control
     • Ownership-based, flexible, most widely used, low assurance
     • Privileged users: the DBA and the owners of the tables
  9. Limitations of DAC
  10. Mandatory Access Control
     • Administration-based
     • Data flow control rules
     • High level of security, but less flexible
  11. MAC Policy
  12. Role-Based Access Control
     • Flexible
     • Separation of duty
     • Able to express DAC, MAC, and user-specific policies using role constraints
     • Easy to incorporate into current technology
  13. User Authentication
     • Password-Based Authentication
     • Host-Based Authentication
     • Third-Party-Based Authentication
  14. Encryption
     • Full Database Encryption
     • Partial Database Encryption
     • Off-Line Database Encryption
  15. Full Database Encryption
     • Limits the readability of DB files in the OS
     • Redundancy
     • Changing the encryption key is time-consuming
  16. Off-Line Database Encryption
     • A note of caution: organizations considering this should thoroughly test that data which is encrypted before off-line storage can be decrypted and re-imported successfully before embarking on large-scale encryption of backup data.
  17. Internet Security
     • Server Security
       – Static Web Pages
       – Dynamic Page Generation
     • Session Security
  18. Session Security
     • Secret-key security (using a single key)
     • Public-key security (using two keys)
       – SSL protocol
  19. Auditing
     • Audit via the database or the operating system
     • The DBA must be able to log every relevant user action in order to recreate a series of actions.
     • The series of user actions is called the audit trail.
  20. Conclusion
     • Database security will always be the critical component of every information system.
     • "Security costs. Pay for it, or pay for not having it."
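Slide 12 (RBAC with separation of duty) and slide 19 (the audit trail) can be illustrated in one DDL script. This is an added example, not from the slides; it assumes PostgreSQL 11 or later, and the table, role and user names (payments, payment_clerk, payment_approver, alice, bob) are hypothetical.

```sql
-- Added example (not from the slides). Assumes PostgreSQL 11+.
-- Hypothetical scenario: a payment must be entered by one person and
-- approved by a different person.
CREATE TABLE payments (
    id          serial PRIMARY KEY,
    amount      numeric(12,2) NOT NULL,
    entered_by  text NOT NULL DEFAULT current_user,
    approved_by text
);

-- RBAC: privileges are granted to roles, never to individuals directly
-- (under DAC the table owner would GRANT to each user by hand).
CREATE ROLE payment_clerk NOLOGIN;
CREATE ROLE payment_approver NOLOGIN;
GRANT SELECT, INSERT ON payments TO payment_clerk;
GRANT USAGE ON SEQUENCE payments_id_seq TO payment_clerk;
GRANT SELECT, UPDATE (approved_by) ON payments TO payment_approver;

-- Separation of duty as a role constraint: the row refuses self-approval
-- even if someone is later granted both roles.
CREATE FUNCTION enforce_sod() RETURNS trigger AS $$
BEGIN
    IF NEW.approved_by IS NOT NULL AND NEW.approved_by = NEW.entered_by THEN
        RAISE EXCEPTION 'separation of duty: % cannot approve own entry',
            NEW.approved_by;
    END IF;
    RETURN NEW;
END $$ LANGUAGE plpgsql;
CREATE TRIGGER payments_sod BEFORE UPDATE ON payments
    FOR EACH ROW EXECUTE FUNCTION enforce_sod();

-- Audit trail: log every relevant action so the sequence can be recreated.
CREATE TABLE payments_audit (
    at      timestamptz NOT NULL DEFAULT now(),
    actor   text NOT NULL DEFAULT current_user,
    action  text NOT NULL,
    row_id  integer,
    old_row jsonb,
    new_row jsonb
);
CREATE FUNCTION audit_payments() RETURNS trigger AS $$
BEGIN
    INSERT INTO payments_audit (action, row_id, old_row, new_row)
    VALUES (TG_OP, COALESCE(NEW.id, OLD.id), to_jsonb(OLD), to_jsonb(NEW));
    RETURN NULL;
END $$ LANGUAGE plpgsql;
CREATE TRIGGER payments_audit_trail AFTER INSERT OR UPDATE OR DELETE ON payments
    FOR EACH ROW EXECUTE FUNCTION audit_payments();

-- Assign people to roles: alice enters payments, bob approves them.
CREATE ROLE alice LOGIN;  CREATE ROLE bob LOGIN;
GRANT payment_clerk TO alice;
GRANT payment_approver TO bob;
```

With this in place, an UPDATE by alice setting approved_by to her own name is rejected by payments_sod, and every INSERT, UPDATE or DELETE leaves a row in payments_audit naming the actor and the before/after state.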
