Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Database Security
1. Database
Database is the collection of logically related data
that satisfy the needs of an organization.
Data is organized into rows, columns and tables.
Data gets updated, expanded and deleted as new
information is added.
Databases hold the backbone of an organization.
2. Database security
Databases often contain extremely sensitive
information that must be protected from
security vulnerabilities and exploits.
It contain customers, employee info, financial
data for both the company and its customers,
and much more are all held in databases.
Database security and integrity are important
aspects of an organization’s security.
3. Database Security
It is not desirable for all users to see the entire
logical model.
Security considerations may require that
certain data be hidden from users.
To do so, applications must authenticate users,
and ensure that users are only allowed to carry
out authorized tasks.
4. For example, in a university, payroll personnel
need to see only that part of the database that has
financial information. For example,
SELECT ID, name, dept name
FROM instructor
5. • According to technology Application Security,
the following are the top 10 threats related to
databases:
• Default or weak passwords, SQL injection,
Excessive user and group privileges, Unnecessary
DBMS features enabled, Broken configuration
management, Buffer overflows, Privilege
escalation, Denial of service, Un-patched
RDBMS, Unencrypted data, Privacy
6. Security Loopholes
In this section, we first describe several
security loopholes that can permit hackers to
carry out actions.
The authentication and authorization carried
out by the application, and explain how to
prevent such loopholes.
7. Many databases today store sensitive customer
information, such as credit card numbers,
names, fingerprints, signatures, and
identification numbers such as, social-security
numbers.
A criminal who gets access to such data can
use it for a variety of illegal activities such as
purchasing goods using a credit-card number,
or even acquiring a credit card in someone
else’s name.
8. Organizations such as credit-card companies
use knowledge of personal information as a
way of identifying who is requesting a service
or goods.
Leakage of such personal information allows a
criminal to impersonate someone else and get
access to service or goods; such impersonation
is referred to as identity theft.
9. Encrypted
Thus, applications that store such sensitive
data must take great care to protect them from
theft.
To reduce the chance of sensitive information
being acquired by criminals, many countries
and states today require by law that any
database storing such sensitive information
must store the information in an encrypted
form.
10. There are a vast number of techniques for the
encryption of data. Simple encryption techniques
may not provide adequate security, since it may
be easy for an unauthorized user to break the
code.
As an example of a weak encryption technique,
consider the substitution of each character with the
next character in the alphabet. Thus, Perry ridge
Becomes Qfsszsjehf.
11. Password-based authentication is used widely by
operating systems as well as databases.
A more secure scheme involves a challenge–
response system. The database system sends a
challenge string to the user.
The user encrypts the challenge string using a secret
password as encryption key and then returns the
result.
Encryption of certain sensitive data stored in
databases is a legal requirement in many countries
and states.
12. Apattention to security, to prevent attacks such
as SQL injection attacks and cross-site
scripting attacks
Aplication developers must pay careful
Protecting the privacy of data is an important
task for database applications.
13. Properties
A good encryption technique has the following
properties:
It is relatively simple for authorized users to
encrypt and decrypt data.
It depends on the algorithm called the encryption
key, which is used to encrypt data.
Its decryption key is extremely difficult for an
intruder to determine, even if the intruder has
access to encrypted data.