2. Introduction
Most DBMS did not have a secure mechanisms for
authentication and encryption until recently.
DBA is required to have an additional skill-that of
implementing security policies that protect one of the
most valuable assets of company-its data.
Database Security is degree to which all data is fully
protected from tampering and unauthorized acts.
5. Confidentiality
Addresses two aspects
First aspect is prevention of unauthorized individuals
from accessing secret information.
Second aspect is process of safe guarding confidential
information and disclosing secret information only to
authorized individuals by means of classifying
information
7. Integrity
Consistent and valid data
Data is considered to have integrity if it is accurate
and has been tampered with intentionally or
accidentally.
8. Degradation of data integrity
Invalid data
Redundant Data (lead to inconsistency and data anomalies)
Inconsistent data (redundant data resides in several places, is
not identical)
Data Anomalies (occurs when one occurrence of the repeated
data is changed and the other occurrences are not)
9. Degradation of data integrity
Data read inconsistency (data changes that are made by the
user are visible to others before changes are committed; indicates user
does not always read the last committed data)
Data non concurrency
11. Database security access points
A security access point is place where database
security must be protected and applied.
People (secure data within the DB against violations caused by people)
Applications (when granting security privileges to applications, be
cautious, permissions shouldn’t too loose/too restrictive)
Network
12. Database security access points
OS (gateway to data, security credentials must be verified)
DBMS
Data Files (make use of encryption and permissions to protect
data files belonging to database)
Data
13. Data Integrity violation process
Security
Access points
Are
unprotected
Data
Integrity
Violation
Process of security gap resulting in security breach
14. Data Integrity violation process
Security gaps are points at which security is missing, and
thus system is vulnerable.
Vulnerability is state in which an object can potentially be
affected by a force or another object or even a situation
but not necessarily is or will be.
Threat is defined as security risk that has high possibility
of becoming a system breach.
16. Database Security Levels
VIEW database object is stored query that returns
columns and rows from selected tables.
Data provided by view object is protected by database
system functionality that allows schema owners to grant
or revoke privileges.
Data files in which data resides are protected by database
and that protection is enforced by OS file permissions.
Finally database is secured by DBMS (through accounts
and password mechanism, privileges, permissions to few)
17. Menaces to Databases
Security Vulnerability
Security Threat (security violation that can happen any time
because of security vulnerability)
Security Risk (A known security gap that company intentionally
leaves open)
18. Types of Vulnerabilities
Susceptible to attack
Intruders, attackers exploit in our environment to
start their attacks.
Hackers usually explore the weak points of a system
until they gain entry through gap in protection.
19. Types of Vulnerabilities
Installation and configuration (results from default
installation/configuration which is known publicly and we don’t
enforce any security measures)
User mistakes (due to carelessness in implementing procedures)
Software (found in commercial softwares, patches not applied)
Design and implementation (due to improper software
analysis, design as well as coding deficiencies)
20. Types of Threats
People (people intentionally/unitentionally inflict damage, e.g.
hackers,terrorists)
Malicious code (software code that is intentionally written to
damage the components, e.g. viruses)
Natural disasters
Technological disasters (malfunction in equipment, e.g.
network failure, hardware failure)
22. Types of Risks
People (loss of people who are vital components of DB, e.g. due to
resignation)
Hardware (results in hardware unavailability, down due to failure,
malfunction)
Data (data loss, corruption)
Confidence (loss of public confidence in data produced by
company)
24. Security Methods
People
a.Security policies & procedures
b.Process of identification and authentication
c. Training courses on importance of security
d.Physical limits on access to hardware and documents
30. Database Security Methodology
Identification (investigation of resources reqd., policies to be
adopted)
Assessment (analysis of vulnerabilities, threats and risks)
Design (blueprint of adopted security model)
Implementation (code developed, tools purchased)
Evaluation (testing system against attacks, failures, disasters)
Auditing