DATABASE SECURITY & AUTHORIZATION
PRESENTED TO: PROF ABIDA WAHEED
(HOD OF COMPUTER SCIENCE)
Presented By:
• Aoun Jafry
• Maham Amjad
• Inshal Mubashir
• Tayyba Sajjad
Overview
• Database Security
• Levels of Data Security
• Authorization in Database
Database Security
• Database security: protection of the data from malicious attempts to steal (view) or modify it.
Importance of Data
• Bank accounts
• Credit card, salary and income tax data
• University admissions, marks/grades
• Land records, licences
• Data = crown jewels for organizations
• Recent headlines:
  • Personal information of millions of credit card users stolen
  • Laws on privacy in the US
  • Theft of US data in Pakistan
  • Hackers steal credit card data using card readers and make fraudulent purchases
  • Hacker creates a fake web site to phish for credit card information
  • ID card fraud in KPK
UBL BAD (bank account data)
• Another possible reason could be debit card hacking, done by tampering with ATMs: the card's data is duplicated (skimmed) when it is inserted into the machine, the PIN is captured by an installed key logger, and the cloned cards are then used on the internet.
• The aggrieved customers were told by the bank's representatives that its services were facing issues and that the bank was trying hard to fix them.
• Customers further reported that their cards were blocked on a temporary basis.
NBP (National Bank of Pakistan)
• NBP reported a cyber security related incident which is being investigated; NBP has not observed any data breach or financial loss. (30 October 2021)
Levels of Data Security
• Human level: corrupt/careless user
• Network/user interface
• Database application program
• Database system
• Operating system
• Physical level
Levels of Data Security: Physical and Operating System Level
Physical level
• Traditional lock-and-key security
• Protection from floods, fire, etc.
• It is also important not to host web servers and applications on the same server as the database the organization wants to secure
Operating system level
• Protection from administrator error, e.g. deleting critical files
• Solution: remote backup for disaster recovery, plus archival backup (e.g. DVDs/tapes/USB/hard disk)
• Protection from virus/worm attacks is critical
Levels of Data Security: Database Encryption
• E.g. what if a laptop/disk/USB key with critical data is lost?
• Partial solution: encrypt the database at the storage level, transparent to the application
  • Whole database/file/relation; unit of encryption: page
  • Column encryption
  • Partial because it protects data at rest only: once the database is running with its key loaded, anyone who can query it sees plaintext
• Main issue: key management
  • E.g. the user provides the decryption key (password) when the database is started up, so the key is never stored with the data
• Supported by many database systems
• Standard practice now to encrypt credit card information and other sensitive information
• Network level: must use encryption to prevent
  • Eavesdropping: unauthorized reading of messages
  • Masquerading: pretending to be an authorized user or legitimate site, or sending messages supposedly from authorized users
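As an added example (not part of the original slides), the following Python shows column encryption for a credit-card field stored in SQLite, with the key derived from a secret supplied at start-up and never written to the database file, which is the arrangement the slide describes. It uses only the standard library, so an HMAC-SHA256 keystream with a separate authentication tag stands in for a real authenticated cipher such as AES-GCM; in production use a library cipher. The table names, the start-up secret, the sample card number and the `demo()` scenario are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import tempfile

# Assumed names: the "startup secret" models the slide's "user provides the
# decryption key (password) when the database is started up".

def derive_key(startup_secret: str, salt: bytes) -> bytes:
    # Slow KDF so someone holding the file cannot cheaply brute-force the secret.
    return hashlib.pbkdf2_hmac("sha256", startup_secret.encode(), salt, 100_000, dklen=32)

def _subkeys(key: bytes):
    # Separate keystream and MAC keys so the two HMAC uses can never overlap.
    enc = hmac.new(key, b"column-encrypt", hashlib.sha256).digest()
    mac = hmac.new(key, b"column-mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: stand-in for AES-GCM, built from the standard library only."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)  # fresh per field, so equal card numbers differ on disk
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_field(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or ciphertext tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def open_store(path: str, startup_secret: str):
    """Open the database; the key lives only in memory, never in the file."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS crypto_meta (name TEXT PRIMARY KEY, value BLOB)")
    conn.execute("CREATE TABLE IF NOT EXISTS customer "
                 "(id INTEGER PRIMARY KEY, name TEXT, card_enc BLOB)")
    row = conn.execute("SELECT value FROM crypto_meta WHERE name = 'kdf_salt'").fetchone()
    if row is None:
        salt = secrets.token_bytes(16)  # the salt is not secret, so it may live in the file
        conn.execute("INSERT INTO crypto_meta VALUES ('kdf_salt', ?)", (salt,))
        conn.commit()
    else:
        salt = row[0]
    return conn, derive_key(startup_secret, salt)

def store_card(conn, key: bytes, name: str, pan: str) -> int:
    cur = conn.execute("INSERT INTO customer (name, card_enc) VALUES (?, ?)",
                       (name, encrypt_field(key, pan.encode())))
    conn.commit()
    return cur.lastrowid

def load_card(conn, key: bytes, customer_id: int) -> str:
    (blob,) = conn.execute("SELECT card_enc FROM customer WHERE id = ?", (customer_id,)).fetchone()
    return decrypt_field(key, blob).decode()

def demo() -> dict:
    """Lost-laptop scenario: the file on its own must not reveal the card number."""
    pan = "4111111111111111"  # constructed test card number
    path = os.path.join(tempfile.mkdtemp(), "crm.db")
    conn, key = open_store(path, "correct horse battery staple")
    cid = store_card(conn, key, "A. Customer", pan)
    conn.close()
    with open(path, "rb") as f:
        raw = f.read()  # what the thief sees
    conn, key = open_store(path, "correct horse battery staple")
    readable = load_card(conn, key, cid)
    conn.close()
    conn, wrong = open_store(path, "guess")
    try:
        load_card(conn, wrong, cid)
        wrong_key_fails = False
    except ValueError:
        wrong_key_fails = True
    conn.close()
    return {"pan_in_file": pan.encode() in raw, "readable": readable,
            "wrong_key_fails": wrong_key_fails}
```

`demo()` writes the file, reads it back as raw bytes to confirm the card number is absent, then reopens it with the right and with a wrong start-up secret. The per-field nonce and the authentication tag are what make a stolen file useless without the secret and make silent tampering detectable.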
Levels of Data Security: Network Security and Site Authentication
• All information must be encrypted to prevent eavesdropping
  • Public/private key encryption widely used
  • Handled by secure HTTP (https://)
• Must prevent person-in-the-middle attacks
  • E.g. someone impersonates a seller or bank/credit card company and fools the buyer into revealing information
  • Encrypting messages alone doesn't solve this problem
• Digital certificates are used in https to prevent impersonation / man-in-the-middle attacks
  • A certification agency (certificate authority) creates a digital certificate by signing the site's public key and name with its own private key (informally: encrypting them with its private key)
    • It verifies the site's identity by external means first!
  • The site sends its certificate to the buyer
  • The customer uses the certification agency's public key to verify the certificate's signature and so obtains the site's public key
  • A man-in-the-middle cannot substitute a fake public key, because it cannot produce the agency's signature over it
  • The site's public key is then used to set up secure communication
Levels of Data Security: Security at the Database/Application Program
Database vs. application
• Authentication and authorization mechanisms allow specific users access only to the data they require
  • Authentication: who are you? Prove it!
  • Authorization: what are you allowed to do?
• The application authenticates/authorizes its users
• The application itself authenticates to the database (database password)
  • The database then sees only the application's identity, so per-user restrictions must be enforced in the application or pushed down to the database as fine-grained access control
• Flow: user → application program → database
Levels of Data Security: User Authentication
• Password
  • Most users abuse passwords, e.g. choosing easy-to-guess passwords or sharing passwords with others
• Smartcards
  • Need the smartcard plus a PIN or password (two factors)
What is Database Authorization?
• Authorization is the process by which the database manager obtains information about the authenticated user: in particular, which database operations the user can perform and which data objects the user can access.
Types of Authorization
• Read authorization: allows reading, but not modification, of data.
• Insert authorization: allows insertion of new data, but not modification of existing data.
• Update authorization: allows modification, but not deletion, of data.
• Delete authorization: allows deletion of data.
• In SQL these are the SELECT, INSERT, UPDATE and DELETE privileges, granted per table (or column) with GRANT and withdrawn with REVOKE.
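The read/insert/update/delete split above, together with the earlier point that the application authenticates users and then acts on their behalf against the database, as an added example that is not part of the original slides. SQLite has no GRANT statement, so the per-role policy is enforced with Python's `sqlite3` authorizer hook, which SQLite consults for every table access while compiling a statement; the roles, tables and the `POLICY` mapping are constructed for the example. In a server database the same policy would be expressed with GRANT SELECT/INSERT/UPDATE/DELETE on each table.

```python
import sqlite3

# Constructed policy: role -> table -> allowed operations (deny by default).
POLICY = {
    "auditor": {"account": {"read"}, "txn_log": {"read"}},
    "teller":  {"account": {"read", "update"}, "txn_log": {"read", "insert"}},
    "dba":     {"account": {"read", "insert", "update", "delete"},
                "txn_log": {"read", "insert", "update", "delete"}},
}

# SQLite reports each table access as one of these actions; arg1 is the table name.
ACTION_NAMES = {
    sqlite3.SQLITE_READ: "read",      # one call per column read, incl. WHERE columns
    sqlite3.SQLITE_INSERT: "insert",
    sqlite3.SQLITE_UPDATE: "update",  # one call per column assigned
    sqlite3.SQLITE_DELETE: "delete",
}
# Schema changes are never part of an ordinary user's authorization.
DDL_ACTIONS = {
    sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE,
    sqlite3.SQLITE_CREATE_INDEX, sqlite3.SQLITE_DROP_INDEX,
    sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH, sqlite3.SQLITE_PRAGMA,
}

def make_authorizer(role: str):
    grants = POLICY[role]

    def authorizer(action, arg1, arg2, db_name, source):
        if action in ACTION_NAMES:
            if ACTION_NAMES[action] in grants.get(arg1, ()):
                return sqlite3.SQLITE_OK
            return sqlite3.SQLITE_DENY   # statement fails to compile: "not authorized"
        if action in DDL_ACTIONS:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK         # transactions, the SELECT shell, function calls
    return authorizer

def open_db() -> sqlite3.Connection:
    """Schema and rows are set up by the administrator before any user policy applies."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
        CREATE TABLE txn_log (id INTEGER PRIMARY KEY, account_id INTEGER, amount INTEGER);
        INSERT INTO account VALUES (1, 'alice', 100), (2, 'bob', 50);
    """)
    return conn

def run_as(conn: sqlite3.Connection, role: str, sql: str, params=()):
    """Application layer: the user is already authenticated, so attach that user's
    role policy to the shared connection for the duration of one statement."""
    conn.set_authorizer(make_authorizer(role))
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return ("ok", rows)
    except sqlite3.DatabaseError as err:
        conn.rollback()
        return ("denied", str(err))
    finally:
        conn.set_authorizer(None)
```

Note that the teller's UPDATE is allowed only because the role also holds read on `account`: the `WHERE id = 1` clause is a column read, and a role with update but no read would be refused at that point. That matches the SQL rule that an UPDATE with a WHERE clause needs SELECT on the columns it references.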
Database Authorization: Working
(figure: diagram of the authorization flow, not reproduced in this text)
Database Authorization Levels (IBM Db2 authorities)
• DBADM (database administrator): provides administrative authority over a single database.
• SECADM (security administrator): the ability to manage database security objects.
• SQLADM (SQL administrator): administrative authority to monitor and tune SQL statements within a single database. It can be granted by a user with ACCESSCTRL or SECADM authority.
References
• (Shameless advertisement!) Chapter 8 of Database System Concepts, 5th edition, Silberschatz, Korth and Sudarshan, McGraw-Hill
• The Open Web Application Security Project (OWASP): http://www.owasp.org
• Web application security scanners, e.g. WebInspect (SPI Dynamics): http://www.windowsecurity.com/software/Web-Application-Security/
• SQL injection: http://www.cgisecurity.com/development/sql.shtml
• 9 ways to hack a web app: http://developers.sun.com/learning/javaoneonline/2005/webtier/TS-5935.pdf
• Related research papers:
  • Kabra, Ramamurthy and Sudarshan, Redundancy and Information Leakage in Fine-Grained Access Control, SIGMOD 2006
  • Rizvi, Mendelzon, Sudarshan and Roy, Extending Query Rewriting Techniques for Fine-Grained Access Control, SIGMOD 2004
Thank You