Database Security
1. Database Security
Ghezal Ahmad Zia
Information Systems Department
Faculty of Computer Science
Kabul University
ghezalahmadzia@yahoo.com
May 16, 2014
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 1 / 42
2. Contents I
1 Introduction
2 Main Aspect of Database Security
Integrity
Confidentiality
Availability
3 Access Control
Discretionary Access Control
Mandatory Access Control
4 Conclusion
5 References
6. How to think about Insecurity?
People are part of the problem...
Bad guys don’t follow rules
Need to understand what sorts of attack are possible to compromise a system
Prerequisite to understand what to protect in a system!
12. Causes of Software Security Incidents
Buggy software and wrong configurations
Unsafe programming languages
Complex programs
Lack of awareness and education
Few courses in computer security
Programming textbooks do not emphasize security
Poor usability
Security sometimes makes things harder to use
Economic factors
Consumers do not care about security
Security is difficult, expensive and takes time
Few security audits
Human Factor
14. Human Factor
Who are the attackers?
Why do they attack systems?
19. What is Database security?
Database
It is a collection of information stored in a computer
Security
It is being free from danger
Database Security
The mechanisms that protect the database against intentional or accidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.
22. What are Threats?
Threats - Any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization.
Computer Systems
Databases
31. Threats
Hardware
o Fire/Flood/bombs
o Data corruption due to power loss or surge
o Failure of security mechanisms giving greater access
o Theft of equipment
o Physical damage of equipment
DBMS and Application Software
o Failure of security mechanism giving greater access
o Program alteration
o Theft of programs
Communication Networks
o Wire tapping
o Breaking or disconnection of cables
o Electronic interference and radiation
Database
o Unauthorized amendment or copying of data
o Theft of data
o Data corruption due to power loss or surge
Programmers/Operators
o Creating trapdoors
o Program alteration (such as creating software that is insecure)
o Inadequate staff training
o Inadequate security policies and procedure
User
o Using another person’s means of access
o Viewing and disclosing unauthorized data
o Inadequate staff training
o Illegal entry by hacker
o Blackmail
o Introduction of viruses
Data/Database Administrator
o Inadequate security
o Policies and procedures
34. Definition of Database security
Database Security is defined as the process by which “Confidentiality, Integrity, and Availability” of the database can be protected
Countermeasures
authorization
access control
views
backup and recovery
encryption
RAID technology
39. Database security Concepts
Three Main Aspects
Confidentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Confidentiality
43. Confidentiality
Confidentiality
No one can read our data / communication unless we want them to
It is protecting the database from unauthorized users.
Ensures that users are allowed to do the things they are trying to do.
For example:
The employees should not see the salaries of their managers.
47. Integrity
Integrity
No one can manipulate our data / processing / communication unless
we want them to
Protecting the database from authorized users.
Ensures that what users are trying to do is correct
For example:
An employee should be able to modify his or her own information.
48. Integrity
“Making sure that everything is as it is supposed to be.”
Preventing unauthorized writing or modifications
51. Availability
Availability
We can access our data / conduct our processing / use our
communication capabilities when we want to
Authorized users should be able to access data for legal purposes as necessary
For example:
Payment orders regarding taxes should be made on time by the tax law.
52. Availability
Services are accessible and useable (without delay) whenever needed by an
authorized entity.
55. Thanks for your attention!
57. Integrity
How is data integrity preserved?
Through data integrity constraints
Constraints restrict data values that can be inserted or updated
62. Column CHECK constraints
Example
Validity Checking Example
-- rollno accepts only values from 1 to 50
CREATE TABLE test
(rollno number(2) check (rollno between 1 and 50),
name varchar2(15));
Validity Checking Example
-- 45 is inside the allowed range
INSERT INTO test values(45, 'Willy');
1 row inserted
Validity Checking Example
-- 55 is outside the allowed range, so the row is rejected
INSERT INTO test values(55, 'Hiess');
ERROR-Check constraints violated
68. Confidentiality
Example: How to ensure data confidentiality?
Cryptography
Strong Access Control
Limiting number of places where data can appear
73. Access Control
An identity permits access to resources
In computer security this is called
Access Control
Authorization
We talk about:
Subjects (for whom an action is performed)
Objects (upon what an action is performed)
Operations (the type of action performed)
77. Access Control Models
A DBMS provides access control mechanisms to help implement a security
policy.
Two complementary types of mechanism:
1 Discretionary access control (DAC)
2 Mandatory access control (MAC)
84. Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.),
and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects
(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
86. Granting/Revoking Privileges
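-- Grant read access on every table of the database to an account
GRANT SELECT ON database.* TO user@'localhost';
-- Same grant, also setting the account's password
GRANT SELECT ON database.* TO user@'localhost' IDENTIFIED BY 'password';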
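The confidentiality example from earlier in the deck (employees should not see the salaries of their managers), expressed with a view plus GRANT and REVOKE; this is an added example, not part of the original slides. It uses MySQL 8.0 syntax, where accounts are created with CREATE USER because GRANT no longer accepts IDENTIFIED BY, and the hr schema, its table and view, the account names and the passwords are all hypothetical.

```sql
-- Added example (MySQL 8.0 syntax). The hr schema, its objects, the
-- accounts and the passwords are hypothetical placeholders.
CREATE DATABASE hr;

CREATE TABLE hr.employee (
    emp_id     INT PRIMARY KEY,
    name       VARCHAR(50)   NOT NULL,
    manager_id INT           NULL,
    salary     DECIMAL(10,2) NOT NULL
);

-- Object: a view that leaves the salary column out, so the sensitive
-- column is reachable through one object only.
CREATE VIEW hr.employee_directory AS
    SELECT emp_id, name, manager_id
    FROM hr.employee;

-- Subjects: one account per role.
CREATE USER 'staff'@'localhost'   IDENTIFIED BY 'placeholder-change-me-1';
CREATE USER 'payroll'@'localhost' IDENTIFIED BY 'placeholder-change-me-2';
CREATE USER 'auditor'@'localhost' IDENTIFIED BY 'placeholder-change-me-3';

-- Operations: staff may read the directory view and hold no privilege
-- on the base table, so SELECT salary FROM hr.employee is denied.
GRANT SELECT ON hr.employee_directory TO 'staff'@'localhost';

-- payroll may read and change the base table and, because of
-- WITH GRANT OPTION, pass those privileges on at its own discretion.
GRANT SELECT, UPDATE ON hr.employee TO 'payroll'@'localhost'
    WITH GRANT OPTION;

-- Run as payroll: delegate read access to the auditor account.
GRANT SELECT ON hr.employee TO 'auditor'@'localhost';

-- Run as the administrator: withdraw the delegated grant and the
-- right to delegate, each with its own REVOKE statement.
REVOKE SELECT ON hr.employee FROM 'auditor'@'localhost';
REVOKE GRANT OPTION ON hr.employee FROM 'payroll'@'localhost';

-- Check what each subject can still do.
SHOW GRANTS FOR 'staff'@'localhost';
SHOW GRANTS FOR 'payroll'@'localhost';
SHOW GRANTS FOR 'auditor'@'localhost';
```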
88. DBMSs and Web Security
Countermeasures
Proxy servers
Firewalls
Secure Sockets Layer (SSL), which is used extensively to secure e-commerce on the Internet today.
91. Proxy Servers
Definition
A proxy server is a computer that sits between a Web browser and a Web server. It intercepts all requests for web pages and saves them locally for some time. A proxy server improves performance and filters requests.
[Figure: Computer A, Computer B, Proxy-server, Internet]
93. Firewalls
Firewalls
A firewall is a system that prevents unauthorized access to or from a private network.
It can be implemented in software, hardware or both.
Packet filter
Application gateway
Proxy server
94. Conclusion
Data security is critical.
Requires security at different levels.
Several technical solutions.
But human training is essential.
96. Thanks for your attention!