Database Security

Database Security
Ghezal Ahmad Zia
Information Systems Department
Faculty of Computer Science
Kabul University
ghezalahmadzia@yahoo.com
May 16, 2014
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 1 / 42

Contents I
1 Introduction
2 Main Aspect of Database Security
Integrity
Conﬁdentiality
Availability
3 Access Control
Discretionary Access Control
Mandatory Access Control
4 Conclusion
5 References

How to think about Insecurity?

People are part of the problem...

Bad guys don’t follow rules

Bad guys don’t follow rules
Need to understand what sort of attack possible to compromise a
system
Prerequisite to understand what to protect in a system!

Causes of Software Security Incidents

Buggy software and wrong conﬁgurations
Unsafe program languages
Complex programs

Complex programs
Lack of awareness and education
Few courses in computer security
Programming text books do not emphasize security

Complex programs
Poor usability
Security sometimes makes things harder to use

Complex programs
Poor usability
Economic factors
Consumers do not care about security
Security is diﬃcult, expensive and takes time
Few security audits

Complex programs
Poor usability
Economic factors
Consumers do not care about security
Security is diﬃcult, expensive and takes time
Few security audits
Human Factor

Human Factor
Who are the attackers?

Human Factor
Who are the attackers?
Why do the attack systems?

What is Database security?

Database
It is a collection of information stored in a computer

Database
Security
It is being free from danger

Database
Security
Database Security
It is the mechanisms that protect the database against intentional or
accidental threats.
OR

Database
Security
Database Security
It is the mechanisms that protect the database against intentional or
accidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.

What is Threats?

What is Threats?
Threats - Any situation or event, whether intensional or accidental,
that may adversely aﬀect a system and consequently the
organization.

What is Threats?
Threats - Any situation or event, whether intensional or accidental,
that may adversely aﬀect a system and consequently the
organization.
Computer Systems
Databases

Threats

Threats
Hardware
Fire/Flood/bombs
Data corruption due to power
loss or surge
Failure of security mechanisms
giving greater access
Theft of equipment
Physical damage of equipment

Threats
Hardware
Fire/Flood/bombs
loss or surge
Theft of equipment
DBMS and Application Software
Failure of security mechanism
Program alteration
Theft of programs

Threats
Hardware
Fire/Flood/bombs
loss or surge
Theft of equipment
Program alteration
Theft of programs
Communication Networks
Wire tapping
Breaking or disconnection of cables
Electronic interference and radiation

Threats
Hardware
Fire/Flood/bombs
loss or surge
Theft of equipment
Program alteration
Theft of programs
Wire tapping
Database
Unauthorized amendment or
copying of data
Theft of data
loss or surge

Threats
Hardware
Fire/Flood/bombs
loss or surge
Theft of equipment
Program alteration
Theft of programs
Wire tapping
Database
copying of data
Theft of data
loss or surge

Threats
Hardware
Fire/Flood/bombs
loss or surge
Theft of equipment
Program alteration
Theft of programs
Wire tapping
Database
copying of data
Theft of data
loss or surge
User
o  Using another
person’s means of
access
o  Viewing and
disclosing
unauthorized data
o  Inadequate staff
training
o  Illegal entry by
hacker
o  Blackmail
o  Introduction of
viruses

Threats
Hardware
Fire/Flood/bombs
loss or surge
Theft of equipment
Program alteration
Theft of programs
Wire tapping
Database
copying of data
Theft of data
loss or surge
Programmers/
Operators
o  Creating trapdoors
o  Program alteration
(such as creating
software that is
insecure)
training
o  Inadequate security
policies and
procedure
User
o  Using another
person’s means of
access
o  Viewing and
disclosing
unauthorized data
training
hacker
o  Blackmail
viruses

Threats
Hardware
Fire/Flood/bombs
loss or surge
Theft of equipment
Program alteration
Theft of programs
Wire tapping
Database
copying of data
Theft of data
loss or surge
Programmers/
Operators
o  Creating trapdoors
o  Program alteration
(such as creating
software that is
insecure)
training
policies and
procedure
User
o  Using another
person’s means of
access
o  Viewing and
disclosing
unauthorized data
training
hacker
o  Blackmail
viruses
Data/Database
Administrator
o  Policies and
procedures

Deﬁnition of Database security

Database Security is deﬁned as the process by which ”Conﬁdentiality,
Integrity, and Availability”of the database can be protected

Database Security is deﬁned as the process by which ”Conﬁdentiality,
Integrity, and Availability”of the database can be protected
Countermeasures
authorization
access control
views
backup and recovery
encryption
RAID technology

Database security Concepts

Three Main Aspects
Conﬁdentiality
Integrity
Availability

Three Main Aspects
Conﬁdentiality
Integrity
Availability
Threats to databases:

Three Main Aspects
Conﬁdentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Conﬁdentiality

Conﬁdentiality
Conﬁdentiality
No one can read our data / communication unless we want them to

Conﬁdentiality
Conﬁdentiality
It is protecting the database from unauthorized users.

Conﬁdentiality
Conﬁdentiality
Ensures that users are allowed to do the things they are trying to do.

Conﬁdentiality
Conﬁdentiality
Ensures that users are allowed to do the things they are trying to do.
For example:
The employees should not see the salaries of their managers.

Conﬁdentiality
Conﬁdentiality involves:
privacy: protection of private data,
secrecy: protection of organisational data

Integrity
Integrity
No one can manipulate our data / processing / communication unless
we want them to

Integrity
Integrity
we want them to
Protecting the database from authorized users.

Integrity
Integrity
we want them to
Protecting the database from authorized users.
Ensures that what users are trying to do is correct
For example:
An employee should be able to modify his or her own information.

Integrity
”Making sure that everything is as it is supposed to be.”
Preventing unauthorized writing or modiﬁcations

Availability
Availability
We can access our data / conduct our processing / use our
communication capabilities when we want to

Availability
Availability
Authorized users should be able to access data for Legal Purposes as
necessary

Availability
Availability
Authorized users should be able to access data for Legal Purposes as
necessary
For example:
Payment orders regarding taxes should be made on time by the tax law.

Availability
Services are accessible and useable (without delay) whenever needed by an
authorized entity.

Relationship between Conﬁdentiality Integrity and
Availability

Thanks for your attention!

Integrity
How is data integrity preserved?
Through Data integrity Constraints

Integrity
How is data integrity preserved?
Through Data integrity Constraints
Constraints restrict data values that can be inserted or updated

Column CHECK constraints
Example
Validity Checking Example
CREATE TABLE test
(rollno number(2) check (rollno between 1 and 50),
name varchar2(15));

Example
CREATE TABLE test
name varchar2(15));
INSERT INTO test values(45, ’ Willy’ );

Example
CREATE TABLE test
name varchar2(15));
1 row inserted

Example
CREATE TABLE test
name varchar2(15));
1 row inserted
INSERT INTO test values(55, ’ Hiess’ );

Example
CREATE TABLE test
name varchar2(15));
1 row inserted
INSERT INTO test values(55, ’ Hiess’ );
ERROR-Check constraints violated

Referential Integrity

Conﬁdentiality
Example: How to ensure data conﬁdentiality?

Conﬁdentiality
Cryptography

Conﬁdentiality
Cryptography
Strong Access Control

Conﬁdentiality
Cryptography
Strong Access Control
Limiting number of places where data can appear

Access Control

Access Control
An identity permits access to resources
In computer security this is called

Access Control
Access Control
Authorization
We talk about:
Subjects (for whom an action is performed)

Access Control
Access Control
Authorization
We talk about:
Objects (upon what an action is performed)

Access Control
Access Control
Authorization
We talk about:
Objects (upon what an action is performed)
Operations (the type of action performed)

Access Control Models
A DBMS provides access control mechanisms to help implement a security
policy.

policy.
Two complementary types of mechanism:

policy.
1 Discretionary access control (DAC)

policy.
1 Discretionary access control (DAC)
2 Mandatory access control (MAC)

Idea
Achieve security based on the concept of access rights:
1 privileges for objects

Idea
1 privileges for objects (certain access rights for tables, columns, etc.),
and

Idea
and
2 a mechanism for giving users privileges (and revoking privileges)

Idea
and
Users are given privileges to access the appropriate schema objects
(tables, views).

Idea
and
(tables, views).
Users can grant privileges to other users at their own discretion.

Idea
and
(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands

Granting/Revoking Privileges
GRANT SELECT ON database.* TO user@’localhost’;

Granting/Revoking Privileges
GRANT SELECT ON database.* TO user@’localhost’;
GRANT SELECT ON database.* TO user@’localhost’ IDENTIFIED BY
’password’;

DBMSs and Web Security
Countermeasures
Proxy servers
Firewalls
Secure Socket Layer or SSL

DBMSs and Web Security
Countermeasures
Proxy servers
Firewalls
Secure Socket Layer or SSL Which is used extensively to secure
e-commerce on the Internet today.

Proxy Servers

Proxy Servers
Deﬁnition
Proxy servers is a computer that sits between a Web browser and a Web
servers. It intercepts all requests for web pages and saves them locally for
some times. Proxy server provides improvement in performance and ﬁlters
requests.

Proxy Servers
Deﬁnition
Proxy servers is a computer that sits between a Web browser and a Web
servers. It intercepts all requests for web pages and saves them locally for
some times. Proxy server provides improvement in performance and ﬁlters
requests.
Computer A
Computer B
Proxy-server Internet

Firewalls

Firewalls
Firewalls
Is a system that prevents unauthorized access to or from private network.
Implemented in software, hardware or both.
Packet ﬁlter
Application gateway
Proxy server

Conclusion
Data security is critical.
Requires security at diﬀerent levels.
Several technical solutions .
But human training is essential.

References
Mark Stamp
INFORMATION SECURITY PRINCIPLES AND PRACTICE
Mark Stamp
Database Systems
Security , Chapter 19, 541
Michael Gertz
Handbook of Database Security Applications and Trends
Dorothy Elizabeth Robling Denning
Cryptography and Data Security

Thanks for your attention!

Database Security

More Related Content

What's hot

Viewers also liked

Similar to Database Security

Recently uploaded

Database Security