This document discusses database security. It introduces the CIA triangle of confidentiality, integrity and availability as key security objectives. It describes various security access points like people, applications, networks and operating systems. It also discusses vulnerabilities, threats, risks and different security methods to protect databases. The document provides an overview of concepts important for implementing database security.

1. Introduction

2. Introduction
Most DBMS did not have a secure mechanisms for
authentication and encryption until recently.
DBA is required to have an additional skill-that of
implementing security policies that protect one of the
most valuable assets of company-its data.
Database Security is degree to which all data is fully
protected from tampering and unauthorized acts.

3. CIA Triangle

4. Three Key Objectives
Confidentiality
Data confidentiality
Privacy
Integrity
Data integrity
System integrity
Availability

5. Confidentiality
Addresses two aspects
First aspect is prevention of unauthorized individuals
from accessing secret information.
Second aspect is process of safe guarding confidential
information and disclosing secret information only to
authorized individuals by means of classifying
information

6. Confidentiality Classification
Less
More
Control
Few
Many
People

7. Integrity
Consistent and valid data
Data is considered to have integrity if it is accurate
and has been tampered with intentionally or
accidentally.

8. Degradation of data integrity
Invalid data
Redundant Data (lead to inconsistency and data anomalies)
Inconsistent data (redundant data resides in several places, is
not identical)
Data Anomalies (occurs when one occurrence of the repeated
data is changed and the other occurrences are not)

9. Degradation of data integrity
Data read inconsistency (data changes that are made by the
user are visible to others before changes are committed; indicates user
does not always read the last committed data)
Data non concurrency

10. Availability
System should be available to individuals who are
authorized to access the information.

11. Database security access points
A security access point is place where database
security must be protected and applied.
People (secure data within the DB against violations caused by people)
Applications (when granting security privileges to applications, be
cautious, permissions shouldn’t too loose/too restrictive)
Network

12. Database security access points
OS (gateway to data, security credentials must be verified)
DBMS
Data Files (make use of encryption and permissions to protect
data files belonging to database)
Data

13. Data Integrity violation process
Security
Access points
Are
unprotected
Data
Integrity
Violation
Process of security gap resulting in security breach

14. Data Integrity violation process
Security gaps are points at which security is missing, and
thus system is vulnerable.
Vulnerability is state in which an object can potentially be
affected by a force or another object or even a situation
but not necessarily is or will be.
Threat is defined as security risk that has high possibility
of becoming a system breach.

15. Database Security Levels

16. Database Security Levels
VIEW database object is stored query that returns
columns and rows from selected tables.
Data provided by view object is protected by database
system functionality that allows schema owners to grant
or revoke privileges.
Data files in which data resides are protected by database
and that protection is enforced by OS file permissions.
Finally database is secured by DBMS (through accounts
and password mechanism, privileges, permissions to few)

17. Menaces to Databases
Security Vulnerability
Security Threat (security violation that can happen any time
because of security vulnerability)
Security Risk (A known security gap that company intentionally
leaves open)

18. Types of Vulnerabilities
Susceptible to attack
Intruders, attackers exploit in our environment to
start their attacks.
Hackers usually explore the weak points of a system
until they gain entry through gap in protection.

19. Types of Vulnerabilities
Installation and configuration (results from default
installation/configuration which is known publicly and we don’t
enforce any security measures)
User mistakes (due to carelessness in implementing procedures)
Software (found in commercial softwares, patches not applied)
Design and implementation (due to improper software
analysis, design as well as coding deficiencies)

20. Types of Threats
People (people intentionally/unitentionally inflict damage, e.g.
hackers,terrorists)
Malicious code (software code that is intentionally written to
damage the components, e.g. viruses)
Natural disasters
Technological disasters (malfunction in equipment, e.g.
network failure, hardware failure)

21. Virus
Worm
Back Door
Trojan Horse
Rootkits

22. Types of Risks
People (loss of people who are vital components of DB, e.g. due to
resignation)
Hardware (results in hardware unavailability, down due to failure,
malfunction)
Data (data loss, corruption)
Confidence (loss of public confidence in data produced by
company)

23. Asset Types and their values
Physical Assets (hardware, cars)
Logical Assets (purchased softwares, OS, DB)
Intangible Assets (business reputation, confidence)
Human Assets (human skills, knowledge)

24. Security Methods
People
a.Security policies & procedures
b.Process of identification and authentication
c. Training courses on importance of security
d.Physical limits on access to hardware and documents

25. Security Methods
Applications
a.Authentication of users who access
b.Business rules
c. Single sign on ( signing on once for different
applications)

26. Security Methods
Network
a.Firewalls
b.VPN
c. Authentication

27. Security Methods
OS
a.Authentication
b.Intrusion Detection
c. Password Policy
d.User Accounts

28. Security Methods
DBMS
a.Authentication
b.Audit Mechanisms
c. Database resource limits
d.Password Policy

29. Security Methods
Data Files
a.File Permissions
b.Access Monitoring
Data
a.Validation
b.Data access
c. Encryption
d.Data constraints

30. Database Security Methodology
Identification (investigation of resources reqd., policies to be
adopted)
Assessment (analysis of vulnerabilities, threats and risks)
Design (blueprint of adopted security model)
Implementation (code developed, tools purchased)
Evaluation (testing system against attacks, failures, disasters)
Auditing