This document discusses database security and privacy. It covers various topics related to database security such as discretionary access control using privileges, mandatory access control for multilevel security, encryption, and public key infrastructures. It also discusses legal and ethical issues regarding access to information, and threats to database security goals like integrity, availability and confidentiality of data. Common security mechanisms like access control, flow control and encryption are described for protecting databases against security threats.
2. Database security issues
Discretionary access control based on granting & revoking privileges
Mandatory access control and role-based access control for multilevel security
Encryption & public key infrastructures
3. Types of Security:
Legal & ethical issues regarding the right to access certain information.
System-related issues, such as the system level at which various security functions should be enforced, e.g. whether a security function should be handled at the physical hardware level, the operating system level or the DBMS level.
The need in some organizations to identify multiple security levels & to categorize the data & users based on these classifications, e.g. top secret, secret, confidential & unclassified.
Policy issues at the governmental, institutional or corporate level as to what kind of information should be made publicly available, e.g. credit ratings & personal medical records.
By: Gourav Kottawar
4. Threats to a database result in the loss or degradation of the following security goals:
Loss of Integrity: database integrity refers to the requirement that information be protected from improper modification. Modification of data includes creation, insertion, changing the status of data & deletion. Integrity is lost if unauthorized changes are made to the data by either intentional or accidental acts.
Loss of Availability: database availability refers to making objects available to the users or programs that have a legitimate right to them.
Loss of Confidentiality: refers to the protection of data from unauthorized disclosure. Unauthorized, unanticipated or unintentional disclosure could result in loss of public confidence.
5. To protect a database against these types of threats, four countermeasures can be implemented:
Access Control
Inference Control
Flow Control
Encryption
6. In a multi-user database system, the DBMS must provide techniques to enable certain users or user groups to access selected portions of a database without granting access to the rest of the database.
There are two types of security mechanisms:
Discretionary security mechanisms: these are used to grant privileges to users, including the capability to access specific data files, records or fields in a specific mode (such as read, insert, delete or update).
Mandatory security mechanisms: these are used to enforce multilevel security by classifying data & users into various security classes. An extension of this is role-based security, which enforces policies & privileges based on the concept of roles.
7. A major problem for all computer systems is that of preventing unauthorized persons from accessing the system itself.
The security mechanisms of a DBMS must include provisions for restricting access to the database system as a whole.
This function is called access control & is handled by creating user accounts & passwords to control the login process by the DBMS.
The DBA is the central authority for managing a database system. The DBA's responsibilities include:
Account creation
Privilege granting
Privilege revocation
Security level assignment
8. Whenever a person or a group of persons needs to access a database system, the individual or group must first apply for a user account.
The DBA will then create a new account & password for the user if there is a legitimate need to access the database.
The user must log in to the DBMS by entering the account name/number & password whenever database access is needed.
The database system must also keep track of all operations on the database that are applied by a given user throughout each login session, so that an audit trail exists if tampering is later suspected.
9. The typical method of enforcing discretionary access control in a database system is based on the granting & revoking of privileges.
The main idea is to include statements in the query language that allow the DBA & selected users to grant & revoke privileges.
Types of Discretionary Privileges:
There are two levels for assigning privileges to use the database system:
◦ The account level: the DBA specifies the particular privileges that each account holds independently of the relations in the database.
◦ The relation (table) level: the DBA can control the privileges to access each individual relation in the database.
10. Privileges at the account level apply to the capabilities provided to the account itself & can include the CREATE TABLE / CREATE VIEW privilege, the ALTER privilege, the DROP privilege, the MODIFY privilege & the SELECT privilege.
Account-level privileges are not defined as part of SQL; they are left to the DBMS implementers to define.
The second level of privilege applies to the relation level, whether the relations are base relations or virtual relations (views).
In SQL the following types of privileges can be granted on each individual relation R:
SELECT: gives the account the retrieval privilege.
MODIFY: gives the account the capability to modify tuples of R. In SQL this is divided into the UPDATE, DELETE & INSERT privileges.
REFERENCES: gives the account the capability to reference relation R when specifying integrity constraints (e.g. a foreign key).
11. A user who creates a view has precisely those privileges on the view that he or she has on the base tables used to define the view.
The user creating the view must have the SELECT privilege on each underlying table, so is always granted the SELECT privilege on the view.
The creator of the view has the SELECT privilege with the grant option only if he or she has the SELECT privilege with the grant option on every underlying table.
If the SELECT privilege on an underlying table is revoked from the user who created the view, the view is dropped.
If the creator of the view gains additional privileges on the underlying tables, he or she automatically gains the corresponding privileges on the view.
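The grant and revoke mechanics of slides 9 to 11, as an added example that is not part of the original slides: a small Python model of SQL's GRANT ... WITH GRANT OPTION and REVOKE ... CASCADE on a single relation. Every privilege a user holds is recorded together with who granted it, so a revocation can be propagated down the chain of grants. The user names (dba, alice, bob, carol) and the table name employee are made up, and the cascade rule applied is the usual one: a grant survives only while its grantor still holds the privilege with grant option through a chain that leads back to the table's owner.

```python
# Added example (not from the original slides): a grant graph modelling
# SQL's GRANT ... WITH GRANT OPTION and REVOKE ... CASCADE on one relation.
# Users, table name and the privilege list below are hypothetical.
from collections import defaultdict


class GrantGraph:
    """Per-privilege record of who granted what to whom on a single table."""

    PRIVILEGES = ("SELECT", "INSERT", "UPDATE", "DELETE", "REFERENCES")

    def __init__(self, owner, table):
        self.owner = owner
        self.table = table
        # grants[priv][grantee] -> set of (grantor, with_grant_option) edges.
        # The owner holds every privilege with grant option, granted by nobody.
        self.grants = defaultdict(lambda: defaultdict(set))
        for priv in self.PRIVILEGES:
            self.grants[priv][owner].add((None, True))

    def holds(self, user, priv):
        return bool(self.grants[priv].get(user))

    def can_grant(self, user, priv):
        return any(opt for _, opt in self.grants[priv].get(user, ()))

    def grant(self, grantor, grantee, priv, with_grant_option=False):
        # SQL: GRANT <priv> ON <table> TO <grantee> [WITH GRANT OPTION]
        if not self.can_grant(grantor, priv):
            raise PermissionError(f"{grantor} cannot grant {priv} on {self.table}")
        self.grants[priv][grantee].add((grantor, with_grant_option))

    def revoke(self, grantor, grantee, priv):
        # SQL: REVOKE <priv> ON <table> FROM <grantee> CASCADE
        edges = self.grants[priv].get(grantee, set())
        mine = {e for e in edges if e[0] == grantor}
        if not mine:
            raise PermissionError(f"{grantor} never granted {priv} to {grantee}")
        edges -= mine
        self._prune(priv)

    def _prune(self, priv):
        # Keep only grants whose grantor still holds the privilege WITH GRANT
        # OPTION through a chain leading back to the owner. Everything else is
        # an abandoned privilege and is dropped: that is the cascade.
        table = self.grants[priv]
        granters, frontier = {self.owner}, [self.owner]
        while frontier:
            g = frontier.pop()
            for grantee, edges in table.items():
                if grantee not in granters and any(gr == g and opt for gr, opt in edges):
                    granters.add(grantee)
                    frontier.append(grantee)
        for grantee in list(table):
            table[grantee] = {e for e in table[grantee] if e[0] is None or e[0] in granters}
            if not table[grantee]:
                del table[grantee]


def demo():
    """dba -> alice (grant option) -> bob (grant option) -> carol; carol is also
    granted directly by dba. Revoking alice cascades to bob but not to carol."""
    g = GrantGraph(owner="dba", table="employee")
    g.grant("dba", "alice", "SELECT", with_grant_option=True)
    g.grant("alice", "bob", "SELECT", with_grant_option=True)
    g.grant("bob", "carol", "SELECT")
    g.grant("dba", "carol", "SELECT")
    g.revoke("dba", "alice", "SELECT")
    return {u: g.holds(u, "SELECT") for u in ("alice", "bob", "carol")}


if __name__ == "__main__":
    print(demo())  # {'alice': False, 'bob': False, 'carol': True}
```

The point worth checking in any real DBMS is the same one demo() exercises: after REVOKE ... CASCADE, a user keeps the privilege only if some other valid grant chain still reaches them, so "who else can grant this" matters as much as "who holds it" when auditing a privilege.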
12. In the discretionary method a user either has or does not have a certain privilege.
In many applications an additional security policy is needed that classifies data & users based on security classes.
This approach is known as mandatory access control (MAC).
It is important to note that most commercial DBMSs currently provide mechanisms only for discretionary access control.
However, the need for multilevel security exists in government, military & intelligence applications, as well as in many industrial & corporate applications.
Typical security classes are
◦ Top secret (TS)
◦ Secret (S)
◦ Confidential (C)
◦ Unclassified (U)
13. TS is the highest level & U the lowest.
The system uses four security classification levels, where TS > S > C > U.
The commonly used model for multilevel security is known as the Bell-LaPadula model.
It classifies each subject (user, account, program) & object (table, tuple, column, view, operation) into one of the security classifications.
The classification of a subject S is referred to as class(S) & the classification of an object O as class(O).
14. MAC is based on system-wide policies that cannot be changed by an individual user.
In this approach each database object is assigned a security class.
Each user is assigned a clearance for a security class.
Rules are imposed on the reading & writing of database objects by users.
The DBMS determines whether a given user can read or write a given object based on rules that involve the security level of that object & the clearance of the user.
These rules seek to ensure that sensitive data can never be 'passed on' to a user without the necessary clearance.
The SQL standard does not include any support for MAC.
15. Clearance is the security level up to which an individual user or client can access information.
This clearance is associated with a 'need to know' requirement.
The Bell-LaPadula model imposes two restrictions on all reads & writes of database objects:
Simple-security property: a subject S can read an object O only if class(S) >= class(O). (read down)
*-property (star property): a subject S can write an object O only if class(O) >= class(S). (write up)
It is usually assumed that the security levels on subjects & objects, once assigned, cannot be changed (except by the DBA).
This is why the control is called mandatory: unlike DAC, an individual user cannot relax it by granting privileges to others.
16. Subjects: individuals who perform some activity on the database. Might include specific people or a group of users.
Objects: database units that require authorization in order to be manipulated. Database units might include an entire table, specific columns in a table, specific rows in a table, etc.
Actions: any activity that might be performed on an object by a subject. For example: Read, Modify, Insert, Write, Delete, Grant (the ability to grant authorizations to others).
Constraint: a more specific rule regarding an aspect of the object and action.
17. For example, a user with TS clearance can read a table with C classification, but a user with C clearance is not allowed to read a table with TS classification. (Simple-security property)
*-property: for example, a user with S clearance can write only objects with S or TS classification.
To incorporate multilevel security notions into the relational database model, it is common to consider attribute values & tuples as data objects.
Each attribute A is associated with a classification attribute C.
Each attribute value is associated with a corresponding security classification.
In addition, in some models a tuple classification attribute TC is added to the relation to classify each tuple as a whole.
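The Bell-LaPadula rules of slides 13 to 17, as an added example that is not part of the original slides: the TS > S > C > U lattice, the read-down and write-up checks, and a multilevel relation whose tuples carry a tuple classification attribute TC. The relation contents, the employee names and salaries, and the clearances used are all constructed for illustration.

```python
# Added example (not from the original slides): Bell-LaPadula read-down /
# write-up checks over a multilevel relation. The relation contents, the
# clearances and the tuple-classification attribute TC are constructed here.
from enum import IntEnum


class Level(IntEnum):
    U = 0   # Unclassified
    C = 1   # Confidential
    S = 2   # Secret
    TS = 3  # Top secret


def can_read(subject: Level, obj: Level) -> bool:
    """Simple-security property: class(S) >= class(O), i.e. read down."""
    return subject >= obj


def can_write(subject: Level, obj: Level) -> bool:
    """*-property: class(O) >= class(S), i.e. write up. This is what stops a
    TS subject copying TS data into a U object that a U user could then read."""
    return obj >= subject


# Constructed multilevel relation: every tuple carries its classification TC.
EMPLOYEE = [
    {"name": "Smith", "salary": 40000, "TC": Level.U},
    {"name": "Brown", "salary": 80000, "TC": Level.C},
    {"name": "Jones", "salary": 90000, "TC": Level.S},
    {"name": "Adams", "salary": 95000, "TC": Level.TS},
]


def filtered_view(relation, clearance: Level):
    """Tuples a subject with this clearance may retrieve. Higher-classified
    tuples are silently filtered rather than rejected with an error, so the
    subject cannot even learn that they exist."""
    return [t for t in relation if can_read(clearance, t["TC"])]


def try_update(relation, clearance: Level, name, new_salary):
    """Apply an update only where the *-property permits writing at the
    tuple's level; returns whether the write was allowed."""
    for t in relation:
        if t["name"] == name:
            if not can_write(clearance, t["TC"]):
                return False
            t["salary"] = new_salary
            return True
    return False


if __name__ == "__main__":
    for lvl in Level:
        print(lvl.name, [t["name"] for t in filtered_view(EMPLOYEE, lvl)])
    print(try_update(EMPLOYEE, Level.TS, "Brown", 1))  # False: write down denied
    print(try_update(EMPLOYEE, Level.S, "Adams", 1))   # True: write up allowed
```

Note that try_update lets an S subject modify a TS tuple it is not allowed to read (a "blind write"). Strict Bell-LaPadula permits this because the model only protects confidentiality; systems that also care about integrity add further rules on top, which is why the write-up direction is usually restricted in practice.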
18. RBAC emerged in the 1990s as a proven technology for managing & enforcing security in large-scale enterprise-wide systems.
Its basic notion is that permissions are associated with roles, & users are assigned to appropriate roles.
Roles can be created & removed using the CREATE ROLE & DROP ROLE commands (some texts write DESTROY ROLE).
RBAC appears to be a viable alternative to traditional discretionary & mandatory access controls; it ensures that only authorized users are given access to certain data or resources.
Users create sessions during which they may activate a subset of the roles to which they belong.
Each session can be assigned many roles, but it maps to only one user.
Many DBMSs have allowed the concept of roles, where privileges can be assigned to roles.
19. Another important consideration in RBAC systems is the possible temporal constraints that may exist on roles, such as the time & duration of role activations & the time-triggering of a role by the activation of another role.
RBAC models have several desirable features, such as flexibility & better support for security management & administration.
RBAC can be effectively used for developing secure Web-based applications, whereas MAC & DAC on their own lack capabilities needed to support a secure Web-based application.
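The session and temporal-constraint ideas of slides 18 and 19, as an added example that is not part of the original slides: permissions attach to roles, users are assigned roles, and a session activates only a chosen subset of the user's roles; a role may additionally carry a time-of-day activation window as one kind of temporal constraint. The role names (clerk, payroll), user names and the employee table are hypothetical; the SQL statements in the comments are the standard CREATE ROLE / GRANT forms these methods correspond to.

```python
# Added example (not from the original slides): RBAC with sessions that
# activate a subset of a user's roles, plus a time-of-day activation window as
# one kind of temporal constraint. Roles, users and permissions are hypothetical.
from datetime import time


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (action, object)
        self.user_roles = {}   # user -> set of assigned roles
        self.windows = {}      # role -> (start, end) time of day it may be active

    def create_role(self, role, perms, window=None):
        # SQL: CREATE ROLE <role>; GRANT <action> ON <object> TO <role>
        self.role_perms[role] = set(perms)
        if window is not None:
            self.windows[role] = window

    def assign(self, user, role):
        # SQL: GRANT <role> TO <user>
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, user, roles, now):
        return Session(self, user, roles, now)


class Session:
    """One user, a chosen subset of that user's roles, checked at activation."""

    def __init__(self, rbac, user, roles, now):
        self.rbac, self.user, self.active = rbac, user, set()
        held = rbac.user_roles.get(user, set())
        for role in roles:
            if role not in held:
                raise PermissionError(f"{user} is not assigned role {role}")
            start, end = rbac.windows.get(role, (time.min, time.max))
            if not start <= now <= end:
                raise PermissionError(f"role {role} cannot be activated at {now}")
            self.active.add(role)

    def permits(self, action, obj):
        # Least privilege: only the roles activated in this session count,
        # not every role the user holds.
        return any((action, obj) in self.rbac.role_perms[r] for r in self.active)


def build_demo():
    """Constructed setup: clerks read employee; payroll may update it, but only
    between 09:00 and 17:00. alice holds both roles, bob only clerk."""
    rbac = RBAC()
    rbac.create_role("clerk", {("SELECT", "employee")})
    rbac.create_role("payroll", {("UPDATE", "employee")}, window=(time(9), time(17)))
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "payroll")
    rbac.assign("bob", "clerk")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    s = rbac.open_session("alice", ["clerk"], time(14, 30))
    print(s.permits("UPDATE", "employee"))  # False: payroll not activated
```

The design choice to notice is that activation, not assignment, is what confers access: alice holding the payroll role does nothing until a session activates it, and the window check happens at that moment, so an out-of-hours session simply cannot acquire the update permission.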
20. The previous access control mechanisms, although strong countermeasures, may not be able to protect databases from some threats.
Suppose we transmit data, but our data falls into the hands of an unauthorized party.
In this situation, by using encryption we can disguise the message so that even if the transmission is intercepted, the message will not be revealed.
Encryption is a means of securing data in an insecure environment.
Encryption consists of applying an encryption algorithm to data using some pre-specified encryption key.
The resulting data has to be decrypted using a decryption key.
21. The DES (Data Encryption Standard) is a system developed by the U.S. government for use by the general public.
It was widely accepted as a cryptographic standard both in the United States & abroad.
DES can provide end-to-end encryption on the channel between a sender A & a receiver B.
The DES algorithm is a careful & complex combination of two of the fundamental building blocks of encryption: substitution & transposition.
The algorithm derives its strength from the repeated application of these two techniques for a total of 16 rounds.
Caveat: DES uses a 56-bit key, which is small enough to be found by brute force with modern hardware; it was withdrawn as a U.S. standard in 2005 and superseded by AES, so it should not be chosen for new systems.
22. Substitution: for example, a is replaced with D, b with E, c with F and z with C (a fixed shift of 3 through the alphabet). In this way attack becomes DWWDFN. Such substitution ciphers are not very secure because an intruder can easily guess the substitution characters: with a fixed shift there are only 25 possibilities to try.
Transposition: the plaintext "this is a test" is written row by row into a grid (padded with "!") and read out column by column:
t h i s
i s a t
e s t !
giving the ciphertext tiehssiatst!
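The two building blocks of slide 22, as an added example that is not part of the original slides: the shift-by-3 substitution (attack to DWWDFN) and the four-column transposition of "this is a test", each with its inverse, plus a brute force that recovers the substitution key to show why the slide calls it weak. The column count of 4 and the "!" pad character are read off the slide's grid; the function names are my own.

```python
# Added example (not from the original slides): the shift-by-3 substitution and
# the 4-column transposition shown on the slide, with decryption and a
# brute-force that recovers the substitution key.
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(plaintext, shift=3):
    """Substitution: each letter moves `shift` places along the alphabet,
    wrapping around (z -> C). Output is upper-case, as on the slide."""
    out = []
    for ch in plaintext:
        if ch.lower() in ALPHABET:
            idx = (ALPHABET.index(ch.lower()) + shift) % 26
            out.append(ALPHABET[idx].upper())
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, shift=3):
    return shift_encrypt(ciphertext, -shift).lower()


def brute_force(ciphertext):
    """Why a fixed substitution is weak: only 25 keys exist, so the intruder
    decrypts under all of them and picks the one that reads as language."""
    return [shift_decrypt(ciphertext, s) for s in range(1, 26)]


def columnar_encrypt(plaintext, columns=4, pad="!"):
    """Transposition: drop spaces, write the text row by row into `columns`
    columns (padding the last row), then read it out column by column."""
    text = plaintext.replace(" ", "")
    text += pad * (-len(text) % columns)
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def columnar_decrypt(ciphertext, columns=4, pad="!"):
    """Inverse: cut the ciphertext into columns, read across the rows.
    Assumes the plaintext itself did not end in the pad character."""
    nrows = len(ciphertext) // columns
    cols = [ciphertext[i:i + nrows] for i in range(0, len(ciphertext), nrows)]
    return "".join(cols[c][r] for r in range(nrows) for c in range(columns)).rstrip(pad)


if __name__ == "__main__":
    print(shift_encrypt("attack"))               # DWWDFN
    print(columnar_encrypt("this is a test"))    # tiehssiatst!
    print(brute_force("DWWDFN")[2])              # attack (shift 3 is index 2)
```

Neither primitive is secure on its own: the substitution falls to a 25-key search and the transposition preserves letter frequencies exactly. DES gets its strength from interleaving both, key-dependently, across 16 rounds; this example only makes the individual components visible.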
23. In 1976 Diffie & Hellman proposed a new kind of cryptosystem, which they called public key encryption.
Such an algorithm uses two separate keys, in contrast to conventional encryption, which uses only one key.
The two keys are referred to as the public key & the private key.
The private key is kept secret.
The public key encryption scheme:
◦ Plain text
◦ Encryption algorithm
◦ Public key & private key: the public key is used for encryption & the private key for decryption.
◦ Cipher text
◦ Decryption algorithm
24. When John wants to send a secure message to Nipun, he uses Nipun's public key to encrypt the message. Nipun then uses her private key to decrypt it. An important element of the public key system is that the public and private keys are related in such a way that a message encrypted with the public key can be decrypted only with the corresponding private key. Moreover, deriving the private key from the public key is computationally infeasible when the keys are large enough.
Public-key systems are widely used for transmitting information via the Internet. They are secure, provided the keys are long enough and a proper padding scheme is used, and relatively simple to use. The main difficulty with public-key systems is that you need to know the recipient's public key to encrypt a message for him or her, and to be sure that it genuinely belongs to the recipient; binding public keys to identities is the job of a public key infrastructure.
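The public-key exchange of slides 23 and 24, as an added example that is not part of the original slides: textbook RSA on toy-sized numbers, showing a public key (n, e) anyone can use to encrypt and a private exponent d that only the recipient holds. The primes 61 and 53 are chosen so the arithmetic is visible, and factor_modulus() then recovers the private key from the public one in milliseconds, which is exactly why real keys are 2048 bits or more. The slides do not name RSA; it is used here because it is the simplest scheme that matches their description. Textbook RSA with no padding must not be used as-is in a real system.

```python
# Added example (not from the original slides): textbook RSA on toy-sized
# numbers to show the public-key/private-key relationship. The primes are
# deliberately tiny so the arithmetic is visible. Textbook RSA with no padding
# must not be used as-is; production code should use a vetted library with OAEP.
from math import gcd


def keygen(p, q, e=17):
    """Public key (n, e) is published; private exponent d stays with the owner."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)        # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can do this (John encrypting for Nipun)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private exponent d undoes the encryption (Nipun reading it)."""
    n, d = private_key
    return pow(c, d, n)


def factor_modulus(n):
    """Trial division. Feasible here only because n is tiny; for a 2048-bit n
    no known method finishes, which is what keeps d private."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_key(public_key):
    """What an attacker would need to do: factor n, then recompute d."""
    n, e = public_key
    p, q = factor_modulus(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = keygen(61, 53)
    c = encrypt(public, 65)
    print(public, private, c, decrypt(private, c))   # (3233, 17) (3233, 2753) 2790 65
    print(recover_private_key(public) == private)    # True: toy modulus factors instantly
```

Two practitioner caveats follow directly from the code: the security rests entirely on factoring n being infeasible, so key size is not optional; and because encrypt() is deterministic, identical messages give identical ciphertexts, which is one of the reasons real deployments wrap the message in randomized padding (OAEP) before exponentiation.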
25. Ciphertext (or cyphertext) is the result of encryption performed on plaintext using an algorithm called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper key to decrypt it. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext.
26. Plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. The term is used with reference to the operation of cryptographic algorithms, usually encryption algorithms: plaintext is their input.
Editor's Notes
In the United States , there are numerous laws governing privacy of information.
Inference Control
REFERENCE: This privilege gives the account the capability to reference relation R when specifying integrity constraints.
In addition in some models tuple classification attribute TC is also added to the relation attribute to provide a classification of each tuple as a whole.
Thus RBAC becomes a superset model that can in turn mimic the behavior of MAC & DAC systems.
Easier deployment over the Internet has been another reason for the success of RBAC.