4. What is Security And Authentication
Security definition: Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites.
Authentication definition: Authentication is the process of recognizing a user's identity. It is the mechanism of associating an incoming request with a set of identifying credentials.
5. 4 Keys of Authentication
Data security is also known as information security (IS) or computer security.
Introduction to User Authentication: A basic security requirement is that you must know your users. You must identify them before you can determine their privileges and access rights, and so that you can audit their actions upon the data.
6. Passwords for Authentication
Passwords are one of the basic forms of authentication. A user must provide the correct password when establishing a connection to prevent unauthorized use of the database.
7. Strong Authentication
Strong authentication has important advantages:
More choices of authentication mechanism are available, such as smart cards, Kerberos, or the operating system.
Many network authentication services, such as Kerberos and DCE, support single sign-on.
8. Proxy Authentication and Authorization
Proxy authentication enables the database administrator to regulate which users are allowed to access the database server through a given application.
It also enables the administrator to audit actions of the application acting on behalf of a given user.
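As an added illustration (not part of the original slides), assuming an Oracle database, this is how a DBA configures the two points above: restricting which users an application account may connect through, and auditing the application's actions on behalf of the real user. The names app_server, jsmith and reporting_role are constructed.

```sql
-- Added example (not from the slides): Oracle-style proxy authentication.
-- Assumed names: application account APP_SERVER, end user JSMITH,
-- role REPORTING_ROLE. Statements are run as a DBA.

-- 1. Allow the application account to connect on behalf of JSMITH,
--    but only with REPORTING_ROLE enabled (none of JSMITH's other roles),
--    and only if the application also presents JSMITH's own credentials.
ALTER USER jsmith
  GRANT CONNECT THROUGH app_server
  WITH ROLE reporting_role
  AUTHENTICATION REQUIRED;

-- 2. Audit what the application does while acting as JSMITH, so each
--    audited statement is attributed to the real end user, not just
--    to the shared application account.
AUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE
  BY app_server ON BEHALF OF jsmith;

-- 3. Review which proxy relationships currently exist.
SELECT proxy, client, authentication
  FROM proxy_users;

-- 4. Inside a proxied session both identities are visible; this is
--    what makes per-user authorization and auditing possible.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_account,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS end_user
  FROM dual;

-- 5. Remove the relationship when the application no longer needs it.
ALTER USER jsmith REVOKE CONNECT THROUGH app_server;
```

A client opens the proxied session by connecting as app_server[jsmith] with the application account's password; the database then checks the GRANT CONNECT THROUGH rule before the session is created.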
11. The security of the location where the database is stored
Even if you know that the contents of a database file are safe, if the file is stored in a location that is not fully secure, someone might introduce unsafe content into the database.
You should be careful when deciding to trust database files that are stored in locations that might not be secure.
13. Levels of data security
Human level
Corrupt/careless user
Network/user interface
Database application program
Database system
Operating system
Physical level
14. Physical/OS Security
• Physical level
– Traditional lock-and-key security
– Protection from floods, fire, etc.
• E.g. WTC (9/11), fires in IITM, WWW conf website, etc.
– Protection from administrator error
• E.g. delete critical files
– Solution
• Remote backup for disaster recovery
• Plus archival backup (e.g. DVDs/tapes)
• Operating system level
– Protection from virus/worm attacks critic
15. Security at the Database
Database and Application Security, Nov 2006
• Authentication and authorization mechanisms to allow specific users access only to required data
• Authentication: who are you? Prove it!
• Authorization: what you are allowed to do
16. Security Policies
Database security officer: secures the system and data; works with the database administrator.
Security policy: collection of standards, policies and procedures to guarantee security; ensures auditing and compliance.
Security audit process: identifies security vulnerabilities.
17. Security Pearls
Back up key files.
Use encryption on sensitive data.
Use good passwords.
Network security requires expertise: authentication, encryption, firewalls.
18. User Authentication
• Password
– Most users abuse passwords, e.g.:
• Easy-to-guess passwords
• Sharing passwords with others
• Smartcards
– Need smartcard
– + a PIN or password
(Image caption: Bill Gates)
19. Conclusion
The goal of database security is to protect your critical and confidential data from unauthorized access.
Each organization should have a data security policy, which is a set of high-level guidelines determined by:
User requirements
Environmental aspects
Internal regulations
Governmental law