01 database security ent-db
TRANSCRIPT
DATABASE SECURITY
Database
the heart of each information system
a persistent collection of related data, where data are facts that have an implicit
meaning.
built to store logically interrelated data representing some aspects of the real
world, which must be collected, processed, and made accessible to a given user
population.
Database Concepts
• The database is constructed according to a data model which define the way in which data and interrelationships between them can be represented.
Data Model
s• The collection of software programs that
provide the functionalities for defining, maintaining, and accessing data stored in a database is called a database management system (DBMS).
DBMS
Database abstraction levels
Internal level
• describing the physical storage of the database
Conceptual (or logical level )
• providing the users with a high level description of the real world that the database represents
External level
• describing the views that different users or applications have on the stored data.
The internal level maps the logical objects supported by the data model to the physical objects of the underlying
operating system
Data Security
• Concerned with improper disclosure of information. The terms secrecy or non-disclosure are synonyms for confidentiality.
Confidentiality
• Concerned with improper modification of information or processes.
Integrity
• Concerned with improper denial of access to information. The term denial of service is also used as a synonym for availability.
Availability
Top Ten Database Security Threats
• When someone is granted database privileges that exceed the requirements of their job function, these privileges can be abused.
Excessive and Unused Privileges
• Users may abuse legitimate database privileges for unauthorized purposes.
Privilege Abuse
• Injection attacks usually involve inserting (or “injecting”) unauthorized or malicious statements into the input fields of web applications that gives an attacker unrestricted access to an entire database.
Input Injection (Formerly SQL Injection)
• Cybercriminals, state-sponsored hackers, and spies use advanced attacks that blend multiple tactics—such as spear phishing emails and malware—to penetrate organizations and steal sensitive data.
Malware
• Automated recording of database transactions involving sensitive data should be part of any database deployment. Failure to collect detailed audit records of database activity represents a serious organizational risk on many levels.
Weak Audit Trail
• Backup storage media is often completely unprotected from attack.
Storage Media Exposure
• It is common to find vulnerable and un-patched databases, or discover databases that still have default accounts and configuration parameters.
Exploitation of Vulnerable, Misconfigured Databases
• Many companies struggle to maintain an accurate inventory of their databases and the critical data objects contained within them.
Unmanaged Sensitive Data
• Denial of Service (DoS) is a general attack category in which access to network applications or data is denied to intended users.
Denial of Service
• Many organizations are ill-equipped to deal with a security breach due to the lack of expertise required to implement security controls, enforce policies, or conduct incident response processes.
Limited Security Expertise and Education
Approaches to Data Security
Prevention • Prevention ensures that security breaches cannot
occur. The basic technique is that the system examines every action and checks its conformance with the security policy before allowing it to occur.
• This technique is called access control.
Detection• Detection ensures that sufficient history of the
activity in the system is recorded in an audit trail, so that a security breach can be detected after the fact.
• This technique is called auditing.
ACCESS CONTROL
Access Control Policies
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Discretionary Access Control• The word discretionary characterizes the fact that users
can be given the ability of passing their privileges to others.
• Discretionary access control policies are based on authorizations rules. • An authorization rule states that a subject has the privilege to
exercise a given action on a given object. • The kind (and granularity) of subjects, objects, and
actions that can be referenced in authorizations may be different in different systems.
Discretionary access control policies
Subjects
Subjects are the entities to which authorizations can be granted.Typically, subjects are users.
Objects
Objects are the entities to be protected. Typically, objects correspond to information container (tables or portion of it) or procedures.
Actions
Actions define the specific operations that subjects can execute on objects. Actions to be supported include the operations corresponding to the basic read, write, delete, create, and execute
Authorizations• Authorizations define which accesses are to be allowed.
• The simplest form of authorization is a triple (subject, object, action) specifying that subject is authorized to exercise action on object.
• Example• subject object access
• Joe Black Employee-relation read
Granularity and Modes of Access Control
The entire database.
Some collection of relations.
One relation.
Some columns of one relation.
Some rows of one relation.
DAC modes in SQL operationsThe ability to INSERT and DELETE is specified on a relation by relation basis.
SELECT is also usually specified on a relation by
relation basis.
UPDATE can be restricted to certain columns of a
relation.
Access Control Mechanisms
Security through Views
Grant and Revoke
Stored Procedures
Query modificatio
n
SECURITY THROUGH VIEWS
View Based Access Control• A base relation is a “real" relation in the database, that is actually stored in the Database.
• A view is a “virtual" relation which is derived from base relations and other views.
• For retrieval purposes users need not distinguish between views and base relations.
• Views, therefore, provide a very powerful mechanism for specifying data-dependent authorization for data retrieval.
A user who has read access to TOY-DEPT is thereby limited to retrieving information about employees in the Toy Department.
Suppose that a new employeeBrown is inserted in base relation EMPLOYEE, as shown in Table 3. The viewTOY-DEPT will be automatically modified to include Brown, as shown in Table 4.
Views can also be used to provide access to statistical information.
A view is simply another relation in the database, which happens to be automatically
modified by the DBMS whenever its base relations are modified.
Problem: Difficult to maintain updates.
GRANTING AND REVOCATION OF ACCESS
Grant• Granting and revocation allow users to selectively and
dynamically grant privileges to other users, and subsequently revoke them if so desired.
• The GRANT command applies to base relations as well as views.
• In SQL granting is accomplished by means of the GRANT statement which has the following general format.
Some examples of GRANT statements
Note that it is not possible to grant a user the grant option on a privilege, withoutallowing the grant option itself to be further granted.
Revoke• Revocation in SQL is accomplished by means of the
REVOKE statement which has the following general format.
• Examples:
STORED PROCEDURESAssign rights to execute compiled programsGRANT RUN ON <program> TO <user>
Problem:Programs may access resources for which the user who runs the program does not have permission.
QUERY MODIFICATION• It is not supported in SQL• In this technique, a query submitted by a user is modified
to include further restrictions as determined by the user's authorization.