DATABASE SECURITY

Database

the heart of each information system

a persistent collection of related data, where data are facts that have an implicit

meaning.

built to store logically interrelated data representing some aspects of the real

world, which must be collected, processed, and made accessible to a given user

population.

Database Concepts

• The database is constructed according to a data model which define the way in which data and interrelationships between them can be represented.

Data Model

s• The collection of software programs that

provide the functionalities for defining, maintaining, and accessing data stored in a database is called a database management system (DBMS).

DBMS

Database abstraction levels

Internal level

• describing the physical storage of the database

Conceptual (or logical level )

• providing the users with a high level description of the real world that the database represents

External level

• describing the views that different users or applications have on the stored data.

The internal level maps the logical objects supported by the data model to the physical objects of the underlying

operating system

Data Security

• Concerned with improper disclosure of information. The terms secrecy or non-disclosure are synonyms for confidentiality.

Confidentiality

• Concerned with improper modification of information or processes.

Integrity

• Concerned with improper denial of access to information. The term denial of service is also used as a synonym for availability.

Availability

Top Ten Database Security Threats

• When someone is granted database privileges that exceed the requirements of their job function, these privileges can be abused.

Excessive and Unused Privileges

• Users may abuse legitimate database privileges for unauthorized purposes.

Privilege Abuse

• Injection attacks usually involve inserting (or “injecting”) unauthorized or malicious statements into the input fields of web applications that gives an attacker unrestricted access to an entire database.

Input Injection (Formerly SQL Injection)

• Cybercriminals, state-sponsored hackers, and spies use advanced attacks that blend multiple tactics—such as spear phishing emails and malware—to penetrate organizations and steal sensitive data.

Malware

• Automated recording of database transactions involving sensitive data should be part of any database deployment. Failure to collect detailed audit records of database activity represents a serious organizational risk on many levels.

Weak Audit Trail

• Backup storage media is often completely unprotected from attack.

Storage Media Exposure

• It is common to find vulnerable and un-patched databases, or discover databases that still have default accounts and configuration parameters.

Exploitation of Vulnerable, Misconfigured Databases

• Many companies struggle to maintain an accurate inventory of their databases and the critical data objects contained within them.

Unmanaged Sensitive Data

• Denial of Service (DoS) is a general attack category in which access to network applications or data is denied to intended users.

Denial of Service

• Many organizations are ill-equipped to deal with a security breach due to the lack of expertise required to implement security controls, enforce policies, or conduct incident response processes.

Limited Security Expertise and Education

Approaches to Data Security

Prevention • Prevention ensures that security breaches cannot

occur. The basic technique is that the system examines every action and checks its conformance with the security policy before allowing it to occur.

• This technique is called access control.

Detection• Detection ensures that sufficient history of the

activity in the system is recorded in an audit trail, so that a security breach can be detected after the fact.

• This technique is called auditing.

ACCESS CONTROL

Access Control Policies

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

Discretionary Access Control• The word discretionary characterizes the fact that users

can be given the ability of passing their privileges to others.

• Discretionary access control policies are based on authorizations rules. • An authorization rule states that a subject has the privilege to

exercise a given action on a given object. • The kind (and granularity) of subjects, objects, and

actions that can be referenced in authorizations may be different in different systems.

Discretionary access control policies

Subjects

Subjects are the entities to which authorizations can be granted.Typically, subjects are users.

Objects

Objects are the entities to be protected. Typically, objects correspond to information container (tables or portion of it) or procedures.

Actions

Actions define the specific operations that subjects can execute on objects. Actions to be supported include the operations corresponding to the basic read, write, delete, create, and execute

Authorizations• Authorizations define which accesses are to be allowed.

• The simplest form of authorization is a triple (subject, object, action) specifying that subject is authorized to exercise action on object.

• Example• subject object access

• Joe Black Employee-relation read

Granularity and Modes of Access Control

The entire database.

Some collection of relations.

One relation.

Some columns of one relation.

Some rows of one relation.

DAC modes in SQL operationsThe ability to INSERT and DELETE is specified on a relation by relation basis.

SELECT is also usually specified on a relation by

relation basis.

UPDATE can be restricted to certain columns of a

relation.

Access Control Mechanisms

Security through Views

Grant and Revoke

Stored Procedures

Query modificatio

n

SECURITY THROUGH VIEWS

View Based Access Control• A base relation is a “real" relation in the database, that is actually stored in the Database.

• A view is a “virtual" relation which is derived from base relations and other views.

• For retrieval purposes users need not distinguish between views and base relations.

• Views, therefore, provide a very powerful mechanism for specifying data-dependent authorization for data retrieval.

A user who has read access to TOY-DEPT is thereby limited to retrieving information about employees in the Toy Department.

Suppose that a new employeeBrown is inserted in base relation EMPLOYEE, as shown in Table 3. The viewTOY-DEPT will be automatically modified to include Brown, as shown in Table 4.

Views can also be used to provide access to statistical information.

A view is simply another relation in the database, which happens to be automatically

modified by the DBMS whenever its base relations are modified.

Problem: Difficult to maintain updates.

GRANTING AND REVOCATION OF ACCESS

Grant• Granting and revocation allow users to selectively and

dynamically grant privileges to other users, and subsequently revoke them if so desired.

• The GRANT command applies to base relations as well as views.

• In SQL granting is accomplished by means of the GRANT statement which has the following general format.

Some examples of GRANT statements

Note that it is not possible to grant a user the grant option on a privilege, withoutallowing the grant option itself to be further granted.

Revoke• Revocation in SQL is accomplished by means of the

REVOKE statement which has the following general format.

• Examples:

STORED PROCEDURESAssign rights to execute compiled programsGRANT RUN ON <program> TO <user>

Problem:Programs may access resources for which the user who runs the program does not have permission.

QUERY MODIFICATION• It is not supported in SQL• In this technique, a query submitted by a user is modified

to include further restrictions as determined by the user's authorization.