Learning outcomes
At the end of this chapter, you should be able to:
• Define terms related to database security
• Describe threats to data security
• Describe problems of database security and list techniques that are used to enhance security
• Understand the role of databases in Sarbanes-Oxley compliance
Database Security
Database security: protection of the data against accidental or intentional loss, destruction, or misuse.
• Increased difficulty due to Internet access and client/server technologies
Threats to Data Security
[Figure: possible locations of data security threats]

Threats to Data Security
1. Accidental losses, including human error, software- and hardware-caused breaches
2. Theft and fraud
3. Loss of privacy (personal data)
4. Loss of confidentiality (corporate data)
5. Loss of data integrity
6. Loss of availability (through, e.g., sabotage)
Threats to Data Security: Accidental losses
Accidental losses, including human error and software- and hardware-caused breaches. Establishing operating procedures:
• User authorization
• Uniform software installation procedures
• Hardware maintenance schedule
Human error: some losses are inevitable, but well-thought-out policies and procedures should reduce the amount and severity of losses.
Threats to Data Security: Theft and fraud
Activities done by people, quite possibly through electronic means, that may or may not alter data. Countermeasures:
• Physical security
• Firewall
Threats to Data Security: Loss of privacy or confidentiality
• Loss of privacy: loss of protection of data about individuals
• Loss of confidentiality: loss of protection of critical organizational data that may have strategic value to the organization
Threats to Data Security: Loss of data integrity
• When data integrity is compromised, data will be invalid or corrupted
• Can be restored through established backup and recovery procedures; otherwise an organization may suffer serious losses or make incorrect and expensive decisions
Threats to Data Security: Loss of availability
• Sabotage of hardware, networks or applications
• Virus: corrupts data or software, or renders the system unusable
  – Install antivirus software
  – Update the antivirus regularly
Establishing Client/Server Security: Server security
• Multiple servers need to be protected (incl. the database server)
• Secure area
• Passwords, layers of protection against intrusion
• Most DBMSs provide database-level password security
• On a database server, sole reliance on OS authentication should not be encouraged
Establishing Client/Server Security: Network security
Networks are susceptible to breaches of security through:
• Eavesdropping
• Unauthorized connections
• Unauthorized retrieval of packets of information traversing the network
Countermeasures: encryption, authentication, audit trails, routers
Application security issues in three-tier Client/Server Environments
• Dynamic web pages require access to the database
• If the database is not properly protected, it is vulnerable to inappropriate access by any user
• Privacy: companies collect information on users
Application security issues in three-tier Client/Server Environments
[Figure: three-tier client/server environment]

Establishing Internet Security
[Figure: Internet security: Web servers, database servers]
Web Security
Static HTML files are easy to secure:
• Protection must be established for the HTML stored on a Web server
• Standard database access controls
• Sensitive HTML files are placed in directories that are protected using OS security, or they may be readable but not published in the directory
Web Security
Dynamic pages are harder:
• Web pages are stored as a template; appropriate and current data are inserted from the database or user input once any queries associated with the page are run
• The Web server must be able to access the database; the connection usually requires full access to the database
• Adequate server security is critical
  – Database server: physically secure
  – Execution of programs on the server should be controlled
  – User input could embed SQL commands: it needs to be filtered
• Access to data can also be controlled through user authentication security
• Session security must be established: TCP/IP is not a very secure protocol, so encryption systems are essential, e.g. Secure Sockets Layer (SSL)
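The "user input could embed SQL commands" point above, as an added example that is not part of the original slides: a lookup that pastes the browser-supplied region into the SQL text, beside the hardened form that binds it as a parameter. The table, its rows and the function names are constructed for the demo.

```python
import sqlite3

# Constructed sample rows: (customer name, sales region)
SAMPLE_ROWS = [("Alice", "West"), ("Bob", "East"), ("Carol", "West")]

def make_db():
    """In-memory SQLite database standing in for the site's database server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE CUSTOMER_T (name TEXT, region TEXT)")
    con.executemany("INSERT INTO CUSTOMER_T VALUES (?, ?)", SAMPLE_ROWS)
    return con

def customers_unsafe(con, region):
    """Vulnerable: the value from the Web form is pasted into the SQL text, so a
    value containing a quote rewrites the WHERE clause instead of matching it."""
    sql = "SELECT name FROM CUSTOMER_T WHERE region = '" + region + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]

def customers_safe(con, region):
    """Hardened: a bound parameter is always treated as data, never as SQL,
    so the same value can only ever match a literal region name."""
    sql = "SELECT name FROM CUSTOMER_T WHERE region = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (region,))]

if __name__ == "__main__":
    con = make_db()
    print(customers_safe(con, "West"))       # ['Alice', 'Carol']
    crafted = "x' OR '1'='1"                 # a region value that embeds SQL
    print(customers_unsafe(con, crafted))    # every customer: the filter was bypassed
    print(customers_safe(con, crafted))      # []: no region has that literal name
```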
Web Security
Additional methods of Web security:
• Restrict the number of users on the Web server
• Restrict access to the Web server: keep a minimum number of ports open
• Remove any unneeded programs that load automatically when setting up the server
Data Privacy
Protection of individual privacy when using the Internet is IMPORTANT. What are the rights of the individual? Individual privacy legislation:
• The right to know what data have been collected
• The right to correct any errors in those data
The amount of data exchanged continues to grow:
• Develop adequate data protection
• Adequate provisions to allow the data to be used for legitimate legal purposes
Data Privacy
Individuals must guard their privacy rights and must be aware of the privacy implications of the tools they are using, e.g. cookies.
• At work: communication executed through the employer’s machines and networks is not private
• Internet: privacy of communication is not guaranteed
• Encryption, anonymous remailers and built-in security mechanisms in software help to preserve privacy
Web Privacy
W3C has created a standard, the Platform for Privacy Preferences (P3P), that will communicate a Web site’s stated privacy policies and compare that statement with the user’s own policy preferences. It addresses the following:
• Who is collecting the data?
• What information is being collected and for what purpose?
• What information will be shared with others, and who are those others?
• Can users make changes in the way their data will be used by the collector?
• How are disputes resolved?
• What policies are followed for retaining data?
• Where can the site’s detailed policies be found, in readable form?
Database Software Security Features
• Views or subschemas
• Integrity controls
• Authorization rules
• User-defined procedures
• Encryption
• Authentication schemes
• Backup, journalizing, and checkpointing
Views
• Subset of the database that is presented to one or more users
• Created by querying one or more of the base tables
• A user can be given the access privilege to the view without being given the access privilege to the underlying tables
Example: build a view that has sales-by-region information.

CREATE VIEW V_REGION_SALES AS
  SELECT A1.region_name REGION, SUM(A2.Sales) SALES
  FROM Geography A1, Store_Information A2
  WHERE A1.store_name = A2.store_name
  GROUP BY A1.region_name;
Views

Store_Information
store_name    Sales   Date
Los Angeles   1500    Jan-05-2008
San Diego      250    Jan-07-2008
Los Angeles    300    Jan-08-2008
Boston         700    Jan-08-2008

Geography
region_name   store_name
East          Boston
East          New York
West          Los Angeles
West          San Diego

SELECT * FROM V_REGION_SALES;

REGION   SALES
East       700
West      2050
Integrity Controls
Protect data from unauthorized use.
Domains – set allowable values:

create domain MONEY as INTEGER (2);
create domain ORDER_IDENT as INTEGER;
create domain PRODUCT_NAME as char (20);
create domain CUSTOMER_NAME as char (20);
Integrity Controls
Assertions enforce database conditions. Example: the sum of all loan amounts for each branch must be less than the sum of all account balances at the branch.

-- The assertion holds as long as no branch exists whose total loans
-- reach or exceed its total account balances.
create assertion sum-constraint check
  (not exists (select * from branch
     where (select sum(amount) from loan
            where loan.branch-name = branch.branch-name)
        >= (select sum(amount) from account
            where account.branch-name = branch.branch-name)));
Integrity Controls
Triggers prevent inappropriate actions, invoke special handling procedures, and write to log files. They are routines that execute in response to a database event (INSERT, UPDATE, or DELETE).

CREATE TRIGGER STANDARD_PRICE_UPDATE
  AFTER UPDATE OF STANDARD_PRICE ON PRODUCT_T
  REFERENCING NEW ROW AS N
  FOR EACH ROW
  -- log the product, the date and the new price of every price change
  INSERT INTO PRICE_UPDATES_T
    VALUES (N.PRODUCT_DESCRIPTION, CURRENT_DATE, N.STANDARD_PRICE);
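The STANDARD_PRICE_UPDATE trigger run end to end, as an added example rather than code from the slides. It uses SQLite, whose trigger syntax differs slightly from the slide's (OLD/NEW row references, a BEGIN ... END body), and goes a little beyond the slide by logging the old price as well; the table layouts and sample products are constructed.

```python
import sqlite3

# Constructed schema. SQLite has no DATE type, so the log keeps the date as text.
SCHEMA = """
CREATE TABLE PRODUCT_T (
    PRODUCT_ID          INTEGER PRIMARY KEY,
    PRODUCT_DESCRIPTION TEXT,
    STANDARD_PRICE      REAL);
CREATE TABLE PRICE_UPDATES_T (
    PRODUCT_DESCRIPTION TEXT,
    CHANGED_ON          TEXT,
    OLD_PRICE           REAL,
    STANDARD_PRICE      REAL);
-- Fires once per affected row, and only when STANDARD_PRICE is in the SET list.
CREATE TRIGGER STANDARD_PRICE_UPDATE
AFTER UPDATE OF STANDARD_PRICE ON PRODUCT_T
FOR EACH ROW
BEGIN
    INSERT INTO PRICE_UPDATES_T
    VALUES (NEW.PRODUCT_DESCRIPTION, date('now'), OLD.STANDARD_PRICE, NEW.STANDARD_PRICE);
END;
"""

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    # constructed sample products
    con.executemany("INSERT INTO PRODUCT_T VALUES (?, ?, ?)",
                    [(1, "End Table", 175.0), (2, "Coffee Table", 200.0)])
    return con

def change_price(con, product_id, new_price):
    con.execute("UPDATE PRODUCT_T SET STANDARD_PRICE = ? WHERE PRODUCT_ID = ?",
                (new_price, product_id))

def rename_product(con, product_id, description):
    con.execute("UPDATE PRODUCT_T SET PRODUCT_DESCRIPTION = ? WHERE PRODUCT_ID = ?",
                (description, product_id))

def price_log(con):
    """Audit trail as (description, old price, new price); the date column is
    left out here only so the result is stable from one run to the next."""
    return [(d, o, n) for d, _, o, n in
            con.execute("SELECT * FROM PRICE_UPDATES_T ORDER BY rowid")]

def audit_demo():
    con = make_db()
    change_price(con, 1, 190.0)            # logged by the trigger
    rename_product(con, 2, "Side Table")   # not logged: STANDARD_PRICE untouched
    return price_log(con)                  # [('End Table', 175.0, 190.0)]

if __name__ == "__main__":
    print(audit_demo())
```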
Authorization Rules
Controls incorporated in the data management system. They restrict:
• access to data
• actions that people can take on data
Authorization matrix for: subjects, objects, actions, constraints
Authorization Rules
[Figure: authorization table for subjects (salespeople)]
[Figure: authorization table for objects (orders)]
[Figure: Oracle privileges]
Authorization Rules

GRANT SELECT, UPDATE (unit_price) ON PRODUCT_T TO SMITH;
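An added example, not from the slides: the authorization matrix (subjects, objects, actions, constraints) checked in application code, covering the row-level constraints that a plain GRANT like the one above cannot express. The roles, the ORDER_T table, the region and order-limit rules and the request layout are all constructed.

```python
from typing import Callable, Optional

# A request carries the acting user's region, the order limit that applies to
# them and the row being touched. Constraints are predicates over that request.
Constraint = Callable[[dict], bool]

def own_region(req: dict) -> bool:
    """Salespeople may only touch orders from their own region."""
    return req["row"]["region"] == req["user_region"]

def under_limit(req: dict) -> bool:
    """Salespeople may only create or change orders up to their limit."""
    return req["row"]["total"] <= req["limit"]

# Authorization matrix rows: (subject, object, actions, constraint or None)
RULES: list[tuple[str, str, frozenset, Optional[Constraint]]] = [
    ("salesperson",   "ORDER_T", frozenset({"SELECT"}), own_region),
    ("salesperson",   "ORDER_T", frozenset({"INSERT", "UPDATE"}),
                      lambda r: own_region(r) and under_limit(r)),
    ("sales_manager", "ORDER_T", frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"}), None),
]

def is_authorized(role: str, obj: str, action: str, req: dict) -> bool:
    """Deny by default: allow only if a rule for this subject, object and action
    exists and its constraint (if any) holds for the request."""
    for subject, o, actions, constraint in RULES:
        if subject == role and o == obj and action in actions:
            if constraint is None or constraint(req):
                return True
    return False

if __name__ == "__main__":
    req = {"user_region": "West", "limit": 1000,
           "row": {"region": "West", "total": 600}}
    print(is_authorized("salesperson", "ORDER_T", "UPDATE", req))   # True
    req["row"]["total"] = 5000
    print(is_authorized("salesperson", "ORDER_T", "UPDATE", req))   # False: over limit
    print(is_authorized("salesperson", "ORDER_T", "SELECT", req))   # True: reads have no limit
```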
User Defined Procedures
Some DBMSs also provide capabilities for user-defined procedures to customize the authorization process.
• User exits or interfaces that allow system designers to define their own security procedures in addition to the authorization rules
• A user procedure might be designed to provide positive user identification
• The user might be required to supply a procedure name in addition to a password
• Given a valid password and the correct procedure name, the system calls the procedure, which asks the user a series of questions whose answers should be known only to that user
Encryption
The coding or scrambling of data so that humans cannot read them. Two common forms of encryption:
• One key (symmetric key), e.g. the Data Encryption Standard (DES): uses the same key to encrypt and decrypt; easy to understand and implement
• Two key: different keys to encrypt and decrypt (a key pair); one key is published (the public key), the other is kept secret (the private key)
Secure Sockets Layer (SSL) is a popular encryption scheme for TCP/IP connections.
Authentication Schemes
Goal: obtain a positive identification of the user. In an electronic environment:
• Something the user knows: password/PIN
• Something the user possesses: smart card/token
• Some unique personal characteristic: biometrics
Authentication schemes: one-factor, two-factor, three-factor
Authentication Schemes
First line of defense: one-factor. Passwords:
• Should be at least 8 characters long
• Should combine alphabetic and numeric data
• Should not be complete words or personal information
• Should be changed frequently
Authentication Schemes: Strong Authentication
Passwords are flawed:
• Users share them with each other
• They get written down and could be copied
• Automatic logon scripts remove the need to explicitly type them in
• Unencrypted passwords travel the Internet
Possible solutions:
• Two factor, e.g. smart card + PIN
• Three factor, e.g. smart card + biometric + PIN
• Biometric devices: use of fingerprints, retinal scans, etc. for positive ID
• Third-party mediated authentication: using secret keys, digital certificates
Sarbanes-Oxley (SOX)
Designed to ensure the integrity of public companies’ financial statements: sufficient control and security over the financial systems and IT infrastructure.
• Requires companies to audit the access to sensitive data
• A SOX audit involves: IT change management, logical access to data, IT operations
• The audit starts with a walkthrough: the auditor will try to understand how the THREE areas are handled by the IT organization
Sarbanes-Oxley (SOX): IT Change Management
• The process by which changes to operational systems and databases are authorized
• For databases, changes to: the schema, the database configuration, updates to the DBMS software
• Top deficiency found by SOX auditors: segregation of duties between people who had access to databases in the three common environments: development, test, production
• SOX mandates: the DBAs who have the ability to modify data in these environments must be different; if not, other personnel should be authorized to do periodic reviews of database access by DBAs, using database audits
Sarbanes-Oxley (SOX): Logical Access to Data
• Security procedures in place to prevent unauthorized access to the data
• SOX perspective: Who has access to what? Who has access to too much?
• Organizations must establish administrative policies and procedures
• Two types of security policies and procedures: personnel controls, physical access controls
Sarbanes-Oxley (SOX): Logical Access to Data
• Personnel controls: adequate controls of personnel must be developed and followed: hiring practices, employee monitoring, security training, separation of duties
• Physical access controls: limiting access to particular areas within a building: swipe cards, equipment locking, check-out procedures, screen placement, laptop protection
Sarbanes-Oxley (SOX): IT Operations
• Policies and procedures for the day-to-day management of infrastructure, applications, and databases in an organization
• For databases: backup, recovery, availability
• An area of control that helps to maintain data quality and availability: vendor management
  – Periodically review external maintenance agreements for hardware and software
  – Consider reaching agreements so that the organization can get access to the source code should the developer go out of business or stop supporting the programs
END OF CHAPTER