8/3/2019 Lect 03 Database Security
Lecture 15 Database Security
Department of Computer Science University of Peshawar
Database Security, Lec-15
Prepared by
Bilal Khan
-
Protection of the data against accidental or intentional
loss, destruction, or misuse.
Access to data has become more open through the
Internet and corporate intranets and from mobile computing devices. As a result, managing data security
effectively has become more difficult and time
consuming.
-
To protect the data in a database, data administration is
responsible for developing overall policies and procedures
to protect databases.
Database administration is responsible for
administering database security on a daily basis.
-
Data is a valuable resource that must be strictly
controlled and managed, as with any corporate
resource.
Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and
confidential.
-
Mechanisms that protect the database against intentional
or accidental threats.
Security considerations do not only apply to the data
held in a database. Breaches of security may affect other parts of the system, which may in turn affect the
database.
-
If an unauthorized person gains access to the database, they
may alter, change, or even steal the data.
Database security alone does not ensure a secure
database.
All parts of the system must be secure, including the database,
network, operating system, building in which the database
resides physically, and the staff members who have any
opportunity to access the system.
-
The threats addressed in a data security plan are:
Accidental losses
Theft and fraud
Improper data access
Loss of data integrity
Loss of availability
-
Accidental losses
Human error
Software failure
Hardware failure
-
Theft and fraud
These activities are going to be perpetrated by people, quite possibly through electronic means, and may or may not alter data. Attention here should focus on each
possible location.
For example, physical security must be established so that unauthorized persons are unable to gain access.
A firewall should be established to protect the database against unauthorized access from the outside world, hampering people whose aim is theft or fraud.
-
Loss of Privacy
Loss of privacy means a loss of protection of individuals'
data.
Failure to control privacy of information may lead to
blackmail, corruption, public embarrassment, or stealing
of user passwords.
-
Loss of Privacy
Loss of confidentiality means loss of protection of
organizational data that may have strategic value to the
organization.
Failure to control confidentiality may lead to loss of
competitiveness.
-
Loss of data integrity
When data integrity is compromised, data will be invalid
or corrupted.
If data integrity cannot be restored through backup and
recovery techniques, the organization may suffer
or make incorrect and expensive decisions based on the
invalid data.
-
Loss of availability
Damage to hardware, networks, or applications may
cause the data to become unavailable to users, which
again may lead to severe operational difficulties.
-
Views or subschemas
Integrity controls
Authorization rules
User-defined procedures
Encryption
Authentication schemes
Backup, journalizing, and checkpointing
-
Views or subschemas
A view is a virtual relation that does not necessarily exist in
the database but can be produced upon request by a
particular user, at the time of request.
It may be dynamically derived from one or more base
relations.
It is always based on the current data in the base tables from which it is built.
-
Views or subschemas
The view mechanism provides a powerful and flexible
security mechanism by hiding parts of the database from
certain users.
The user is not aware of the existence of any attributes
or rows that are missing from the view.
-
Views or subschemas
It effectively prevents the user from viewing other data
that may be private or confidential.
The user may be granted the right to access the view, but
not to access the base tables upon which the view is
based.
-
Integrity controls
Prevent data from becoming invalid, and hence giving
misleading or incorrect results.
Maintain a secure database system by preventing data
from becoming invalid.
Protect data from unauthorized use
Domains: set allowable values
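Added example (not from the lecture): how a domain sets the allowable values for every column that uses it. PostgreSQL syntax is assumed, and all table, domain and column names and all values are constructed for illustration.

```sql
-- Added example, PostgreSQL syntax assumed; all names and values are constructed.
-- A domain defines the allowable values once and is reused by every
-- column declared with it, so the rule cannot be forgotten on one table.
CREATE DOMAIN price_d AS NUMERIC(8,2)
    CHECK (VALUE >= 0);

CREATE DOMAIN order_status_d AS VARCHAR(10)
    CHECK (VALUE IN ('OPEN', 'SHIPPED', 'CANCELLED'));

CREATE TABLE order_line_t (
    order_id    INTEGER        NOT NULL,
    line_no     INTEGER        NOT NULL,
    unit_price  price_d        NOT NULL,
    status      order_status_d NOT NULL DEFAULT 'OPEN',
    PRIMARY KEY (order_id, line_no)
);

-- Accepted: both values fall inside their domains.
INSERT INTO order_line_t VALUES (1001, 1, 450.00, 'OPEN');

-- Each statement below is rejected by the DBMS itself, whichever
-- application or user issues it (uncomment to see the error):
-- INSERT INTO order_line_t VALUES (1001, 2, -5.00, 'OPEN');      -- negative price
-- INSERT INTO order_line_t VALUES (1001, 3, 10.00, 'PENDING');   -- unknown status
-- UPDATE order_line_t SET status = 'LOST' WHERE order_id = 1001; -- unknown status
```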
-
Authorization rules
Authorization rules are controls incorporated in the data
management system that restrict access to data and also
restrict the actions that people may take when they access data.
A person who can supply a particular password may be
authorized to read any record in a database but cannot
necessarily modify any of those records.
-
Authorization rules
Example
A person who can supply a particular password may be
authorized to read any record in a database but cannot necessarily modify any of those records.
The GRANT command gives privileges to users, and the REVOKE command takes away privileges.
-
Authorization rules
Authorization Matrix
-
Implementing authorization rules
Authorization table for subjects (salespeople)
Authorization table for objects (orders)
Oracle privileges
-
Authorization rules
The GRANT command gives privileges to users, and the REVOKE
command takes away privileges.
GRANT SELECT, UPDATE (unit_price) ON PRODUCT_T TO SMITH;
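Added example (not from the lecture): the view mechanism and the GRANT/REVOKE commands used together, so that a user reads a view without holding any privilege on the base table. PostgreSQL syntax and a superuser session are assumed; only PRODUCT_T, unit_price and SMITH come from the slides, every other name and value is constructed.

```sql
-- Added example. PostgreSQL syntax, run as a superuser (assumption).
-- Only PRODUCT_T, unit_price and SMITH come from the slides.
CREATE ROLE smith LOGIN;

CREATE TABLE product_t (
    product_id    INTEGER PRIMARY KEY,
    product_name  VARCHAR(50)  NOT NULL,
    unit_price    NUMERIC(8,2) NOT NULL,
    supplier_cost NUMERIC(8,2) NOT NULL,   -- confidential column
    discontinued  BOOLEAN      NOT NULL DEFAULT FALSE
);
INSERT INTO product_t VALUES
    (1, 'Oak desk',   450.00, 210.00, FALSE),
    (2, 'Pine shelf', 120.00,  55.00, TRUE);

-- The view hides one column (supplier_cost) and one row (discontinued items).
CREATE VIEW product_catalog_v AS
    SELECT product_id, product_name, unit_price
    FROM product_t
    WHERE NOT discontinued;

-- SMITH may read the view but holds nothing on the base table.
REVOKE ALL ON product_t FROM smith;
GRANT SELECT ON product_catalog_v TO smith;

SET ROLE smith;
SELECT * FROM product_catalog_v;   -- allowed: returns product 1 only
-- SELECT * FROM product_t;        -- rejected: permission denied
RESET ROLE;

-- The slide's statement grants SELECT on every column of PRODUCT_T, which
-- would expose supplier_cost. Column lists on both privileges keep it hidden.
GRANT SELECT (product_id, unit_price), UPDATE (unit_price) ON product_t TO smith;

SET ROLE smith;
UPDATE product_t SET unit_price = 460.00 WHERE product_id = 1;   -- allowed
-- UPDATE product_t SET supplier_cost = 0 WHERE product_id = 1;  -- rejected
-- SELECT supplier_cost FROM product_t;                          -- rejected
RESET ROLE;

-- REVOKE takes the privileges away again.
REVOKE SELECT (product_id, unit_price), UPDATE (unit_price) ON product_t FROM smith;
```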
-
Encryption
It is the coding of data so that humans cannot read them.
Some DBMS products include encryption routines that
automatically encode sensitive data when they are stored or transmitted over communications channels.
Example
Encryption is commonly used in electronic funds transfer (EFT) systems.
-
Encryption
Types of encryption
One Key Encryption
Two Key Encryption
-
Encryption
Types of encryption
One Key Encryption
It is also called data encryption standard (DES). Both the sender
and the receiver need to know the key that is used to scramble
the transmitted or stored data.
-
Encryption
Types of encryption
Two Key Encryption
Also called asymmetric encryption, it employs a private and a
public key.
Two-key methods are especially popular in e-commerce
applications to provide secure transmission and database storage of payment data, such as credit card numbers.
-
Authentication
Positive identification of the user
Identify the users who are trying to gain access to a
computer or its resources.
-
Authentication
Identify the users who are trying to gain access by having
them supply one of the following factors:
Something the user knows, usually a password or personal identification number (PIN)
Something the user possesses, such as a smart card or token
Some unique personal characteristic, such as a fingerprint or retinal scan
Authentication schemes are called one-factor, two-factor, or
three-factor authentication,
-
Authentication
Passwords
It is a one-factor authentication scheme.
The person who can supply a valid password can log on
to the database system.
The DBA is responsible for issuing or creating passwords for the DBMS and other specific applications.
-
Authentication
Passwords
The DBA should follow several guidelines in creating
passwords
Should be at least 8 characters long
Should combine alphabetic and numeric data
Should not be complete words or personal information
Should be changed frequently
-
Authentication
Strong Authentication
Two-factor authentication schemes (usually card and
PIN code, e.g. ATM).
Two-factor authentication schemes are more secure than
simple passwords because it is quite difficult for an
unauthorized person to obtain both factors at the same time.
-
Authentication
Strong Authentication
Two-factor schemes are also not perfect. Cards can be
lost or stolen, and PINs can be intercepted. For sensitive
applications, such as e-commerce and online banking,
stronger security is necessary.
Solution: Three factor authentication schemes
-
Authentication
Strong Authentication
Three-factor authentication schemes have an extra
biometric attribute (fingerprints, voiceprints, eye
pictures, etc.) that is unique for each individual user.
Three-factor authentication is normally implemented with a high-tech card called a smart card.
-
Authentication
Mediated Authentication
Introduces a third party into authentication systems,
which establishes user authenticity through a trusted
authentication agent, such as Kerberos.