database security

Database Security

Ghezal Ahmad Zia

Information Systems DepartmentFaculty of Computer Science

Kabul University

[email protected]

May 16, 2014

Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 1 / 42

Contents I

1 Introduction

2 Main Aspect of Database SecurityIntegrityConfidentialityAvailability

3 Access ControlDiscretionary Access ControlMandatory Access Control

4 Conclusion

5 References

How to think about Insecurity?

People are part of the problem...

Bad guys don’t follow rules

Need to understand what sort of attack possible to compromise asystem

Prerequisite to understand what to protect in a system!

Causes of Software Security Incidents

Buggy software and wrong configurationsUnsafe program languagesComplex programs

Lack of awareness and educationFew courses in computer securityProgramming text books do not emphasize security

Poor usabilitySecurity sometimes makes things harder to use

Economic factorsConsumers do not care about securitySecurity is difficult, expensive and takes timeFew security audits

Human Factor

Who are the attackers?

Why do the attack systems?

Human Factor

Who are the attackers?

Why do the attack systems?

What is Database security?

Database

It is a collection of information stored in a computer

Security

It is being free from danger

Database Security

It is the mechanisms that protect the database against intentional oraccidental threats.

Protection from malicious attempts to steal (view) or modify data.

Database

Security

Database Security

Database

Security

Database Security

Database

Security

Database Security

Database

Security

Database Security

What is Threats?

Threats - Any situation or event, whether intensional or accidental,that may adversely affect a system and consequently theorganization.

Computer Systems

Databases

What is Threats?

Computer Systems

Databases

What is Threats?

Computer Systems

Databases

Threats

Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment

Threats

DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs

Threats

Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation

Threats

Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge

Threats

User o  Using another

person’s means of access

o  Viewing and disclosing unauthorized data

o  Inadequate staff training

o  Illegal entry by hacker

o  Blackmail o  Introduction of

viruses

Threats

Programmers/Operators o  Creating trapdoors o  Program alteration

(such as creating software that is insecure)

o  Inadequate security policies and procedure

viruses

Threats

Programmers/Operators o  Creating trapdoors o  Program alteration

(such as creating software that is insecure)

o  Inadequate security policies and procedure

viruses

Data/Database Administrator o  Inadequate security o  Policies and

procedures

Definition of Database security

Database Security is defined as the process by which ”Confidentiality,Integrity, and Availability”of the database can be protected

Countermeasures

authorization

access control

backup and recovery

encryption

RAID technology

Countermeasures

authorization

access control

backup and recovery

encryption

RAID technology

Countermeasures

authorization

access control

backup and recovery

encryption

RAID technology

Database security Concepts

Three Main Aspects

Confidentiality

Integrity

Availability

Threats to databases:

Loss of Integrity

Loss of Availability

Loss of Confidentiality

Three Main Aspects

Confidentiality

Integrity

Availability

Loss of Integrity

Three Main Aspects

Confidentiality

Integrity

Availability

Loss of Integrity

Three Main Aspects

Confidentiality

Integrity

Availability

Loss of Integrity

Three Main Aspects

Confidentiality

Integrity

Availability

Loss of Integrity

Confidentiality

No one can read our data / communication unless we want them to

It is protecting the database from unauthorized users.

Ensures that users are allowed to do the things they are trying to do.

For example:

The employees should not see the salaries of their managers.

Confidentiality

For example:

Confidentiality

For example:

Confidentiality

For example:

Confidentiality

Confidentiality involves:

privacy: protection of private data,

secrecy: protection of organisational data

Integrity

No one can manipulate our data / processing / communication unlesswe want them to

Protecting the database from authorized users.

Ensures that what users are trying to do is correct

For example:

An employee should be able to modify his or her own information.

Integrity

For example:

Integrity

For example:

Integrity

”Making sure that everything is as it is supposed to be.”Preventing unauthorized writing or modifications

Availability

We can access our data / conduct our processing / use ourcommunication capabilities when we want to

Authorized users should be able to access data for Legal Purposes asnecessary

For example:

Payment orders regarding taxes should be made on time by the tax law.

Availability

For example:

Availability

For example:

Availability

Services are accessible and useable (without delay) whenever needed by anauthorized entity.

Relationship between Confidentiality Integrity andAvailability

Thanks for your attention!

Integrity

How is data integrity preserved?

Through Data integrity Constraints

Constraints restrict data values that can be inserted or updated

Integrity

How is data integrity preserved?

Through Data integrity Constraints

Constraints restrict data values that can be inserted or updated

Column CHECK constraints

Example

Validity Checking Example

CREATE TABLE test(rollno number(2) check (rollno between 1 and 50),name varchar2(15));

INSERT INTO test values(45, ’ Willy’ );1 row inserted

INSERT INTO test values(55, ’ Hiess’ );ERROR-Check constraints violated

Example

INSERT INTO test values(45, ’ Willy’ );

1 row inserted

Example

INSERT INTO test values(55, ’ Hiess’ );

ERROR-Check constraints violated

Example

Referential Integrity

Confidentiality

Example: How to ensure data confidentiality?

Cryptography

Strong Access Control

Limiting number of places where data can appear

Confidentiality

Cryptography

Confidentiality

Cryptography

Confidentiality

Cryptography

Confidentiality

Cryptography

Access Control

An identity permits access to resources

In computer security this is called

Access ControlAuthorization

We talk about:

Subjects (for whom an action is performed)Objects (upon what an action is performed)Operations (the type of action performed)

Access Control

We talk about:

Access Control

We talk about:

Subjects (for whom an action is performed)

Objects (upon what an action is performed)Operations (the type of action performed)

Access Control

We talk about:

Subjects (for whom an action is performed)Objects (upon what an action is performed)

Operations (the type of action performed)

Access Control

We talk about:

Access Control Models

A DBMS provides access control mechanisms to help implement a securitypolicy.

Two complementary types of mechanism:

1 Discretionary access control (DAC)

2 Mandatory access control (MAC)

Discretionary Access Control

Achieve security based on the concept of access rights:

1 privileges for objects (certain access rights for tables, columns, etc.),and

2 a mechanism for giving users privileges (and revoking privileges)

Users are given privileges to access the appropriate schema objects(tables, views).

Users can grant privileges to other users at their own discretion.

Implementation: GRANT and REVOKE commands

1 privileges for objects

(certain access rights for tables, columns, etc.),and

Granting/Revoking Privileges

GRANT SELECT ON database.* TO user@’localhost’;

GRANT SELECT ON database.* TO user@’localhost’ IDENTIFIED BY’password’;

Granting/Revoking Privileges

GRANT SELECT ON database.* TO user@’localhost’;

GRANT SELECT ON database.* TO user@’localhost’ IDENTIFIED BY’password’;

DBMSs and Web Security

Countermeasures

Proxy servers

Firewalls

Secure Socket Layer or SSL

Which is used extensively to securee-commerce on the Internet today.

DBMSs and Web Security

Countermeasures

Proxy servers

Firewalls

Secure Socket Layer or SSL Which is used extensively to securee-commerce on the Internet today.

Proxy Servers

Definition

Proxy servers is a computer that sits between a Web browser and a Webservers. It intercepts all requests for web pages and saves them locally forsome times. Proxy server provides improvement in performance and filtersrequests.

Computer A

Computer B

Proxy-server Internet

Proxy Servers

Definition

Computer A

Computer B

Proxy Servers

Definition

Computer A

Computer B

Firewalls

Is a system that prevents unauthorized access to or from private network.Implemented in software, hardware or both.

Packet filter

Application gateway

Proxy server

Firewalls

Is a system that prevents unauthorized access to or from private network.Implemented in software, hardware or both.

Packet filter

Application gateway

Proxy server

Conclusion

Data security is critical.

Requires security at different levels.

Several technical solutions .

But human training is essential.

References

Mark Stamp

INFORMATION SECURITY PRINCIPLES AND PRACTICE

Mark Stamp

Database Systems

Security , Chapter 19, 541

Michael Gertz

Handbook of Database Security Applications and Trends

Dorothy Elizabeth Robling Denning

Cryptography and Data Security

Thanks for your attention!

database security

Technology

security security

ku database security

danger database security

computer ghezal ahmad

threats ghezal ahmad

danger ghezal ahmad

rules ghezal ahmad zia

references ghezal ahmad