database security
DESCRIPTION
Database Security with main aspect of CIATRANSCRIPT
Database Security
Ghezal Ahmad Zia
Information Systems DepartmentFaculty of Computer Science
Kabul University
May 16, 2014
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 1 / 42
Contents I
1 Introduction
2 Main Aspect of Database SecurityIntegrityConfidentialityAvailability
3 Access ControlDiscretionary Access ControlMandatory Access Control
4 Conclusion
5 References
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 2 / 42
How to think about Insecurity?
People are part of the problem...
Bad guys don’t follow rules
Need to understand what sort of attack possible to compromise asystem
Prerequisite to understand what to protect in a system!
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
How to think about Insecurity?
People are part of the problem...
Bad guys don’t follow rules
Need to understand what sort of attack possible to compromise asystem
Prerequisite to understand what to protect in a system!
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
How to think about Insecurity?
People are part of the problem...
Bad guys don’t follow rules
Need to understand what sort of attack possible to compromise asystem
Prerequisite to understand what to protect in a system!
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
How to think about Insecurity?
People are part of the problem...
Bad guys don’t follow rules
Need to understand what sort of attack possible to compromise asystem
Prerequisite to understand what to protect in a system!
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
Causes of Software Security Incidents
Buggy software and wrong configurationsUnsafe program languagesComplex programs
Lack of awareness and educationFew courses in computer securityProgramming text books do not emphasize security
Poor usabilitySecurity sometimes makes things harder to use
Economic factorsConsumers do not care about securitySecurity is difficult, expensive and takes timeFew security audits
Human Factor
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents
Buggy software and wrong configurationsUnsafe program languagesComplex programs
Lack of awareness and educationFew courses in computer securityProgramming text books do not emphasize security
Poor usabilitySecurity sometimes makes things harder to use
Economic factorsConsumers do not care about securitySecurity is difficult, expensive and takes timeFew security audits
Human Factor
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents
Buggy software and wrong configurationsUnsafe program languagesComplex programs
Lack of awareness and educationFew courses in computer securityProgramming text books do not emphasize security
Poor usabilitySecurity sometimes makes things harder to use
Economic factorsConsumers do not care about securitySecurity is difficult, expensive and takes timeFew security audits
Human Factor
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents
Buggy software and wrong configurationsUnsafe program languagesComplex programs
Lack of awareness and educationFew courses in computer securityProgramming text books do not emphasize security
Poor usabilitySecurity sometimes makes things harder to use
Economic factorsConsumers do not care about securitySecurity is difficult, expensive and takes timeFew security audits
Human Factor
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents
Buggy software and wrong configurationsUnsafe program languagesComplex programs
Lack of awareness and educationFew courses in computer securityProgramming text books do not emphasize security
Poor usabilitySecurity sometimes makes things harder to use
Economic factorsConsumers do not care about securitySecurity is difficult, expensive and takes timeFew security audits
Human Factor
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents
Buggy software and wrong configurationsUnsafe program languagesComplex programs
Lack of awareness and educationFew courses in computer securityProgramming text books do not emphasize security
Poor usabilitySecurity sometimes makes things harder to use
Economic factorsConsumers do not care about securitySecurity is difficult, expensive and takes timeFew security audits
Human Factor
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Human Factor
Who are the attackers?
Why do the attack systems?
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 5 / 42
Human Factor
Who are the attackers?
Why do the attack systems?
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 5 / 42
What is Database security?
Database
It is a collection of information stored in a computer
Security
It is being free from danger
Database Security
It is the mechanisms that protect the database against intentional oraccidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security?
Database
It is a collection of information stored in a computer
Security
It is being free from danger
Database Security
It is the mechanisms that protect the database against intentional oraccidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security?
Database
It is a collection of information stored in a computer
Security
It is being free from danger
Database Security
It is the mechanisms that protect the database against intentional oraccidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security?
Database
It is a collection of information stored in a computer
Security
It is being free from danger
Database Security
It is the mechanisms that protect the database against intentional oraccidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security?
Database
It is a collection of information stored in a computer
Security
It is being free from danger
Database Security
It is the mechanisms that protect the database against intentional oraccidental threats.
OR
Protection from malicious attempts to steal (view) or modify data.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Threats?
Threats - Any situation or event, whether intensional or accidental,that may adversely affect a system and consequently theorganization.
Computer Systems
Databases
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
What is Threats?
Threats - Any situation or event, whether intensional or accidental,that may adversely affect a system and consequently theorganization.
Computer Systems
Databases
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
What is Threats?
Threats - Any situation or event, whether intensional or accidental,that may adversely affect a system and consequently theorganization.
Computer Systems
Databases
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
Threats
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 8 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 9 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 10 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs
Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 11 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs
Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation
Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 12 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs
Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation
Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 13 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs
Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation
Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge
User o Using another
person’s means of access
o Viewing and disclosing unauthorized data
o Inadequate staff training
o Illegal entry by hacker
o Blackmail o Introduction of
viruses
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 14 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs
Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation
Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge
Programmers/Operators o Creating trapdoors o Program alteration
(such as creating software that is insecure)
o Inadequate staff training
o Inadequate security policies and procedure
User o Using another
person’s means of access
o Viewing and disclosing unauthorized data
o Inadequate staff training
o Illegal entry by hacker
o Blackmail o Introduction of
viruses
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 15 / 42
Threats
Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment
DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs
Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation
Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge
Programmers/Operators o Creating trapdoors o Program alteration
(such as creating software that is insecure)
o Inadequate staff training
o Inadequate security policies and procedure
User o Using another
person’s means of access
o Viewing and disclosing unauthorized data
o Inadequate staff training
o Illegal entry by hacker
o Blackmail o Introduction of
viruses
Data/Database Administrator o Inadequate security o Policies and
procedures
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 16 / 42
Definition of Database security
Database Security is defined as the process by which ”Confidentiality,Integrity, and Availability”of the database can be protected
Countermeasures
authorization
access control
views
backup and recovery
encryption
RAID technology
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
Definition of Database security
Database Security is defined as the process by which ”Confidentiality,Integrity, and Availability”of the database can be protected
Countermeasures
authorization
access control
views
backup and recovery
encryption
RAID technology
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
Definition of Database security
Database Security is defined as the process by which ”Confidentiality,Integrity, and Availability”of the database can be protected
Countermeasures
authorization
access control
views
backup and recovery
encryption
RAID technology
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
Database security Concepts
Three Main Aspects
Confidentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Confidentiality
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts
Three Main Aspects
Confidentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Confidentiality
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts
Three Main Aspects
Confidentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Confidentiality
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts
Three Main Aspects
Confidentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Confidentiality
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts
Three Main Aspects
Confidentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Confidentiality
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Confidentiality
Confidentiality
No one can read our data / communication unless we want them to
It is protecting the database from unauthorized users.
Ensures that users are allowed to do the things they are trying to do.
For example:
The employees should not see the salaries of their managers.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality
Confidentiality
No one can read our data / communication unless we want them to
It is protecting the database from unauthorized users.
Ensures that users are allowed to do the things they are trying to do.
For example:
The employees should not see the salaries of their managers.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality
Confidentiality
No one can read our data / communication unless we want them to
It is protecting the database from unauthorized users.
Ensures that users are allowed to do the things they are trying to do.
For example:
The employees should not see the salaries of their managers.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality
Confidentiality
No one can read our data / communication unless we want them to
It is protecting the database from unauthorized users.
Ensures that users are allowed to do the things they are trying to do.
For example:
The employees should not see the salaries of their managers.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality
Confidentiality involves:
privacy: protection of private data,
secrecy: protection of organisational data
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 20 / 42
Integrity
Integrity
No one can manipulate our data / processing / communication unlesswe want them to
Protecting the database from authorized users.
Ensures that what users are trying to do is correct
For example:
An employee should be able to modify his or her own information.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
Integrity
Integrity
No one can manipulate our data / processing / communication unlesswe want them to
Protecting the database from authorized users.
Ensures that what users are trying to do is correct
For example:
An employee should be able to modify his or her own information.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
Integrity
Integrity
No one can manipulate our data / processing / communication unlesswe want them to
Protecting the database from authorized users.
Ensures that what users are trying to do is correct
For example:
An employee should be able to modify his or her own information.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
Integrity
”Making sure that everything is as it is supposed to be.”Preventing unauthorized writing or modifications
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 22 / 42
Availability
Availability
We can access our data / conduct our processing / use ourcommunication capabilities when we want to
Authorized users should be able to access data for Legal Purposes asnecessary
For example:
Payment orders regarding taxes should be made on time by the tax law.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
Availability
Availability
We can access our data / conduct our processing / use ourcommunication capabilities when we want to
Authorized users should be able to access data for Legal Purposes asnecessary
For example:
Payment orders regarding taxes should be made on time by the tax law.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
Availability
Availability
We can access our data / conduct our processing / use ourcommunication capabilities when we want to
Authorized users should be able to access data for Legal Purposes asnecessary
For example:
Payment orders regarding taxes should be made on time by the tax law.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
Availability
Services are accessible and useable (without delay) whenever needed by anauthorized entity.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 24 / 42
Relationship between Confidentiality Integrity andAvailability
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 25 / 42
Relationship between Confidentiality Integrity andAvailability
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 26 / 42
Thanks for your attention!
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 27 / 42
Integrity
How is data integrity preserved?
Through Data integrity Constraints
Constraints restrict data values that can be inserted or updated
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 28 / 42
Integrity
How is data integrity preserved?
Through Data integrity Constraints
Constraints restrict data values that can be inserted or updated
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 28 / 42
Column CHECK constraints
Example
Validity Checking Example
CREATE TABLE test(rollno number(2) check (rollno between 1 and 50),name varchar2(15));
Validity Checking Example
INSERT INTO test values(45, ’ Willy’ );1 row inserted
Validity Checking Example
INSERT INTO test values(55, ’ Hiess’ );ERROR-Check constraints violated
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints
Example
Validity Checking Example
CREATE TABLE test(rollno number(2) check (rollno between 1 and 50),name varchar2(15));
Validity Checking Example
INSERT INTO test values(45, ’ Willy’ );
1 row inserted
Validity Checking Example
INSERT INTO test values(55, ’ Hiess’ );ERROR-Check constraints violated
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints
Example
Validity Checking Example
CREATE TABLE test(rollno number(2) check (rollno between 1 and 50),name varchar2(15));
Validity Checking Example
INSERT INTO test values(45, ’ Willy’ );1 row inserted
Validity Checking Example
INSERT INTO test values(55, ’ Hiess’ );ERROR-Check constraints violated
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints
Example
Validity Checking Example
CREATE TABLE test(rollno number(2) check (rollno between 1 and 50),name varchar2(15));
Validity Checking Example
INSERT INTO test values(45, ’ Willy’ );1 row inserted
Validity Checking Example
INSERT INTO test values(55, ’ Hiess’ );
ERROR-Check constraints violated
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints
Example
Validity Checking Example
CREATE TABLE test(rollno number(2) check (rollno between 1 and 50),name varchar2(15));
Validity Checking Example
INSERT INTO test values(45, ’ Willy’ );1 row inserted
Validity Checking Example
INSERT INTO test values(55, ’ Hiess’ );ERROR-Check constraints violated
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Referential Integrity
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 30 / 42
Confidentiality
Example: How to ensure data confidentiality?
Cryptography
Strong Access Control
Limiting number of places where data can appear
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality
Example: How to ensure data confidentiality?
Cryptography
Strong Access Control
Limiting number of places where data can appear
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality
Example: How to ensure data confidentiality?
Cryptography
Strong Access Control
Limiting number of places where data can appear
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality
Example: How to ensure data confidentiality?
Cryptography
Strong Access Control
Limiting number of places where data can appear
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality
Example: How to ensure data confidentiality?
Cryptography
Strong Access Control
Limiting number of places where data can appear
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Access Control
An identity permits access to resources
In computer security this is called
Access ControlAuthorization
We talk about:
Subjects (for whom an action is performed)Objects (upon what an action is performed)Operations (the type of action performed)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control
An identity permits access to resources
In computer security this is called
Access ControlAuthorization
We talk about:
Subjects (for whom an action is performed)Objects (upon what an action is performed)Operations (the type of action performed)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control
An identity permits access to resources
In computer security this is called
Access ControlAuthorization
We talk about:
Subjects (for whom an action is performed)
Objects (upon what an action is performed)Operations (the type of action performed)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control
An identity permits access to resources
In computer security this is called
Access ControlAuthorization
We talk about:
Subjects (for whom an action is performed)Objects (upon what an action is performed)
Operations (the type of action performed)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control
An identity permits access to resources
In computer security this is called
Access ControlAuthorization
We talk about:
Subjects (for whom an action is performed)Objects (upon what an action is performed)Operations (the type of action performed)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control Models
A DBMS provides access control mechanisms to help implement a securitypolicy.
Two complementary types of mechanism:
1 Discretionary access control (DAC)
2 Mandatory access control (MAC)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Access Control Models
A DBMS provides access control mechanisms to help implement a securitypolicy.
Two complementary types of mechanism:
1 Discretionary access control (DAC)
2 Mandatory access control (MAC)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Access Control Models
A DBMS provides access control mechanisms to help implement a securitypolicy.
Two complementary types of mechanism:
1 Discretionary access control (DAC)
2 Mandatory access control (MAC)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Access Control Models
A DBMS provides access control mechanisms to help implement a securitypolicy.
Two complementary types of mechanism:
1 Discretionary access control (DAC)
2 Mandatory access control (MAC)
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.),and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects
(certain access rights for tables, columns, etc.),and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.),and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.),and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.),and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.),and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.),and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects(tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Granting/Revoking Privileges
GRANT SELECT ON database.* TO user@’localhost’;
GRANT SELECT ON database.* TO user@’localhost’ IDENTIFIED BY’password’;
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 35 / 42
Granting/Revoking Privileges
GRANT SELECT ON database.* TO user@’localhost’;
GRANT SELECT ON database.* TO user@’localhost’ IDENTIFIED BY’password’;
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 35 / 42
DBMSs and Web Security
Countermeasures
Proxy servers
Firewalls
Secure Socket Layer or SSL
Which is used extensively to securee-commerce on the Internet today.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 36 / 42
DBMSs and Web Security
Countermeasures
Proxy servers
Firewalls
Secure Socket Layer or SSL Which is used extensively to securee-commerce on the Internet today.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 36 / 42
Proxy Servers
Definition
Proxy servers is a computer that sits between a Web browser and a Webservers. It intercepts all requests for web pages and saves them locally forsome times. Proxy server provides improvement in performance and filtersrequests.
Computer A
Computer B
Proxy-server Internet
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
Proxy Servers
Definition
Proxy servers is a computer that sits between a Web browser and a Webservers. It intercepts all requests for web pages and saves them locally forsome times. Proxy server provides improvement in performance and filtersrequests.
Computer A
Computer B
Proxy-server Internet
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
Proxy Servers
Definition
Proxy servers is a computer that sits between a Web browser and a Webservers. It intercepts all requests for web pages and saves them locally forsome times. Proxy server provides improvement in performance and filtersrequests.
Computer A
Computer B
Proxy-server Internet
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
Firewalls
Firewalls
Is a system that prevents unauthorized access to or from private network.Implemented in software, hardware or both.
Packet filter
Application gateway
Proxy server
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 38 / 42
Firewalls
Firewalls
Is a system that prevents unauthorized access to or from private network.Implemented in software, hardware or both.
Packet filter
Application gateway
Proxy server
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 38 / 42
Conclusion
Data security is critical.
Requires security at different levels.
Several technical solutions .
But human training is essential.
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 39 / 42
References
Mark Stamp
INFORMATION SECURITY PRINCIPLES AND PRACTICE
Mark Stamp
Database Systems
Security , Chapter 19, 541
Michael Gertz
Handbook of Database Security Applications and Trends
Dorothy Elizabeth Robling Denning
Cryptography and Data Security
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 40 / 42
Thanks for your attention!
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 41 / 42