Database Security Overview
Blake Middleton, CSE 7330 – Fall 2009
(PowerPoint presentation transcript)
Protecting a Critical Resource
• Banking/Financial Records
• Medical Records
• Inventory
• Customer Information
• Personnel Records
• Student Records
Threats to Data
• Copy
• Destroy
• Modify
“Securing the Database may be the single biggest action an organization can take to protect its assets.” – David Knox
Results of an “Incident”
• Loss of reputation
• Loss of $$$
• Lawsuits (more loss of $)
TJX – 45M credit/debit cards, $256M as of 8/2007 (Boston Globe Online)
General Security Goals - CIAA
• Confidentiality
• Integrity
• Availability
• Authentication
Threat Sources
• External
  • fame or gain
• Internal
  • gain or revenge
Big Picture
• Physical security
• Network security
• Operating System Security
• Application Security
• DBMS (yes, these have vulnerabilities too)
Access Control
Data Control Language – DCL
GRANT priv ON object TO user [WITH GRANT OPTION]
REVOKE priv ON object FROM user
Examples – Table Level Privileges:
GRANT INSERT, UPDATE ON Students TO fred
GRANT DELETE ON Students TO sam WITH GRANT OPTION
GRANT ALL ON Students TO barney
REVOKE INSERT ON Students FROM fred
Examples
Column Level: (Select and Update)
GRANT UPDATE ON Students (address) TO fred
Examples
Object privileges:
GRANT CREATE table TO fred
Oracle Virtual Private Database (VPD)
Provides row-level security
Presents partial view of tables based on policies
VPD – Examples
Restrict user to only see courses from CSE
User:     SELECT * FROM Courses;
Executed: SELECT * FROM Courses WHERE department = 'CSE';
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Selective Columns
Restrict user to only see students with GPA above 3.0
Students table:
ID   Name   GPA
100  Jones  3.1
101  Smith  2.6
102  Smart  4.0
SELECT * FROM Students;        -- Will return rows 1 and 3
SELECT COUNT(*) FROM Students; -- Will return 2
source – Oracle Database 10g Top 20 DBA Features
VPD – Examples – Column Masking
Restrict user to only see GPA values above 3.0
SELECT * FROM Students;
Stored rows:
ID   Name   GPA
100  Jones  3.1
101  Smith  2.6
102  Smart  4.0
Returned rows (all rows come back; GPA is masked where the policy predicate is false):
ID   Name   GPA
100  Jones  3.1
101  Smith  <null>
102  Smart  4.0
source – Oracle Database 10g Top 20 DBA Features
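The two VPD modes on the preceding slides, as an added example (not from the deck or from Oracle): sqlite3 stands in for the database, the Students rows are the slide's, and the query rewriting is a deliberately simplified model of what a VPD policy function does (it assumes a single-table statement with no WHERE clause). The point it makes is that a row-level policy changes aggregate answers (COUNT returns 2) while column masking leaves the row count alone.

```python
import sqlite3

# Constructed copy of the slide's Students table; sqlite3 stands in for Oracle here.
STUDENTS = [(100, "Jones", 3.1), (101, "Smith", 2.6), (102, "Smart", 4.0)]
# The predicate a VPD policy function would return for this user's session.
PREDICATE = "gpa > 3.0"

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (id INTEGER, name TEXT, gpa REAL)")
    con.executemany("INSERT INTO Students VALUES (?, ?, ?)", STUDENTS)
    return con

def row_level(sql: str) -> str:
    """Row-level policy: the predicate is ANDed into the statement, so rows that
    fail it do not exist for this user, aggregates included.
    Simplification: assumes a single-table statement with no WHERE clause."""
    return sql.rstrip("; ") + " WHERE " + PREDICATE

def column_masked(sql: str) -> str:
    """Column-masking policy: every row is returned, but the protected column reads
    NULL where the predicate is false. Simplification: only handles 'SELECT *'."""
    masked = f"CASE WHEN {PREDICATE} THEN gpa ELSE NULL END AS gpa"
    return sql.replace("SELECT *", f"SELECT id, name, {masked}")

def run(con, sql: str):
    return con.execute(sql).fetchall()

def demo():
    """Returns (rows under row-level policy, COUNT(*) under row-level policy,
    rows under column masking)."""
    con = open_db()
    filtered = run(con, row_level("SELECT * FROM Students;"))
    filtered_count = run(con, row_level("SELECT COUNT(*) FROM Students;"))[0][0]
    masked = run(con, column_masked("SELECT * FROM Students;"))
    return filtered, filtered_count, masked

if __name__ == "__main__":
    for label, result in zip(("row-level", "row-level count", "masked"), demo()):
        print(label, result)
```

Application code that counts or sums rows must know which mode a policy uses, since the same query returns different aggregates under each.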
Oracle Label Security
Access based on:
• data sensitivity labels
• user label authorizations
Provides multi-level security capability
Oracle Label Security – Data Sensitivity Labels
Labels have 3 components:
• Level – required
• Compartment – optional
• Group – optional
A policy can have up to 999 levels and 9,999 groups and compartments. (Source: Oracle Label Security Best Practices White Paper)
Oracle Label Security – Example
(Source: Oracle Label Security Best Practices White Paper)
ID   SSN          DL_Num    Lname   Pol1_sec_lab
100  123-45-6789  09234554  Miller  Sensitive:PII:HR
101  234-56-6887  10854834  Arnold  Private:PII:HR
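How the three label components decide read access, as an added example (not from the deck or from Oracle's implementation): it applies the read-access dominance rule, user level at or above the row level, user holding every compartment on the row, and at least one of the row's groups, to the two rows above. The numeric ordering of the levels (Public < Sensitive < Private) is an assumption; a real policy assigns those numbers, and group hierarchies are left out.

```python
from dataclasses import dataclass

# Assumed level numbers for the levels on the slide (a real OLS policy defines
# these; higher number = more sensitive). Constructed for this example.
LEVELS = {"Public": 1000, "Sensitive": 2000, "Private": 3000}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()

    @classmethod
    def parse(cls, text: str) -> "Label":
        # Slide format LEVEL:COMPARTMENT[,...]:GROUP[,...]; the last two parts are optional.
        parts = text.split(":")
        comps = frozenset(p for p in parts[1].split(",") if p) if len(parts) > 1 else frozenset()
        groups = frozenset(p for p in parts[2].split(",") if p) if len(parts) > 2 else frozenset()
        return cls(parts[0], comps, groups)

def can_read(user: Label, row: Label) -> bool:
    """Read-access dominance rule: user level >= row level, the user holds every
    compartment on the row, and, if the row names groups, at least one of them.
    Simplification: no group hierarchy (a parent group covering its children)."""
    if LEVELS[user.level] < LEVELS[row.level]:
        return False
    if not row.compartments <= user.compartments:
        return False
    if row.groups and not (row.groups & user.groups):
        return False
    return True

# The label column of the two rows in the slide's example table.
ROWS = {100: "Sensitive:PII:HR", 101: "Private:PII:HR"}

def visible_rows(user_label: str) -> list:
    """Ids a user with this label authorization may read."""
    user = Label.parse(user_label)
    return [rid for rid, lab in ROWS.items() if can_read(user, Label.parse(lab))]

if __name__ == "__main__":
    for auth in ("Sensitive:PII:HR", "Private:PII:HR", "Private::HR", "Private:PII"):
        print(auth, "->", visible_rows(auth))
```

Note that a high level alone is not enough: a Private user without the PII compartment, or without the HR group, sees neither row.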
Inference
Simple example (from Viega & McGraw)
SELECT AVG(income) FROM customers
WHERE state = 'VA' OR (city = 'Reno' AND state = 'NV' AND age = 72);
Followed by:
SELECT AVG(income) FROM customers WHERE state = 'VA';
Given the two row counts, subtracting the second sum from the first isolates the income of the single Reno customer aged 72, although no query ever selected that row on its own.
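The inference on the slide, run against a constructed table, and one classic statistical-database control against it, as an added example (not from the deck or from Viega & McGraw): the customers rows, incomes and the threshold K are made up. The Auditor refuses an aggregate whose query set is smaller than K rows or differs from any already-answered set by fewer than K rows, which is what defeats this particular pair; more elaborate query sequences (trackers) can still get around such controls, so aggregate-only access is not a substitute for limiting who may query sensitive columns at all.

```python
import sqlite3

# Constructed customers table (not from the deck); incomes are made up.
CUSTOMERS = [("VA", "Richmond", 40, 50000), ("VA", "Norfolk", 55, 70000),
             ("VA", "Arlington", 33, 90000), ("VA", "Roanoke", 61, 65000),
             ("NV", "Reno", 72, 120000), ("NV", "Reno", 30, 40000),
             ("NV", "Las Vegas", 45, 80000)]
K = 2   # constructed minimum: query sets must have, and differ by, at least K rows

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (state TEXT, city TEXT, age INTEGER, income INTEGER)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return con

VA = "state = 'VA'"
VA_PLUS_ONE = VA + " OR (city = 'Reno' AND state = 'NV' AND age = 72)"

def leak(con) -> int:
    """The slide's inference: AVG and COUNT together give each query set's sum,
    and sum(first set) - sum(second set) is the lone extra row's income."""
    a1, n1 = con.execute(f"SELECT AVG(income), COUNT(*) FROM customers WHERE {VA_PLUS_ONE}").fetchone()
    a2, n2 = con.execute(f"SELECT AVG(income), COUNT(*) FROM customers WHERE {VA}").fetchone()
    return round(a1 * n1 - a2 * n2)

class Auditor:
    """Query-set-size plus overlap control: refuse an aggregate whose query set has
    fewer than K rows, or differs from an already-answered set by fewer than K rows."""
    def __init__(self, con):
        self.con, self.answered = con, []

    def avg_income(self, where: str):
        ids = {r[0] for r in self.con.execute(f"SELECT rowid FROM customers WHERE {where}")}
        if len(ids) < K or any(len(ids ^ old) < K for old in self.answered):
            return None   # refused: answering would pin down too few individuals
        self.answered.append(ids)
        return self.con.execute(f"SELECT AVG(income) FROM customers WHERE {where}").fetchone()[0]

if __name__ == "__main__":
    print("unguarded pair leaks income:", leak(open_db()))
    a = Auditor(open_db())
    print("guarded VA average:", a.avg_income(VA))
    print("guarded VA + one person:", a.avg_income(VA_PLUS_ONE))
```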
Good Practices
• Use views
• Use stored procedures
• Keep up to date on patches
• Limit privileges
• Have a security policy and follow it
• Encrypt sensitive data
• Do audits/monitor employees
• Regular security assessments
• Enforce strong passwords
Future
• More data to protect
• More sophisticated attacks
• More emphasis on security education (hopefully)
Bibliography
• Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers. Apress.
• Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media, Inc.
• Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip
• Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill.
• Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook: Defending Database Servers. Wiley.
• Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and Procedures. Addison-Wesley Professional.
• Needham, P. (2008). Oracle Label Security Best Practices. Oracle.
• Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved Oct 26, 2009, from http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html
• Pfleeger, C. P., & Lawrence, S. (2006). Security in Computing (4th ed.). Prentice Hall.
• Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.