Database Security
Ghezal Ahmad Zia
Information Systems Department, Faculty of Computer Science
Kabul University
May 16, 2014
Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 1 / 42
Contents
1 Introduction
2 Main Aspects of Database Security: Integrity, Confidentiality, Availability
3 Access Control: Discretionary Access Control, Mandatory Access Control
4 Conclusion
5 References
How to think about insecurity?
People are part of the problem.
Bad guys don't follow rules.
We need to understand what sorts of attacks could compromise a system.
That is a prerequisite for knowing what to protect in a system.
Causes of Software Security Incidents
Buggy software and wrong configurations: unsafe programming languages; complex programs
Lack of awareness and education: few courses in computer security; programming textbooks do not emphasize security
Poor usability: security sometimes makes things harder to use
Economic factors: consumers do not care about security; security is difficult, expensive and takes time; few security audits
Human factor
Human Factor
Who are the attackers?
Why do they attack systems?
What is database security?
Database: a collection of information stored in a computer.
Security: being free from danger.
Database security: the mechanisms that protect the database against intentional or accidental threats.
Or, put differently: protection from malicious attempts to steal (view) or modify data.
What is a threat?
Threat: any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization.
This applies to computer systems in general and to databases in particular.
Threats
Hardware: fire, flood, bombs; data corruption due to power loss or surge; failure of security mechanisms giving greater access; theft of equipment; physical damage to equipment
DBMS and application software: failure of security mechanisms giving greater access; program alteration; theft of programs
Communication networks: wire tapping; breaking or disconnection of cables; electronic interference and radiation
Database: unauthorized amendment or copying of data; theft of data; data corruption due to power loss or surge
Programmers/operators: creating trapdoors; program alteration (such as creating software that is insecure); inadequate staff training; inadequate security policies and procedures
Users: using another person's means of access; viewing and disclosing unauthorized data; inadequate staff training; illegal entry by a hacker; blackmail; introduction of viruses
Data/database administrator: inadequate security policies and procedures
Definition of database security
Database security is the process by which the confidentiality, integrity and availability of the database are protected.
Countermeasures:
authorization
access control
views
backup and recovery
encryption
RAID technology
Database security Concepts
Three Main Aspects
Confidentiality
Integrity
Availability
Threats to databases:
Loss of Integrity
Loss of Availability
Loss of Confidentiality
Confidentiality
No one can read our data or communications unless we want them to.
It protects the database from unauthorized users.
It checks that users are actually permitted to do the things they are trying to do.
For example: employees should not be able to see the salaries of their managers.
Confidentiality
Confidentiality involves:
privacy: protection of personal data
secrecy: protection of organisational data
Integrity
No one can manipulate our data, processing or communications unless we want them to.
It protects the database from mistakes or misuse by authorized users.
It checks that what users are trying to do is correct.
For example: an employee should be able to modify his or her own information, but not anyone else's.
Integrity
"Making sure that everything is as it is supposed to be." Preventing unauthorized writing or modification.
Availability
We can access our data, conduct our processing and use our communication capabilities when we want to.
Authorized users should be able to access data for legitimate purposes as necessary.
For example: tax payment orders must be issued on time, as the tax law requires, so the system that holds them must be available when they are due.
Availability
Services are accessible and usable (without undue delay) whenever needed by an authorized entity.
Relationship between Confidentiality, Integrity and Availability (figure not reproduced)
Thanks for your attention!
Integrity
How is data integrity preserved?
Through data integrity constraints.
Constraints restrict the data values that can be inserted or updated, and the DBMS enforces them on every statement regardless of which application or user issues it.
Column CHECK constraints
Validity checking example (Oracle SQL):
-- rollno may only hold values from 1 to 50; the DBMS rejects anything else
CREATE TABLE test (
    rollno NUMBER(2) CHECK (rollno BETWEEN 1 AND 50),
    name   VARCHAR2(15)
);
INSERT INTO test VALUES (45, 'Willy');
-- 1 row inserted
INSERT INTO test VALUES (55, 'Hiess');
-- ERROR: check constraint violated (55 is outside 1..50)
Referential Integrity
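The following is an added example, not code from the original slides. It reproduces the slides' CHECK constraint on rollno in SQLite and extends it with the referential integrity constraint that the slide above only names: a child table `mark` (an assumed name, as are its columns) that may only refer to an existing student and that blocks deletion of a student who still has marks. Every outcome is returned from a function so the DBMS's decision, not the application's, is what gets checked.

```python
"""Integrity constraints enforced by the DBMS rather than by application code.

Added example (not from the original slides). The `test` table with `rollno`
and `name` comes from the slides; the `mark` table and its columns are
assumptions made for this example.
"""
import sqlite3


def open_db() -> sqlite3.Connection:
    # In-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    # SQLite does NOT enforce FOREIGN KEY constraints unless this pragma is
    # set on every connection; without it the referential checks below
    # silently pass. Oracle and PostgreSQL enforce them by default.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(
        """
        CREATE TABLE test (
            rollno INTEGER PRIMARY KEY CHECK (rollno BETWEEN 1 AND 50),
            name   TEXT NOT NULL CHECK (length(name) <= 15)  -- emulates VARCHAR2(15)
        );
        -- Assumed child table: a mark can only refer to an existing student,
        -- and a student with marks cannot be deleted (RESTRICT).
        CREATE TABLE mark (
            rollno  INTEGER NOT NULL REFERENCES test(rollno) ON DELETE RESTRICT,
            subject TEXT    NOT NULL,
            score   INTEGER NOT NULL CHECK (score BETWEEN 0 AND 100)
        );
        """
    )
    return conn


def try_execute(conn, sql, params=()) -> str:
    """Run one statement and report 'ok' or the constraint the DBMS rejected."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def demo(conn) -> dict:
    """Replay the slide's two inserts, then exercise referential integrity."""
    results = {}
    results["insert_45"] = try_execute(
        conn, "INSERT INTO test VALUES (?, ?)", (45, "Willy"))
    results["insert_55"] = try_execute(
        conn, "INSERT INTO test VALUES (?, ?)", (55, "Hiess"))
    # Referential integrity: rollno 12 does not exist in test.
    results["orphan_mark"] = try_execute(
        conn, "INSERT INTO mark VALUES (?, ?, ?)", (12, "Databases", 80))
    results["valid_mark"] = try_execute(
        conn, "INSERT INTO mark VALUES (?, ?, ?)", (45, "Databases", 80))
    # Deleting the parent row would leave an orphan, so RESTRICT refuses it.
    results["delete_parent"] = try_execute(
        conn, "DELETE FROM test WHERE rollno = ?", (45,))
    results["rows_in_test"] = conn.execute(
        "SELECT count(*) FROM test").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo(open_db()).items():
        print(f"{key}: {value}")
```

The practitioner's caveat is the pragma: a foreign key declared in SQLite is documentation only until `PRAGMA foreign_keys = ON` is issued on the connection, so a deployment that forgets it has no referential integrity at all while every schema dump looks correct.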
Confidentiality
Example: how to ensure data confidentiality?
Cryptography
Strong access control
Limiting the number of places where data can appear
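The following is an added example, not code from the original slides, that puts the three measures above into one small schema and also realizes the deck's earlier confidentiality rule (employees must not see their managers' salaries). The `employee` table, the `employee_directory` view, the sample staff rows and the HMAC key are all constructed for this example. "Limiting where data can appear" is a view that simply has no salary column; "strong access control" is a salary rule written into the WHERE clause so the forbidden row never reaches the application; "cryptography" is a keyed pseudonym so the raw national ID is never stored at all.

```python
"""Confidentiality measures: a column-restricted view, a row rule enforced in
SQL, and keyed pseudonyms instead of raw identifiers.

Added example (not from the original slides); all names and data are
constructed here.
"""
import hashlib
import hmac
import sqlite3

# Constructed key for the example only. In production this comes from a
# key-management service, never from source code.
PSEUDONYM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def pseudonymize(national_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token: equal inputs give equal tokens, so the token can
    be used for lookups and joins, but without the key it cannot be reversed
    or brute-forced from the small space of valid IDs (a plain hash could)."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE employee (
            id          INTEGER PRIMARY KEY,
            name        TEXT NOT NULL,
            manager_id  INTEGER REFERENCES employee(id),
            salary      INTEGER NOT NULL,
            nid_token   TEXT NOT NULL UNIQUE   -- pseudonym, never the raw ID
        );
        -- The only object ordinary application code reads from:
        -- the salary column does not exist here.
        CREATE VIEW employee_directory AS
            SELECT id, name, manager_id FROM employee;
        """
    )
    # Constructed sample data: Maryam manages Farid and Zahra.
    staff = [(1, "Maryam", None, 9000, "1001"),
             (2, "Farid", 1, 5000, "1002"),
             (3, "Zahra", 1, 5200, "1003")]
    conn.executemany(
        "INSERT INTO employee VALUES (?, ?, ?, ?, ?)",
        [(i, n, m, s, pseudonymize(nid)) for i, n, m, s, nid in staff])
    conn.commit()
    return conn


def directory_columns(conn) -> list:
    """Columns exposed by the view; 'salary' must not be among them."""
    return [row[1] for row in conn.execute("PRAGMA table_info(employee_directory)")]


def visible_salary(conn, viewer_id: int, target_id: int):
    """Payroll rule: a person may read their own salary and those of their
    direct reports; anything else (including their manager) returns None.
    The rule lives in the WHERE clause, so the forbidden row is never
    fetched into the application at all."""
    row = conn.execute(
        """
        SELECT salary FROM employee
        WHERE id = ?
          AND (id = ? OR manager_id = ?)
        """,
        (target_id, viewer_id, viewer_id),
    ).fetchone()
    return None if row is None else row[0]


def find_by_national_id(conn, national_id: str):
    """Lookup by pseudonym: the raw ID exists only transiently in memory."""
    row = conn.execute(
        "SELECT id FROM employee WHERE nid_token = ?",
        (pseudonymize(national_id),),
    ).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = open_db()
    print(directory_columns(db))
    print(visible_salary(db, 2, 1), visible_salary(db, 1, 2))
    print(find_by_national_id(db, "1002"))
```

A view gives confidentiality only if the underlying table is not also reachable by the same principal, which is a GRANT question in a multi-user DBMS; SQLite has no users, so here the application layer is what restricts ordinary code to the view.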
Access Control
An identity permits access to resources.
In computer security this is called:
Access Control
Authorization
We talk about:
Subjects (for whom an action is performed)
Objects (upon what an action is performed)
Operations (the type of action performed)
Access Control Models
A DBMS provides access control mechanisms to help implement a security policy.
Two complementary types of mechanism:
1 Discretionary access control (DAC)
2 Mandatory access control (MAC)
Discretionary Access Control
Idea
Achieve security based on the concept of access rights:
1 privileges for objects (certain access rights for tables, columns, etc.), and
2 a mechanism for giving users privileges (and revoking privileges)
Users are given privileges to access the appropriate schema objects (tables, views).
Users can grant privileges to other users at their own discretion.
Implementation: GRANT and REVOKE commands
Granting/Revoking Privileges
GRANT SELECT ON database.* TO user@'localhost';
GRANT SELECT ON database.* TO user@'localhost' IDENTIFIED BY 'password';
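The subject/object/operation model and the discretionary GRANT/REVOKE mechanism of the preceding slides, as an added example in plain Python (not code from the slides or from any DBMS). The user and table names are constructed; the semantics that a grantee may re-grant only WITH GRANT OPTION and that a REVOKE cascades to grants the revoked user made are assumptions stated in the code.

```python
# Added example (not from the slides): a minimal discretionary access control model.
# Subjects, objects and operations are the slides' triples; grant()/revoke() mirror
# GRANT/REVOKE. Assumptions (constructed): WITH GRANT OPTION lets a grantee re-grant,
# and REVOKE cascades to grants the revoked user passed on.
from collections import defaultdict

class Dac:
    def __init__(self, owner_of):
        self.owner_of = dict(owner_of)   # object -> owning subject (owner may do anything)
        self.grants = defaultdict(dict)  # (object, op) -> {grantee: (grantor, grant_option)}

    def allowed(self, subject, obj, op):
        """Access check: the owner, or a subject holding a grant for (obj, op)."""
        return self.owner_of.get(obj) == subject or subject in self.grants[(obj, op)]

    def can_grant(self, subject, obj, op):
        """The owner, or a grantee that received the privilege WITH GRANT OPTION."""
        entry = self.grants[(obj, op)].get(subject)
        return self.owner_of.get(obj) == subject or (entry is not None and entry[1])

    def grant(self, grantor, grantee, obj, op, grant_option=False):
        """GRANT op ON obj TO grantee [WITH GRANT OPTION], at the grantor's discretion."""
        if not self.can_grant(grantor, obj, op):
            raise PermissionError(f"{grantor} cannot grant {op} on {obj}")
        self.grants[(obj, op)][grantee] = (grantor, grant_option)

    def revoke(self, revoker, grantee, obj, op):
        """REVOKE op ON obj FROM grantee; only the grantor may revoke, and it cascades."""
        entry = self.grants[(obj, op)].get(grantee)
        if entry is None or entry[0] != revoker:
            raise PermissionError(f"{revoker} did not grant {op} on {obj} to {grantee}")
        del self.grants[(obj, op)][grantee]
        for sub, (who, _) in list(self.grants[(obj, op)].items()):
            if who == grantee:              # grants the revoked user passed on go too
                self.revoke(grantee, sub, obj, op)

def demo():
    dac = Dac({"emp": "dba"})
    dac.grant("dba", "alice", "emp", "SELECT", grant_option=True)
    dac.grant("alice", "bob", "emp", "SELECT")       # alice re-grants at her discretion
    try:
        dac.grant("bob", "carol", "emp", "SELECT")   # bob holds no grant option
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False
    before = dac.allowed("bob", "emp", "SELECT")
    dac.revoke("dba", "alice", "emp", "SELECT")      # cascades: bob loses SELECT too
    after = (dac.allowed("alice", "emp", "SELECT"), dac.allowed("bob", "emp", "SELECT"))
    return bob_could_grant, before, after
```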
DBMSs and Web Security
Countermeasures
Proxy servers
Firewalls
Secure Socket Layer or SSL, which is used extensively to secure e-commerce on the Internet today.
Proxy Servers
Definition
A proxy server is a computer that sits between a Web browser and Web servers. It intercepts all requests for web pages and saves them locally for some time. A proxy server improves performance and filters requests.
[Figure: Computer A and Computer B reach the Internet through the proxy server]
Firewalls
Firewalls
A firewall is a system that prevents unauthorized access to or from a private network. It is implemented in software, hardware or both.
Packet filter
Application gateway
Proxy server
Conclusion
Data security is critical.
Requires security at different levels.
Several technical solutions exist.
But human training is essential.
Thanks for your attention!