Section 3: Database Security
CA306 Introduction 3-2
Section Content
• 3.1 Security Overview
• 3.2 Security Controls
• 3.3 Views
• 3.4 Security in Oracle
• 3.5 Web Database Security
CA306 Introduction 3-3
Security Overview
• Database security is the mechanism that protects the database against intentional or accidental threats.
• Database security can be considered in the following situations:
+ Theft and fraud;
+ Loss of confidentiality;
+ Loss of privacy;
+ Loss of integrity;
+ Loss of availability.
• These are situations in which an organisation should seek to reduce risk.
• Theft and fraud affect both the database environment and the entire organisation. The result may not be the alteration of data.
CA306 Introduction 3-4
Breaches
• Confidentiality refers to the need to maintain secrecy over data, usually that which is critical to the organisation.
• Privacy refers to the need to protect data.
• Breaches of security which result in the loss of confidentiality could:
+ Lead to a loss of competitiveness;
+ Lead to legal action taken against the organisation.
• Loss of data integrity results in invalid or corrupted data.
CA306 Introduction 3-5
• A threat is any situation or event (intentional or accidental) that may adversely affect a system and consequently the organisation.
CA306 Introduction 3-6
Threats
• The extent to which an organisation suffers depends on a number of factors, such as the existence of counter-measures and contingency plans.
• If there is a hardware failure, what is involved (and how long) in restarting the system with minimal loss of data?
• An organisation must identify the types of threats it may encounter, and propose plans and counter-measures.
• What are the potential threats to computer systems?
CA306 Introduction 3-9
3.2 Security Controls
• The types of controls range from physical controls to administrative procedures.
• In most cases the DBMS relies on the Operating System to provide a basic level of security.
• Types of Controls:
+ Authorisation
+ Views
+ Backup and Recovery
+ Integrity
+ Encryption
CA306 Introduction 3-11
Authorisation
• Authorisation is the granting of privileges that enable a subject to have legitimate access to a system or some object(s) in the system.
• Authorisation controls are (generally) built into software, and govern both the objects for access, and the types of operations possible.
• The process of authorisation involves authentication of users (applications) requesting access to objects.
• Authorisation can be viewed (conceptually) in the form of a matrix of privileges.
• Each object has its own authorisation matrix.
CA306 Introduction 3-12
Authorisation Matrix
User Create Retrieve Update Delete
Mike X X X
Joe X
Salary_update X X X X
Monthly_rep X
Paula X X
CA306 Introduction 3-13
Authentication
• Authentication is the mechanism that determines whether a subject is who he/she/it claims to be.
• The System Administrator provides access to the computer system through a username and password. The password is used by the system to authenticate the user.
• The Database Administrator (DBA) provides access to the DBMS through a similar process, and authentication is necessary at this level also.
• In many cases, both forms of authentication can be synchronised (merged).
CA306 Introduction 3-15
3.3 Views
• A view (or subschema) is the dynamic result of one or more query operations.
• In relational databases, a view is a virtual relation that does not exist in the database, but is materialised upon request by the user (with the required authorisation privileges).
• A view mechanism provides a powerful and flexible means of security by hiding parts of the database from certain users.
• The user is unaware of the existence of columns or tuples (or both) that may be missing from a specific table.
CA306 Introduction 3-16
View Structure
• Views may be vertical: a projection of a table.
• Views may be horizontal: a query is used to filter the tuples that appear in the view.
• Views may be based on aggregations: an aggregation operator provides a statistical summary, or overall report. This has the effect of hiding data from individual tuples.
• A view may be based on multiple tables.
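The three view structures above, written out in Oracle SQL as an added example that is not part of the lecture. The Employee table, its columns and the user names are constructed for the example.

```sql
-- Constructed base table; the sensitive columns are salary and ssn.
CREATE TABLE Employee (
  emp_id  NUMBER PRIMARY KEY,
  name    VARCHAR2(50),
  dept    VARCHAR2(20),
  salary  NUMBER(9,2),
  ssn     VARCHAR2(11)
);

-- Vertical view: a projection that drops the sensitive columns.
CREATE VIEW Emp_Directory AS
  SELECT emp_id, name, dept
  FROM Employee;

-- Horizontal view: a filter that exposes only one department's tuples.
CREATE VIEW Sales_Staff AS
  SELECT emp_id, name, salary
  FROM Employee
  WHERE dept = 'SALES';

-- Aggregate view: a statistical summary that hides individual tuples.
-- The HAVING clause suppresses groups so small that the average would
-- reveal a single employee's salary (an inference risk of aggregate views).
CREATE VIEW Dept_Salary_Summary AS
  SELECT dept, COUNT(*) AS headcount, AVG(salary) AS avg_salary
  FROM Employee
  GROUP BY dept
  HAVING COUNT(*) >= 3;

-- Grant access to the views, never to the base table. A user holding only
-- these object privileges cannot SELECT FROM Employee directly, so the
-- hidden columns and tuples stay hidden. User names are constructed.
GRANT SELECT ON Emp_Directory       TO reception;
GRANT SELECT ON Sales_Staff         TO sales_mgr;
GRANT SELECT ON Dept_Salary_Summary TO finance_analyst;
```

Without the HAVING clause, a department with a single employee would expose that person's exact salary through avg_salary, so the aggregate view only hides individual data when each group is large enough.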
CA306 Introduction 3-18
3.4 Security in Oracle
• Oracle uses the concept of privileges to permit execution of SQL statements and access to another user’s objects.
• Some examples include the right to:
+ Connect to the database (create a session);
+ Create (and alter) a table;
+ Select rows (from other users' tables);
+ Update rows.
• Oracle provides two distinct categories:
+ System privileges;
+ Object privileges.
CA306 Introduction 3-19
System Privileges
• A system privilege is the right to perform a particular action, or to perform an action on schema objects of a particular type.
• Examples are the privileges to create tablespaces and to create users.
• Oracle provides over 80 distinct system privileges.
• System privileges are granted to, or revoked from, users and roles.
• These actions may be achieved through a user interface or through the SQL GRANT and REVOKE statements.
• Note that users must have privileges to GRANT or REVOKE privileges.
CA306 Introduction 3-20
Object Privileges
• An object privilege is the right to perform a specific action on a specific table, view, or procedure.
• Different privileges are available for different types of objects. For example, the privilege to delete tuples is an object privilege.
• Some schema objects (indexes and triggers) do not have associated object privileges: their use is controlled with system privileges.
• Users automatically obtain all privileges for schema objects in their schema. Users can grant any object privilege on any schema object they own (to any other user or role).
• If this privilege includes the WITH GRANT OPTION, the grantee can grant further privileges on that object.
• A REVOKE statement cascades: object privileges that the revoked user had granted onward are revoked as well.
CA306 Introduction 3-22
Roles
• A user can receive a privilege in two ways: explicitly and in the form of a role.
• A user can be explicitly granted the privilege (for example) to insert rows in a table (Employee):
GRANT INSERT ON Employee TO maryb
• Privileges can also be granted to a role (a named group of privileges), and this role subsequently granted to one or more users.
• The privilege to select, insert and update rows to the Employee table may be given to a role called Payroll.
CA306 Introduction 3-23
Role Sample
• The Payroll role can be granted to all users who operate payroll functions.
• This facilitates easier and better management of privileges.
• Privileges should normally be granted to roles and not to specific users.
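The system privileges, object privileges, WITH GRANT OPTION and Payroll role described in 3.4, carried through as one Oracle SQL script. This is an added example, not the lecture's own code; the user names (other than maryb) and the password are constructed placeholders, and the Employee table is assumed to already exist.

```sql
-- System privileges: the right to connect and to create tables.
-- Password is a constructed placeholder.
CREATE USER maryb IDENTIFIED BY "PLACEHOLDER_PASSWORD";
GRANT CREATE SESSION TO maryb;
GRANT CREATE SESSION, CREATE TABLE TO joe;   -- joe assumed to exist

-- Explicit object privilege on one table (the slide's own statement).
GRANT INSERT ON Employee TO maryb;

-- Preferred: bundle object privileges into a role and grant the role.
CREATE ROLE Payroll;
GRANT SELECT, INSERT, UPDATE ON Employee TO Payroll;
GRANT Payroll TO maryb, joe;   -- users who operate payroll functions

-- WITH GRANT OPTION lets the grantee pass the privilege on to others.
GRANT SELECT ON Employee TO mike WITH GRANT OPTION;
-- Connected as mike, he could now run:
--   GRANT SELECT ON Employee TO paula;

-- Revoking mike's SELECT cascades: paula's SELECT (granted by mike) is
-- revoked with it. In Oracle this cascade applies to object privileges;
-- revoking a system privilege does not cascade to the revokee's grants.
REVOKE SELECT ON Employee FROM mike;

-- Revoking the role removes every privilege it bundled in one step,
-- which is why roles, not individual grants, keep privileges manageable.
REVOKE Payroll FROM joe;
```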
CA306 Introduction 3-25
3.5 Web Database Security
• The challenge is to transmit and receive information over the Internet while ensuring:
+ Privacy: it is inaccessible to anyone except the sender and receiver.
+ Integrity: data has not been altered during transmission.
+ Authenticity: the receiver can be sure it came from the sender.
+ Non-fabrication: the sender is sure that the receiver is genuine.
+ Non-repudiation: the sender cannot deny sending the data.
• However, data must also be protected at the Web Server. The three-tier architecture implies three levels of security.
• A further problem is that HTML pages may contain executable content, e.g. JavaScript or applets.
CA306 Introduction 3-26
Malicious Actions
• Executable content can perform malicious actions:
+ Corrupt data or executable software.
+ Reformat disks.
+ Force the system to shut down.
+ Collect and download confidential data (e.g. passwords).
+ Impersonate the user in order to attack other sites on the network.
+ Lock up resources.
+ Cause non-damaging effects such as messages to appear.
CA306 Introduction 3-27
Proxy Servers
• In Web terms, a proxy server is a computer that sits between a browser and web server.
• It intercepts all requests to the Web server, to determine if it can fulfill the requests itself. If not, requests are forwarded to the server.
• Proxy servers have two main purposes: to improve performance and to filter requests.
CA306 Introduction 3-28
Improve Performance
• Since a proxy server saves the results of all requests (for some chosen time limit), it can significantly improve performance for groups of users.
• For example, suppose A and B access the web through a proxy server. If B requests a page already selected by A, there is no need to request this page (again) from the server, unless it has been modified since.
• Proxy servers such as those used by Compuserve and America Online can support thousands of users.
CA306 Introduction 3-29
Filter Requests
• Proxy servers can also be used to filter requests.
• An organisation may use a proxy server to prevent access to a group of sites.
CA306 Introduction 3-30
Firewalls
• A firewall is a system designed to prevent unauthorised access to or from a private network.
• If a Web server is connected to an internal network (which may access the company database), firewall technology can help to prevent unauthorised access.
• Firewalls can be implemented in hardware or software (or both).
• All messages which enter or leave the intranet pass through the firewall, and are examined to check that the security criteria are met.
CA306 Introduction 3-31
Firewall Techniques
• A packet filter is used to look at each packet entering or leaving the network, and accepts or rejects the packet based on user-defined rules. Although popular and effective, it is prone to IP spoofing, where an untrusted machine appears to be a trusted one.
• An application gateway applies security mechanisms to specific applications (e.g. FTP and Telnet servers). This is very effective but carries performance overheads.
• A circuit-level gateway applies security mechanisms when a TCP connection is first established. However, once the connection has been made, packets flow between hosts without further checking.
• A proxy server intercepts all messages entering and leaving the network. It has the effect of hiding the true network address.