17 Database Security

CS 338: Computer Applications in Business: Databases (Fall 2014)
Database Security
Chapter 24
Fall 2014
1992-2014 by Addison Wesley & Pearson Education, Inc., McGraw Hill, Cengage Learning
Slides adapted and modified from Fundamentals of Database Systems (5/6) (Elmasri et al.), Database System
Concepts (5/6) (Silberschatz et al.), Database Systems (Coronel et al.), Database Systems (4/5) (Connolly et al. ),
Database Systems: Complete Book (Garcia-Molina et al.)
CS 338: Computer Applications in Business: Databases

Rice University Data Center
What is a Threat?
Threat is a potential for

violation of security
Attack is an assault on system

security, a deliberate attempt
to evade security services as a
potential for violation of security
Slides adapted and modified from Fundamentals of Database Systems (5/6) (Elmasri et al.), Database System Concepts (5/6)
(Silberschatz et al.), Database Systems (Coronel et al.), Database Systems (4/5) (Connolly et al. ), Database Systems: Complete Book
(Garcia-Molina et al.)
Threats to Database Security

Outsiders
Amateurs,
Hackers (intruders): Script kiddies, Script writers, elite hackers
Crackers
Organized Crime
Information Warfare
Script kiddies:
only download and
run scripts, do not
create
Script writers:
write scripts
Elite hackers:
write scripts and
organize attacks
Insiders
Disgruntled, bribed, or nave employees
Social engineering (convincing an authorized individual to provide

confidential information/access to unauthorized individual)
Accidental misuse
3
How Secure Should We Make Database?

Principle of Easiest Penetration
A system is only as strong as its weakest link"
Perpetrator will attack most vulnerable part(s) of the system
To build secure systems, need to think like an attacker!

How would you get private information from the Canada
Revenue Agency database? Chapters? Facebook? UW?
Principle of Adequate Protection

Security is economics"
Don't spend $100,000 to protect a system
if maximum loss is only $1000 in damage
Don't spend only $100 to protect a system
if maximum loss is $100,000 in damage
Defenses Against Security Breach

Prevent it
Stop the attack for happening
Deter it
Make the attack harder or more expensive
Deflect it
Make yourself less attractive to attacker
Detect it
Notice that attack is occurring (or has occurred)
Recover from it
Mitigate the effects of the attack
5
Types of Security
Legal and ethical issues
Some information may be deemed to be private
Policy issues
What kinds of information should not be publicly available
(e.g. credit ratings, public medical records))
System-related issues
Security function should be handled at physical hardware
level, the operating system, or the DBMS
The need to identify multiple security levels

Categorize data and users (e.g. top secret, secret, confidential,
and unclassified)
What are the Threats?

Loss of confidentiality
information is disclosed to individuals not authorized to see it
e.g., student learns other students grades
Loss of integrity
information is modified by individuals not authorized to
change it.
e.g., student changing grades for a class they are taking
Loss of availability
information or the system processing it are not available for
use by authorized users when they need the information
e.g., denial of service attack
Mechanisms for Protecting Databases

A DBMS typically includes a database security and
authorization subsystem that is responsible for ensuring the
security portions of a database against unauthorized access.
Two types of database security mechanisms:
Discretionary security mechanisms
Grant privileges to users including ability to access data files, records, or
fields in a specified mode (e.g. read, insert, delete, or update)
Mandatory security mechanisms

Enforce multilevel security by classifying the data and users into various
security classes and then implementing the appropriate security policy
Database Security and the DBA

The database administrator (DBA) is the central
authority for managing a database system.
The DBAs responsibilities include
granting privileges to users who need to use the system
classifying users and data in accordance with the policy of the
organization
The DBA is responsible for the overall security of

the database system.
Database Security and the DBA
The DBA has a DBA account in the DBMS

Sometimes these are called a system or superuser account
These accounts provide powerful capabilities such as:
1.
2.
3.
4.
Account creation
Privilege granting
Privilege revocation
Security level assignment
Action 1 is used to control access to the DBMS, whereas 2 and

3 are discretionary and 4 is used to control mandatory
authorization
Access Protection, User Accounts, and Database

Audits
Whenever a person or group of persons need to
access a database system, the individual or group
must first apply for a user account.
The DBA will then create a new account id and password
for the user if he/she deems there is a legitimate need to
access the database
The user must log in to the DBMS by entering

account id and password whenever database access
is needed.
Access Protection, User Accounts, and Database

Audits
The database system must also keep track of all

operations on the database that are applied by a
certain user throughout each login session.
system log: keeps a record of all updates applied to the
database and of the particular user who applied each
update
If any tampering with the database is suspected, a
database audit is performed
A database audit consists of reviewing the log to examine all
accesses and operations applied to the database during a certain
time period.
A database log that is used mainly for security purposes is

sometimes called an audit trail.
Countermeasures for Providing

Security for Databases
1. Access control
2. Inference control (deduction prevention)
3. Flow control (consistent security levels)
4. Encryption
13
Access Control
Limiting access to the database as a whole (or parts of
the database)
Requires authentication (e.g., through login and
password)
Usually includes auditing (i.e., logging database
operations by each user)
14
Access Control
Access Control Mechanisms

1. Discretionary Access Control (DAC)
2. Mandatory Access Control (MAC)
3. Role-based access control (RBAC)
Access Control
Discretionary Access Control (DAC)
The typical method of enforcing discretionary access
control in a database system is based on the granting and
revoking privileges.
Purpose: Granting specific users access to specific

data in specific ways
Example: permit John Smith to insert employees
into Employee table
Access Control
Types of Discretionary Privileges

1. The account level:
At this level, the DBA specifies the particular
privileges that each account holds independently
of the relations in the database.
2. The relation level (or table level):

At this level, the DBA can control the privilege to
access each individual relation or view in the
database.
Access Control
Revoking Privileges
In some cases it is desirable to grant a
privilege to a user temporarily. For example,
The owner of a relation may want to grant the
SELECT privilege to a user for a specific task and
then revoke that privilege once the task is
completed.
Hence, a mechanism for revoking privileges is
needed. In SQL, a REVOKE command is included
for the purpose of canceling privileges.
Access Control
Mandatory Access Control (MAC)
The discretionary access control techniques of granting
and revoking privileges on relations has traditionally been
the main security mechanism for relational database
systems.
This is an all-or-nothing method:
A user either has or does not have a certain privilege.
In many applications, and additional security policy is

needed that classifies data and users based on security
classes.
This approach as mandatory access control, would typically
be combined with the discretionary access control
mechanisms.
Access Control
Mandatory Access Control (MAC)
Purpose:
Classifies data and users based on security classes (or levels).
Typical security classes are top secret (TS), secret (S), confidential
(C), and unclassified (U), where TS is the highest level and U the
lowest: TS S C U
The commonly used model for multilevel security, known as the
Bell-LaPadula model
Each subject (user, account, program) and object (relation, tuple,
column, view, operation) is classified into one of the security
classifications TS, S, C, or U
Not allowed read access: e.g., user must have sufficiently high
clearance to read top secret data
Not allowed write access: e.g., person with high clearance cannot
update unclassified object
10
Access Control
Role-based access control (RBAC)
Role-based access control (RBAC) emerged rapidly in the
1990s as a proven technology for managing and enforcing
security in large-scale enterprise systems.
Purpose: Its basic notion is that permissions are associated
with roles, and users are assigned to appropriate roles.
Roles can be created using the CREATE ROLE and
DESTROY ROLE commands.
The GRANT and REVOKE commands discussed under DAC
can then be used to assign and revoke privileges from roles.
Example: emergency physician can update any patient record
Access Control
Role-based access control (RBAC)
RBAC appears to be a viable alternative to traditional

discretionary and mandatory access controls; it ensures
that only authorized users are given access to certain data
or resources.
Many DBMSs have allowed the concept of roles, where
privileges can be assigned to roles.
Role hierarchy in RBAC is a natural way of organizing
roles to reflect the organizations lines of authority and
responsibility.
11
Inference Control
Inference control: Access to summary data without ability
to determine individuals data
Statistical databases are used mainly to produce statistics or
summaries of values based on various populations
What is a population?
A population is a set of tuples of a relation (table) that satisfy some
selection condition.
Users are permitted to retrieve statistical information on the

populations, such as averages, sums, counts, maximums,
minimums, and standard deviations
23
Inference Control
Example: we may want to retrieve the number of individuals

in a population or the average income in the population.
However, statistical users are not allowed to retrieve individual data,
such as the income of a specific person.
Statistical database security techniques must prohibit the

retrieval of individual data.
This can be achieved by prohibiting queries that retrieve
attribute values and by allowing only queries that involve
statistical aggregate functions such as COUNT, SUM, MIN,
MAX, AVERAGE, and STANDARD DEVIATION
Statistical queries are queries that involve applying statistical
functions to a population of tuples
24
12
Flow Control
Flow control regulates the distribution or flow of
information among accessible objects.
Keeping information from being transferred illegitimately
A flow between object X and object Y occurs when a

program reads values from X and writes values into Y.
Flow controls check that information contained in some objects
does not flow explicitly or implicitly into less protected objects.
A flow policy specifies the channels along which

information is allowed to move.
A covert channel allows a transfer of information that violates
the security or the policy.
Encryption
Encryption is a means of maintaining secure data in
an insecure environment.
Encryption consists of applying an encryption
algorithm to data using some prespecified
encryption key.
The resulting data has to be decrypted using a
decryption key to recover the original data.
The Data Encryption Standard (DES) is a system
developed by the U.S. government for use by the general
public.
13

17 Database Security

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

17 Database Security

Uploaded by

Copyright:

Available Formats

CS 338: Computer Applications in Business: Databases (Fall 2014)

CS 338: Computer Applications in Business: Databases

Threat is a potential for

Attack is an assault on system

CS 338: Computer Applications in Business: Databases (Fall 2014)

Threats to Database Security

Hackers (intruders): Script kiddies, Script writers, elite hackers

Disgruntled, bribed, or nave employees

Social engineering (convincing an authorized individual to provide

How Secure Should We Make Database?

To build secure systems, need to think like an attacker!

Principle of Adequate Protection

CS 338: Computer Applications in Business: Databases (Fall 2014)

Defenses Against Security Breach

The need to identify multiple security levels

CS 338: Computer Applications in Business: Databases (Fall 2014)

What are the Threats?

Mechanisms for Protecting Databases

Mandatory security mechanisms

CS 338: Computer Applications in Business: Databases (Fall 2014)

Database Security and the DBA

The DBA is responsible for the overall security of

Database Security and the DBA

The DBA has a DBA account in the DBMS

Action 1 is used to control access to the DBMS, whereas 2 and

CS 338: Computer Applications in Business: Databases (Fall 2014)

Access Protection, User Accounts, and Database

The user must log in to the DBMS by entering

Access Protection, User Accounts, and Database

The database system must also keep track of all

A database log that is used mainly for security purposes is

CS 338: Computer Applications in Business: Databases (Fall 2014)

Countermeasures for Providing

CS 338: Computer Applications in Business: Databases (Fall 2014)

Access Control Mechanisms

Purpose: Granting specific users access to specific

CS 338: Computer Applications in Business: Databases (Fall 2014)

Types of Discretionary Privileges

2. The relation level (or table level):

CS 338: Computer Applications in Business: Databases (Fall 2014)

In many applications, and additional security policy is

Classifies data and users based on security classes (or levels).

CS 338: Computer Applications in Business: Databases (Fall 2014)

RBAC appears to be a viable alternative to traditional

CS 338: Computer Applications in Business: Databases (Fall 2014)

Users are permitted to retrieve statistical information on the

Example: we may want to retrieve the number of individuals

Statistical database security techniques must prohibit the

CS 338: Computer Applications in Business: Databases (Fall 2014)

A flow between object X and object Y occurs when a

A flow policy specifies the channels along which

You might also like