Lecture 15

Database Security

Database Security Lec-15

Prepared by Bilal Khan

Department of Computer Science University of Peshawar

Lecture 15

Database Security

Protection of the data against accidental or intentional loss, destruction, or misuse.

Access to data has become more open through the Internet and corporate intranets and from mobile computing devices. As a result, managing data security effectively has become more difficult and time consuming.

Lecture 15

Database Security

For the protection of data in database it is the responsibility of Data administration to develop overall policies and procedures to protect databases.
Database administration is responsible administering database security on a daily basis. for

Lecture 15

Database Security

Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource. Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential.

Lecture 15

Database Security

Mechanism that protect the database against intentional or accidental threats.

Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database.

Lecture 15

Database Security

If any unauthorized person gain access to database who may alter, change, or even steal the data.
Only database security does not ensure the secure database.
All parts of the system must be secure, including the database, network, operating system, building in which the database resides physically, and the staff member who have any opportunity to access the system.

Lecture 15

Database Security

Lecture 15

Database Security

The threats addresses in a data Security plans are as:

Accidental losses Theft and fraud Improper data access Loss of data integrity

Loss of availability

Lecture 15

Database Security

Accidental losses
Human error Software failure Hardware failure

Lecture 15

Database Security

Theft and fraud

These activities are going to be perpetrated by people, quite possibly through electronic means, and may or may not alter data. Attention here should focus on each possible location.
For example, physical security must be established so that unauthorized persons are unable to gain access. Establishment of a firewall to protect unauthorized access to the database from outside world so that hamper people whose aim is to theft or fraud in database.

10

Lecture 15

Database Security

Loss of Privacy

Loss of Privacy mean a loss of protection of individuals data.

Failure to control privacy of information may lead to blackmail, corruption, public embarrassment, or stealing of user passwords.

11

Lecture 15

Database Security

Loss of Privacy

Loss of confidentiality mean loss of protection of organizational data that may have strategic value to the organization.
Failure to control confidentiality may lead to loss of competitiveness.

12

Lecture 15

Database Security

Loss of data integrity

When data integrity is compromised, data will be invalid or corrupted.

If data integrity can not be restored through backup and recovery techniques then it may suffer organization data or make incorrect and expensive decisions based on the invalid data.

13

Lecture 15

Database Security

Loss of availability

Damage of hardware, networks, or applications may cause the data to become unavailable to users, which again may lead to severe operational difficulties.

14

Lecture 15

Database Security

Views or subschemas

Integrity controls
Authorization rules

User-defined procedures
Encryption Authentication schemes Backup, journalizing, and checkpointing

15

Lecture 15

Database Security

Views or subschemas

View is virtual relation that does not necessarily exist in the database but can be produced upon request by a particular user , at the time of request. It may dynamically derived from one or more base relations.
It is always based on the current data in the base tables from which it is built.

16

Lecture 15

Database Security

Views or subschemas

The view mechanism provides a powerful and flexible security mechanism by hiding parts of the database from certain users. The user is not aware of the existence of any attributes or row that are missing from the view.

17

Lecture 15

Database Security

Views or subschemas

It effectively prevent the user from viewing other data that may be private or confidential.
The user may be granted the right to access the view, but not to access the base tables upon which the view is based.

18

Lecture 15

Database Security

Integrity controls

Prevents data from becoming invalid, and hence giving misleading or incorrect results.
Maintaining a secure database system by preventing data from becoming invalid. Protect data from unauthorized use

Domainsset allowable values

19

Lecture 15

Database Security

Authorization rules

Authorization rules are controls incorporated in the data management system that restrict access to data and also restrict the actions that people may take when they access data. A person who can supply a particular password may be authorized to read any record in a database but cannot necessarily modify any of those records.

20

Lecture 15

Database Security

Authorization rules

Example
A person who can supply a particular password may be authorized to read any record in a database but cannot necessarily modify any of those records.

The GRANT command gives privileges to users, and the REVOKE command takes away privileges.

21

Lecture 15

Database Security

Authorization rules

Authorization Matrix
22

Lecture 15

Database Security Authorization table for subjects (salespeople)

Implementing authorization rules

Authorization table for objects (orders)

Oracle privileges

23

Lecture 15

Database Security

Authorization rules

GRANT SELECT, UPDATE (unit_price) ON PRODUCT_T TO SMITH;

The GRANT command gives privileges to users, and the REVOKE 24 command takes away privileges.

Lecture 15

Database Security

Encryption

It is the coding of data so that humans cannot read them. Some DBMS products include encryption routines that automatically encode sensitive data when they are stored or transmitted over communications channels.
Example
Encryption is commonly used in electronic funds transfer (EFT) systems.

25

Lecture 15

Database Security

Encryption

Type of encryption
One Key Encryption

Two Key Encryption

26

Lecture 15

Database Security

Encryption

Type of encryption
One Key Encryption
It is also called data encryption standard (DES), both the sender and the receiver need to know the key that is used to scramble the transmitted or stored data.

27

Lecture 15

Database Security

Encryption

Type of encryption
Two Key Encryption
It is also called asymmetric encryption, employs a private and a public key.
Two-key methods are especially popular in e-commerce applications to provide secure transmission and database storage of payment data, such as credit card numbers.

28

Lecture 15

Database Security

Authentication

Positive identification of the user

Identify the user that who are trying to gain access to a computer or its resources.

29

Lecture 15

Database Security

Authentication

Identify the user that who are trying to gain access by supplying one of the following factor.
Something the user knows, usually a password or personal identification number (PIN) Something the user possesses, such as a smart card or token Some unique personal characteristic, such as a fingerprint or retinal scan

Authentication schemes are called one-factor, two-factor, or 30 three-factor authentication,

Lecture 15

Database Security

Authentication

Passwords
It is a one-factor authentication scheme.

The person who can supply a valid password can log on to the database system.
The DBA is responsible for issuing or creating passwords for the DBMS and other specific applications.

31

Lecture 15

Database Security

Authentication

Passwords
The DBA should follow several guidelines in creating passwords
Should be at least 8 characters long Should combine alphabetic and numeric data

Should not be complete words or personal information

Should be changed frequently
32

Lecture 15

Database Security

Authentication

Strong Authentication
Two factor authentication schemes (usually card and PIN code e.g ATM). Two factor authentication schemes is more secure than simple passwords because it is quite difficult for an unauthorized person to obtain both factors at the same time.

33

Lecture 15

Database Security

Authentication

Strong Authentication
Two-factor schemes are also not perfect. Cards can be lost or stolen, and PINs can be intercepted. For sensitive applications, such as e-commerce and online banking, stronger security is necessary.

Solution: Three factor authentication schemes

34

Lecture 15

Database Security

Authentication

Strong Authentication
Three factor authentication schemes have en extra biometric attribute (finger prints, voiceprints, eye pictures etc) that is unique for each individual user. Three-factor authentication is normally implemented with a high-tech card called a smart card.

35

Lecture 15

Database Security

Authentication

Mediated Authentication
Introduce the third-party for authentication systems, which establish user authenticity through a trusted authentication agent, such as Kerberos.

36

Lecture 15

Database Security

Have a Nice Day

37