Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Application Security Models

Published byShannon Townsend Modified over 8 years ago

Similar presentations

Presentation on theme: "Database Application Security Models"— Presentation transcript:

1 Database Application Security Models
Dr. Gabriel

2 Definitions Application:
Solves a problem Performs a specific business function Database: collection of related data files used by an application Application user: user within the application schema

3 Types of Users Types: Application administrator Application owner
Administering app users No specific db privileges required Application owner Owner of app-related db objects Application user Use application Database administrator

4 Types of Users Database user Proxy user Schema owner Virtual user
User with db privileges Proxy user DB user with specific roles and privileges Isolating app users from db Schema owner Owner of db objects Virtual user

5 Security Models Access Matrix Model:
Represents two main entities: objects and subjects: Columns represent objects Rows represent subjects Objects: tables, views, procedures, database objects Subjects: users, roles, privileges, modules Authorization cell

6 Security Models (continued)

7 Security Models (continued)
Access Modes Model: Based on the Take-Grant model Uses objects and subjects Specifies access modes: static and dynamic modes Access levels: a subject has access to objects at its level and all levels below it

8 Security Models (continued)

9 Security Models (continued)

10 Application Types Client/Server applications:
Management Information System (MIS) department: Thirty year ago centralized information Developed mainframe projects Was a bottleneck Personal computer was introduced: developing need for client/server applications Based on the business model

11 Client/Server Applications

12 Client/Server Applications (continued)
Provides a flexible and scalable structure Components: User interface Business logic Data access Components usually spread out over several tiers: Minimum two Normally, four to five

13 Client/Server Applications (continued)

14 Web Applications Evolved with the rise of dot-com and Web-based companies Uses the Web to connect and communicate to the server A Web application uses HTML pages created using: ActiveX Java applets or beans ASP (Active Server Pages)

15 Web Applications (continued)

16 Web Applications (continued)
Components: Web browser layer Web server layer Application server layer Business logic layer Database server layer

17 Web Applications (continued)

18 Data Warehouse Applications
Used in decision-support applications Collection of many types of data taken from a number of different databases Typically composed of a database server Accessed by software applications or reporting applications: online analytical processing (OLAP)

19 Data Warehouse Applications (continued)

20 Application Security Models
Database role based Application role based Application function based Application role and function based Application table based

21 Security Model Based on Database Roles
Application authenticates application users: maintain all users in a table Each user is assigned a role; roles have privileges assigned to them A proxy user is needed to activate assigned roles; all roles are assigned to the proxy user Model and privileges are database dependent

22 Security Model Based on Database Roles (continued)

23 Security Model Based on Database Roles (continued)
Implementation in SQL Server: Use application roles: Special roles you that are activated at the time of authorization Require a password and cannot contain members Connect a user to the application role: overrules user’s privileges

24 Security Model Based on Database Roles (continued)
Implementation in SQL Server (continued): Create and drop application roles using the command line: CREATE APPLICATION ROLE DROP APPLICATION ROLE You can activate application roles using SP_SETAPPROLE

25 Security Model Based on Database Roles (continued)
Implementation in SQL Server (continued): Connect to database as the proxy user Validate the user name and password Retrieve the application role name Activate the application role Great article on app roles: SQL Server Security: Pros and Cons of Application Roles By Brian Kelley

26 Security Model Based on Database Roles (continued)
Example CREATE LOGIN appuser WITH PASSWORD = 'appuserpwd' CREATE USER appuser FOR LOGIN appuser; CREATE APPLICATION ROLE approle WITH PASSWORD = 'approlepwd' create table t (col1 int, col2 int) insert into t values (1,2) grant select on t to approle select * from t SP_SETAPPROLE approle,'approlepwd'

27 Security Model Based on Application Roles
Application roles are mapped to real business roles Application authenticates users Each user is assigned to an application role; application roles are provided with application privileges (read and write)

28 Security Model Based on Application Roles (continued)

29 Security Model Based on Application Roles (continued)
Implementation in SQL Server Create a database user Connect the application to the database using this user Create stored procedures to perform all database operations

30 Security Model Based on Application Roles (continued)
Example: grant select, insert, update, delete on t to appuser create table tusers (userid varchar(50) primary key, pwd varchar(50) not null) insert into tusers values ('bob','pwd') create proc pverifylogin @id varchar(50), @pwd varchar(50) as select count(*) from tusers where and exec pverifylogin 'bob','pwd‘ exec pverifylogin 'bob','pwd2'

31 Security Model Based on Application Roles (continued)
Example: CREATE SYMMETRIC KEY EncryptedData WITH ALGORITHM = DES ENCRYPTION BY PASSWORD=' ' OPEN SYMMETRIC KEY EncryptedData DECRYPTION BY PASSWORD =' ' CREATE TABLE tencrypteddatatest (Data VARBINARY(255)) UNIQUEIDENTIFIER = Key_GUID FROM sys.symmetric_keys WHERE Name = 'EncryptedData' INSERT INTO tencrypteddatatest (Data) VALUES 'Bob', 1)) SELECT Data FROM tencrypteddatatest SELECT CONVERT(VARCHAR(20), DecryptByKey(tencrypteddatatest.Data, 1)) AS Data FROM tencrypteddatatest DROP TABLE tencrypteddatatest CLOSE SYMMETRIC KEY EncryptedData

32 Security Model Based on Application Functions
Application authenticates users Application is divided into functions Considerations: Isolates application security from database Passwords must be securely encrypted Must use a real database user Granular privileges require more effort during implementation

33 Security Model Based on Application Functions (continued)

34 Security Model Based on Application Roles and Functions
Combination of models Application authenticates users Application is divided into functions Highly flexible model

35 Security Model Based on Application Roles and Functions (continued)

36 Security Model Based on Application Tables
Depends on the application to authenticate users Application provides privileges to the user based on tables; not on a role or a function User is assigned access privilege to each table owned by the application owner

37 Security Model Based on Application Tables
Privileges: 0 -no access 1 –read only 2 – read and add 3 –read, add, and modify 4 – read, add, modify, and delete 5 – read, add, modify, delete, and admin

38 Security Model Based on Application Tables (continued)

39 Security Model Based on Application Tables (continued)
Implementation in SQL Server: Grant authorization on application functions to the end user Alter authorization table from the security model based on database roles; incorporate the table and access columns required to support model

40 Application Security Models

41 Application Security Models (continued)

42 Data Encryption Passwords should be kept confidential and preferably encrypted Passwords should be compared encrypted: Never decrypt the data Hash the passwords and compare the hashes

43 Questions ?

Download ppt "Database Application Security Models"

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Management Information Systems, Sixth Edition

Management Information Systems, Sixth Edition
Database Management System

Database Management System
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Database Management: Getting Data Together Chapter 14.

Database Management: Getting Data Together Chapter 14.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Chapter 4: Database Management. Databases Before the Use of Computers Data kept in books, ledgers, card files, folders, and file cabinets Long response.

Chapter 4: Database Management. Databases Before the Use of Computers Data kept in books, ledgers, card files, folders, and file cabinets Long response.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
CSC 2720 Building Web Applications Database and SQL.

CSC 2720 Building Web Applications Database and SQL.
View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.

View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.
Introduction to Web Applications Instructor: Enoch E. Damson.

Introduction to Web Applications Instructor: Enoch E. Damson.
Lecture 7 Access Control

Lecture 7 Access Control
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
DAT702.  Standard Query Language  Ability to access and manipulate databases ◦ Retrieve data ◦ Insert, delete, update records ◦ Create and set permissions.

DAT702.  Standard Query Language  Ability to access and manipulate databases ◦ Retrieve data ◦ Insert, delete, update records ◦ Create and set permissions.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Introduction To Databases IDIA 618 Fall 2014 Bridget M. Blodgett.

Introduction To Databases IDIA 618 Fall 2014 Bridget M. Blodgett.
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.

ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
CST221: Database Systems Dr. Zhen Jiang Computer Science Department West Chester University West Chester, PA 19383.

CST221: Database Systems Dr. Zhen Jiang Computer Science Department West Chester University West Chester, PA
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

Similar presentations

Ads by Google