11/4/2012ISC239 Isabelle Bichindaritz1 Database Security.

Slides:



Advertisements
Similar presentations
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Advertisements

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
II.I Selected Database Issues: 1 - SecuritySlide 1/20 II. Selected Database Issues Part 1: Security Lecture 2 Lecturer: Chris Clack 3C13/D6.
Database Administration and Security Transparencies 1.
Database Management System
Chapter 7 HARDENING SERVERS.
Security Dale-Marie Wilson, Ph.D.. Why Database Security? Data Valuable resource Must be strictly controlled and managed Corporate resource Have strategic.
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.
Manajemen Basis Data Pertemuan 1 Matakuliah: M0264/Manajemen Basis Data Tahun: 2008.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.
Chapter 19 Security.
Chapter 19 Security Transparencies © Pearson Education Limited 1995, 2005.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
DATABASE SECURITY By Oscar Suciadi CS 157B Prof. Sin-Min Lee.
DATABASE ADMINISTRATION AND SECURITY
Chapter 19 Security Transparencies. 2 Chapter 19 - Objectives Scope of database security. Why database security is a serious concern for an organization.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Chapter 19 Security Integrity Security Control –computer-based –non-computer-based PC security DBMS and Web security Risk Analysis Data protection and.
II.I Selected Database Issues: 1 - SecuritySlide 1/24 II. Selected Database Issues Part 1: Security Lecture 1 Lecturer: Chris Clack 3C13/D6.
© Pearson Education Limited, Chapter 5 Database Administration and Security Transparencies.
D ATABASE A DMINISTRATION L ECTURE N O 4 Muhammad Abrar.
Security CPSC 356 Database Ellen Walker Hiram College (Includes figures from Database Systems by Connolly & Begg, © Addison Wesley 2002)
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
Concepts of Database Management Sixth Edition
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
Chapter 13 – Network Security
1 Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Switch off your Mobiles Phones or Change Profile to Silent Mode.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Security and Transaction Nhi Tran CS 157B - Dr. Lee Fall, 2003.
The protection of the DB against intentional or unintentional threats using computer-based or non- computer-based controls. Database Security – Part 2.
Types of Electronic Infection
Chapter 21 Distributed System Security Copyright © 2008.
D ATABASE A DMINISTRATION L ECTURE N O 3 Muhammad Abrar.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Section 3 Database Security. 3-2 CA306 Introduction Section Content 3.1 Security Overview 3.2 Security Controls 3.3 Views 3.4 Security in Oracle 3.5 Web.
1 Chpt. 12: INFORMATION SYSTEM QUALITY, SECURITY, AND CONTROL.
CSCI 3140 Module 6 – Database Security Theodore Chiasson Dalhousie University.
Database Security Tampere University of Technology, Introduction to Databases. Oleg Esin.
CSC271 Database Systems Lecture # 31. Summary: Previous Lecture  Remaining steps/activities in  Physical database design methodology  Monitoring and.
Chap1: Is there a Security Problem in Computing?.
Academic Year 2014 Spring Academic Year 2014 Spring.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Install, configure and test ICT Networks
1 Chapter 7 Data Protection Data Recovery As with almost all complex forms of computer hardware and software, there is always the possibility.
DATA SECURITY. Security considerations apply not only to the data held in the database Breaches of security may affect other parts of the system which.
Web Database Security Session 12 & 13 Matakuliah: Web Database Tahun: 2008.
Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.
Database Security Threats. Database An essential corporate resource Data is a valuable resource Must be strictly controlled, managed and secured May have.
SYSTEMS IMPLEMENTATION TECHNIQUES TRANSACTION PROCESSING DATABASE RECOVERY DATABASE SECURITY CONCURRENCY CONTROL.
Chapter Name September 98 Security by Adrienne Watt.
SECURITY OF DATABASE SYSTEMS
Securing Network Servers
Working at a Small-to-Medium Business or ISP – Chapter 8
Database Security and Authorization
Security and Administration Transparencies
By Oscar Suciadi CS 157B Prof. Sin-Min Lee
By Oscar Suciadi CS 157B Prof. Sin-Min Lee
Database Security &Threats
DATABASE SECURITY For CSCL (BIM).
By Oscar Suciadi CS 157B Prof. Sin-Min Lee
Implementation of security elements in database
Electronic Payment Security Technologies
Presentation transcript:

11/4/2012ISC239 Isabelle Bichindaritz1 Database Security

11/4/2012ISC239 Isabelle Bichindaritz2 Learning Objectives Define the scope of database security. Evaluate the importance of database security as a serious concern for an organization. List the types of threats that can affect a database system. Protect a computer system using computer-based controls. Secure Microsoft Office Access and Oracle DBMSs. Secure a DBMS on the Web.

11/4/2012ISC239 Isabelle Bichindaritz3 Acknowledgments Some of these slides have been adapted from Thomas Connolly and Carolyn Begg

4 Database Security Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource. Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential. 11/4/2012ISC239 Isabelle Bichindaritz

5 Database Security Mechanisms that protect the database against intentional or accidental threats. Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database. 11/4/2012ISC239 Isabelle Bichindaritz

6 Database Security Involves measures to avoid: –Theft and fraud –Loss of confidentiality (secrecy) –Loss of privacy –Loss of integrity –Loss of availability 11/4/2012ISC239 Isabelle Bichindaritz

7 Database Security Threat –Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization. 11/4/2012ISC239 Isabelle Bichindaritz

8 Summary of Threats to Computer Systems 11/4/2012ISC239 Isabelle Bichindaritz

9 Typical Multi-user Computer Environment 11/4/2012ISC239 Isabelle Bichindaritz

10 Countermeasures – Computer- Based Controls Concerned with physical controls to administrative procedures and includes: –Authorization –Access controls –Views –Backup and recovery –Integrity –Encryption –RAID technology 11/4/2012ISC239 Isabelle Bichindaritz

11 Countermeasures – Computer- Based Controls Authorization –The granting of a right or privilege, which enables a subject to legitimately have access to a system or a system’s object. –Authorization is a mechanism that determines whether a user is, who he or she claims to be. 11/4/2012ISC239 Isabelle Bichindaritz

12 Countermeasures – Computer- Based Controls Access control –Based on the granting and revoking of privileges. –A privilege allows a user to create or access (that is read, write, or modify) some database object (such as a relation, view, and index) or to run certain DBMS utilities. –Privileges are granted to users to accomplish the tasks required for their jobs. 11/4/2012ISC239 Isabelle Bichindaritz

13 Countermeasures – Computer- Based Controls Most DBMS provide an approach called Discretionary Access Control (DAC). SQL standard supports DAC through the GRANT and REVOKE commands. The GRANT command gives privileges to users, and the REVOKE command takes away privileges. 11/4/2012ISC239 Isabelle Bichindaritz

14 Countermeasures – Computer- Based Controls DAC while effective has certain weaknesses. In particular an unauthorized user can trick an authorized user into disclosing sensitive data. An additional approach is required called Mandatory Access Control (MAC). 11/4/2012ISC239 Isabelle Bichindaritz

15 Countermeasures – Computer- Based Controls DAC based on system-wide policies that cannot be changed by individual users. Each database object is assigned a security class and each user is assigned a clearance for a security class, and rules are imposed on reading and writing of database objects by users. 11/4/2012ISC239 Isabelle Bichindaritz

16 Countermeasures – Computer- Based Controls DAC determines whether a user can read or write an object based on rules that involve the security level of the object and the clearance of the user. These rules ensure that sensitive data can never be ‘passed on’ to another user without the necessary clearance. The SQL standard does not include support for MAC. 11/4/2012ISC239 Isabelle Bichindaritz

17 Popular Model for MAC called Bell-LaPudula 11/4/2012ISC239 Isabelle Bichindaritz

18 Countermeasures – Computer- Based Controls View –Is the dynamic result of one or more relational operations operating on the base relations to produce another relation. –A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request. 11/4/2012ISC239 Isabelle Bichindaritz

19 Countermeasures – Computer- Based Controls Backup –Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media. Journaling –Process of keeping and maintaining a log file (or journal) of all changes made to database to enable effective recovery in event of failure. 11/4/2012ISC239 Isabelle Bichindaritz

20 Countermeasures – Computer- Based Controls Integrity –Prevents data from becoming invalid, and hence giving misleading or incorrect results. Encryption –The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key. 11/4/2012ISC239 Isabelle Bichindaritz

21 RAID (Redundant Array of Independent Disks) Technology Hardware that the DBMS is running on must be fault-tolerant, meaning that the DBMS should continue to operate even if one of the hardware components fails. Suggests having redundant components that can be seamlessly integrated into the working system whenever there is one or more component failures. 11/4/2012ISC239 Isabelle Bichindaritz

22 RAID (Redundant Array of Independent Disks) Technology The main hardware components that should be fault-tolerant include disk drives, disk controllers, CPU, power supplies, and cooling fans. Disk drives are the most vulnerable components with the shortest times between failure of any of the hardware components. 11/4/2012ISC239 Isabelle Bichindaritz

23 RAID (Redundant Array of Independent Disks) Technology One solution is to provide a large disk array comprising an arrangement of several independent disks that are organized to improve reliability and at the same time increase performance. 11/4/2012ISC239 Isabelle Bichindaritz

24 RAID (Redundant Array of Independent Disks) Technology Performance is increased through data striping: the data is segmented into equal- size partitions (the striping unit), which are transparently distributed across multiple disks. Reliability is improved through storing redundant information across the disks using a parity scheme or an error- correcting scheme. 11/4/2012ISC239 Isabelle Bichindaritz

25 RAID (Redundant Array of Independent Disks) Technology There are a number of different disk configurations called RAID levels. –RAID 0 Nonredundant –RAID 1 Mirrored –RAID 0+1 Nonredundant and Mirrored –RAID 2 Memory-Style Error-Correcting Codes –RAID 3 Bit-Interleaved Parity –RAID 4 Block-Interleaved Parity –RAID 5 Block-Interleaved Distributed Parity –RAID 6 P+Q Redundancy 11/4/2012ISC239 Isabelle Bichindaritz

26 RAID 0 and RAID 1 11/4/2012ISC239 Isabelle Bichindaritz

27 RAID 2 and RAID 3 11/4/2012ISC239 Isabelle Bichindaritz

28 RAID 4 and RAID 5 11/4/2012ISC239 Isabelle Bichindaritz

29 Security in Microsoft Office Access DBMS Provides two methods for securing a database: –setting a password for opening a database (system security); –user-level security, which can be used to limit the parts of the database that a user can read or update (data security). 11/4/2012ISC239 Isabelle Bichindaritz

30 Securing the DreamHome database using a password 11/4/2012ISC239 Isabelle Bichindaritz

31 User and Group Accounts dialog box for the DreamHome database 11/4/2012ISC239 Isabelle Bichindaritz

32 User and Group Permissions dialog box 11/4/2012ISC239 Isabelle Bichindaritz

33 Creation of a new user with password authentication set 11/4/2012ISC239 Isabelle Bichindaritz

34 Log on dialog box 11/4/2012ISC239 Isabelle Bichindaritz

35 Setting the Insert, Select, and Update privileges 11/4/2012ISC239 Isabelle Bichindaritz

36 DBMSs and Web Security Internet communication relies on TCP/IP as the underlying protocol. However, TCP/IP and HTTP were not designed with security in mind. Without special software, all Internet traffic travels ‘in the clear’ and anyone who monitors traffic can read it. 11/4/2012ISC239 Isabelle Bichindaritz

37 DBMSs and Web Security Must ensure while transmitting information over the Internet that: –inaccessible to anyone but sender and receiver (privacy); –not changed during transmission (integrity); –receiver can be sure it came from sender (authenticity); –sender can be sure receiver is genuine (non- fabrication); –sender cannot deny he or she sent it (non- repudiation). 11/4/2012ISC239 Isabelle Bichindaritz

38 DBMSs and Web Security Measures include: –Proxy servers –Firewalls –Message digest algorithms and digital signatures –Digital certificates –Kerberos –Secure sockets layer (SSL) and Secure HTTP (S-HTTP) –Secure Electronic Transactions (SET) and Secure Transaction Technology (SST) –Java security –ActiveX security 11/4/2012ISC239 Isabelle Bichindaritz

39 How Secure Electronic Transactions (SET) Works 11/4/2012ISC239 Isabelle Bichindaritz

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.