Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The."— Presentation transcript:

1 Chapter 16 Security

2 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The type of threats that can affect a database system. u How to protect a computer system using computer-based controls. u How to protect a computer system using non-computer-based controls. u The purpose and main stages of risk analysis. u The purpose of data protection and privacy laws.

3 4 Database Security u Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource. u Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential. u Protection of the database against intentional or unintentional threats using computer-based or non-computer-based controls. u Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database.

4 6 Database Security Involves measures to avoid: u Theft and fraud u Loss of confidentiality (secrecy) u Loss of privacy u Loss of integrity u Loss of availability u Threat – Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization.

5 8 Examples of Threats

6 9 Summary of Threats to Computer Systems

7 10 Typical Multi-user Computer Environment

8 11 Countermeasures – Computer-Based Controls u Authorization u Views u Backup and recovery u Integrity u Encryption u Associated procedures

9 12 Countermeasures – Computer-Based Controls u Authorization – The granting of a right or privilege, which enables a subject to legitimately have access to a system or a system’s object. u Authentication – A mechanism that determines whether a user is, who he or she claims to be. u View – Is the dynamic result of one or more relational operations operating on the base relations to produce another relation. A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request.

10 14 Countermeasures – Computer-Based Controls u Backup – Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media. u Journaling – Process of keeping and maintaining a log file (or journal) of all changes made to database to enable effective recovery in event of failure. u Checkpointing – Point of synchronization between the database and the transaction log file. All buffers are force-written to secondary storage. u Integrity – Prevents data from becoming invalid, hence giving misleading or incorrect results.

11 16 Countermeasures – Computer-Based Controls u Encryption – The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key. u Associated Procedures u Authorization and Authentication u Backup u Recovery u Audit u Installation of new application software u Installation/upgrading of system software

12 18 Countermeasures – Non-Computer- Based Controls u Concerned with matters such as policies, agreements, and other administrative controls and includes: – Security policy and contingency plan – Personnel controls – Secure positioning of equipment – Escrow agreements – Maintenance agreements – Physical access controls

13 19 Authentication - User and Group Identifiers Authentication – Access Control Matrix

14 21 Security Policy Coverage u The area of the business it covers. u Responsibilities and obligations of employees. u The disciplinary action that will result from breaches of the policy. u Procedures that must be followed.

15 22 Contingency Plan Coverage u Key personnel and how to contact. u Who decides contingency exists. u Technical requirements of transferring operations to other site(s). u Operational requirements of transferring operations to other site(s). u Any important external contacts. u Whether insurance exists to cover situation.

16 23 Escrow Agreement u Legal contract concerning software, made between developers and clients, whereby a third party holds the source code for the client’s applications. u Client can acquire source code if developer goes out of business, and ensures that the client is not left with non-maintainable systems. u Often overlooked and under-managed.

17 24 Escrow Agreement Issues u Type of contents deposited. u Update process and the timing. u Details of any third party software used. u Whether verification of the deposit is required. u Conditions governing the release of the deposit. u Details of the release process.

18 25 PC Security u Moved easily and normally located on employees’ desks - often no access controls other than those that apply to the building or area. u Security includes – Use of keyboard lock. – Use of user identifier and/or password. – Procedures to control access to floppy discs. – Procedures to reduce risk of virus infection.

19 26 Database and Web Security Measures u Proxy servers u Firewalls u Digital signatures u Message digest algorithms and digital signatures u Digital certificates u Kerberos u Secure sockets layer (SSL) and Secure HTTP (SHTTP)

20 27 Security in Statistical Databases u Typically used to generate statistical information on various populations of data. u Details of individual records should remain confidential and not be accessible. u Main problem is how to assess whether answers to legal queries can be used to infer the answer to illegal queries.

21 28 Security Strategies in Statistical Databases u Preventing queries on only few entries. u Randomly adding entries to query result set to produce an error but approximates to the true response. u Using only a random sample to answer query. u Maintaining query profile and rejecting queries that use a high number of records identical to those used in previous queries.

22 29 Stages of Risk Analysis u Establish a security team. u Define scope of analysis and obtain system details. u Identify all existing countermeasures. u Identify and evaluate all assets. u Identify and assess all threats and risks. u Select countermeasures, undertake a cost/benefit analysis, compare with existing countermeasures. u Make recommendations. u Test security system.

23 30 Data Protection and Privacy Laws u Concerns personal data and rights of individuals with respect to their personal data. u Legislation attempts to protect individuals from abuse, and to enable organizations (both public and private) to carry out their lawful activities or duties. u Privacy – Right of an individual not to have personal information collected, stored, and disclosed either will fully or indiscriminately. u Data protection – Protection of personal data from unlawful acquisition, storage, and disclosure, and provision of the safeguards to avoid the destruction or corruption of legitimate data

Download ppt "Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The."

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems

Auditing Computer Systems
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
Security Dale-Marie Wilson, Ph.D.. Why Database Security? Data Valuable resource Must be strictly controlled and managed Corporate resource Have strategic.

Security Dale-Marie Wilson, Ph.D.. Why Database Security? Data Valuable resource Must be strictly controlled and managed Corporate resource Have strategic.
1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.

1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Chapter 19 Security.

Chapter 19 Security.
Chapter 19 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 19 Security Transparencies © Pearson Education Limited 1995, 2005.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
DATABASE SECURITY By Oscar Suciadi CS 157B Prof. Sin-Min Lee.

DATABASE SECURITY By Oscar Suciadi CS 157B Prof. Sin-Min Lee.
Business Intelligence: Data and Text Management Instructor: Bajuna Salehe Web:

Business Intelligence: Data and Text Management Instructor: Bajuna Salehe Web:
10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

Similar presentations

Ads by Google