Published by Felicia Sullivan. Modified over 10 years ago.
1
Database Security, Authorization, & Encryption
Alexis Sandifer Barrimore McCaskill
2
Database Security, Authorization, and Encryption
Introduction to Database Security
- Auditing and Access Control
- Flow Control
- Encryption and Decryption
- Database Administrator (DBA)
- Security Privileges
- Authorization
- Types of Security for a Database: Physical, Network, Programming, Backups, Data Integrity
3
Database Security
Types of security issues:
- Legal and ethical issues
- Policy issues
- System-related issues
- The need to identify multiple security levels
A database is an organized collection of data. Data is typically organized to model aspects of reality in a way that supports processes requiring information, e.g. a hotel booking system, airline reservations, or warehouse inventory.
Database security refers to the collective measures used to protect and secure a database or database management software from illegitimate use and from malicious threats and attacks.
4
Database Security
Threats to the DB:
- Loss of integrity
- Loss of availability
- Loss of confidentiality
To protect the DB against these threats, four kinds of countermeasures can be implemented:
- Access control
- Inference control
- Flow control
- Encryption
A DBMS includes a DB security and authorization subsystem that ensures security against unauthorized access.
Two types of DB security mechanisms:
- Discretionary security mechanisms
- Mandatory security mechanisms
5
Database Security (Continued)
- Access control is a security mechanism that restricts unauthorized access by managing user accounts and passwords.
- A security issue associated with DBs is controlling access to a statistical DB, which provides statistics or summaries of values based on criteria; the countermeasure for this is called inference control.
- Flow control prevents information from reaching unauthorized users through covert channels, which are information pathways outside the normal access controls.
6
Access Control and Auditing
Auditing:
- Monitoring and recording of selected user database actions
- Database administrators and consultants often set up auditing for security purposes, e.g. to ensure that users do not access information without permission
Access control:
- Refers to security features that control who can access resources in the OS
- Apps call access control functions to set who can access resources, or to control access to resources provided by the app
- A mechanism of authorization that enforces whether requests for a system resource or functionality should be granted
- Gives administrators the ability to control, restrict, monitor, and protect resource availability, integrity, and confidentiality
- Access controls are security features that control how users and systems communicate and interact with other systems and resources
7
Role-Based Access Control
- Role-based access control (RBAC) emerged in the 1990s for managing and enforcing security in large-scale, enterprise-wide systems.
- Roles can be created using the CREATE ROLE and DESTROY ROLE commands (standard SQL spells the latter DROP ROLE).
- RBAC is an alternative to traditional discretionary and mandatory access controls; it ensures that only authorized users are given access to certain data or resources.
- RBAC is a good model for addressing the key security requirements of Web-based applications, whereas DAC and MAC models lack capabilities needed to support the security requirements of enterprises and Web-based applications.
8
Discretionary Access Control vs. Mandatory Access Control
- MAC policies ensure a high degree of protection because they restrict any illegal flow of information.
- Mandatory policies have the drawback of being too rigid and are only applicable in limited environments.
- In many practical situations, discretionary policies are preferred because they provide better trade-offs between security and applicability.
- DAC policies are characterized by a high degree of flexibility, making them suitable for a variety of application domains.
- DAC models are vulnerable to attacks such as Trojan horses embedded in applications.
9
Flow Control
- Flow control regulates the distribution or flow of information among accessible objects, e.g. a flow between objects X and Y occurs when a program reads values from X and writes values into Y.
- A flow policy specifies the channels along which information is allowed to move.
- Two classes of information: confidential (C) and nonconfidential (N).
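Worked example (added here; not part of the slides): a small Python checker for the two-class flow policy just described. Each object carries a C or N label, a program variable takes the highest label of everything it has read, and any write that would move confidential information into a nonconfidential object is reported. The object names, their labels and the sample programs are constructed for illustration.

```python
# Flow-control checker for a two-class policy: N (nonconfidential) < C (confidential).
# Added example; object names and programs below are constructed for illustration.

LEVEL = {"N": 0, "C": 1}

# Constructed objects with their security classes.
OBJECTS = {
    "salary_table": "C",
    "audit_summary": "C",
    "public_report": "N",
    "scratch_file": "N",
}


def flow_allowed(src_class: str, dst_class: str) -> bool:
    """Information may flow from X to Y only if Y's class dominates X's:
    N -> N, N -> C and C -> C are legal channels, C -> N is not."""
    return LEVEL[dst_class] >= LEVEL[src_class]


def check_program(statements):
    """statements: sequence of ("read", var, obj) or ("write", var, obj).

    A variable takes the highest class of everything it has read, so a
    later write is judged by the real source of the information, not just
    by the object named in the write.  Returns the violating writes as
    (var, obj, var_class, obj_class)."""
    var_class = {}
    violations = []
    for op, var, obj in statements:
        obj_class = OBJECTS[obj]
        if op == "read":
            # least upper bound of what the variable already held and what it reads
            current = var_class.get(var, "N")
            var_class[var] = current if LEVEL[current] >= LEVEL[obj_class] else obj_class
        elif op == "write":
            src = var_class.get(var, "N")
            if not flow_allowed(src, obj_class):
                violations.append((var, obj, src, obj_class))
        else:
            raise ValueError(f"unknown operation {op!r}")
    return violations


if __name__ == "__main__":
    leak = [("read", "v", "salary_table"), ("write", "v", "public_report")]
    print("direct C -> N write:", check_program(leak))
    laundered = [
        ("read", "v", "scratch_file"),   # v starts as N
        ("read", "v", "salary_table"),   # v now carries C information
        ("write", "v", "scratch_file"),  # still C -> N, still blocked
    ]
    print("mixed reads then N write:", check_program(laundered))
    print("N -> C write:", check_program([("read", "w", "scratch_file"),
                                          ("write", "w", "audit_summary")]))
```

The checker only sees explicit reads and writes; covert channels (timing, resource usage, error messages) carry information without any such statement, which is why flow control in a real DBMS is paired with the other countermeasures on these slides.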
10
Database Security (Continued)
A final issue is data encryption, which is used to protect sensitive information such as credit card numbers
11
Encryption
- In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
- It converts data to a ciphertext format that cannot be easily understood by unauthorized personnel.
- It enhances the security of files and messages by scrambling their contents so that they can be read only by someone who has the key; recovering the original contents is called decryption.
12
Encryption (Continued)
- "Masks" data for secure transmission or storage:
  Encrypt(data, encryption key) = encrypted data
  Decrypt(encrypted data, decryption key) = original data
- Without the decryption key, the encrypted data is meaningless.
- Symmetric encryption: encryption key = decryption key; all authorized users know the decryption key (a weakness). DES has a 56-bit key; AES has a 128-bit, 192-bit or 256-bit key.
- Public-key encryption (asymmetric): has 2 keys. The user's public encryption key is known to all; the decryption key is known only to this user.
13
Encryption (Example)
Creating an asymmetric key:
CREATE ASYMMETRIC KEY Sales09
  WITH ALGORITHM = RSA_2048
  ENCRYPTION BY PASSWORD = '<enterStrongPasswordHere>';
An asymmetric key is a securable entity at the database level. In its default form, this entity contains both a public key and a private key. When executed without the FROM clause, CREATE ASYMMETRIC KEY generates a new key pair. When executed with the FROM clause, CREATE ASYMMETRIC KEY imports a key pair from a file or imports a public key from an assembly.
Creating an asymmetric key from a file, giving authorization to a user:
CREATE ASYMMETRIC KEY Sales
  AUTHORIZATION Ashley
  FROM FILE = 'c:\Sales\Managers\Ashley.tmp'
  ENCRYPTION BY PASSWORD = '<enterStrongPasswordHere>';
14
Decryption (Example)
Decrypting by using a symmetric key:
-- First, open the symmetric key with which to decrypt the data.
OPEN SYMMETRIC KEY SSN_Key
  DECRYPTION BY CERTIFICATE HResources037;
SELECT NationalIDNumber,
       EncryptedNationalID AS 'Encrypted ID Number',
       CONVERT(nvarchar, DecryptByKey(EncryptedNationalID)) AS 'Decrypted ID Number'
FROM HResources.Employee;
A secret-key (symmetric) algorithm is a cryptographic algorithm that uses the same key to encrypt and decrypt data. DecryptByKey uses a symmetric key. This symmetric key must already be open in the database. There can be multiple keys open at the same time. You do not have to open the key immediately before decrypting the ciphertext. Symmetric encryption and decryption is relatively fast, and is suitable for working with large amounts of data.
15
Encryption and Decryption (Continued)
An encryption key infrastructure is made up of 6 items:
- Plaintext: the readable message that is fed into the algorithm as input.
- Encryption algorithm: performs several transformations on the plaintext.
- Public key and private key: a pair of keys chosen so that if one key is used for decryption, the other is used for encryption. The exact transformations performed by the encryption algorithm depend on which key (public or private) is provided as input.
- Ciphertext: the scrambled message produced as output. It depends on the plaintext and the key.
- Decryption algorithm: accepts the ciphertext and the matching key and produces the original plaintext.
16
Digital Signatures
- A digital signature is an example of using encryption methods to provide authentication services in e-commerce applications.
- A digital signature associates a mark unique to an individual with a body of text. The mark (the digital signature) should be unforgeable: others should be able to verify that the signature does come from the creator.
- A digital signature consists of a string of symbols.
- Public-key methods are the means of creating digital signatures.
- For each use, the signature must be different. This can be accomplished by making each digital signature a function of the message that it is signing, plus a time stamp.
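Worked example (added here; not the slides' own material): a textbook RSA signature in Python, hashing the time stamp together with the message so that the signature is a function of both, as the last bullet requires. The primes, the message and the time stamps are constructed for illustration and the key is far too small for real use; a production system uses 2048-bit keys and a padded scheme such as RSASSA-PSS from a vetted library.

```python
# Textbook RSA signature over (time stamp || message), with hash-then-sign.
# Added example: key sizes and primes here are tiny and constructed for
# illustration only; a real deployment uses 2048-bit keys and a padded
# signature scheme such as RSASSA-PSS.
import hashlib
import struct


def make_keypair(p: int, q: int, e: int = 65537):
    """Build (public, private) keys from two primes.  Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(message: bytes, timestamp: int, n: int) -> int:
    """Hash the time stamp and message together so that the signature is a
    function of both, then reduce into the RSA modulus range."""
    h = hashlib.sha256(struct.pack(">Q", timestamp) + message).digest()
    return int.from_bytes(h, "big") % n


def sign(message: bytes, timestamp: int, private_key) -> dict:
    """Produce an envelope {ts, sig}; only the holder of d can compute sig."""
    n, d = private_key
    return {"ts": timestamp, "sig": pow(_digest(message, timestamp, n), d, n)}


def verify(message: bytes, envelope: dict, public_key) -> bool:
    """Anyone holding the public key can check that the signature came from
    the holder of the matching private key and covers this exact message
    and time stamp."""
    n, e = public_key
    return pow(envelope["sig"], e, n) == _digest(message, envelope["ts"], n)


# Constructed demo primes (far too small for real use).
DEMO_PUBLIC, DEMO_PRIVATE = make_keypair(1000000007, 998244353)

if __name__ == "__main__":
    order = b"transfer 100 to account 42"
    s1 = sign(order, 1700000000, DEMO_PRIVATE)
    s2 = sign(order, 1700000001, DEMO_PRIVATE)
    print("valid:", verify(order, s1, DEMO_PUBLIC))
    print("same message, new time stamp, different signature:", s1["sig"] != s2["sig"])
    print("tampered message rejected:", not verify(b"transfer 900 to account 42", s1, DEMO_PUBLIC))
```

Because the time stamp is inside the hashed input, replaying a captured signature with a different time stamp fails verification, and the verifier can additionally reject envelopes whose time stamp falls outside an acceptance window.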
17
DB Security and the DBA
- The database administrator (DBA) is the central authority for database management.
- He or she is responsible for granting privileges to use the system and for classifying users and data according to the policy of the organization.
- The DBA is responsible for the overall security of the system.
18
DB Security and the DBA
- The DBA has a DBA account in the DBMS called the superuser account. This account can: create accounts, grant privileges, revoke privileges, and assign security levels.
- A database management system (DBMS) is system software for creating and managing databases. The DBMS provides users and programmers with a systematic way to create, retrieve, update and manage data. A DBMS makes it possible for end users to create, read, update and delete data in a database.
19
DB Security and the DBA
- When someone must access the system, the DBA must create an id and password for the new user account.
- The DBA uses a system log to record all operations done during a login session.
- If any damage is done to the DB during a login session, the DBA carries out a database audit to review all changes. The DB log used for security purposes is the audit trail.
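Worked example (added here; not from the slides): an audit trail kept by the database itself. Triggers append a row for every salary change or deletion, tagged with the account acting in the session, and further triggers make the trail append-only so that a later audit can trust it. The schema, the session table, the account names and the rows are constructed; SQLite stands in for the DBMS.

```python
# Audit trail kept by the database itself: triggers record who changed what,
# so the DBA can review a session's changes after the fact.  Added example
# with a constructed schema; SQLite stands in for the DBMS.
import sqlite3

SCHEMA = """
CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT NOT NULL, salary INTEGER NOT NULL);

-- One-row table the application sets at login so triggers can name the actor.
CREATE TABLE session (user TEXT NOT NULL);
INSERT INTO session VALUES ('unknown');

-- Append-only log: the DB log used for security purposes is the audit trail.
CREATE TABLE audit_trail (
    seq          INTEGER PRIMARY KEY AUTOINCREMENT,
    session_user TEXT NOT NULL,
    action       TEXT NOT NULL,
    emp_id       INTEGER NOT NULL,
    old_salary   INTEGER,
    new_salary   INTEGER,
    logged_at    TEXT NOT NULL DEFAULT (datetime('now'))
);

CREATE TRIGGER employee_update AFTER UPDATE OF salary ON employee
BEGIN
    INSERT INTO audit_trail (session_user, action, emp_id, old_salary, new_salary)
    VALUES ((SELECT user FROM session), 'UPDATE', OLD.id, OLD.salary, NEW.salary);
END;

CREATE TRIGGER employee_delete AFTER DELETE ON employee
BEGIN
    INSERT INTO audit_trail (session_user, action, emp_id, old_salary, new_salary)
    VALUES ((SELECT user FROM session), 'DELETE', OLD.id, OLD.salary, NULL);
END;

-- Nobody, not even the application account, may rewrite history.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;

INSERT INTO employee VALUES (1, 'Ann', 50000), (2, 'Ben', 60000);
"""


def open_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login(conn: sqlite3.Connection, user: str) -> None:
    """Record which account is acting in this session."""
    conn.execute("UPDATE session SET user = ?", (user,))


def read_audit_trail(conn: sqlite3.Connection):
    """Return (session_user, action, emp_id, old_salary, new_salary) in order."""
    return conn.execute(
        "SELECT session_user, action, emp_id, old_salary, new_salary "
        "FROM audit_trail ORDER BY seq").fetchall()


def tamper_with_trail(conn: sqlite3.Connection) -> bool:
    """Try to erase the log; returns True if the DB blocked it."""
    try:
        conn.execute("DELETE FROM audit_trail")
        return False
    except sqlite3.DatabaseError:
        return True


if __name__ == "__main__":
    db = open_audited_db()
    login(db, "alice")
    db.execute("UPDATE employee SET salary = 90000 WHERE id = 1")
    login(db, "bob")
    db.execute("DELETE FROM employee WHERE id = 2")
    for row in read_audit_trail(db):
        print(row)
    print("delete of audit trail blocked:", tamper_with_trail(db))
```

In a production DBMS the same idea is implemented with the server's native auditing (the slides' Oracle and SQL Server examples both have one) and the trail is shipped off the database host, so that an account able to alter data cannot also alter the record of having done so.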
20
Types of Discretionary Privileges
- Enforcement of discretionary access control is based on granting and revoking privileges.
- Account level: the DBA specifies the privileges that each account holds independently of the relations in the DB, e.g. CREATE SCHEMA or CREATE TABLE, CREATE VIEW, ALTER, DROP, MODIFY, and SELECT.
- Relation level: the DBA controls privileges to access each relation or view in the DB. To control the granting and revoking of relation privileges, each relation R in a DB is assigned an owner account, which is typically the account that created it, e.g. the SELECT privilege on R gives the account the retrieval privilege, and the MODIFY privileges on R give the account the capability to modify R.
21
Revoking & Granting Privileges
The DBA can revoke privileges by using one of the following:
REVOKE SELECT ON viewname FROM username;
REVOKE privileges ON object FROM user;
Users can grant privileges to another account by using the GRANT OPTION, which means that secondary accounts can grant privileges to tertiary accounts. Examples:
GRANT CREATETAB TO A1;
GRANT SELECT, INSERT, UPDATE, DELETE ON employees TO username;
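Worked example (added here; not from the slides): the propagation behaviour of GRANT OPTION and REVOKE modelled in Python, since it is the part of this slide that is easiest to get wrong. The owner grants SELECT to a secondary account with grant option, the secondary account passes it to a tertiary one, and a revoke at the top cascades down unless the tertiary account holds the privilege through another path. The account names, relation name and privilege table are constructed.

```python
# Discretionary privileges with GRANT OPTION and cascading REVOKE, modelled
# in Python.  Added example; accounts and relation names are constructed.
from collections import defaultdict


class Authorization:
    """Tracks, per (relation, privilege), who granted it to whom and whether the
    grantee may pass it on.  The owner of a relation implicitly holds every
    privilege on it with grant option."""

    def __init__(self):
        self.owners = {}                    # relation -> owner account
        self.grants = defaultdict(list)     # (relation, priv) -> [(grantor, grantee, grant_option)]

    def create_relation(self, relation: str, owner: str) -> None:
        self.owners[relation] = owner

    def holds(self, account: str, relation: str, priv: str) -> bool:
        if self.owners.get(relation) == account:
            return True
        return any(ge == account for _, ge, _ in self.grants[(relation, priv)])

    def can_grant(self, account: str, relation: str, priv: str) -> bool:
        if self.owners.get(relation) == account:
            return True
        return any(ge == account and opt for _, ge, opt in self.grants[(relation, priv)])

    def grant(self, grantor, grantee, relation, priv, with_grant_option=False) -> None:
        """GRANT priv ON relation TO grantee [WITH GRANT OPTION], issued by grantor."""
        if not self.can_grant(grantor, relation, priv):
            raise PermissionError(f"{grantor} may not grant {priv} on {relation}")
        self.grants[(relation, priv)].append((grantor, grantee, with_grant_option))

    def revoke(self, grantor, grantee, relation, priv) -> None:
        """REVOKE priv ON relation FROM grantee, issued by grantor.  If the
        grantee thereby loses the ability to grant, everything it granted in
        turn is revoked as well (cascade), unless the tertiary account also
        holds the privilege through some other path."""
        key = (relation, priv)
        remaining = [g for g in self.grants[key] if not (g[0] == grantor and g[1] == grantee)]
        if len(remaining) == len(self.grants[key]):
            return                                  # nothing to revoke
        self.grants[key] = remaining
        if not self.can_grant(grantee, relation, priv):
            # snapshot first: the recursive calls replace self.grants[key]
            for _, tertiary, _ in [g for g in self.grants[key] if g[0] == grantee]:
                self.revoke(grantee, tertiary, relation, priv)


def demo():
    """Owner A1 -> A2 (with grant option) -> A3; A1 -> A4 directly; then A1 revokes A2."""
    auth = Authorization()
    auth.create_relation("employees", "A1")
    auth.grant("A1", "A2", "employees", "SELECT", with_grant_option=True)
    auth.grant("A2", "A3", "employees", "SELECT")          # secondary -> tertiary
    auth.grant("A1", "A4", "employees", "SELECT")          # plain grant, no option
    before = {a: auth.holds(a, "employees", "SELECT") for a in ("A2", "A3", "A4")}
    auth.revoke("A1", "A2", "employees", "SELECT")         # cascades to A3, not A4
    after = {a: auth.holds(a, "employees", "SELECT") for a in ("A2", "A3", "A4")}
    return before, after


if __name__ == "__main__":
    print(demo())
```

Real DBMSs differ in the details (some require CASCADE to be stated explicitly and refuse the revoke otherwise), so the behaviour to verify before relying on it is exactly the one the demo() scenario exercises: what happens to the tertiary grant.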
22
Oracle Privileges: Why Is It Important to Restrict System Privileges?
- Because system privileges are so powerful, by default the database is configured to prevent typical (non-administrative) users from exercising the ANY system privileges (such as UPDATE ANY TABLE) on the data dictionary.
- Guidelines to secure user accounts and privileges:
  - Practice the principle of least privilege: grant necessary privileges only.
  - Lock and expire default (predefined) user accounts, e.g. ALTER USER ANONYMOUS PASSWORD EXPIRE ACCOUNT LOCK;
  - Monitor the granting of privileges.
23
Authorization
- The function of specifying access rights to resources, related to information security, general computer security and access control
- Defines the access policy
- The process of giving someone permission to do or have something
24
Types of Authorization
- Read authorization
- Update authorization
- Alter authorization: changes the ownership of a database
25
Control who can view fields of your relation R by using a VIEW
e.g. If the owner X of a relation R wants another account Y to be able to retrieve only some fields of R, then X can create a view V of R that includes only those attributes and then grant SELECT on V to Y.
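Worked example (added here; not from the slides): the X/V/Y pattern above in Python with SQLite. R is a constructed employee table with an SSN and salary column, V exposes only name and dept, and a small in-process privilege table (constructed, because SQLite has no GRANT/REVOKE of its own) gives Y SELECT on V alone. Identifier names are validated before they are placed in the SQL text.

```python
# Column-level restriction through a view: owner X exposes only some fields of
# relation R via view V and grants SELECT on V (not R) to account Y.  Added
# example with a constructed schema and a tiny in-process privilege table,
# since SQLite has no GRANT/REVOKE of its own.
import re
import sqlite3

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # only plain identifiers reach the SQL text


def build_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (name TEXT, dept TEXT, ssn TEXT, salary INTEGER);
        INSERT INTO employee VALUES ('Ann', 'IT', '000-00-0001', 50000),
                                    ('Ben', 'HR', '000-00-0002', 60000);
        -- V: the only attributes X wants Y to see
        CREATE VIEW emp_public AS SELECT name, dept FROM employee;
    """)
    # Constructed privilege table: account -> {object: {privileges}}
    privileges = {
        "X": {"employee": {"OWNER"}, "emp_public": {"OWNER"}},
        "Y": {"emp_public": {"SELECT"}},
    }
    return conn, privileges


def select_as(conn, privileges, account, obj, columns=("*",)):
    """Run SELECT columns FROM obj on behalf of account, enforcing the
    privilege table first and the view definition second."""
    held = privileges.get(account, {}).get(obj, set())
    if not held & {"SELECT", "OWNER"}:
        raise PermissionError(f"{account} has no SELECT privilege on {obj}")
    for name in (obj, *columns):
        if name != "*" and not IDENT.match(name):
            raise ValueError(f"bad identifier {name!r}")
    try:
        return conn.execute(f"SELECT {', '.join(columns)} FROM {obj}").fetchall()
    except sqlite3.OperationalError as exc:
        # e.g. a column that the view does not expose
        raise PermissionError(f"{obj} does not expose that column: {exc}") from None


if __name__ == "__main__":
    conn, privileges = build_demo()
    print(select_as(conn, privileges, "Y", "emp_public"))
    for attempt in (("Y", "employee", ("*",)), ("Y", "emp_public", ("name", "salary"))):
        try:
            select_as(conn, privileges, *attempt)
        except PermissionError as exc:
            print("denied:", exc)
```

The view is the enforcement point: Y cannot name ssn or salary at all, because the view has no such columns, and Y has no privilege on the base table to go around it.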
26
Statistical DB Security
Statistical DBs are used to produce statistics on various populations and can include confidential data. Users are permitted to retrieve statistics only through statistical queries using COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION.
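Worked example (added here; not from the slides): inference control for a statistical database in Python with SQLite. Aggregate queries over a constructed employee population are answered only when the query set is neither too small nor too close to the whole population, the query-set-size rule that stops a single individual's value being read off directly or by subtraction. The schema, population and the choice of minimum set size are constructed.

```python
# Inference control for a statistical database: aggregate queries are
# answered only when the query set is neither too small nor too close to the
# whole population.  Added example; the population is constructed.
import sqlite3

ALLOWED_FUNCS = {"COUNT", "SUM", "MIN", "MAX", "AVG"}
PREDICATE_COLUMNS = {"dept", "name"}        # attributes usable as selection criteria
MIN_QUERY_SET = 2                           # n in the rule n <= |C| <= N - n


def build_statistical_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employee VALUES
            ('Ann', 'IT', 50000), ('Ben', 'IT', 52000), ('Cat', 'IT', 54000), ('Dan', 'IT', 56000),
            ('Eve', 'HR', 40000), ('Fay', 'HR', 42000), ('Gus', 'HR', 44000), ('Hal', 'HR', 46000);
    """)
    return conn


def stat_query(conn, func: str, predicates: dict, column: str = "salary"):
    """Answer func(column) over the rows matching the equality predicates,
    or raise PermissionError when the query set size would allow inference."""
    func = func.upper()
    if func not in ALLOWED_FUNCS:
        raise ValueError(f"{func} is not a statistical function")
    if column != "salary":
        raise ValueError("only salary statistics are published")
    if set(predicates) - PREDICATE_COLUMNS:
        raise ValueError("predicates allowed only on the listed attributes")

    # Column names were validated above; values go in as bound parameters.
    where = " AND ".join(f"{col} = ?" for col in predicates) or "1 = 1"
    params = tuple(predicates.values())
    total = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    size = conn.execute(f"SELECT COUNT(*) FROM employee WHERE {where}", params).fetchone()[0]

    # Too small a set reveals individuals; too large a set reveals them by
    # subtraction from the whole population (the complement query).
    if size < MIN_QUERY_SET or size > total - MIN_QUERY_SET:
        raise PermissionError(f"query set of size {size} refused")
    return conn.execute(f"SELECT {func}({column}) FROM employee WHERE {where}", params).fetchone()[0]


if __name__ == "__main__":
    db = build_statistical_db()
    print("AVG salary in IT:", stat_query(db, "AVG", {"dept": "IT"}))
    for preds in ({"name": "Ann"}, {}):
        try:
            stat_query(db, "MAX", preds)
        except PermissionError as exc:
            print("refused:", exc)
```

Query-set size is a first layer only: sequences of overlapping queries can still narrow down an individual, so practical statistical databases add limits on query overlap, random perturbation of results, or auditing of each user's query history.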
27
Physical Security
Physical security is non-technical security. With it, you are able to protect your database from natural disasters, burglary, theft, vandalism, and terrorism, by:
- Using CCTV cameras
- Making fire doors exit only
- Limiting entry points of buildings
- Planning for bomb detection
- Having redundant utilities such as electricity, water, voice and data
- Using biometric identification
28
Network Security
Network security refers to the links, routers, and switches that allow hosts to communicate with one another. It basically ensures that the data cannot be compromised, and that the data is not accessible to anyone who is not authorized to see it. The IT department is responsible for providing a secure and reliable network experience. Providing confidentiality of data guarantees that only authorized users can view the sensitive information. Measures:
- Firewalls
- Using intrusion detection
- Using traffic level monitoring
- Using host-based packet
29
Programming Security
Programming security covers server security, database connections, table access control, etc.
- Your database back end should never be on the same machine as your web server, for security and performance purposes.
- Updates to a database via a web page by users should be validated, and updates should be warranted and safe.
- Table access control should be a collaboration between the system administrators and the database developer.
30
Backups
- Duplicates the intended database
- Single operation that is usually scheduled at regular intervals
- Self-contained
- e.g. Cloud storage, USB drives, RAID3, hard copy
31
Data Integrity
Maintaining and assuring the accuracy and consistency of data over its entire life-cycle; a critical aspect of the design, implementation and usage of any system which stores, processes, or retrieves data. It ensures the quality of the data in the database.
Data integrity can be compromised in multiple ways:
- Human error during entry
- Errors that occur when data is transmitted from one computer to another
- Software bugs and viruses
- Hardware malfunctions, e.g. disk crashes
- Natural disasters
Ways to minimize threats to data integrity:
- Regular backups
- Controlling access to data via security mechanisms
- Designing a user interface that prevents the input of invalid data
- Using error detection and correction software when transmitting data
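Worked example (added here; not from the slides) of two of the listed safeguards in Python with SQLite: declared constraints (NOT NULL, CHECK, a foreign key) make the DBMS itself reject invalid input regardless of which user interface sent it, and a SHA-256 checksum carried alongside a transmitted record lets the receiver detect corruption. The schema, the rows and the payloads are constructed.

```python
# Two of the listed safeguards in code: the DBMS rejects invalid input through
# declared constraints, and a checksum detects corruption in transit.
# Added example with a constructed schema and constructed payloads.
import hashlib
import sqlite3


def open_integrity_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")     # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE dept (code TEXT PRIMARY KEY);
        INSERT INTO dept VALUES ('IT'), ('HR');
        CREATE TABLE employee (
            id     INTEGER PRIMARY KEY,
            name   TEXT    NOT NULL CHECK (length(name) > 0),
            dept   TEXT    NOT NULL REFERENCES dept(code),
            salary INTEGER NOT NULL CHECK (salary > 0)
        );
    """)
    return conn


def insert_employee(conn, name, dept, salary) -> bool:
    """Return True on success, False when a constraint rejects the row.
    The transaction context rolls the statement back on failure."""
    try:
        with conn:
            conn.execute("INSERT INTO employee (name, dept, salary) VALUES (?, ?, ?)",
                         (name, dept, salary))
        return True
    except sqlite3.IntegrityError:
        return False


def checksum(payload: bytes) -> str:
    """Digest sent alongside the data so the receiver can detect corruption."""
    return hashlib.sha256(payload).hexdigest()


def verify_transfer(payload: bytes, expected: str) -> bool:
    return checksum(payload) == expected


if __name__ == "__main__":
    db = open_integrity_db()
    print(insert_employee(db, "Ann", "IT", 50000))   # True
    print(insert_employee(db, "Bob", "IT", -5))      # False: CHECK (salary > 0)
    print(insert_employee(db, "Cy", "XX", 1000))     # False: no such dept
    print(insert_employee(db, "", "HR", 1000))       # False: empty name
    record = b"1,Ann,IT,50000"
    digest = checksum(record)
    print(verify_transfer(record, digest), verify_transfer(b"1,Ann,IT,59000", digest))
```

A plain hash detects accidental corruption only; against deliberate modification in transit the digest must itself be protected, for example by a digital signature of the kind shown on the earlier slide.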
32
Conclusion
Database security refers to the collective measures used to protect and secure a database or database management software from illegitimate use and from malicious threats and attacks.
Preventions: access control, inference control, flow control, encryption.
Threats: loss of integrity, loss of availability, loss of confidentiality.