Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Published bySydney Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng."— Presentation transcript:

1 Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng

2 Overview Why need of database security. Threats to Database and counter-measures Methods of securing database. ❖ Through firewall ❖ Database Abstraction

3 The Importance of Security - To prevent unauthorized data observation. - To prevent unauthorized data modification. - To ensure the data confidential. - To make sure the data integrity is preserved. - To make sure only the authorized user have access to the data.

4 The Importance of Security It is important to define who can access what data, who is allowed and who is restricted, whether passwords are used and how to maintain it, what sort of firewalls and anti-malware solutions to use, how to train the staff and to enforce data security.

5 The Importance of Security The most interrupted system is Microsoft Windows NT, but UNIX based operating systems have also been maltreated.

6 The Importance of Security

7 Database Security in E-commerce Database

8 1.Operating System layer

9 2. Network Layer

10 3. Web Servers

11 4. Firewalls

12 ●use multiple passwords to access multi-functions of a server such as using one password to access the single system for administration; ●apply a different password for another operation; ●be audited for each and every transaction of the database; ●utilize application specific user name and password and should never use a default user name or password; ●back up the system thoroughly for late recovery in case of accidentally break down 5. Database Server

13 Threats to database SQL Injection. Unauthorized access Brute Force cracking of Passwords / Usernames. Network EavesDropping Stolen backup (unencrypted) tapes Targeting Unpatched database vulnerabilities.

14 SQL Injection A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

15 Unauthorized Access

16 Password cracking

17 Network Eavesdropping

18

19 Authorization - Restricted privileges, views. Encryption - public key / private key, secure sockets. Authentication – passwords. Logical - firewalls, net proxies. Access Control Stored procedures Parameterised queries. Methods of securing database

20 Authorization Read authorization - allows reading, but not modification of data Insert authorization - allows insertion of new data, but not modification of existing data. Update authorization - allows modification, but not deletion of data. Delete authorization - allows deletion of data

21 Security of the database through FIREWALLS

22 How database firewall works

23 Diagramatic representation

24 Advantages of firewalls

25 Security of the database Through Abstraction Data encryption enables to encrypt sensitive data, such as credit card numbers, stored in table columns. Encrypted data is decrypted for a database user who has access to the data. Data encryption helps protect data stored on media in the event that the storage media or data file gets stolen. Using Stored Procedures adds an extra layer of abstraction. Parameterised Queries.

26 Stored procedure Is a group of one or more SQL statements Accept input parameters and return multiple values in the form of output parameters to the calling program. Using procedure parameters helps guard against SQL injection attacks. When calling a procedure over the network, only the call to execute the procedure is visible. Therefore, malicious users cannot see table and database object names, embed Transact-SQL statements of their own, or search for critical data.

27 Parameterised Queries(Prepared Statements) Prepared statement is a feature used to execute the same SQL statements repeatedly with high efficiency. Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

28 How data Encryption Works Data encryption is a key-based access control system. Even if the encrypted data is retrieved, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the table. When a table contains encrypted columns, a single key is used regardless of the number of encrypted columns. This key is called the column encryption key. The column encryption keys for all tables, containing encrypted columns, are encrypted with the database server master encryption key and stored in a dictionary table in the database. The master encryption key is stored in an external security module that is outside the database and accessible only to the security administrator.

29 Case: Oracle Server

30 Advantages of Data Encryption

31 Summary Encrypt sensitive data. Access the database using an account with the least privileges necessary. Install the database using an account with the least privileges necessary. Ensure that data is valid. Do a code review to check for the possibility of second-order attacks. Use parameterised queries. Use stored procedures. Re-validate data in stored procedures. Ensure that error messages give nothing away about the internal architecture of the application or the database.

32 Thank You!!

Download ppt "Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Understand Database Security Concepts

Understand Database Security Concepts
Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.

Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Systems Analysis and Design in a Changing World, 6th Edition

Systems Analysis and Design in a Changing World, 6th Edition
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.

Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.

Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Functions of a Database Management System. Functions of a DBMS C.J. Date n Indexing n Views n Security n Integrity n Concurrency n Backup/Recovery n Design.

Functions of a Database Management System. Functions of a DBMS C.J. Date n Indexing n Views n Security n Integrity n Concurrency n Backup/Recovery n Design.

Similar presentations

Ads by Google