DATABASE SECURITY AND COUNTER MEASURES

1

• DATABASE SECURITY AND COUNTER MEASURES
• MADHURI ATHOTA

2
Objectives

• Why database security is a serious concern for an
  organization.
• The type of threats that can affect a database
  system.
• How to protect a computer system using
  computer-based controls.

3
Database Security

• Data is a valuable resource that must be strictly
  controlled and managed, as with any corporate
  resource.
• Major operational functions of an organization
  depends on the data. E.g. Payroll, Stock Control.
• Confidential data needs to be kept secure.

4
Database Security

• Database Security is a mechanism that protect the
  database against intentional or accidental
  threats.
• Emergence of database approach data shared
  among different users.
• Database needs addinational security control over
  the activities of the users on the data

5
Database Security

• Organization should take necessary measures to
  avoid following situations
• Theft and fraud
• Loss of confidentiality (Organization)
• Loss of privacy (Individual)
• Loss of integrity
• Loss of availability

6
Database Security

• Security Threat
• A threat may be caused by a situation or event
  involving a person, action, or circumstance that
  is likely to bring harm to an organization.
• Threats classified into
• Malicious (intentional)
• Accidental (unintentional)

7
Threats to Computer Systems
8
Countermeasures Computer-Based Controls

• Authorization
• Access controls
• Views
• Backup and recovery
• Integrity
• Encryption
• RAID technology

9
Authorization

• The granting of a right or privilege, which
  enables a subject to legitimately have access to
  a system or a systems object.
• Authentication is a mechanism that determines
  whether a user is, who he or she claims to be.
• Authorization uses authentication for verifying
  the user and password.

10
Access Control

• Based on the granting and revoking of privileges.
  
• A privilege allows a user to create or access
  (that is read, write, or modify) some database
  object (such as a relation, view, and index) or
  to run certain DBMS utilities.
• Two Types
• Discretionary Access Control
• Mandatory Access Control

11
Discretionary Access Control (DAC)

• SQL standard supports DAC through the GRANT and
  REVOKE commands.
• The GRANT command gives privileges to users, and
  the REVOKE command takes away privileges.
• E.g. GRANT SELECT, UPDATE
• ON Branch TO PUBLIC
• REVOKE SELECT, UPDATE
• ON Branch FROM PUBLIC

12
Mandatory Access Control (MAC)

• MAC based on system-wide policies that cannot be
  changed by individual users.
• Each database object is assigned a security class
  and each user is assigned a clearance for a
  security class, and rules are imposed on reading
  and writing of database objects by users.

13
Mandatory Access Control (MAC)

• MAC determines whether a user can read or write
  an object based on rules that involve the
  security level of the object and the clearance of
  the user.
• These rules ensure that sensitive data can never
  be passed on to another user without the
  necessary clearance.
• A popular model for MAC is called Bell-LaPadula
  model

14
MAC -Bell-LaPadula model

• Client Relation With SecurityClass
• Users with C label see only first two tuples.
  Assume label S gt label C. Then users with
  label S can see all the tuples.

15
View

• Is the dynamic result of one or more relational
  operations operating on the base relations to
  produce another relation.
• A view is a virtual table that is not existent in
  the database
• A view is generated upon the user request at
  particular point of time

16
View

• E.g. CREATE VIEW LS AS
• SELECT S.S, S.sName, S.status, S.city
• FROM S
• WHERE S.cityLondon
• GRANT SELECT, UPDATE (sName, status)
• ON LS
• TO Dan, Misha.
• Using a view is more restricted than simply
  having privileges granted to users on base
  relations.

17
Backup and Recovery

• Backup
• Process of periodically taking a copy of the
  database and log file (and possibly programs) to
  offline storage media.
• Recovery
• Process of restoration of the database after a
  failure, to a state that is acceptable to the
  users.
• Journaling
• Process of keeping and maintaining a log file (or
  journal) of all changes made to database to
  enable effective recovery in event of failure

18
Integrity

• Prevents data from becoming invalid, and hence
  giving misleading or incorrect results by
  enforcing integrity rules.
• Two Integrity rules
• Entity Integrity (Primary Key)
• Referential Integrity (Foreign Key)

19
Encryption

• The encoding of the data by a special algorithm
  that renders the data unreadable by any program
  without the decryption key.
• Two types
• Symmetric Encryption - uses the same key for
  both encryption and decryption
• Asymmetric encryption - uses different keys for
  encryption and decryption

20
RAID (Redundant Array of Independent Disks)
Technology

• Hardware that the DBMS is running on must be
  fault-tolerant, meaning that the DBMS should
  continue to operate even if one of the hardware
  components fails.
• RAID is one solution that provides a large disk
  array comprising an arrangement of several
  independent disks that are organized to improve
  reliability and at the same time increase
  performance.
• Performance increased by data striping and
  reliability improved by storing information on
  redundant disks (mirrored disks)

21
RAID (Redundant Array of Independent Disks)
22
RAID Levels

• RAID 0 Nonredundant
• RAID 1 Mirrored
• RAID 01 Nonredundant and Mirrored
• RAID 2 Memory-Style Error-Correcting Codes
• RAID 3 Bit-Interleaved Parity
• RAID 4 Block-Interleaved Parity
• RAID 5 Block-Interleaved Distributed Parity
• RAID 6 PQ Redundancy

23
Questions?
24
1. Mandatory access control enforces security
control by ________ on each database
object. a) creating views b) assigning a security
class c) using GRANT and REVOKE d) using
encryption e) applying integrity rules 2. The
process of keeping track of all the changes
made to the database is called ______________
. a) backup b) before imaging c) after imaging d)
recovery control e) journaling 3) The primary
purpose of using RAID technology is to
ensure that the hardware the DBMS running
on must _____________ . a) support distributed
transactions b) be consistent during recovery c)
provide efficient access controls d) be fault
tolerant e) backed up periodically
25
1. Mandatory access control enforces security
control by ________ on each database
object. a) creating views b) assigning a security
class c) using GRANT and REVOKE d) using
encryption e) applying integrity rules 2. The
process of keeping track of all the changes
made to the database is called ______________
. a) backup b) before imaging c) after imaging d)
recovery control e) journaling 3) The primary
purpose of using RAID technology is to
ensure that the hardware the DBMS running
on must _____________ . a) support distributed
transactions b) be consistent during recovery c)
provide efficient access controls d) be fault
tolerant e) backed up periodically