200 likes | 454 Views
Database Security. By Bei Yuan. Why do we need DB Security?. Make data arranged and secret Secure other’s DB. Security Issues:. Security Policy Access Control Encryption Internet Security Threat Monitoring (Auditing). Security Policy. Exposures: A form of possible loss of a firm.
E N D
Database Security By Bei Yuan
Why do we need DB Security? • Make data arranged and secret • Secure other’s DB
Security Issues: • Security Policy • Access Control • Encryption • Internet Security • Threat Monitoring (Auditing)
Security Policy • Exposures: A form of possible loss of a firm. • Vulnerabilities: Weakness in an enterprise’s system. • Threats: Specific, potential attack on the enterprise. • Controls: Eliminate threats, vulnerabilities and exposures
Access Control ♦ Access Control Models ♦ User Authentication
Access Control Models • Discretionary Access Control (DAC) Model • Mandatory Access Control (MAC) Model • Role-Based Access Control (RABC) Model
Discretionary Access Control • Ownership-based, flexible, most widely used, low assurance • Privileged users: DBA and owners of the tables
Mandatory Access Control • Administration-based • Data flow control rules • High level of security, but less flexible
Role-Based Access Control • Flexible • Separation of duty • Able to express DAC, MAC, and user-specific policies using role constraints • Easy to incorporated into current tech
User Authentication • Password-Based Authentication • Host-Based Authentication • Third Party-Based Authentication
Encryption • Full Database Encryption • Partial Database Encryption • Off-Line Database Encryption
Full Database Encryption • Limit readability of DB files in the OS • Redundance • Time-consuming in changing encryption key
Off-line Database Encryption A note of caution: Organizations considering this should thoroughly test that data which is encrypted before storage off- line can be decrypted and re-imported successfully before embarking on large-scale encryption of backup data.
Internet Security • Server Security — Static Web Pages — Dynamic Page Generation • Session Security
Session Security • Secret-key Security (Using single key) • Public-key Security (Using two keys) — SSL protocol
Auditing • Audit via the database or operating system • The DBA must be able to log every relevant user action in order to recreate a series of actions. • The series of user actions is called the audit trail.
Conclusion Database security will always be the critical component of every information system. “Security costs. Pay for it, or pay for not having it.”