1 / 22

Database Security Overview

Database Security Overview. Blake Middleton CSE 7330 – Fall 2009. Protecting a Critical Resource. Banking/Financial Records Medical Records Inventory Customer Information Personnel Records Student Records. Threats to Data. Copy Destroy Modify

isra
Download Presentation

Database Security Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Database Security Overview Blake Middleton CSE 7330 – Fall 2009

  2. Protecting a Critical Resource Banking/Financial Records Medical Records Inventory Customer Information Personnel Records Student Records

  3. Threats to Data Copy Destroy Modify “Securing the Database may be the single biggest action an organization can take to protect its assets.” – David Knox

  4. Results of an “Incident” Loss of reputation Loss of $$$ Lawsuits (more loss of $) TJX – 45M credit/debit cards, $256M as of 8/2007 -Boston Globe Online

  5. General Security Goals - CIAA Confidentiality Integrity Availability Authentication

  6. Threat Sources External fame or gain Internal gain or revenge

  7. Big Picture • Physical security • Network security • Operating System Security • Application Security • DBMS (yes, these have vulnerabilities too)

  8. Access Control Data Control Language – DCL GRANT priv ON object TO user [WITH GRANT OPTION] REVOKE priv ON object FROM user

  9. Examples Table Level Privileges: GRANT INSERT, UPDATE ON Students TO fred GRANT DELETE ON Students TO sam WITH GRANT OPTION GRANT ALL ON Students TO barney REVOKE INSERT ON Students FROM fred

  10. Examples Column Level: (Select and Update) GRANT UPDATE ON Students (address) TO fred

  11. Examples Object privileges: GRANT CREATE table TO fred

  12. Oracle Virtual Private Database (VPD) Provides row-level security Presents partial view of tables based on policies

  13. VPD - Examples Restrict user to only see courses from CSE User: SELECT * FROM Courses; Executed: SELECT * FROM Courses WHERE department = ‘CSE’; source – Oracle Database 10g Top 20 DBA Features

  14. VPD – Examples – Selective Columns Restrict user to only see students with GPA above 3.0 SELECT * FROM Students; --Will return rows 1 and 3 SELECT COUNT(*) FROM Students; --Will return 2 source – Oracle Database 10g Top 20 DBA Features

  15. VPD – Examples – Column Masking Restrict user to only see GPA values above 3.0 SELECT * FROM Students; source – Oracle Database 10g Top 20 DBA Features

  16. Oracle Label Security Access based on: data sensitivity labels user label authorizations Provides multi-level security capability

  17. Oracle Label Security Data Sensitivity Labels have 3 components Level – required Compartment – optional Group - optional A policy can have up to 999 levels and 9,999 groups and compartments -Source Oracle Label Security Best Practices White Paper

  18. Oracle Label Security - Example -Source Oracle Label Security Best Practices White Paper

  19. Inference Simple example (from Viega& McGraw) SELECT AVG(income) FROM customers WHERE state = “VA” OR (city = “Reno” AND state = “NV” AND age = 72); Followed by: SELECT AVG(income) FROM customers WHERE state = “VA”;

  20. Good Practices Use views Use stored procedures Keep up to date on patches Limit privileges Have a security policy and follow it Encrypt sensitive data Do audits/monitor employees Regular security assessments Enforce strong passwords

  21. Future • More data to protect • More sophisticated attacks • More emphasis on security education (hopefully)

  22. Bibliography • Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers.Apress. • Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media, Inc. • Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip • Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill. • Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook: Defending Database Servers. Wiley. • Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and Procedures. Addison-Wesley Professional. • Needham, P. (2008). Oracle Label Security Best Practices. Oracle. • Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved 10 26, 2009, from http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html • Pfluger, C. P., & Lawrence, S. (2006). Security in Computing (4th ed.). Prentice Hall. • Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.

More Related