
Database Security


Presentation Transcript


  1. Database Security

  2. Breaches of Security
     • Secrecy
     • Theft and fraud
     • Loss of confidentiality
     • Loss of privacy
     • Loss of integrity
     • Loss of availability
     Marina G. Erechtchoukova

  3. Levels of Security Measures
     • Database system
     • Operating system
     • Network
     • Physical
     • Human

  4. Countermeasures
     • Access control
       • Discretionary
       • Mandatory
     • Enforce integrity constraints
     • Encryption
     • Ensure fault-tolerant hardware

  5. Access control
     • Provides restricted access to the database system as a whole
     • In a multi-user database system:
       • Enables certain user groups to access selected portions of a database without gaining access to the rest of the database
     • Authorization
     • Authentication

  6. Views
     • Dynamic result of query execution against the base relations to produce another relation
     • Form external schemas
     • More restrictive than other security measures

  7. Discretionary Access Control
     • Privilege – the right to access a database object in a certain manner
     • Closed systems
       • Authorization to access specific objects is required along with access to the database
     • Open systems
       • Users have complete access to all objects within the database

  8. Types of Authorization
     • Account – authorization identifier
     • Individual user identifier
     • Group identifier
     • Member identifier
     • Priorities

  9. Levels of Discretionary Access
     • Account level of access (system privilege)
       • Specifies privileges which an account holds independently of the relations in the database
     • Relation level (object privilege)
       • The privileges to access an individual relation or a view in the database

  10. Account Level Privileges
     • Are assigned by DBA
     • Describe account capabilities as a whole
     • CREATE SCHEMA
     • CREATE TABLE
     • CREATE VIEW
     • SELECT
     • …

  11. Relation Level Privileges
     • Are part of SQL
     • SQL statements define privileges on:
       • Relations
       • Attributes
     • Privilege control is based on owner account

  12. Ownership
     • Each database object belongs to an owner
     • DBA is a superuser who owns objects belonging to the DBMS itself
     • Owner account is an account where the object was created first
     • Has all privileges on the object

  13. Access Control Matrix
     • Rows represent subjects (or users)
     • Columns represent objects
     • Intersection of a row and column represents the privileges based on the following binary codes:

  14. Privileges in SQL
     • Delete
     • Update
     • Insert
     • Select (read data)
     • References
     • Alter
     • Index
     • Object owner can grant or revoke privileges

  15. Granting privileges
     • On tables and views
       GRANT [privilege list] ON [table or view name] TO [userID/role list]
     • On attributes
       GRANT UPDATE(Mark) ON Transcript TO Instructor;

  16. Role-Based Authorization
     • Role – a user's responsibilities within the organization
       CREATE ROLE Instructor;
       CREATE ROLE TA;
     • A role can be granted to users or other roles

  17. User Privileges
     • Privileges can be granted to a role
       GRANT Insert ON Transcript TO TA;
       GRANT TA TO Smith;
     • All privileges of a user consist of:
       • Privileges granted directly to the user;
       • Privileges granted to the role that had been granted to the user

  18. The Privilege to Grant Privileges
       GRANT [privilege list] ON [table or view name] TO [userID/role list] WITH GRANT OPTION;
     • A user holding a privilege with the GRANT OPTION can pass it to other users

  19. Privilege Withdrawal
       REVOKE [privilege list] ON [object] FROM user/role;
     • Abandoned objects
     • Implementation issues
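
The grant, role and revoke rules from slides 16 to 19, modelled in Python as an added example (not part of the original slides and not any DBMS's actual algorithm). The owner account `Registrar` and the users `Lee` and `Jones` are constructed names; revocation here cascades, keeping only grants that still trace back to the object's owner.

```python
from collections import defaultdict

class AuthCatalog:
    def __init__(self, owners):
        self.owners = dict(owners)        # object -> owner account
        self.grants = set()               # (grantor, grantee, priv, obj, grant_option)
        self.roles_of = defaultdict(set)  # user or role -> roles granted to it
    def grant_role(self, role, grantee):  # models GRANT role TO grantee
        self.roles_of[grantee].add(role)
    def ids(self, user):                  # the user plus all roles reachable from it
        seen, todo = set(), [user]
        while todo:
            ident = todo.pop()
            if ident not in seen:
                seen.add(ident)
                todo.extend(self.roles_of[ident])
        return seen

    def _holds(self, user, priv, obj, grants, need_option):
        ids = self.ids(user)
        return self.owners[obj] in ids or any(
            g[1] in ids and g[2:4] == (priv, obj) and (g[4] or not need_option)
            for g in grants)
    def has(self, user, priv, obj):       # direct grants plus grants to held roles
        return self._holds(user, priv, obj, self.grants, need_option=False)
    def grant(self, grantor, grantee, priv, obj, grant_option=False):
        if not self._holds(grantor, priv, obj, self.grants, need_option=True):
            raise PermissionError(f"{grantor} cannot grant {priv} on {obj}")
        self.grants.add((grantor, grantee, priv, obj, grant_option))

    def revoke(self, grantor, grantee, priv, obj):
        self.grants = {g for g in self.grants if g[:4] != (grantor, grantee, priv, obj)}
        valid, grew = set(), True         # keep only grants that still trace back
        while grew:                       # to the owner, so cycles do not survive
            grew = False
            for g in self.grants - valid:
                if self._holds(g[0], g[2], g[3], valid, need_option=True):
                    valid.add(g)
                    grew = True
        self.grants = valid

def scenario():
    cat = AuthCatalog({"Transcript": "Registrar"})   # Registrar: assumed owner
    cat.grant("Registrar", "Instructor", "UPDATE", "Transcript", grant_option=True)
    cat.grant_role("Instructor", "Lee")              # Lee, Jones: constructed users
    cat.grant("Lee", "Jones", "UPDATE", "Transcript")
    before = cat.has("Jones", "UPDATE", "Transcript")
    cat.revoke("Registrar", "Instructor", "UPDATE", "Transcript")
    return before, cat.has("Jones", "UPDATE", "Transcript"), cat.has("Lee", "UPDATE", "Transcript")
```

Revoking the Instructor role's privilege also removes the privilege Lee passed on to Jones, because that grant no longer has a valid source.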

  20. Mandatory Access Control
     • All-or-nothing method
     • Additional security policy
     • Security classes:
       • Top secret
       • Secret
       • Confidential
       • Unclassified

  21. Bell-LaPadula Model
     • Subjects and objects are classified
     • Simple Security Rule: Subject S is allowed to read object O only if class(S) ≥ class(O)
     • *-Property: Subject S is allowed to write object O only if class(S) ≤ class(O)
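
The two Bell-LaPadula rules applied as a reference monitor, in an added Python example that is not part of the original slides. It uses the four security classes from slide 20 and also checks that, with both rules enforced, no subject can move data from a higher class to a lower one; the subject and object names and their classifications are constructed.

```python
from enum import IntEnum
from itertools import product

class Level(IntEnum):                      # security classes, lowest to highest
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def can_read(subject, obj):                # Simple Security Rule: no read up
    return subject >= obj

def can_write(subject, obj):               # *-Property: no write down
    return subject <= obj

def decide(subjects, objects, requests):
    """Reference-monitor decision for each (subject, op, object) request."""
    rule = {"read": can_read, "write": can_write}
    return [rule[op](subjects[s], objects[o]) for s, op, o in requests]

def flows(subjects, objects):
    """(src, dst) pairs where one subject may read src and also write dst."""
    return {(a, b) for a, b in product(objects, repeat=2) if a != b and any(
        can_read(lvl, objects[a]) and can_write(lvl, objects[b])
        for lvl in subjects.values())}

def downward_flows(subjects, objects):
    """Flows that would move data to a lower class; the two rules leave none."""
    return {(a, b) for a, b in flows(subjects, objects) if objects[a] > objects[b]}

# Constructed sample data; names and classifications are assumptions.
SUBJECTS = {"clerk": Level.CONFIDENTIAL, "analyst": Level.SECRET}
OBJECTS = {"Catalog": Level.UNCLASSIFIED, "Transcript": Level.CONFIDENTIAL,
           "Payroll": Level.SECRET}
REQUESTS = [("analyst", "read", "Transcript"),   # read down: allowed
            ("analyst", "write", "Transcript"),  # write down: denied
            ("clerk", "read", "Payroll"),        # read up: denied
            ("clerk", "write", "Payroll")]       # write up: allowed

if __name__ == "__main__":
    print(decide(SUBJECTS, OBJECTS, REQUESTS), downward_flows(SUBJECTS, OBJECTS))
```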

  22. Enforcing Integrity Constraints
     • Key constraints
     • Entity integrity constraint
     • Referential integrity constraints
     • Domain constraints
     • General constraints

  23. Encryption
     • Plaintext
       • The message in the original format
     • Ciphertext
       • The message in the unreadable form
     • Encryption (decryption) algorithms
       • Mathematical formula
     • Key – a certain combination of symbols:
       • Encryption key
       • Decryption key

  24. Cryptosystems
     • Symmetric systems – single-key systems:
       • A single key is used to encrypt and decrypt
       • Data Encryption Standard
     • Asymmetric systems – two-key systems:
       • 2 keys – private and public
       • If text is encrypted by one key, it can be decrypted only by the other
       • RSA

  25. Encryption Applications
     • Digital signatures
     • Message digest algorithm
     • Digital certificates
     • Secure Sockets Layer
     • Secure Electronic Transactions

  26. Secure Sockets Layer
     • A combination of encryption algorithms and an authentication method is a cipher suite
     • SSL selects the strongest available cipher suite
     • Web-based application:
       • HTTPS
     • All outgoing messages can be encrypted

  27. RAID
     • Supports fault-tolerance of hardware and efficient data retrieval
     • Data is stored redundantly
     • Data striping:
       • Striping unit

  28. RAID Levels
     • RAID 0 – non-redundant with striping unit of a block
     • RAID 1 – Mirrored
     • RAID 0+1 – Striping and mirroring
     • RAID 2 – Error Correcting Codes with striping unit of a single bit

  29. RAID Levels (cont…)
     • RAID 3 – Bit-Interleaved Parity. Striping unit is a bit. Parity information is stored redundantly on a separate disk.
     • RAID 4 – Block-Interleaved Parity. Striping unit is a disk block. Parity information is stored redundantly

  30. RAID Levels (cont…)
     • RAID 5 – Block-Interleaved Distributed Parity. Similar to RAID 3. Parity information is distributed across all the disks
     • RAID 6 – P+Q Redundancy. Similar to 5 with error correction algorithm instead of parity bits
