Database Application Security Models Database Application Security Models 1

Tags:

Preview:

Click to see full reader

Citation preview

Database Application Database Application Security ModelsSecurity Models

1

2

ObjectivesObjectives

• What we have learned– the necessary background and best practices for

database security and its elements– how to create users and roles and to assign privileges

to users

• Describe the different types of users in a database environment and the distinct purpose of each

• Identify and explain the concepts of five security models

• List the most commonly used application types

3

Objectives (continued) Objectives (continued)

• Implement the most common application security models

• Understand the use of data encryption within database applications

4

Types of UsersTypes of Users

• Application:– Solves a problem

– Performs a specific business function• MS Word, Adobe Acrobat Reader, etc

• Database: collection of related data files used by an application

• Application user: a record created for a user within the application schema to be used for authentication to the application

5

Types of Users (continued)Types of Users (continued)• Types:

– Application administrator

– Application owner

– Application user

– Database administrator

– Database user

– Proxy user (A database user that has specific roles and privileges

assigned to it. Isolating application users from the database)

– Schema owner

6

Security ModelsSecurity Models

• Access Matrix Model:– Represents two main entities: objects and

subjects:• Columns represent objects• Rows represent subjects

– Objects: tables, views, procedures, database objects

– Subjects: users, roles, privileges, modules

– Authorization cell (access details on the object granted to the

subject. access, operation, or commands)

7

Security Models (continued)Security Models (continued)

8

Security Models (continued)Security Models (continued)

• Access Modes Model:– Uses objects and subjects

– Specifies access modes: static and dynamic modes

– Access levels: a subject has access to objects at its level and all levels below it

9

Security Models (continued)Security Models (continued)

10

Security Models (continued)Security Models (continued)

11

Application TypesApplication Types

• Client/Server applications:– Management Information System (MIS) department:

• Thirty year ago centralized information• Developed mainframe projects• Was a bottleneck

– Personal computer was introduced.• A better architecture had to be developed that could take advantage of the

flexibility of the PC, overcome the bottlenecks of the MIS Department, and overcome the inability of the PC environment to grow with increasing data needs.

– Based on the business model• the client submits inquiries and the server responds with answers to

these inquiries

12

Client/Server ApplicationsClient/Server Applications

13

Client/Server Applications (continued)Client/Server Applications (continued)

• Provides a flexible and scalable structure• Components:

– User interface

– Business logic

– Data access

• Components usually spread out over several tiers:– Minimum two

– Normally, four to five

14

Client/Server Applications (continued)Client/Server Applications (continued)

15

Client/Server Applications (continued)Client/Server Applications (continued)

16

Web ApplicationsWeb Applications

• Evolved with the rise of dot-com and Web-based companies

• Uses the Web to connect and communicate to the server

• A Web application uses HTML pages created using:– ActiveX– Java applets or beans– ASP (Active Server Pages)– More

17

Web Applications (continued)Web Applications (continued)

18

Web Applications (continued)Web Applications (continued)• Components:

– Web browser layer• A typical browser program that allows users to navigate through Web pages found on

the Internet

– Web server layer• A software program residing on a computer connected to the Internet that responds

to requests submitted by the Web browsers

– Application server layer• A software program residing on a computer that is used for data processing and for

interfacing to the business logic and database server

– Business logic layer• A software program that implements business rules

– Database server layer• A software program that stores and manages data

19

Web Applications (continued)Web Applications (continued)

20

Data Warehouse ApplicationsData Warehouse Applications

• Used in decision-support applications• Collection of many types of data taken from a

number of different databases• Typically composed of a database server• Accessed by software applications or reporting

applications: online analytical processing (OLAP)

21

Data Warehouse Applications Data Warehouse Applications (continued)(continued)

22

Application Security ModelsApplication Security Models

• Models:– Database role based

– Application role based

– Application function based

– Application role and function based

– Application table based

23

Security Model Based on Database Security Model Based on Database RolesRoles

• Application authenticates application users: maintain all users in a table

• Each user is assigned a role; roles have privileges assigned to them

• A proxy user is needed to activate assigned roles; all roles are assigned to the proxy user

• Model and privileges are database dependent

24

Security Model Based on Database Security Model Based on Database Roles (continued)Roles (continued)

25

Security Model Based on Database Security Model Based on Database Roles (continued)Roles (continued)

• Implementation in Oracle:– Create users

– Add content to your tables

– Add a row for an application user

– Create a proxy user

– Create roles

– Grant roles to the proxy user

– Look for application user’s role

– Activate the role for this specific session

26

Security Model Based on Application Security Model Based on Application RolesRoles

• Application roles are mapped to real business roles (titles or positions)

• Application authenticates users• Each user is assigned to an application role;

application roles are provided with application privileges (read and write)

27

Security Model Based on Application Security Model Based on Application Roles (continued)Roles (continued)

28

Security Model Based on Application Security Model Based on Application FunctionsFunctions

• Application authenticates users• Application is divided into functions• Considerations:

– Isolates application security from database

– Passwords must be securely encrypted

– Must use a real database user

29

Security Model Based on Application Security Model Based on Application Functions (continued)Functions (continued)

30

Security Model Based on Application Security Model Based on Application Roles and FunctionsRoles and Functions

• Combination of models• Application authenticates users• Application is divided into functions:

– Roles are assigned to functions

– Functions are assigned to users

• Highly flexible model

31

Security Model Based on Application Security Model Based on Application Roles and Functions (continued)Roles and Functions (continued)

32

Security Model Based on Application Security Model Based on Application TablesTables

• Depends on the application to authenticate users

• Application provides privileges to the user based on tables; not on a role or a function

• User is assigned access privilege to each table owned by the application owner

33

Security Model Based on Application Security Model Based on Application Tables (continued)Tables (continued)

34

Data EncryptionData Encryption

• Passwords should be kept confidential and preferably encrypted

• Passwords should be compared encrypted:– Never decrypt the data

– Hash the passwords and compare the hashes• A hash is an algorithm that converts a varying text

message to a fixed-length message.

35

Data Encryption (continued)Data Encryption (continued)

36

SummarySummary

• An application user is simply a record created for a user within the application schema; usually does not have database privileges or roles assigned

• Access matrix:– Columns represent objects

– Rows represent subjects

– Authorization cell

• Access mode

37

Summary (continued)Summary (continued)

• Application types: client/server, Web, and Data Warehouse

• Application security models– Database roles

– Application roles

– Application functions

– Roles and functions in the application

– Application tables

Recommended

OTHER DATABASE MODELS OTHER DATABASE MODELS The relational database is not the only database model in use today. Two other common models are distributed
Documents
05 Database Models
Education
Database Security Assessment Tool Tutorial · 2 | Database Security: Identifying Security Risks with the Database Security Assessment Tool TUTORIAL OVERVIEW Welcome to this Database
Documents
Oracle Database Security - · PDF fileOracle Database Security Paul Needham, Senior Director, Product Management, Database Security. Target of Data Breaches ... Oracle Database Vault
Documents
1 Database Application Security Models Database Application Security Models Dr. Gabriel
Documents
Database Security DBMS Features Statistical Database Security
Documents
4.1 Database Models
Documents
Database Security Managing Users and Security Models
Documents
Oracle Database Security - storage.googleapis.com · Oracle Database Security . Defense-in-Depth for Security and Compliance Database Vault Label Security . Access Control . Configuration
Documents
Database Security - Farkas 1 Database Security and Privacy
Documents
Database and Database Security
Technology
Database security
Technology
Database models
Documents
Database Consistency Models
Software
Object oriented Database Prof. Sin-Min Lee. Database Management Systems Database Models Database Models Relational Database Object Oriented Database
Documents
Database Security
Documents
Database Management & Models
Technology
Database auditing models
Engineering
Database Security with the SecureSphere Database Security Gateway
Documents