Chapter 13: Data Security & Disaster Recovery Database Management Systems

Chapter 13:Data Security & Disaster Recovery

Database Management Systems

2

Agenda

Data security threat locations & consequences.

Data Security Management: Controls

Data Security Plan Information Privacy Security in MS Access & SQL Server Global state of data security (PWC

survey) Database back-up & recovery

Virginia ILIE, Ph.D.

3

Data Security

What is happening? Stolen customer/student/health

records. Online fraud Corporate espionage Phising….viruses….how long can this

list get? FBI report: 3,000 clandestine

organizations in the US with a sole purpose: steal secrets and acquire technology for foreign organizations.


4

Data Security: Threats Location


5

Data Security: Consequences

Loss of privacy (personal data) Loss of confidentiality (corporate

data) Loss of data integrity Loss of availability Loss of money

Above all: Loss of Credibility, Reputation…Virginia ILIE, Ph.D.

6

Authorization table for subjects (e.g. “Salespeople”)

Authorization table for objects (e.g. “Orders”)

Data Security Controls: Authorization

Restrict access to data & actions that people can take on the data.


7

Data Security Controls: Authentication

What is authentication?

First line of defense: Passwords.

Two factor authentication–e.g. Token/Card plus PIN.

Three factor authentication–e.g. Token/Card, PIN, biometrics.

Advantages and disadvantages of each?


8

Data Security Controls: Encryption

- The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.

- Commonly used in online transactions.

- Two key-encryption: employs a public & private key.


9

Data Security Controls: Non-Computer-Based Controls

Physical access controls Equipment locking, check-out procedures,

security cameras Personnel controls

The “Insider threat” 84% of attacks originate from current/former

employees (40% originate from hackers). Source: CIO Magazine.

Maintenance controls Maintenance agreements, access to source

code, quality and availability standards


10

Client/Server Security

Network security controls.

Server security controls.

Client workstation security controls.


11

Data Security Plan

Identify assets and estimate their value: hardware, software, data, networks

Threat assessment Vulnerability assessment Calculate the impact of each

threat/vulnerability on each asset (qualitatively or quantitatively)

Select and apply appropriate controls based on the value of the asset: Computer-based controls Non-computer based controls

Evaluate effectiveness of the control measures


12

Data Security Plan: Outcomes

Managerial Decisions: Accept the risk Mitigate the risk Ignore the risk


13

Security in MS Access: Use of a Password


14

MS Access Permissions


15

MS Access Permissions


16

Security in SQL Server: Permissions


17

Global State of Data Security Global survey of about 8,000 IT &

security executives (PricewaterhouseCoopers, 2005, 2006, 2007)

63 countries and 6 continents, 7200 respondents.

____% reported they had a security strategy in place.

____% said they are considering security in the year(s) to come.


18

Security: Strategic vs. Tactical

Data Security is a “wildfire” “When you spend all that time fighting

fires, you don’t even have time to come up with new ways to build things so that they don’t burn down” (Security analyst PWC).

Reactive versus Proactive approach to managing data security.

Bias toward technology. Technology is largely reactive!


19

Data Security: Industry Analysis

Financial sector versus others.Why the gap?


20

What about Security in India?

Trends

CISOs and CSOs employed continues to rise. More firms conduct enterprise risk assessments. Encryption is at an all-time high - 72% of firms

use it (2007) compared to 48% (2006). Security investment must shift from the tactical,

technology-heavy approach to an intelligence-centric, risk analysis and mitigation philosophy.

Address the human element not only the technological one.

21Virginia ILIE, Ph.D.

22

Data Security Many times it is a LEGAL

requirement. Sarbanes-Oxley act of 2002 (section

404) Health Insurance Portability and

Accountability Act (HIPAA). State Security Breach Notification

Laws The Family Educational Rights and

Privacy Act (FERPA)


23

Compliance? Percentage of US organizations

admitting they are in compliance with security practices in 2006:

SOX: 28% HIPAA: 40% California breach notification act: 15% Other state/local privacy regulations:

32% Is the door open for criminal charges

& lawsuits & fines & and more? Virginia ILIE, Ph.D.

2424

Database Backup & Recovery Backup vs. Recovery

WHY? Human error or sabotage Hardware failure Invalid data Application program errors Viruses Natural disasters and more…


2525

Database Backup & Recovery Back-up Strategies:

Full shut-down Selective shut-down Incremental back-up

Recovering Strategies: Disk Mirroring:

Allows for fastest recovery. Great for applications that require high data availability.

Restore/Rerun Not a very good solution.


26

Database Backup & Recovery


2727

Disaster Recovery

“The best way of crisis management is preparation” (Mitroff, 2005)

Have a clear plan that can be implemented in case of disaster. Establish secure back-up center at an

off-site location. Schedule periodic back-ups at that

location. Establish recovery team and

procedures.


2828

Cost of Downtime

Estimated cost of downtime by Availability

Estimated cost of downtime by type of business


29

Next…

Discuss some of the articles related to data security implementation in organizations…

Emphasis is on how security controls implementation is managed in organizations.


Documents

Chapter 13: Data Security & Disaster Recovery Database Management Systems