Database Security

Database Security Lecture


Page 1: Database Security Lecture

Database Security

Overview

• Definition
  – Reasons for security
  – Issues
• Types of security
  – Effective security
  – System Requirements
• Database Security
  – Questions to ask when considering security
  – Database-independent measures
  – Database-dependent measures
  – Security in SQL

Database Security

• Definition
  – “Security protects data from intentional or accidental misuse or destruction, by controlling access to the data.” (Stamper & Price)
  – “Database security is concerned with the ability of the system to enforce a security policy governing the disclosure, modification or destruction of information.” (Pangalos)

Reasons for Security

• Moral/Ethical
• Legal requirements
• Commercial security
• Fraud/Sabotage
• Mistakes

Moral/Ethical

There may be moral reasons for controlling who has access to information. For example, medical records are confidential because of people’s right to privacy.

Legal Requirements

The Data Protection Act requires companies to register personal data with the data protection registrar. The act imposes constraints on how information may be used and who may have access to it. Information about individuals must be correct, up-to-date and available for inspection by the individuals concerned.

Commercial Security

Information held by companies is a valuable resource which may be useful to competitors. For example, a list of customers who have bought insurance policies may be valuable to other insurance companies.

Fraud/Sabotage

Information may be misused, for example in insider dealing, or used to mislead.

Mistakes

Many problems are not malicious but are caused by users accidentally changing the data.

Issues

• Confidentiality
  – information is only disclosed to authorized users
• Integrity
  – information is only modified by authorized users
• Availability
  – information is accessible by authorized users

Types of Security

• Authorization Policies
  – Disclosure and modification of data
• Data Consistency Policies
  – Consistency and correctness of data
• Availability Policies
  – Availability of information to users
• Identification/Authentication/Audit Policies
  – Authorizing users to access data

Effective Security - Assumptions

• Correct User Identification
  – It should not be possible to fool the DBMS, e.g. usernames, passwords, etc.
• Unanticipated Observers
  – It should not be possible to gain access to the DBMS through components (disks, tapes, network, etc.), e.g. encryption
• User/Privilege information protected
  – It should not be possible to access user information, e.g. passwords

System Requirements

• S/W and H/W around the database
  – All aspects of the system must be considered
• Data Integrity
  – All data must be correct and consistent
  – Users must be able to trust the database content
• Data Availability
  – Fault tolerance, redundancy, etc.
• Auditing
  – Useful but not excessive

Constraints

• Security constraints
  – Authorization controls
  – Stored in the data dictionary
  – DBMS monitors constraints
• Integrity constraints
  – Consistency controls
  – Stored in the data dictionary
  – DBMS monitors integrity


Security constraints in a database are concerned with controlling and authorizing access to the data. For example,

(a) Who may insert data into a table?

(b) Who may create a table?


Integrity constraints are concerned with maintaining the database in a consistent/correct state.

For example,

(a) Employees’ salaries may not increase by more than 5% per year,

(b) All employees must work on a project.


Security and integrity are related concepts. Both are:

(a) Stored in the data dictionary,

(b) Enforced by the DBMS.
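The two integrity rules from the slides above, written out as an added example in Oracle SQL (this is not code from the lecture; the table names, column names, the salary-history table and the twelve-month window are assumptions). Rule (b) is a declarative constraint; rule (a) compares a new value with history, which a CHECK constraint cannot do, so the DBMS enforces it through a trigger:

```sql
-- Added example (not from the lecture): integrity constraints enforced by the DBMS.
-- Names are assumptions.

CREATE TABLE projects (
    project_id   NUMBER        PRIMARY KEY,
    project_name VARCHAR2(60)  NOT NULL
);

CREATE TABLE employees (
    emp_id     NUMBER        PRIMARY KEY,      -- unique identifier for each employee
    emp_name   VARCHAR2(60)  NOT NULL,
    salary     NUMBER(10,2)  NOT NULL CHECK (salary > 0),
    -- Rule (b): all employees must work on a project.
    -- NOT NULL plus the foreign key means a row cannot exist without a valid project.
    project_id NUMBER        NOT NULL
               CONSTRAINT fk_emp_project REFERENCES projects (project_id)
);

-- Every salary change is recorded so the "per year" limit can be checked.
CREATE TABLE salary_history (
    emp_id     NUMBER        NOT NULL REFERENCES employees (emp_id),
    changed_on DATE          NOT NULL,
    old_salary NUMBER(10,2)  NOT NULL
);

-- Rule (a): salaries may not increase by more than 5% per year.
-- The base is the salary that was in effect twelve months ago: the old value of the
-- earliest change in the last year, or the current value if nothing changed.
CREATE OR REPLACE TRIGGER trg_salary_cap
BEFORE UPDATE OF salary ON employees
FOR EACH ROW
DECLARE
    v_base employees.salary%TYPE;
BEGIN
    SELECT NVL(MIN(old_salary) KEEP (DENSE_RANK FIRST ORDER BY changed_on), :OLD.salary)
      INTO v_base
      FROM salary_history
     WHERE emp_id = :OLD.emp_id
       AND changed_on >= ADD_MONTHS(SYSDATE, -12);

    IF :NEW.salary > v_base * 1.05 THEN
        RAISE_APPLICATION_ERROR(-20001,
            'Salary may not rise by more than 5% in any twelve-month period');
    END IF;

    -- Record the value being replaced so later raises are measured against it.
    INSERT INTO salary_history (emp_id, changed_on, old_salary)
    VALUES (:OLD.emp_id, SYSDATE, :OLD.salary);
END;
/

-- Constructed sample data to exercise the rules.
INSERT INTO projects  VALUES (1, 'Payroll migration');
INSERT INTO employees VALUES (100, 'A. Smith', 30000, 1);

UPDATE employees SET salary = 31500 WHERE emp_id = 100;  -- +5.0%: accepted
UPDATE employees SET salary = 32000 WHERE emp_id = 100;  -- +6.7% over the year: ORA-20001

INSERT INTO employees VALUES (101, 'B. Jones', 28000, NULL);  -- no project: ORA-01400
INSERT INTO employees VALUES (102, 'C. Lee',   28000, 99);    -- unknown project: ORA-02291
```

Both rules live in the data dictionary with the table, so every application that updates `employees` is bound by them, not only the one that happened to implement the check in its own code.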

• How valuable is the data?
• Which data must be secured?
• What will illegal access to the data cost?
• What are the implications of changed/destroyed data?
• Will security measures affect the proper functioning of the database?
• How can unauthorized access occur?


Security Questions

How valuable is the data?

Different types of data need different levels of security. Publicly available data, for example, stock prices, do not require the same level of security as private data, for example, employee salaries.

What will illegal access to the data cost?

If a piece of data has a high value, for example, information about the performance of a company, then illegal access may be very costly. The cost of ‘losing’ the data determines how much security is required.

What are the implications of changed/destroyed data?

If losing a piece of data has disastrous consequences then the security must be higher. For example, if a sales person builds up a customer list over many years then losing the list to a competitor could be very costly.

Will security measures affect the proper functioning of the database?

If security stops legitimate individuals from accessing the data, then it may not be suitable.

Database-Independent Security Mechanisms

• Usernames and passwords
• Physically secure hardware
• Data encryption
• Hardware/User profiles
  – e.g. login times, CPU usage
• Program security
• Audit Trails

Database-independent security mechanisms can be applied to any database system:

1. Operating systems use usernames and passwords to control access. A DBMS also uses usernames and passwords to restrict access to the data. On its own this is an unreliable method of controlling access.

2. Hardware can be physically secured (to avoid damage to the machine) by placing it in a secure room. A machine which is attached to a network may still be insecure because access can be gained across the network.

3. Data encryption is often used when information is transmitted across a network. A DBMS can also encode the data so that it is unreadable without accessing it through a query language. This stops users accessing the data by reading the data files and, therefore, bypassing the DBMS security measures.

4. Profiles describe different categories of user who have the same privileges. For example, all project leaders may have access to project data during working hours.

5. In a client/server environment it is not sufficient to secure the client without securing the database. The clients can provide a first level of security but should not be the only means of securing the system.

6. Audit trails provide a complete history of all interactions with the database including who accessed the system, what was accessed, when it was accessed, etc.
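Points 4 and 6 above (profiles and audit trails) as an added example in Oracle SQL. This is not code from the lecture: the profile name, limits, account names, the `hr.employees` object and the working-hours window are all assumptions, and the `AUDIT` statements use Oracle's traditional (pre-unified) auditing, which needs the `AUDIT_TRAIL` instance parameter set to `DB`. The statements are run by a DBA account:

```sql
-- Added example (not from the lecture). All names and limits are assumptions.

-- 4. Profile: one set of resource and password limits shared by every
--    "project leader" account, instead of configuring each user separately.
CREATE PROFILE project_leader_profile LIMIT
    SESSIONS_PER_USER       2        -- concurrent sessions per account
    CPU_PER_SESSION         600000   -- hundredths of a second of CPU per session
    CONNECT_TIME            480      -- minutes a session may stay connected
    IDLE_TIME               30       -- minutes idle before the session is ended
    FAILED_LOGIN_ATTEMPTS   5        -- lock the account after repeated bad passwords
    PASSWORD_LOCK_TIME      1        -- days the lock lasts
    PASSWORD_LIFE_TIME      90;      -- days before the password must be changed

CREATE USER pl_smith IDENTIFIED BY "Pl-Example-Pw-1" PROFILE project_leader_profile;
GRANT CREATE SESSION TO pl_smith;

-- Login times are not a profile parameter in Oracle, so the "working hours only"
-- rule is applied with a database logon trigger: sessions for users on the
-- profile are refused outside 08:00-18:00. Created as SYS so it can read DBA_USERS.
CREATE OR REPLACE TRIGGER trg_working_hours
AFTER LOGON ON DATABASE
DECLARE
    v_profile dba_users.profile%TYPE;
BEGIN
    SELECT profile INTO v_profile FROM dba_users WHERE username = USER;
    IF v_profile = 'PROJECT_LEADER_PROFILE'
       AND TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 8 AND 17 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Logins are permitted between 08:00 and 18:00 only');
    END IF;
END;
/

-- 6. Audit trail: who accessed the system, what was accessed and when.
AUDIT SESSION;                                                  -- every logon and logoff
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS; -- one record per statement

-- Reviewing the trail: every read or change of HR.EMPLOYEES in the last 24 hours,
-- including failed attempts (RETURNCODE <> 0), which are the first sign of misuse.
SELECT username, userhost, timestamp, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'HR'
   AND obj_name = 'EMPLOYEES'
   AND timestamp >= SYSDATE - 1
 ORDER BY timestamp;
```

The profile keeps the limits in one place, which matches the slide's point that a profile describes a category of user rather than an individual; the audit query is the "useful but not excessive" part, since auditing only the sensitive table rather than everything keeps the trail small enough to actually be read.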

Database-Dependent Security Mechanisms

• Controlling access
  – Users and roles
    • Username/password
    • Groups
  – Schemas
    • Set of tables, etc. owned by a user
• Controlling behavior
  – Privileges
    • Rights to access the DBMS
• Controlling integrity
  – Integrity constraints

Database-dependent security mechanisms refer to security features provided by specific database management systems. There are three parts to database-specific security measures:


1. Controlling access to the database

• Most database systems provide a method of setting up users. By allocating to each person who accesses the

system a username the database administrator can monitor who is accessing the system.

• Schemas are sets of tables which belong to particular users. Each user can only see their own schema, or set of tables. A user may give permission to another user to view or change their schema.


2. Controlling behavior while connected to the database

• The behavior of each user who is connected to the database can be controlled by allocating or removing the privileges owned by a user.

3. Controlling integrity of data in the database

• Integrity constraints impose limits on the type of data which may be entered into the DBMS. For example, by declaring a primary key a user requires that each row in a set of data has a unique identifier.

Controlling Access

• Discretionary Access Control
  – Users
    • A name that can connect and access objects in the database
    • Users log in using a name (and password)
  – Schema
    • A collection of objects associated with a user
      – e.g. tables, views, indexes, procedures, etc.
    • Access to a schema is granted at the discretion of the user

• Many databases, including Oracle, use discretionary access control to manage the security of the database. Users of the database can grant permission to use database objects to other users. Each user has the discretion to allow other users to use their data.

• The two main methods of implementing discretionary access control in the database are:

• Users

Users are names that the database recognizes as being allowed to access the database. A user logs into the database by giving the DBMS a valid username. Users are often required to also provide a password. Once the DBMS knows the name of the user it can then allow that user to access the data.

• Schema

The schema is a set of database objects that have been created in the database. Each user can have one or more schemas.

Controlling Behavior

• Privileges
  – “the right to execute a particular SQL statement or to access another user’s object” (Oracle Concepts Manual)
• Types
  – Connecting to the DBMS
  – Creating objects
    • Tables, views, etc.
  – Accessing/changing data
  – Executing procedures


• We can give users the right to access data in the database by allocating privileges to the user. There are many different types of privileges that can be given to a user. For example, most users must be given the privilege to connect to the database and to create tables in the database.
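The users, schemas and privileges described from "Controlling Access" through to this slide, as one added example in Oracle SQL (not code from the lecture; the account names, passwords, tablespace, object names and role name are assumptions). It shows a user being created and given system privileges, objects living in that user's schema, the owner granting object privileges at her discretion, and a role bundling privileges for a group of users:

```sql
-- Added example (not from the lecture). All names and passwords are assumptions.

-- (run as a DBA)
-- 1. Users: names the DBMS recognises as allowed to connect.
CREATE USER alice IDENTIFIED BY "Alice-Example-Pw-1" DEFAULT TABLESPACE users QUOTA 50M ON users;
CREATE USER bob   IDENTIFIED BY "Bob-Example-Pw-1"   DEFAULT TABLESPACE users;

-- System privileges: the right to run particular SQL statements.
GRANT CREATE SESSION TO alice, bob;          -- both may connect
GRANT CREATE TABLE, CREATE VIEW TO alice;    -- only alice may create objects

-- Roles ("groups"): a named bundle of privileges granted as a unit.
CREATE ROLE project_leader;
GRANT project_leader TO bob;

-- (run as alice)
-- 2. Schema: objects alice creates belong to the schema ALICE.
CREATE TABLE projects (
    project_id   NUMBER        PRIMARY KEY,
    project_name VARCHAR2(60)  NOT NULL,
    budget       NUMBER(12,2)
);

-- A view that exposes only the non-sensitive columns of the table.
CREATE VIEW project_names AS
    SELECT project_id, project_name FROM projects;

-- Object privileges, granted at the owner's discretion (discretionary access control):
-- everyone with the role may read names; only the role may update the budget column.
GRANT SELECT ON project_names TO bob;
GRANT SELECT, UPDATE (budget) ON projects TO project_leader;

-- What alice has handed out is itself recorded in the data dictionary.
SELECT grantee, table_name, privilege FROM user_tab_privs_made;

-- (run as bob)
SELECT * FROM alice.project_names;            -- allowed: direct grant
UPDATE alice.projects SET budget = 1000
 WHERE project_id = 1;                        -- allowed: via role PROJECT_LEADER
-- UPDATE alice.projects SET project_name = 'x' WHERE project_id = 1;
--   ORA-01031: the role holds UPDATE on the budget column only
-- DROP TABLE alice.projects;
--   ORA-00942: no DROP privilege, so the object is invisible to bob

-- (run as a DBA) Controlling behaviour also means taking rights away again.
REVOKE project_leader FROM bob;
-- (run as alice)
REVOKE SELECT ON project_names FROM bob;      -- bob can no longer see the view at all
```

Two points worth noticing: the owner, not the DBA, decides who may see `ALICE.PROJECTS`, which is exactly what "discretionary" means on the slides; and because the grants are kept in the data dictionary (`USER_TAB_PRIVS_MADE`, `DBA_ROLE_PRIVS`), the DBMS can enforce them for every connection, whichever client program it came from.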