CAN A DATABASE REALLY BE SECURE? PRESENTED BY AUDREY WILLIAMS
DATABASE SECURITY What’s the purpose of a Database Security System? To protect the stored data that is being collected to use in meaningful ways such as documents, charts, reports. Also, to secure the data from intruders Spafford implies, “the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”
DATABASE SECURITY In response to Mr. Spafford’s statement – Why should an organization bother to implement a database security system? To protect the company’s clientele from predators that will sell the data to the highest bidder. Database intrusions and thefts will destroy or reduce the company’s credibility & profits.
OVERVIEW What’s the purpose of a database security system? Why should an organization bother to implement a database security system? What kinds of database security features can protect the DBMS? What are the responsibilities of the database administrator?
Levels of data security Human level: Corrupt/careless User Network/User Interface Database application program Database system Operating System Physical level
DATABASE SECURITY [Figure ] demonstrates that the path of a source message comes from the client and is sent to the LAN/WAN router. Next, the source message is passed to the server. The requested data is passed to the internet, internet router, and firewall to the DBMS to retrieve requested information. After the destination server receives the message, the DBMS sends the message back to the client as it was forwarded in the same order. So, the entry point for Hackers to breach the system is the internet, internet router, and firewall connection which places the DBMS in jeopardy of data intrusion.
Network Level Network level: must use encryption to prevent Eavesdropping: unauthorized reading of messages Masquerading: pretending to be an authorized user or legitimate site, or sending messages supposedly from authorized users All information must be encrypted to prevent eavesdropping Public/private key encryption widely used Handled by secure http - https:// Must prevent person-in-the-middle attacks E.g. someone impersonates seller or bank/credit card company and fools buyer into revealing information
Database Application program Authentication and authorization mechanisms to allow specific users access only to required data 1-Authentication: who are you? Prove it! 2-Authorization: what you are allowed to do 3-Application authenticates/authorizes users 4-Application itself authenticates itself to database 5-Database password
Contt… Central authentication systems allow users to be authenticated centrally LDAP or MS Active Directory often used for central authentication and user management in organizations Single sign-on: authenticate once, and access multiple applications without fresh authentication Password only given to central site, not to applications LDAP from Book
DATABASE Security for System What kinds of database security features can protect the DBMS? Digital Certificate is a unique identifier given to an entity to provide authentication of a computer, document, or webpage. Then, a third party such as Equifax certifies that the document is legal or illegal. Encryptions alter the data so unauthorized users cannot view data information. Firewalls protect a network from unauthorized access from the internet. Proxy Servers shield the requests between the client computers inside a private network and the internet. Security Socket Layer connects and transmits encrypted data. S-HTTP (secure hypertext transport protocol) transmits web pages securely. So, by configuring these features with internet and network components, it is possible to provide privacy and security to reduce database security intrusions.
Book Topics More from book SSL Firewalls
Operating system security Installing applications Antivirus Personal firewall Secure shell PGP Putting the workstation on the network Physical security (Architecture) (From Book)
Physical level security Traditional lock-and-key security Protection from floods, fire, etc. E.g. WTC (9/11), fires in IITM, WWW conf website, etc. Protection from administrator error E.g. delete critical files Solution Remote backup for disaster recovery Plus archival backup (e.g. DVDs/tapes) Operating system level Protection from virus/worm attacks critical
RESPONSIBLITIES OF THE DATABASE ADMINISTRATOR To assign unique password & user identification for users to have permission to access, read and or manipulate specific information at a given time. Enable various data layers that secure the access control, auditing and authentication, encryption, and integrity controls. Perform a “vulnerability scan” on a routine basis to locate configuration problems in the data layers of the DBMS software. Evaluate and perform a “vulnerability assessment” against the database. This assessment makes an effort to locate the cracks in the database security.
RESPONSIBLITIES OF THE DATABASE ADMINISTRATOR To continually monitor the database security standards to make sure that the company’s DBMS is in compliance with the database security standards. Two features of the database security compliance must be utilized. Patch Management Method that locates problems in the software, fixes and updates the cracks in the database security. Management & Review of Public & Granted Data Access relates to locating data objects in the database, such as the table that holds data and evaluates who is entitled to manipulate or view the data objects.
RESPONSIBLITIES OF THE DATABASE ADMINISTRATOR Always keep in mind that whenever a system has internet and network connections attached to a DBMS, security breaches will occur. Perform routine backup recovery procedures incase of electrical outage and intruder attacks that can damage the DBMS.
THE CLASSIC DATABASE INTRUDERS The Shifty Employees & Malicious Hackers