Database Security - Deals with techniques for securing databases against a wide variety of threats. - It is a specialty within the broader discipline of.


1 Database Security
- Deals with techniques for securing databases against a wide variety of threats.
- It is a specialty within the broader discipline of computer security: the system, processes, and procedures that protect a database from unintended activity, categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes.

2 Brief Rundown of Things to Cover
- Introduction to Database Security Issues
- Discretionary Access Control Based on Granting and Revoking Privileges
- Mandatory and Role-Based Access Control for Multilevel Security
- Statistical Database Security
- Flow Control
- Encryption and Public Key Infrastructures
- Privacy Issues and Preservation
- Database Security Challenges

3 Issues of Database Security (Introduction to Database Security Issues)
- What data is it legal and ethical to access?
- Governmental, institutional, or corporate level policies
- Information system level issues of security
- Identifying multiple security levels

4 Threats to Databases (Introduction to Database Security Issues)
- Loss of integrity: information must be protected from improper modification, whether by intentional acts of unauthorized parties or by accidental acts of authorized ones.
- Loss of availability: legitimate users or programs lose access to data to which they are entitled.
- Loss of confidentiality: data marked as private must be protected so that it maintains its level of privacy.

5 Database Security and the DBA (Introduction to Database Security Issues)
The DBA, the central authority for managing a database system, holds a system or superuser account that allows the following types of actions:
- Account creation: creating new accounts and passwords for users
- Privilege granting: granting various privileges to different accounts
- Privilege revocation: cancelling various privileges held by accounts
- Security level assignment: assigning user accounts to the appropriate security classification level

6 Access Protection, User Accounts, and Database Audits (Introduction to Database Security Issues)
- To access the database system, authorized users and programs are granted account numbers and passwords by the DBA.
- Typically, to keep track of accounts, an encrypted table or file with AccountNumber and Password fields is created and maintained by the DBMS.
- To keep track of each user's actions while logged into the database, the system log can be extended to record, with each action, the user account number and the terminal from which the user logged in. Such a log, used for security tracking purposes, is commonly referred to as an audit trail.

7 Types of Discretionary Privileges (Discretionary Access Control Based on Granting and Revoking Privileges)
Discretionary access control deals with granting and revoking privileges, typically through an SQL-type query language. Informally, there are two levels at which database privileges are assigned:
- The account level: the DBA specifies the particular privileges that each account holds, independently of the relations in the database.
- The relation (or table) level: the DBA controls privilege access to each individual relation or view in the database.

8 Account and Relation Level Privileges (Discretionary Access Control Based on Granting and Revoking Privileges)
Privileges at the account level can include:
- CREATE SCHEMA or CREATE TABLE, to create a schema or base relation
- CREATE VIEW, to create views
- ALTER, to apply schema changes such as adding or removing attributes
- DROP, to delete relations or views
- MODIFY, to insert, delete, or update tuples
- SELECT, to run queries
Privileges at the relation level can include:
- SELECT, to retrieve tuples from the relation
- MODIFY, which can be broken down further into UPDATE, DELETE, and INSERT privileges; INSERT and UPDATE can be granted on specific attributes
- REFERENCES, to reference the relation when specifying integrity constraints such as foreign keys; this can also be restricted to specific attributes

9 Privileges with Views, Revoking Privileges, Privileges Using the GRANT OPTION (Discretionary Access Control Based on Granting and Revoking Privileges)
- View privileges: not only do relation-level privileges also apply to views, but views themselves act as another level of security: the relation attributes displayed are restricted to whatever the view exposes, and an account's privileges can be restricted to accessing data only through the view.
- Revoking privileges: in certain cases privileges need to be removed from a user, for example when the user works only temporarily on a task that requires the access. The REVOKE command is used to remove privileges.
- GRANT OPTION: the owner of a relation can give an access privilege on the relation to any other account the owner chooses. In doing so the owner may also give the account the GRANT OPTION, which allows that account to pass the access privilege, including the GRANT OPTION itself, on to other accounts. However, whenever a privilege is revoked from such a sub-provider, all privileges the sub-provider granted to other accounts are revoked as well.

10 Privilege Setting Examples with 4 accounts: A1, A2, A3 and A4 (Discretionary Access Control Based on Granting and Revoking Privileges)
From the DBA: the following statement enables A1 to create relations.
GRANT CREATETAB TO A1;
From the DBA: enable A1 to create relations, but only in the schema named DBA1.
CREATE SCHEMA DBA1 AUTHORIZATION A1;
Account A1 then creates the relations EMPLOYEE and DEPARTMENT.
From account A1: give account A2 INSERT and DELETE, but no GRANT OPTION, on the new relations.
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
From account A1: give account A3 SELECT with GRANT OPTION, so that A3 can grant SELECT to others.
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
From account A3: give account A4 SELECT privileges on the EMPLOYEE relation.
GRANT SELECT ON EMPLOYEE TO A4;
From account A1: revoke A3's SELECT privilege; the DBMS then revokes A4's as well.
REVOKE SELECT ON EMPLOYEE FROM A3;
From account A1: give A4 UPDATE privileges on a single attribute.
GRANT UPDATE ON EMPLOYEE (Salary) TO A4;

11 Specifying Limits on the Propagation of Privileges (Discretionary Access Control Based on Granting and Revoking Privileges)
Techniques to limit the propagation of privileges have been developed, although they are not part of the SQL2 specification referred to in the book.
- Limiting horizontal propagation: setting a limit on the number of accounts to which an account holding the GRANT OPTION can grant the privilege.
- Limiting vertical propagation: assigning a propagation number to each account that receives the privilege. For an account to grant the privilege to another account, its own number must be greater than zero, and the number given to the receiving account must be at least one less than the granting account's number. A receiving account with the number 0 cannot be given the GRANT OPTION and cannot grant the privilege to any other account.
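The GRANT OPTION, cascading REVOKE and the two propagation limits from slides 9 to 11 can be modelled in a few dozen lines. The following is an added example, not code from the slides or from any DBMS: it keeps a catalogue of grants, refuses grants that exceed the grantor's vertical number or horizontal cap, and cascades revocation exactly as the slides describe, replaying the A1..A4 scenario of slide 10. Account and relation names follow the slides; the class, method names and the `vertical`/`horizontal` parameters are assumptions of this example.

```python
"""Toy model of SQL-style discretionary privileges: GRANT with and without the
GRANT OPTION, cascading REVOKE, and horizontal/vertical propagation limits.
Added example; the account names follow the slides, the implementation is assumed."""
from collections import defaultdict


class DacCatalog:
    """Records every grant as (grantor, grantee, vertical, horizontal) per (relation, privilege)."""

    def __init__(self):
        self.owner = {}                     # relation -> owning account
        self.grants = defaultdict(list)     # (relation, privilege) -> grant records

    def create_relation(self, account, relation):
        self.owner[relation] = account      # the creator owns the relation outright

    def _held(self, account, relation, priv):
        return [g for g in self.grants[(relation, priv)] if g["grantee"] == account]

    def holds(self, account, relation, priv):
        return self.owner.get(relation) == account or bool(self._held(account, relation, priv))

    def _authority(self, account, relation, priv):
        """(vertical number, horizontal cap) of the strongest GRANT OPTION the account
        holds for this privilege, or None if it may not pass the privilege on."""
        if self.owner.get(relation) == account:
            return float("inf"), None       # owners are unconstrained
        options = [g for g in self._held(account, relation, priv) if g["vertical"] > 0]
        if not options:
            return None
        best = max(options, key=lambda g: g["vertical"])
        return best["vertical"], best["horizontal"]

    def grant(self, grantor, grantee, relation, priv, vertical=0, horizontal=None):
        """vertical=0 means no GRANT OPTION; vertical=k lets the grantee re-grant with a
        number of at most k-1.  horizontal caps how many distinct accounts the grantee
        may itself grant this privilege to (None = unlimited)."""
        authority = self._authority(grantor, relation, priv)
        if authority is None:
            raise PermissionError(f"{grantor} may not grant {priv} on {relation}")
        max_vertical, cap = authority
        if vertical >= max_vertical:
            raise PermissionError("vertical propagation limit: number must be below the grantor's")
        if cap is not None:
            so_far = {g["grantee"] for g in self.grants[(relation, priv)] if g["grantor"] == grantor}
            if grantee not in so_far and len(so_far) >= cap:
                raise PermissionError("horizontal propagation limit reached")
        self.grants[(relation, priv)].append(
            {"grantor": grantor, "grantee": grantee, "vertical": vertical, "horizontal": horizontal})

    def revoke(self, revoker, grantee, relation, priv):
        """Remove the grant; if the grantee can no longer pass the privilege on,
        everything it granted is revoked too (the cascade described on the slides)."""
        key = (relation, priv)
        self.grants[key] = [g for g in self.grants[key]
                            if not (g["grantor"] == revoker and g["grantee"] == grantee)]
        if self._authority(grantee, relation, priv) is None:
            for g in list(self.grants[key]):
                if g["grantor"] == grantee:
                    self.revoke(grantee, g["grantee"], relation, priv)


def slide_10_scenario():
    """Replays the slide's A1..A4 sequence and returns what each check observed."""
    cat = DacCatalog()
    for rel in ("EMPLOYEE", "DEPARTMENT"):
        cat.create_relation("A1", rel)
    cat.grant("A1", "A2", "EMPLOYEE", "INSERT")                            # no GRANT OPTION
    cat.grant("A1", "A3", "EMPLOYEE", "SELECT", vertical=2, horizontal=1)  # WITH GRANT OPTION
    cat.grant("A3", "A4", "EMPLOYEE", "SELECT")                            # A3 passes SELECT on
    observed = {"a4_select_before": cat.holds("A4", "EMPLOYEE", "SELECT")}
    for who, target, priv in (("A2", "A4", "INSERT"), ("A3", "A2", "SELECT")):
        try:                                   # A2 lacks GRANT OPTION; A3 hit its horizontal cap
            cat.grant(who, target, "EMPLOYEE", priv)
            observed[f"{who}_grant_{priv}"] = "allowed"
        except PermissionError:
            observed[f"{who}_grant_{priv}"] = "refused"
    cat.revoke("A1", "A3", "EMPLOYEE", "SELECT")                           # cascades to A4
    observed["a4_select_after"] = cat.holds("A4", "EMPLOYEE", "SELECT")
    return observed


if __name__ == "__main__":
    print(slide_10_scenario())
```

The cascade in `revoke` re-checks `_authority` rather than blindly deleting, so an account that still holds the GRANT OPTION from a second grantor keeps its downstream grants; that is the behaviour a practitioner should expect from a real DBMS and a point the slide's one-path example does not show.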

12 Mandatory Access Control, and Security Classes (Mandatory Access Control and Role-Based Access Control for Multilevel Security)
- Mandatory access control deals with the need to classify data and users into security classes, in addition to the discretionary access control methods already described.
- Most DBMSs currently provide mechanisms only for discretionary access control.

13 Security Classes and Rules of Access (Mandatory Access Control and Role-Based Access Control for Multilevel Security)
Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified (U), where TS is the highest level and U the lowest. The ordering is TS ≥ S ≥ C ≥ U.
The Bell-LaPadula model is the commonly used model for multilevel security. It classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, or U. Two restrictions are enforced on data access based on the subject and object classifications:
1. A subject is not allowed read access to an object unless the class of the subject is greater than or equal to the class of the object (the simple security property).
2. A subject is not allowed to write an object unless the class of the subject is less than or equal to the class of the object (the star property or *-property). This rule prevents higher-security subjects from writing classified information into objects that lower-security subjects can read.

14 Security Classes and Rules of Access (Mandatory Access Control and Role-Based Access Control for Multilevel Security)
To incorporate multilevel security into the relational model, each attribute in a relation schema is associated with a classification level (TS, S, C, or U), and each tuple is given an extra attribute TC (tuple classification) holding its overall classification. The apparent key is the set of attributes that would normally form the primary key in a regular single-level relation. Since not every user can see every attribute, it is possible to have multiple tuples with different security-level values for the same apparent key; this is called polyinstantiation. Attribute values the user is not cleared for are shown as NULL, as in the following example filtered for classification C users. The following demonstrates a relation with multilevel security attributes: EMPLOYEE
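The two Bell-LaPadula properties from slide 13 and the filtering and polyinstantiation of slide 14 can be made concrete in code. The following is an added example, not the slide's table or any DBMS's implementation: the EMPLOYEE rows are constructed here with attribute-level classifications (the slide's own table did not survive in the transcript), `filter_relation` produces the view a subject of a given clearance sees, and `update` shows when a write is done in place and when the *-property forces a new, polyinstantiated tuple instead. The level names follow the slides; the rows, column names and function names are assumptions.

```python
"""Bell-LaPadula read/write checks and a toy multilevel EMPLOYEE relation with
attribute-level classifications, filtering, and polyinstantiation on update.
Added example: the rows below are constructed, not the slide's table."""

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}     # U < C < S < TS


def can_read(subject_cls, object_cls):
    """Simple security property: no read-up."""
    return LEVELS[subject_cls] >= LEVELS[object_cls]


def can_write(subject_cls, object_cls):
    """*-property: no write-down."""
    return LEVELS[subject_cls] <= LEVELS[object_cls]


KEY = "Name"                                  # the apparent key
ATTRS = ("Name", "Salary", "JobPerformance")
# Each attribute value is (value, classification); TC is the tuple classification.
EMPLOYEE = [
    {"Name": ("Smith", "U"), "Salary": (40000, "C"), "JobPerformance": ("Fair", "S"), "TC": "S"},
    {"Name": ("Brown", "C"), "Salary": (80000, "S"), "JobPerformance": ("Good", "C"), "TC": "S"},
]


def _tuple_class(row):
    return max((row[a][1] for a in ATTRS), key=LEVELS.__getitem__)


def filter_relation(relation, clearance):
    """The relation as a subject with `clearance` sees it: tuples whose apparent key is
    classified above the clearance disappear, attributes above it become NULL (None,
    classified like the key), TC is recomputed, and duplicates are collapsed."""
    seen, visible = set(), []
    for row in relation:
        if not can_read(clearance, row[KEY][1]):
            continue
        shown = {}
        for a in ATTRS:
            value, cls = row[a]
            shown[a] = (value, cls) if can_read(clearance, cls) else (None, row[KEY][1])
        shown["TC"] = _tuple_class(shown)
        signature = tuple(shown[a] for a in ATTRS)
        if signature not in seen:
            seen.add(signature)
            visible.append(shown)
    return visible


def update(relation, clearance, key_value, attr, new_value):
    """A subject at `clearance` sets `attr` of the tuple with apparent key `key_value`.
    A same-level value is changed in place.  Otherwise the stored value is either
    higher (the subject sees NULL there) or lower (overwriting it would be a
    write-down, which can_write forbids), so a new tuple at the subject's own level
    is added instead: that is polyinstantiation.  Mutates and returns `relation`."""
    candidates = [r for r in relation
                  if r[KEY][0] == key_value and can_read(clearance, r[KEY][1])]
    if not candidates:
        raise KeyError(key_value)             # no existence leak for unreadable keys
    row = next((r for r in candidates if r["TC"] == clearance), candidates[0])
    current_cls = row[attr][1]
    if current_cls == clearance:
        row[attr] = (new_value, clearance)
        return relation
    new_row = {}
    for a in ATTRS:
        value, cls = row[a]
        new_row[a] = (value, cls) if can_read(clearance, cls) else (None, row[KEY][1])
    new_row[attr] = (new_value, clearance)
    new_row["TC"] = _tuple_class(new_row)
    relation.append(new_row)
    return relation


if __name__ == "__main__":
    for shown in filter_relation(EMPLOYEE, "C"):
        print(shown)
```

Run with clearance U, both Smith tuples collapse into one row of NULLs after the C-level update, so a U subject learns nothing about the higher-level versions; that collapse is why the duplicate removal in `filter_relation` matters.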

15 Comparing Discretionary Access Control (DAC) and Mandatory Access Control (MAC) (Mandatory Access Control and Role-Based Access Control for Multilevel Security)
- DAC policies carry a high degree of flexibility, making them suitable for a large variety of application domains, but they are vulnerable to malicious attacks such as Trojan horses embedded in application programs. Discretionary authorization models impose no control on how information is propagated and used once it has been accessed by an authorized user.
- Mandatory policies ensure a high degree of protection; in a way, they prevent any illegal flow of information. However, they are too rigid in that they require strict classification of subjects and objects into security levels, which makes MAC applicable to very few environments.
- Ultimately, the greater convenience in practical situations makes discretionary policies the preferred method, because they offer a better trade-off between security and applicability.

16 Role-Based Access Control (RBAC) (Mandatory Access Control and Role-Based Access Control for Multilevel Security)
- RBAC is a viable alternative to DAC and MAC policies. It ensures that only authorized users are given access to specific data resources.
- RBAC allows hierarchical structuring among roles: junior roles at the bottom are connected to progressively more senior roles as one moves up the hierarchy.
- Time constraints can be assigned to roles so that a user's access to sensitive information is kept as short as possible, and roles can trigger the activation of other roles, so switching between tasks is largely automated for the user.
- RBAC models are extremely flexible and adaptable: not only can they mimic traditional DAC and MAC policies, they can also be structured around user-defined organizational policies.
- Through RBAC, users create sessions during which they may activate a subset of the roles to which they belong. Each session can be assigned many roles but maps to one user or subject only.
- Roles are created with the CREATE ROLE and DESTROY ROLE commands. The GRANT and REVOKE commands discussed under DAC are then used to assign privileges to roles and revoke them.
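The slide's RBAC features (role hierarchy, sessions activating a subset of a user's roles, time constraints on roles, and roles that trigger other roles) fit in one small model. This is an added example, not code from the slides or from any DBMS: role names, the `window` hours and the `triggers` mechanism are assumptions made for illustration.

```python
"""Toy RBAC: role hierarchy with inheritance, per-user sessions that activate a
subset of roles, time windows on roles, and role-activation triggers.
Added example; role and user names are constructed."""
from collections import defaultdict


class Rbac:
    def __init__(self):
        self.perms = defaultdict(set)      # role -> {(privilege, relation)}
        self.juniors = defaultdict(set)    # senior role -> junior roles it inherits from
        self.members = defaultdict(set)    # user -> roles assigned to that user
        self.window = {}                   # role -> (start_hour, end_hour) it may be active
        self.triggers = defaultdict(set)   # role -> roles activated alongside it

    def create_role(self, role, inherits=(), window=None):
        self.perms.setdefault(role, set())
        self.juniors[role].update(inherits)
        if window:
            self.window[role] = window

    def grant(self, priv, relation, role):
        self.perms[role].add((priv, relation))

    def revoke(self, priv, relation, role):
        self.perms[role].discard((priv, relation))

    def assign(self, user, role):
        self.members[user].add(role)

    def _closure(self, roles):
        """A senior role holds every permission of the roles below it."""
        active, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in active:
                active.add(r)
                stack.extend(self.juniors[r])
        return active

    def open_session(self, user, roles, hour):
        """One user per session, possibly many roles; only roles the user holds,
        only inside each role's time window, plus any roles they trigger."""
        wanted = set(roles)
        for r in list(wanted):
            wanted |= self.triggers[r]
        if not wanted <= self.members[user]:
            raise PermissionError(f"{user} does not hold all of {sorted(wanted)}")
        for r in wanted:
            lo, hi = self.window.get(r, (0, 24))
            if not lo <= hour < hi:
                raise PermissionError(f"role {r} is not available at hour {hour}")
        return {"user": user, "active": self._closure(wanted)}

    def check(self, session, priv, relation):
        return any((priv, relation) in self.perms[r] for r in session["active"])


def demo():
    r = Rbac()
    r.create_role("clerk")
    r.create_role("auditor")
    r.create_role("payroll_manager", inherits=["clerk"], window=(9, 17))   # office hours only
    r.grant("SELECT", "EMPLOYEE", "clerk")
    r.grant("SELECT", "DEPARTMENT", "auditor")
    r.grant("UPDATE(Salary)", "EMPLOYEE", "payroll_manager")
    r.triggers["payroll_manager"].add("auditor")       # managing payroll also activates auditor
    for role in ("clerk", "auditor", "payroll_manager"):
        r.assign("alice", role)
    r.assign("bob", "clerk")
    day = r.open_session("alice", ["payroll_manager"], hour=10)
    out = {
        "manager_inherits_select": r.check(day, "SELECT", "EMPLOYEE"),
        "manager_updates_salary": r.check(day, "UPDATE(Salary)", "EMPLOYEE"),
        "trigger_activated_auditor": r.check(day, "SELECT", "DEPARTMENT"),
        # least privilege: the same user in a clerk-only session cannot update salaries
        "clerk_session_updates": r.check(r.open_session("alice", ["clerk"], 10),
                                         "UPDATE(Salary)", "EMPLOYEE"),
    }
    for label, user, hour in (("after_hours", "alice", 22), ("unassigned_role", "bob", 10)):
        try:
            r.open_session(user, ["payroll_manager"], hour)
            out[label] = "allowed"
        except PermissionError:
            out[label] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```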

17 XML Access Control (Mandatory Access Control and Role-Based Access Control for Multilevel Security)
- Due to the huge use of the Extensible Markup Language (XML) in commercial as well as scientific applications, security standards for it have become a priority.
- In contrast to other commonly used web security technologies such as SSL and virtual private networks, XML encryption also applies to parts of documents, and to documents in persistent storage.
- Multiple XML digital signature and encryption standards have been formed as a result, covering:
- syntax for representing the associations between cryptographic signatures and XML documents
- procedures for computing and verifying XML signatures
- digitally signing portions of XML documents rather than the entire XML tree

18 Access Control Policies for E-Commerce and the Web (Mandatory Access Control and Role-Based Access Control for Multilevel Security)
- E-commerce environments are characterized by transactions done electronically. In such an environment, not only traditional data but also knowledge and experience must be protected.
- Such a dynamic environment calls for a greater level of flexibility than that offered by traditional DBMS security systems. Access control policies must allow the inclusion of conditions based on object content.
- Access control in such an environment would benefit from supporting the notion of credentials: a set of properties concerning the user that are relevant for security purposes (for example, age or position within an organization).
- Due to their inherent structure, XML documents can play a key role in access control for e-commerce, because XML has become one of the common representation languages for document interchange over the web.

19 Introduction to Statistical Database Security (Statistical Database Security)
- Statistical databases are used mainly to produce statistics about various populations. They give users access to statistical information about populations, such as averages, sums, counts, maximums, minimums, and standard deviations.
- To ensure users have only this generalized type of access, only statistical queries involving aggregate functions such as COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION are allowed.
- Even though such databases carry confidential data about individuals, users are restricted to general information derived from the individual data. However, with a small enough sample size, individual information can be inferred deductively by a user who already knows some criteria that identify a specific individual in the database.
- Ways to reduce such security violations include:
- prohibiting queries whose conditions select a population below a specific threshold
- prohibiting sequences of queries that repeatedly refer to the same population of tuples
- introducing slight inaccuracies into query results to reduce the chance of narrowing down individuals
- partitioning the database so that groups stay at a minimum size
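The first three countermeasures on the slide are query-restriction rules that a statistical query interface can enforce before it answers. The following is an added example, not code from the slides or from any product: it checks a minimum and maximum query-set size, refuses a query whose population overlaps an earlier answered one too closely (the "repeated reference to the same population" case), and optionally perturbs results. The population rows, the `k` and `max_overlap` parameters and the class name are constructed for this example.

```python
"""Query-restriction controls for a statistical database: minimum/maximum query-set
size, overlap control against query sequences that single out an individual, and
optional perturbation of results.  Added example; the population is constructed."""
import random

# Constructed sample population (fictional rows).
PEOPLE = [
    {"name": "p1", "dept": "Sales", "sex": "F", "salary": 50000},
    {"name": "p2", "dept": "Sales", "sex": "M", "salary": 60000},
    {"name": "p3", "dept": "Sales", "sex": "M", "salary": 70000},
    {"name": "p4", "dept": "Sales", "sex": "M", "salary": 80000},
    {"name": "p5", "dept": "Eng", "sex": "F", "salary": 90000},
    {"name": "p6", "dept": "Eng", "sex": "F", "salary": 100000},
    {"name": "p7", "dept": "Eng", "sex": "M", "salary": 110000},
    {"name": "p8", "dept": "Eng", "sex": "M", "salary": 120000},
]

AGGREGATES = {
    "COUNT": len,
    "SUM": sum,
    "AVG": lambda v: sum(v) / len(v),
    "MIN": min,
    "MAX": max,
}


class StatisticalDb:
    def __init__(self, rows, k=3, max_overlap=2, noise=0.0, seed=0):
        self.rows = rows
        self.k = k                      # query set must contain >= k and <= n-k rows
        self.max_overlap = max_overlap  # max rows shared with any earlier, different query set
        self.noise = noise              # relative perturbation, e.g. 0.02 for +-2 %
        self.rng = random.Random(seed)
        self.answered = []              # query sets already released

    def query(self, agg, attr, **conditions):
        """Evaluate agg(attr) over the rows matching all conditions, or refuse."""
        qset = frozenset(i for i, r in enumerate(self.rows)
                         if all(r[c] == v for c, v in conditions.items()))
        n = len(self.rows)
        # Too small singles a person out; too large does the same via the complement.
        if not self.k <= len(qset) <= n - self.k:
            raise PermissionError(f"query set of size {len(qset)} refused (threshold {self.k})")
        for earlier in self.answered:
            if qset != earlier and len(qset & earlier) > self.max_overlap:
                raise PermissionError("overlap with an earlier query set too large")
        self.answered.append(qset)
        values = [self.rows[i][attr] for i in qset]
        result = AGGREGATES[agg](values)
        if self.noise:
            result *= 1 + self.rng.uniform(-self.noise, self.noise)
        return result


def demo():
    db = StatisticalDb(PEOPLE)
    out = {"sales_avg": db.query("AVG", "salary", dept="Sales")}
    for label, cond in (("single_person", {"dept": "Sales", "sex": "F"}),   # 1 row: refused
                        ("heavy_overlap", {"sex": "M"}),                     # shares 3 rows with Sales
                        ("disjoint_ok", {"dept": "Eng"})):                   # 4 rows, no overlap
        try:
            out[label] = db.query("AVG", "salary", **cond)
        except PermissionError:
            out[label] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The overlap rule is what stops the classic two-query difference: once "Sales" has been answered, "sex = M" is refused because subtracting the two answers would isolate the single woman in Sales, even though each query set on its own is above the threshold.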

20 Flow Control and Covert Channels (Flow Control)
- Flow control regulates the distribution or flow of information among accessible objects. Flow controls can be enforced by an extended access control mechanism that assigns a security class clearance to each running program. It is similar to MAC in principle, only less involved.
- Flow controls employ some concept of security classes to ensure that information contained in some objects does not flow, explicitly or implicitly, into less protected objects. In general, flow control mechanisms assign a label to each object involved and specify the security class of each object; the labels are then used to verify the flow relations defined in the model.
- A covert channel is a security violation in a flow mechanism that allows information to travel from a higher classification level to a lower one through improper means. Covert channels come in two forms: timing channels, mechanisms that time events or processes to synchronize unauthorized transfers, and storage channels, which directly access system information.
- Storage-type covert channels can be prevented by locking to prevent concurrent writing; timing channels are prevented by operating systems or DBMSs that allow sharing of resources without the encroachment of one program or process into another's memory or other system resources.
- Sometimes the best way to prevent covert channels is simply to deny programmers access to sensitive system data once the program has been put into operation.

21 The Data and Advanced Encryption Standards (Encryption and Public Key Infrastructures)
- Encryption consists of an encryption algorithm that uses a prespecified encryption key on data; a decryption key is then required to recover the original data.
- The Data Encryption Standard (DES) is a U.S. government encryption system that can provide end-to-end encryption on a channel between a sender and receiver. The DES algorithm uses two of the fundamental building blocks of encryption: substitution and permutation (transposition).
- DES starts with plaintext and repeats the substitution and transposition cycle 16 times, encrypting in blocks of 64 bits. Though the key is 64 bits long, only 56 bits are effective, so it can be any 56-bit number.
- The National Institute of Standards and Technology (NIST) later introduced the Advanced Encryption Standard (AES), with a block size of 128 bits and keys of 128, 192, or 256 bits, which takes much longer to crack.

22 Public Key Encryption (Encryption and Public Key Infrastructures)
Public key encryption uses algorithms based on mathematical functions that involve two separate keys, referred to as the public key and the private key; the private key is invariably kept secret.
Six ingredients of the public key encryption scheme:
1. Plaintext data, fed into the algorithm as input
2. Encryption algorithm, which performs various transformations on the plaintext
3. and 4. Public and private keys, one used for encrypting, the other for decrypting
5. Ciphertext, resulting from the encryption
6. Decryption algorithm, which accepts the ciphertext and the matching key to recover the plaintext
The public key method involves two users, a sender and a receiver. The essential steps are:
1. Each user generates a pair of encryption/decryption keys.
2. Each user places one of the two keys (the public key) in a public register or other accessible file.
3. If the sender wants to send a message to the receiver, the sender encrypts the message using the receiver's public key.
4. The receiver decrypts the message using his or her own private key.

23 RSA Public Key Encryption and Digital Signatures (Encryption and Public Key Infrastructures)
- The RSA scheme is the most widely accepted and implemented approach to public key encryption. It builds on results from number theory, combined with the difficulty of determining the prime factors of a target number, and operates with modular arithmetic (mod n).
- RSA, one of the first public key schemes, was introduced in 1978 by, and named after, Ron Rivest, Adi Shamir, and Len Adleman at MIT.
- Digital signatures are a means of associating a mark unique to an individual with a body of text. The mark consists of a string of symbols that differs for each use; this is achieved by making each digital signature a function of the message it signs, together with a timestamp and a unique secret number of the signer. Public key techniques are the best means of creating digital signatures with such properties.
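The four-step exchange of slide 22 and the RSA arithmetic and timestamp-bound signature of slide 23 can be shown end to end with Python's built-in modular exponentiation. This is an added example, not code from the slides: the two primes are small constructed values chosen so the numbers stay readable (real keys use primes hundreds of digits long), the messages are constructed, and the signature hashes the message and timestamp with SHA-256 but applies no padding scheme, so it illustrates the mathematics only.

```python
"""Toy RSA: key generation from two (small, labelled) primes, the four-step public key
exchange from the slides, and hash-based digital signatures bound to a timestamp.
Added example; the primes and messages are constructed, and no padding scheme is used,
so this illustrates the arithmetic only and is not a production implementation."""
import hashlib
from math import gcd


def generate_keypair(p, q, e=65537):
    """Step 1: each user generates an encryption/decryption key pair (n, e), (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Step 3: the sender encrypts with the receiver's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Step 4: the receiver decrypts with its own private key."""
    n, d = private_key
    return pow(c, d, n)


def _digest(message, timestamp, n):
    """Hash of message || timestamp, reduced into the RSA modulus."""
    data = message + timestamp.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, message, timestamp):
    """A mark that is a function of the message, a timestamp and the signer's secret d."""
    n, d = private_key
    return pow(_digest(message, timestamp, n), d, n)


def verify(public_key, message, timestamp, signature):
    """Anyone holding the public key can check the mark without learning d."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, timestamp, n)


def exchange(plaintext, receiver_public, receiver_private):
    """Steps 2 to 4 in one call: the public key comes from the public register
    (here simply a parameter); the private key never leaves the receiver."""
    return decrypt(receiver_private, encrypt(receiver_public, plaintext))


if __name__ == "__main__":
    # 1000003 and 999983 are prime; constructed toy values, far too small for real use.
    pub, priv = generate_keypair(1000003, 999983)
    print(exchange(123456789, pub, priv))
    sig = sign(priv, b"pay 100 to A2", 1700000000)
    print(verify(pub, b"pay 100 to A2", 1700000000, sig))
```

Because the timestamp is part of the signed digest, replaying the same signed message later fails verification, which is the property the slide attributes to including a timestamp in the signature.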

24 Preserving Data Privacy (Privacy Issues and Preservation)
Privacy is an ongoing area of research in database management. It is complicated by the multidisciplinary nature of the problem and by the subjectivity in the interpretation of privacy, trust, and so on. There are multiple options available for ensuring that private data remains private:
- Limit large-scale data mining and analysis.
- Avoid building mammoth central warehouses as a single repository of vital information.
- Intentionally modify, perturb, and anonymize data by replacing identity information with noise data.
- Focus on distributed data mining algorithms to reduce data exchange.
Open issues remain:
- Current technologies employ masses of mobile devices, all carrying private information (identities, credentials, and permissions); how to use this for reliable user identification remains an issue.
- Balancing database efficiency with sufficient security technologies is also extremely important.
- Privacy of user location data, acquired from sensors and communication networks, must also be ensured.

25 Data Quality, Intellectual Property Rights, and Database Survivability (Challenges of Database Security)
- Data quality: to support the maintenance of quality data, the database community could benefit from seals of quality posted on Web sites, more effective integrity semantics verification tools for data assessment based on techniques such as record linkage, and perhaps more efficient application-level recovery techniques.
- Intellectual property rights: the book brings up the notion of using watermarking techniques to protect content from unauthorized duplication and distribution over world networks by enabling provable ownership of the content. Research on such matters is still in progress.
- Database survivability: to withstand information warfare attacks, in addition to preventing and detecting an attack whenever possible, a DBMS should be able to do the following:
- Confinement: eliminate the attacker's access to the system and isolate or contain the problem.
- Damage assessment: determine the extent of the damage done, noting failed functions and corrupted data.
- Reconfiguration: reconfigure the database to allow a degraded mode of operation while repairs are made.
- Repair: recover corrupted or lost data and repair or reinstall failed system functions to get things back up and running.
- Fault treatment: seek out and eliminate the system weaknesses exploited in the attack.

