Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Security Overview Blake Middleton CSE 7330 – Fall 2009.

Published byMervyn Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "Database Security Overview Blake Middleton CSE 7330 – Fall 2009."— Presentation transcript:

1 Database Security Overview Blake Middleton CSE 7330 – Fall 2009

2 Protecting a Critical Resource Banking/Financial Records Medical Records Inventory Customer Information Personnel Records Student Records

3 Threats to Data Copy Destroy Modify “Securing the Database may be the single biggest action an organization can take to protect its assets.” – David Knox

4 Results of an “Incident” Loss of reputation Loss of $$$ Lawsuits (more loss of $) TJX – 45M credit/debit cards, $256M as of 8/2007 -Boston Globe Online

5 General Security Goals - CIAA Confidentiality Integrity Availability Authentication

6 Threat Sources External fame or gain Internal gain or revenge

7 Big Picture Physical security Network security Operating System Security Application Security DBMS (yes, these have vulnerabilities too)

8 Access Control Data Control Language – DCL GRANT priv ON object TO user [WITH GRANT OPTION] REVOKE priv ON object FROM user

9 Examples Table Level Privileges: GRANT INSERT, UPDATE ON Students TO fred GRANT DELETE ON Students TO sam WITH GRANT OPTION GRANT ALL ON Students TO barney REVOKE INSERT ON Students FROM fred

10 Examples Column Level: (Select and Update) GRANT UPDATE ON Students (address) TO fred

11 Examples Object privileges: GRANT CREATE table TO fred

12 Oracle Virtual Private Database (VPD) Provides row-level security Presents partial view of tables based on policies

13 VPD - Examples Restrict user to only see courses from CSE User: SELECT * FROM Courses; Executed: SELECT * FROM Courses WHERE department = ‘CSE’; source – Oracle Database 10g Top 20 DBA Features

14 VPD – Examples – Selective Columns Restrict user to only see students with GPA above 3.0 SELECT * FROM Students;--Will return rows 1 and 3 SELECT COUNT(*) FROM Students; --Will return 2 source – Oracle Database 10g Top 20 DBA Features IDNameGPA 100Jones3.1 101Smith2.6 102Smart4.0

15 VPD – Examples – Column Masking Restrict user to only see GPA values above 3.0 SELECT * FROM Students; source – Oracle Database 10g Top 20 DBA Features IDNameGPA 100Jones3.1 101Smith2.6 102Smart4.0 IDNameGPA 100Jones3.1 101Smith 102Smart4.0

16 Oracle Label Security Access based on: data sensitivity labels user label authorizations Provides multi-level security capability

17 Oracle Label Security Data Sensitivity Labels have 3 components Level – required Compartment – optional Group - optional A policy can have up to 999 levels and 9,999 groups and compartments -Source Oracle Label Security Best Practices White Paper

18 Oracle Label Security - Example -Source Oracle Label Security Best Practices White Paper IDSSNDL_NumLnamePol1_sec_lab 100123-45-678909234554MillerSensitive:PII:HR 101234-56-688710854834ArnoldPrivate:PII:HR

19 Inference Simple example (from Viega & McGraw) SELECT AVG(income) FROM customers WHERE state = “VA” OR (city = “Reno” AND state = “NV” AND age = 72); Followed by: SELECT AVG(income) FROM customers WHERE state = “VA”;

20 Good Practices Use views Use stored procedures Keep up to date on patches Limit privileges Have a security policy and follow it Encrypt sensitive data Do audits/monitor employees Regular security assessments Enforce strong passwords

21 Future More data to protect More sophisticated attacks More emphasis on security education (hopefully)

22 Bibliography Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers. Apress. Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media, Inc. Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill. Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook: Defending Database Servers. Wiley. Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and Procedures. Addison-Wesley Professional. Needham, P. (2008). Oracle Label Security Best Practices. Oracle. Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved 10 26, 2009, from http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html Pfluger, C. P., & Lawrence, S. (2006). Security in Computing (4th ed.). Prentice Hall. Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.

Download ppt "Database Security Overview Blake Middleton CSE 7330 – Fall 2009."

Similar presentations

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant

The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant
Understand Database Security Concepts

Understand Database Security Concepts
Chapter 1 Security Architecture

Chapter 1 Security Architecture
Database Security CS461/ECE422 Spring 2012. Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.

Database Security CS461/ECE422 Spring Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.
Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.

Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.
Security and Integrity

Security and Integrity
Database Management System

Database Management System
1 8 Concepts of Database Management, 4 th Edition, Pratt & Adamski Chapter 8 Database Administration.

1 8 Concepts of Database Management, 4 th Edition, Pratt & Adamski Chapter 8 Database Administration.
Getting Started (Excerpts) Chapter One DAVID M. KROENKE’S DATABASE CONCEPTS, 2 nd Edition.

Getting Started (Excerpts) Chapter One DAVID M. KROENKE’S DATABASE CONCEPTS, 2 nd Edition.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Security and Integrity

Security and Integrity
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Similar presentations

Ads by Google