Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Security Overview Blake Middleton CSE 7330 – Fall 2009.

Similar presentations


Presentation on theme: "Database Security Overview Blake Middleton CSE 7330 – Fall 2009."— Presentation transcript:

1 Database Security Overview Blake Middleton CSE 7330 – Fall 2009

2 Protecting a Critical Resource Banking/Financial Records Medical Records Inventory Customer Information Personnel Records Student Records

3 Threats to Data Copy Destroy Modify “Securing the Database may be the single biggest action an organization can take to protect its assets.” – David Knox

4 Results of an “Incident” Loss of reputation Loss of $$$ Lawsuits (more loss of $) TJX – 45M credit/debit cards, $256M as of 8/2007 -Boston Globe Online

5 General Security Goals - CIAA Confidentiality Integrity Availability Authentication

6 Threat Sources External fame or gain Internal gain or revenge

7 Big Picture Physical security Network security Operating System Security Application Security DBMS (yes, these have vulnerabilities too)

8 Access Control Data Control Language – DCL GRANT priv ON object TO user [WITH GRANT OPTION] REVOKE priv ON object FROM user

9 Examples Table Level Privileges: GRANT INSERT, UPDATE ON Students TO fred GRANT DELETE ON Students TO sam WITH GRANT OPTION GRANT ALL ON Students TO barney REVOKE INSERT ON Students FROM fred

10 Examples Column Level: (Select and Update) GRANT UPDATE ON Students (address) TO fred

11 Examples Object privileges: GRANT CREATE table TO fred

12 Oracle Virtual Private Database (VPD) Provides row-level security Presents partial view of tables based on policies

13 VPD - Examples Restrict user to only see courses from CSE User: SELECT * FROM Courses; Executed: SELECT * FROM Courses WHERE department = ‘CSE’; source – Oracle Database 10g Top 20 DBA Features

14 VPD – Examples – Selective Columns Restrict user to only see students with GPA above 3.0 SELECT * FROM Students;--Will return rows 1 and 3 SELECT COUNT(*) FROM Students; --Will return 2 source – Oracle Database 10g Top 20 DBA Features IDNameGPA 100Jones3.1 101Smith2.6 102Smart4.0

15 VPD – Examples – Column Masking Restrict user to only see GPA values above 3.0 SELECT * FROM Students; source – Oracle Database 10g Top 20 DBA Features IDNameGPA 100Jones3.1 101Smith2.6 102Smart4.0 IDNameGPA 100Jones3.1 101Smith 102Smart4.0

16 Oracle Label Security Access based on: data sensitivity labels user label authorizations Provides multi-level security capability

17 Oracle Label Security Data Sensitivity Labels have 3 components Level – required Compartment – optional Group - optional A policy can have up to 999 levels and 9,999 groups and compartments -Source Oracle Label Security Best Practices White Paper

18 Oracle Label Security - Example -Source Oracle Label Security Best Practices White Paper IDSSNDL_NumLnamePol1_sec_lab 100123-45-678909234554MillerSensitive:PII:HR 101234-56-688710854834ArnoldPrivate:PII:HR

19 Inference Simple example (from Viega & McGraw) SELECT AVG(income) FROM customers WHERE state = “VA” OR (city = “Reno” AND state = “NV” AND age = 72); Followed by: SELECT AVG(income) FROM customers WHERE state = “VA”;

20 Good Practices Use views Use stored procedures Keep up to date on patches Limit privileges Have a security policy and follow it Encrypt sensitive data Do audits/monitor employees Regular security assessments Enforce strong passwords

21 Future More data to protect More sophisticated attacks More emphasis on security education (hopefully)

22 Bibliography Alapati, S. R., & Kim, C. (2007). Oracle Database 11g: New Features for DBAs and Developers. Apress. Bauer, M. D. (2005). Linux Server Security (2nd ed.). O'Reilly Media, Inc. Defense Information Systems Agency. (2007, Sep. 19). Security Technical Implementation Guides. Retrieved Oct 26, 2009, from http://iase.disa.mil/stigs/stig/database-stig-v8r1.zip Knox, D. (2004). Effective Oracle Database 10g Security by Design. McGraw-Hill. Litchfield, D., Anley, C., Heasman, J., & Grindlay, B. (2005). The Database Hacker's Handbook: Defending Database Servers. Wiley. Mullins, C. S. (2002). Database Administration: The Complete Guide to Practices and Procedures. Addison-Wesley Professional. Needham, P. (2008). Oracle Label Security Best Practices. Oracle. Oracle. (n.d.). Oracle Database 10g Top 20 DBA Features. Retrieved 10 26, 2009, from http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html Pfluger, C. P., & Lawrence, S. (2006). Security in Computing (4th ed.). Prentice Hall. Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley Professional.


Download ppt "Database Security Overview Blake Middleton CSE 7330 – Fall 2009."

Similar presentations


Ads by Google