Database Security

By Bei Yuan

Why do we need DB Security?

• Make data arranged and secret

• Secure other’s DB

Security Issues:

• Security Policy

• Access Control

• Encryption

• Internet Security

• Threat Monitoring (Auditing)

Security Policy

• Exposures: A form of possible loss of a firm.

• Vulnerabilities: Weakness in an enterprise’s system.

• Threats: Specific, potential attack on the enterprise.

• Controls: Eliminate threats, vulnerabilities and

exposures

A security system is a system.

Access Control

♦ Access Control Models

♦ User Authentication

Access Control Models

• Discretionary Access Control (DAC) Model

• Mandatory Access Control (MAC) Model

• Role-Based Access Control (RABC) Model

Discretionary Access Control

• Ownership-based, flexible, most widely used, low assurance

• Privileged users: DBA and owners of the tables

Limitations of DAC

Mandatory Access Control

• Administration-based

• Data flow control rules

• High level of security, but less flexible

MAC Policy

Role-Based Access Control

• Flexible

• Separation of duty

• Able to express DAC, MAC, and user-specific policies using role constraints

• Easy to incorporated into current tech

User Authentication

• Password-Based Authentication

• Host-Based Authentication

• Third Party-Based Authentication

Encryption

• Full Database Encryption

• Partial Database Encryption

• Off-Line Database Encryption

Full Database Encryption

• Limit readability of DB files in the OS

• Redundance

• Time-consuming in changing encryption key

Off-line Database Encryption

A note of caution:

Organizations considering this should thoroughly

test that data which is encrypted before storage off-

line can be decrypted and re-imported successfully

before embarking on large-scale encryption of

backup data.

Internet Security

• Server Security

— Static Web Pages

— Dynamic Page Generation

• Session Security

Session Security

• Secret-key Security (Using single key)

• Public-key Security (Using two keys)

— SSL protocol

Auditing

• Audit via the database or operating system

• The DBA must be able to log every relevant user action in order to recreate a series of actions.

• The series of user actions is called the audit trail.

Conclusion

Database security will always be the critical

component of every information system.

“Security costs. Pay for it, or pay for not having it.”