55
Application Security Models

Application security models

Embed Size (px)

Citation preview

Application Security Models

Application Security Models

IntroductionWe examine five different application security models that are commonly used by the industry to provide data security and access protection at the table level.

Database role based.Application role based.Application function based.Application role and function based.Application table based.

Security Model Based on Database RolesThis model depend on the application to authentication the application users by maintain all end users in a table with their encryption password.

In this model, each end user is assigned a database role, which has specific database privilege for accessing application table.

The user can access whatever privileges are assigned to the role

Security Model Based on Database RolesThis model, proxy user is needed to activate assigned roles.

All roles are assigned to the proxy user.

Security Model Based on Database Roles

Security Model Based on Database RolesAPPLICATION_USERS: This is used to store and maintain all end users of the application with their encrypted passwords.

APLLICATION_USERS_ROLES:Contains all roles defined by application and for each role that privilege is assigned; privilege can be read, write, read/write.

Security Model Based on Database RolesThe architectural view of the model has common control columns prefixed with CTL.

These control columns contains information about manipulate record.

Security Model Based on Database RolesCTL_INS_DTTM contains the date and time when the record was created.CTL_UPD_DTTM contains the date and time when the record was last updated.CTL_UPD_USER contains the date name that created the record or last updated the record.CTL_REC_STAT can be used to indicate the status of the record. We can use this column for any purpose, we may set this column to A as an indicator that the record active and I as inactive

Security Model Based on Database Roles

Security Model Based on Database RolesImplementing in Oracle

create a proxy user called APP_PROXY that will be assigned to all application role and will work on behalf of the application user APP_USER to gain access to all tables owned by the application owner called APP_OWNER.

Security Model Based on Database Roles

Security Model Based on Database Roles

Security Model Based on Database Roles

Security Model Based on Database Roles

Security Model Based on Application RolesThe concept of an application role security model are similar to the concept of database role security model in that they are both methods for organizing and administrating privileges.

Application roles are typically mapped specifically to real business roles

Security Model Based on Application Roles

Security Model Based on Application RolesAPPLICATION_USERS: This is used to store and maintain all end users of the application with their encrypted passwords.

APPLICATION_ROLESAll roles defined by the application and for each role a privilege are assigned. The privilege can be read, write, or read/write

Security Model Based on Application RolesThe security model that is based on application roles depends on the application to authenticate the application users.

Authentication is accomplished by maintaining all end users in a table with their encrypted password.

Security Model Based on Application RolesIn this model, each end user is assigned an application role, and the application role is provided with application privileges to read/write specific modules of the application.

Security Model Based on Application Roles

Security Model Based on Application RolesThe point need to be considered during security Model

This model does not allow the flexibility required to make changes necessary for security.

For example a user called Scott who has a clerk role, and the clerk has privileges to read, add, and modify. This means that Scott can perform these operations on all modules of the application.

Security Model Based on Application RolesPrivileges are limited to any combination of the following.readadddeleteupdateadmin

Security Model Based on Application RolesThis model isolates the application security from the database, which make implementation of database independent.

Only one role is assigned to an application user.

Maintenance of the application security does not require specific database privilege. This lowers the risk of database violation.

Security Model Based on Application RolesPasswords must be securely encrypted. preferably using private and public keys

Security Model based on Application FunctionsThe security model that is based on application function depends on the application to authenticate the application user by maintaining all end user in a table with their encrypted password.

Security Model based on Application FunctionsIn this model the application is divided into functions.

For instance, if you were using an inventory application we need to have a function name CUSTOMER that maintain customers and another function name PRODUCTS for maintain products, and so on

Security Model based on Application Functions

Security Model based on Application FunctionsTables used in this security model

APPLICATION_USERS: This is used to store and maintain all end users of the application with their encrypted passwords

Application Functions:This table contains all logical functions of the application

Security Model based on Application FunctionsTables used in this security model

Application_Functions_Privileges

This table stores all privileges for functions such as : read, write, read/write

Application_Users_Functions

This table contains all end users and their application function privileges.

Security Model based on Application FunctionsThe following list presents characteristics of this security model:In this model the application security from the database, this makes implementation independent.

Maintenance of the application security does not require specific database privileges which lower the risk of database violations.

Security Model based on Application FunctionsPassword must be securely encrypted, preferably using private and public key. In this case we must modify the structure of the APPLICATION_USERS table by adding columns to store public and private keys.

The application must be designed in a granular fashion.

The more granular the privileges, the more effort are needed to implement them

Security Model based on Application Roles and FunctionsThis security model is a combination of both the role and function security models.

The application roles and functions security model depends on the application to authenticate the application users.

Security Model based on Application Roles and FunctionsThe application authenticates users by maintaining all end users in a table with their encrypted passwords.

In this model the application is divided into function and roles are assigned to function that are in turn assigned to users.

Security Model based on Application Roles and Functions

Security Model based on Application Roles and FunctionsAPPLICATION_USERS:

This is used to store and maintain all end users of the application with their encrypted passwords

APPLICATION_FUNCTIONS:

This table contains all logical functions of the application

Security Model based on Application Roles and FunctionsAPPLICATION_USER_ROLES

Contains all roles assigned to users

APPLICATION_ROLES

Contains all roles defined by the application and for each role assigned

Security Model based on Application Roles and FunctionsAPPLICATION_ROLE_FUNCTIONS

Contains all functions and privileges that are assigned to each role.

APPLICATION_FUNCTION_PRIVILEGES

Stores all privileges for function : read, write, read/write

Security Model based on Application Roles and Functions

Security Model based on Application Roles and FunctionsThe following list present characteristics of this security model:

This model provides flexibility for implementing application security.

This model isolates the application security from the database, which make implementation database independent

Security Model based on Application Roles and FunctionsMaintenance of the application security does not require specific database privileges, which lower the risk of database violations.

Password must be securely encrypted, preferably using private and public keys. In this case the structure of the APPLICATION_USER table by adding columns to store public and private key

Security Model based on Application Roles and FunctionsThe application must use a real database user to log on and connect to the application database.

The user name and password must be encrypted and stored in a configuration file.

Security Model based on Application Roles and FunctionsThe application must be designed in a very granular fashion, which means that the function or modules of the application perform specific task and do not encompass a wide variety of tasks that are cross-functional.

Security Model based on Application Roles and FunctionsThe more granular the privileges, the more effort needed to implement them.

Security model based on Application TableThis application security model depends on the application to authenticate users by maintaining all end users in a table with their encrypted passwords.

The application provides privileges to the user based on tables, not on a role or a function.

Security model based on Application Table

Security model based on Application TableAPPLICATION_USERS:

This is used to store and maintain all end users of the application with their encrypted passwords.

APPLICATION_USER_TABLES

Contains all tables assigned to users.

Security model based on Application TableAPPLICATION_TABLES

Contains all tables owned by application.

APPLICATION_TABLE_PRIVILEGES

0- no access1- read2-read and add3-read, add and modify4- read, add, modify and delete5- read, add, modify ,delete and admin

Security model based on Application TableAn application user many be granted a read privilege on an application bye adding an entry in APPLICATION_USER_TABLES.

Security model based on Application Table

Security model based on Application TableThe following list present characteristics of this security model:

This model isolates the application security from the database, which make implementation database independent.

Maintenance of the application security does not require specific database privileges, which lowers the risk of database violations.

Security model based on Application TablePassword must be securely encrypted, preferably using private and public keys.

The application must use a real database user to log on and connect to the application database.

Security is implemented easily by using table access privileges that are assigned to each end user.

Comparison

Comparison

54Data EncryptionPasswords should be kept confidential and preferably encryptedPasswords should be compared encrypted:Never decrypt the dataHash the passwords and compare the hashes

55Data Encryption (continued)


Why we need Network Security? - t U · Computer Network Security The Security Trinity Prevention Detection Response Security Models Basic Terminology Risk Assessment Security Models-Security

Why we need Network Security? - t U · Computer Network Security The Security Trinity Prevention Detection Response Security Models Basic Terminology Risk Assessment Security Models-Security

Documents
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID

Documents
Mobile Platform Security Models

Mobile Platform Security Models

Documents
CWSP Guide to Wireless Security Wireless Security Models

CWSP Guide to Wireless Security Wireless Security Models

Documents
Application Security 101web.uvic.ca/~garyperkins/Lecture 08 - Application Security 101.pdf · Application Security 101 Tanya Janca Security Trainer and Coach at SheHacksPurple.dev

Application Security 101web.uvic.ca/~garyperkins/Lecture 08 - Application Security 101.pdf · Application Security 101 Tanya Janca Security Trainer and Coach at SheHacksPurple.dev

Documents
Ccs10-Som-A Methodology for Empirical Analysis of Permission-based Security Models and Its Application to Android

Ccs10-Som-A Methodology for Empirical Analysis of Permission-based Security Models and Its Application to Android

Documents
Security Application

Security Application

Documents
Web Application Security with the Application Security Manager (ASM)

Web Application Security with the Application Security Manager (ASM)

Documents
MANAGING APPLICATION SECURITY...AN APPLICATION SECURITY PROGRAM MANAGING APPLICATION SECURITY PAGE 13 What do you use to track the effectiveness of your application security program?

MANAGING APPLICATION SECURITY...AN APPLICATION SECURITY PROGRAM MANAGING APPLICATION SECURITY PAGE 13 What do you use to track the effectiveness of your application security program?

Documents
Formal Security Models and the Modern Organization · PDF fileRiVidium Whites Formal Security Models and the Organization ... Formal Security Models and the Modern Organization

Formal Security Models and the Modern Organization · PDF fileRiVidium Whites Formal Security Models and the Organization ... Formal Security Models and the Modern Organization

Documents
BMO Security Models - DIIS

BMO Security Models - DIIS

Documents
Security Architecture and Models

Security Architecture and Models

Documents
Database Security Managing Users and Security Models

Database Security Managing Users and Security Models

Documents
Www.regoconsulting.comPhone: 1-888-813-0444 Clarity Security Models That Work Clarity Security Models

Www.regoconsulting.comPhone: 1-888-813-0444 Clarity Security Models That Work Clarity Security Models

Documents
Models of Security

Models of Security

Documents
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security

Documents
Network Security Application Security Security Management

Network Security Application Security Security Management

Documents
SECURITY MODELS FOR CLOUD 2012 - Computer …ychen/classes/msit458-f12/cloud...CISSP CERTIFICATION • Access Control • Application Security • Business Continuity and Disaster

SECURITY MODELS FOR CLOUD 2012 - Computer …ychen/classes/msit458-f12/cloud...CISSP CERTIFICATION • Access Control • Application Security • Business Continuity and Disaster

Documents
INF3510 Information Security L12: Application Security · INF3510 Information Security L12: Application Security Audun Jøsang University of Oslo Spring 2017 . Outline • Application

INF3510 Information Security L12: Application Security · INF3510 Information Security L12: Application Security Audun Jøsang University of Oslo Spring 2017 . Outline • Application

Documents
1 Database Application Security Models Database Application Security Models Dr. Gabriel

1 Database Application Security Models Database Application Security Models Dr. Gabriel

Documents
Application Certified Application Security Engineer...Certified Application Security Engineer (CASE) 07 What You Will Learn In-depth understanding of secure SDLC and secure SDLC models

Application Certified Application Security Engineer...Certified Application Security Engineer (CASE) 07 What You Will Learn In-depth understanding of secure SDLC and secure SDLC models

Documents
Application Security Models for Mobile Agent … · Application Security Models for Mobile Agent Systems J. Todd McDonald1 Department of Computer Science Florida State University

Application Security Models for Mobile Agent … · Application Security Models for Mobile Agent Systems J. Todd McDonald1 Department of Computer Science Florida State University

Documents
Security Models

Security Models

Documents
Security Architeture & Models

Security Architeture & Models

Documents
Formal Security Models

Formal Security Models

Documents
A Methodology for Empirical Analysis of Permission -Based Security Models and its Application to Android

A Methodology for Empirical Analysis of Permission -Based Security Models and its Application to Android

Documents
Application Security Models for Mobile Agent Systems

Application Security Models for Mobile Agent Systems

Documents
Security Models - Computer Security Lecture 9

Security Models - Computer Security Lecture 9

Documents
Data and Application Security for Distributed Application ...candan/papers/chapterfinal.pdf · Data and Application Security for Distributed Application ... Security for Distributed

Data and Application Security for Distributed Application ...candan/papers/chapterfinal.pdf · Data and Application Security for Distributed Application ... Security for Distributed

Documents
Application security

Application security

Education