Page 1: Database security

GTU PG SCHOOL 1

Database Security

PREPARED BY : BIRJU TANK

GTU PG SCHOOL, BISAG, GANDHINAGAR

EMAIL : birjutank27@gmail.com

Page 4: Database security

What is Database Security?

Database: It is a collection of information stored in a computer.

Security: It is being free from danger.

Database Security: It is the mechanism that protects the database against intentional or accidental threats.

Or: Protection from malicious attempts to steal (view) or modify data.

Page 5: Database security

Security risks to databases include

• Bank Accounts

• Credit card, salary, income tax data

• University Admissions, marks/grades

• Land records, licences

Page 6: Database security

What are Threats?

Threats – Any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization.

• Computer System
• Databases

Page 7: Database security

Threats

Hardware:
• Fire/Flood/Bomb
• Data corruption due to power loss

DBMS & application software:
• Failure of security mechanism giving greater access
• Theft of program

Database:
• Unauthorized access or copying of data
• Data corruption

Communication networks:
• Wire tapping
• Breaking or disconnection of cables

Page 8: Database security

Definition of Database Security

Database security is defined as the process by which the “Confidentiality, Integrity, and Availability” of the database can be protected.

Countermeasures:
• Authorization
• Access Control
• Views
• Backup and Recovery
• Encryption
• RAID Technology

Page 9: Database security

Database Security Concepts

Three main aspects:
• Confidentiality
• Integrity
• Availability

Threats to database:
• Loss of Integrity
• Loss of Availability
• Loss of Confidentiality

Page 10: Database security

Confidentiality

• No one can read our data / communication unless we want them to.
• It is protecting the database from unauthorized users.
• Ensures that users are allowed to do the things they are trying to do.
• For example: the employees should not see the salaries of their managers.

Page 11: Database security

Integrity

• No one can manipulate our data / processing / communication unless we want them to.
• Protecting the database from authorized users.
• Ensures that what users are trying to do is correct.
• For example: an employee should be able to modify his or her own information.

Page 12: Database security

Availability

• We can access our data / conduct our processing / use our communication capabilities when we want to.
• Authorized users should be able to access data for legal purposes as necessary.
• For example: payment orders regarding taxes should be made on time by the tax law.

Page 13: Database security

Relationship between Confidentiality, Integrity and Availability

[Figure: diagram with the labels Confidentiality, Integrity, Availability, Data and Secure]

Page 14: Database security

Methods for securing the Database

• Authorization – privileges, views.

• Encryption – public key / private key, secure sockets.

• Authentication – passwords

• Logical – firewalls, net proxies.

Page 15: Database security

Security of the database through FIREWALLS

• A FIREWALL is dedicated software on another computer which inspects network traffic passing through it and denies (or) permits passage based on a set of rules.

• Basically it is a piece of software that monitors all traffic that goes from your system to another via the internet or network and vice versa.

• Database FIREWALLS are a type of Web Application Firewall that monitors databases to identify and protect against database-specific attacks that mostly seek to access sensitive information stored in the database.

Page 16: Database security

How database FIREWALL works

• Database firewalls include a set of pre-defined, customizable security audit policies, and they can identify database attacks based on threat patterns called signatures.

• The SQL input statements (or) queries are compared to these signatures, which are updated frequently by the vendors to identify known attacks on the databases.

• Database firewalls build (or come with) a white list of approved SQL commands (or) statements that are safe.

• All the input commands are compared with this white list, and only those that are already present in the white list are sent to the database.

Page 17: Database security

Advantages of using FIREWALLS

• Database firewalls maintain a black list of specific and potentially harmful commands (or) SQL statements and do not allow this type of input.

• Database firewalls identify the database, operating system and protocol vulnerabilities in the databases and inform the administrator, who can take steps to patch them.

• Database firewalls monitor database responses (from the db server) to block potential data leakage.

• Database firewalls notify about suspicious activity instead of blocking it right away.
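The white-list, signature and notify-only behaviour described on the two firewall slides, as an added Python example (not from the original slides or from any firewall product). The class, the sample statements and the three signature patterns are constructed for illustration; literals are stripped first so that statements are compared by structure.

```python
import re

def fingerprint(sql):
    """Reduce a statement to its structure: every literal becomes '?'."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)          # quoted strings
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)         # numbers
    return re.sub(r"\s+", " ", s).strip().rstrip(";").strip().lower()

class DatabaseFirewall:
    def __init__(self, approved, signatures, enforce=True):
        self.white_list = {fingerprint(s) for s in approved}
        self.signatures = [(name, re.compile(rx)) for name, rx in signatures]
        self.enforce = enforce        # False = notify only, never block
        self.alerts = []              # what would be reported to the administrator

    def check(self, sql):
        """Return True if the statement may be forwarded to the database."""
        shape = fingerprint(sql)
        hits = [name for name, rx in self.signatures if rx.search(shape)]
        if hits:
            reason = "signature:" + ",".join(hits)
        elif shape not in self.white_list:
            reason = "not-on-white-list"
        else:
            return True
        self.alerts.append((reason, sql))
        return not self.enforce

# Constructed sample policy (hypothetical table and column names).
APPROVED = [
    "SELECT name, balance FROM accounts WHERE id = 42",
    "SELECT id FROM accounts WHERE name = 'alice'",
    "UPDATE accounts SET balance = 10.50 WHERE id = 42",
]
SIGNATURES = [   # matched against the lower-cased, literal-free shape
    ("union-select", r"\bunion\s+(?:all\s+)?select\b"),
    ("stacked-statement", r";\s*\S"),
    ("drop-table", r"\bdrop\s+table\b"),
]
```

Because signatures run on the literal-free shape, a harmless value such as `'drop table fan'` inside a string does not trigger the `drop-table` signature, while the same words appearing as SQL structure do.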

Page 18: Database security

How data encryption works

• Data encryption is a key-based access control system. Even if the encrypted data is received, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the tables.

• When a table contains encrypted columns, a single key is used regardless of the number of encrypted columns. This key is called the column encryption key.

• The column encryption keys for all tables containing encrypted columns are encrypted with the database server master encryption key and stored in a dictionary table in the database.

• The master encryption key is stored in an external security module that is outside the database and accessible only to the security administrator.

Page 19: Database security

Advantages of Data Encryption

• As a security administrator, one can be sure that sensitive data is safe in case the storage media or data file gets stolen.

• You do not need to create triggers or views to decrypt data. Data from tables is decrypted for the database user.

• Database users need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and does not require an action on their part.

• Applications need not be modified to handle encrypted data. Data encryption/decryption is managed by the database.

Page 20: Database security

Authorization

• Read authorization – allows reading, but not modification of data

• Insert authorization – allows insertion of new data, but not modification of existing data

• Update authorization – allows modification, but not deletion of data

• Delete authorization – allows deletion of data.

Page 21: Database security

Security Controls

• Types of database security controls:

1. Flow Control

2. Inference Control

3. Access Control

Page 22: Database security

Flow Control

• Flow control regulates the distribution (flow) of information among accessible objects.

• A flow between object X and object Y occurs when a statement reads values from X and writes into Y.

• Copying data from X to Y is the typical example of information flow.

Page 23: Database security

Inference Control

• Inference control aims at protecting data from indirect detection.

• Information inference occurs when a set X of data items to be read by a user can be used to get the set Y of data.

• An inference channel is a channel where users can find an item X and then use X to get Y as Y = f(X).
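An added Python example (not part of the original slides) of the Y = f(X) channel above and one inference control for it. It goes beyond the slide by using a query-set-size restriction, a standard control the slides do not name; the `staff` table, its rows, the threshold `K` and the function names are constructed for illustration.

```python
import sqlite3

K = 2   # assumed minimum query-set size

def open_demo():
    """Constructed sample data: salary is confidential, aggregates are public."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", [
        ("asha", "ops", 50), ("ravi", "ops", 60), ("meena", "ops", 70),
        ("kiran", "dev", 80), ("john", "dev", 90)])
    return conn

def salary_sum(conn, dept=None, not_name=None, upper_bound=True):
    """Release SUM(salary) only when the query-set size c has K <= c (<= n - K)."""
    where, params = [], []
    if dept is not None:
        where.append("dept = ?")
        params.append(dept)
    if not_name is not None:
        where.append("name <> ?")
        params.append(not_name)
    clause = (" WHERE " + " AND ".join(where)) if where else ""
    n = conn.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
    c, total = conn.execute(
        "SELECT COUNT(*), SUM(salary) FROM staff" + clause, params).fetchone()
    if c < K or (upper_bound and c > n - K):
        return None                  # refused: too few rows on one side of the split
    return total

def inferred_salary(conn, name, upper_bound):
    """Y = f(X): the difference of two released aggregates X is one salary Y."""
    everyone = salary_sum(conn, upper_bound=upper_bound)
    others = salary_sum(conn, not_name=name, upper_bound=upper_bound)
    if everyone is None or others is None:
        return None
    return everyone - others
```

With only the lower bound (`upper_bound=False`) both aggregates are released and their difference is a single salary; with the upper bound as well, both are refused while a department total is still answered.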

Page 24: Database security

Access Control

• Access control in information systems is responsible for ensuring that all direct accesses to the system objects occur based on models and rules fixed by protection policies.

• An access control system includes:

• Subjects (users, processes)
• Who access objects (data, programs)
• Through operations (‘read’, ‘write’, ‘run’)
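An added Python example (not part of the original slides) that ties the subject / object / operation model above to the read, insert, update and delete authorizations listed earlier, using the authorizer callback of Python's `sqlite3` module. The `GRANTS` policy, the subjects, the `employees` table and the helper names are constructed for illustration.

```python
import os, sqlite3, tempfile

# Constructed policy: subject -> object (table) -> operation -> columns ("*" = all).
GRANTS = {
    "hr_admin": {"employees": {"read": "*", "insert": "*", "update": "*", "delete": "*"}},
    "employee": {"employees": {"read": {"name", "phone"}, "update": {"phone"}}},
}
OPERATIONS = {sqlite3.SQLITE_READ: "read", sqlite3.SQLITE_INSERT: "insert",
              sqlite3.SQLITE_UPDATE: "update", sqlite3.SQLITE_DELETE: "delete"}

def make_authorizer(subject):
    """Build the callback SQLite consults while compiling each statement."""
    def authorizer(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK      # the SELECT itself; columns are checked as reads
        operation = OPERATIONS.get(action)
        cols = GRANTS.get(subject, {}).get(table, {}).get(operation)
        if cols == "*" or (cols and (column is None or column in cols)):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY        # default deny: no matching grant
    return authorizer

def build_demo_db():
    """Create the constructed sample table as the DBA (no authorizer installed)."""
    path = os.path.join(tempfile.mkdtemp(), "hr_demo.db")
    dba = sqlite3.connect(path)
    dba.execute("CREATE TABLE employees (name TEXT, phone TEXT, salary INTEGER)")
    dba.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                    [("asha", "555-0101", 90000), ("ravi", "555-0102", 60000)])
    dba.commit()
    dba.close()
    return path

def session(path, subject):
    """One connection per subject, so statements compile under that subject's policy."""
    conn = sqlite3.connect(path, isolation_level=None)   # autocommit
    conn.set_authorizer(make_authorizer(subject))
    return conn

def attempt(conn, sql, params=()):
    """Run a statement; return its rows, or "DENIED" if the authorizer refused it."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:         # SQLite reports "not authorized"
        return "DENIED"
```

The policy is column-level only: it stops an employee from reading or changing `salary`, but restricting updates to the employee's own row would need an additional row-level rule.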

Page 25: Database security

Conclusion

• The goal of database security is to protect your critical and confidential data from unauthorized access.

• Each organization should have a data security policy, which is a set of high-level guidelines determined by:

• User requirements.
• Environmental aspects.
• Internal regulations.
• Governmental laws.

Page 26: Database security


Thank you for your patience