1. By Ibrahim AL-Raee Database Security

2. Outline

Introduction

Security Problems

Security Controls

Microsoft Access Database Security

Conclusion

3. Introduction Database Security 4. What Is Database Security?

Database:

It is a collection of information stored in a computer.

Security:

It is being free from danger.

Database Security:

It is the mechanisms that protect the databaseagainst intentional or accidental threats.

5. Three Main Aspects

Secrecy

Integrity

Availability

6. Secrecy

It is protecting the database fromunauthorizedusers.

Ensures that users areallowedto do the things they are trying to do.

For examples,

• The employees should not see the salaries of their managers.

7. Integrity

Protecting the database fromauthorizedusers.

Ensures that what users are trying to do iscorrect .

For examples,

• • An employee should be able to modify his or her own information.

8. Availability

Authorized users should be able to access data for Legal purposes as necessary

For examples,

• Payment orders regarding taxes should be made on time by the tax law.

9. Security Problems Database Security 10. What is a Threat?

Threat :it can be defined as a hostile agent that, either casually or by using:

specialized technique

modify

delete the informationmanaged by aDBMS

11. Two Kinds of Threat

Non-fraudulent Threat

• Natural or accidental disasters.

• Errors or bugs in hardware or software.

• Human errors.

fraudulent Threat

• Authorized users

• • Those who abuse their privileges and authority.

• Hostile agents

• • Those improper users (outsider or insiders).

• • who attack the software and/or hardware system, or read or write data in a database.

12. Database Protection Requirements

Protection from Improper Access

Protection from Inference

Integrity of the Database

User Authentication

Multilevel Protection

Confinement

Management and Protection of Sensitive Data

13. Security Controls 14. Type of Security Controls

Flow Control

Inference Control

Access Control

15. Flow Control

Flow controls regulate the distribution (flow) of informationamong accessible objects .

A flow between object X and object Y occurs when a statement reads values from X and writes values into Y.

Copying data from X to Y is the typical example of information flow.

16. Inference Control

Inference control aim at protecting data from indirect detection.

Information inference occurs when: a set X of data items to be read by a user can be used to get the set Y of data.

An inference channel is a channel where users can find an item X and then use X to get Y as

Y = f(X).

17. Main Inference Channels

Indirect Access:

Occurs when a user derives:

• unauthorized data (say Y)

• from an authorized source (say X).

Correlated Data:

If visible data X is semantically connected to invisible data Y.

18. Indirect Access Occurs when a user derives unauthorized data (say Y) from an authorized source (say X). GradeReport OR SELECT Name FROM GradeReport WHERE ID=120000348 SELECT NameFROM GradeReport WHERE grade = A B 120000756 Mohammed A 120000636 AhmedA 120000348 Ibrahimgrade ID Name 19. Correlated Data If visible data X is semantically connected to invisible data Y. Position (visible)-------------> Salary (invisible). 7000 SR Staff Mohammed 7000 SR Staff Ahmed10000 SR Manager Ibrahim SalaryPositionName 20. Access Control

Access control in information system are responsible forensuringthatall direct accesses to the system objectsoccur base on modes and rules fixed by protection policies.

An access control system includes :

• subjects (users, processes).

• Who access objects (data, programs).

• Through operations (read, write, run).

21. Access Control (cont.) 22. Microsoft Access Database Security 23. Microsoft Access

Microsoft Access:

Database management system (DBMS) that functions in the Windows environment and allows you to create and process data in a database.

In Microsoft Access, a complete security system contains several parts.

These parts include workgroups, user and group accounts, ownership and permission assignments.

A workgroupis a group of users listed in a system database file, who usually share data in a multi-user environment.

Ownershipis a security feature that establishes which account owns a database and its objects.

Permission assignmentsestablish levels of authority for each user or group to use database objects.

24. Setting Logon Procedures

Start Access.Do not open a database

Choose Tools, Security, User And Group Accounts.

Verify that the Users tab is selected and that Admin is selected in the User Name text box.

4.Select the Change Logon Password tab.In the New Password text box, type password. 25. Setting Logon Procedures(cont.) 5.In the Verfiy text box, type password. 6.Click OKto accept your new password.7.Exit Access. 8.Start Access. Try to open MyNewApp.mdb. 9.In the Name text box, type Admin. In the Password text box, type password. 10.Click OK . Now MyNewApp.mdb opens! 26. Setting a database password

Close MyNewApp.mdb

Click the Open Database button

-You need to use the Open dialog box.3.Select MyNewApp.mdb. Click on the arrow next to the Open button. 4.Choose Open Exclusive 27. Setting a database password(cont.) 5.Choose Tools, Security, Set Database Password 6.In the Password and Verify text boxes, type dbpassword. . 7.Click OK 8.Close the database. 9.Let's test the password to see if it works.Open MyNewApp.mdb. 10.Type dbpassword, and click OK.The database opens. 28. Conclusion 29. Conclusion

The goal of database security is toprotectyourcriticalandconfidentialdata fromunauthorized access .

Each organization should have adata security policy , which is a set of high-level guidelines determined by:

• User requirements.

• Environmental aspects.

• Internal regulations.

• Governmental laws.