Database Security

Uploaded by

kamau.gabriel

DATABASE SECURITY

INTRODUCTION
• There are different types of database security features provided by a DBMS
• Database security can be defined as the protection of the database against:
  • Unauthorized access to or modification of the database,
  • Denial of service to authorized users, and
  • Provision of service to unauthorized users
• It also includes the measures necessary to detect, document, and counter threats

CHARACTERISTICS OF DB SECURITY
• Confidentiality – protection against disclosure to unauthorized parties
• Integrity – data are not accidentally or maliciously manipulated, altered or corrupted
• Availability – accessibility, reliability and assurance of continuity of operation

SECURITY THREATS
• Browsing – accessing information
• Misuse – malice, errors of omission etc.
• Penetration – unauthorized access
• Systems Flaws – h/w and s/w errors
• Component Failure – malfunctioning of h/w, s/w or media

SECURITY THREATS (CONT.)
• Tampering – attacks on physical and logical components
• Eavesdropping – passive surveillance of a telecomm channel, e.g. tapping, sniffing
• Denial of Service – preventing or delaying performance, e.g. jamming, traffic flooding

COUNTERMEASURES
• Technological – hardware, software
• Policies and procedures
• Education, training and awareness

DATA INTEGRITY
• Ensures the integrity of the database, provides concurrency and serializability of transactions, and prevents data corruption
  • Data Integrity
  • Entity Integrity
  • Referential Integrity

AUTHORIZATION
• The granting of a privilege that enables a user to have legitimate access to a system.
• Such privileges are sometimes referred to as access controls.
• The process of authorization involves authenticating the user requesting access to objects.

AUTHENTICATION
• Users can be authenticated in a number of different ways before they are allowed to create a database session
  • Passwords
  • Strong Authentication (using two-factor authentication: the combination of something a user knows, e.g. a PIN, and something the user has, e.g. a token card)
  • Kerberos and CyberSafe (trusted third-party authentication system that was created by MIT)
  • RADIUS (Remote Authentication Dial-In User Service), an industry standard protocol adopted by authentication vendors
  • Token Cards (two-factor method of authenticating with a physical card and a password)

AUTHENTICATION (CONT.)
  • Smart Cards (a card that has memory and a processor and is read by a smart card reader located at the client workstation)
  • Biometrics - a physical characteristic such as a fingerprint or voice is used to identify and authenticate an individual.
  • PKI and Certificate-Based Authentication - an industry-standard set of procedures and policies that can be used to guarantee secure information exchange. It provides encryption methods and access controls, as well as secure credentials in the form of digital certificates that can be used to authenticate users.

PRIVILEGES
• Privilege - permission to access a named object in a prescribed manner
• Types
  • System privileges allow users to perform a particular system-wide action or a particular action on a particular type of schema object.
  • Schema object privileges allow users to perform a particular action on a specific schema object. For example, the privilege to delete rows of a specific table is an object privilege.
• Privileges can be granted and revoked
• Privileges can also be propagated

ROLES
• Roles are used to ease the management task of assigning a multitude of privileges to users.
• Roles are first created and then given sets of privileges that can be assigned to users and other roles. Users can be given multiple roles.

ROLES (CONT.)
Three default roles:
• Connect Role allows user login and the ability to create their own tables, indexes, etc.
• Resource Role is similar to the Connect Role, but allows for more advanced rights such as the creation of triggers and procedures.
• Database Administrator Role is granted all system privileges needed to administer the database and users.
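The PRIVILEGES and ROLES slides above, worked through as an added example that is not part of the original slides. It assumes Oracle-style SQL (the slides name no product) and hypothetical objects: schema HR with table EMPLOYEES, and existing users ALICE and BOB.

```sql
-- Added example; HR.EMPLOYEES, ALICE and BOB are hypothetical names.

-- System privilege: a system-wide action (here, the right to log in).
GRANT CREATE SESSION TO alice;
GRANT CREATE SESSION TO bob;

-- Roles are created first, then given sets of privileges.
CREATE ROLE hr_clerk;
GRANT SELECT, INSERT, UPDATE ON hr.employees TO hr_clerk;   -- schema object privileges

-- A role can be granted to another role: hr_manager inherits hr_clerk.
CREATE ROLE hr_manager;
GRANT hr_clerk TO hr_manager;
GRANT DELETE ON hr.employees TO hr_manager;                 -- "delete rows of a specific table"

-- Users receive roles instead of long lists of individual privileges.
GRANT hr_clerk   TO alice;
GRANT hr_manager TO bob;

-- Propagation: WITH GRANT OPTION lets the grantee pass the object privilege on.
-- Grant it sparingly, because every onward grant widens access outside the DBA's view.
GRANT SELECT ON hr.employees TO bob WITH GRANT OPTION;

-- Revocation: taking an object privilege back from BOB also removes
-- the grants BOB made to others with it.
REVOKE SELECT ON hr.employees FROM bob;
REVOKE DELETE ON hr.employees FROM hr_manager;

-- Review: who holds what on the table, and who holds the powerful default roles.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES';

SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('CONNECT', 'RESOURCE', 'DBA');
```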

PROFILES
• Profiles allow the administrator to place specific restrictions and controls on a number of system resources, password use etc. These profiles can be defined, named, and then assigned to specific users or groups of users
• Profiles can be used to prevent intentional or unintentional system resource "hogs"

PROFILES (CONT.)
Two types of profiles: system resource profiles and product profiles
• System resource profiles can be used to put user limits on certain system resources such as CPU time, the number of data blocks that can be read per session or program call, the number of concurrent active sessions, idle time, and the maximum connection time for a user.
• Product profiles can be used to prevent users from accessing specific commands or all commands
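A system resource profile covering the limits listed above, as an added example that is not part of the original slides. It assumes Oracle-style SQL; the profile name CLERK_PROFILE, the user ALICE and all limit values are hypothetical.

```sql
-- Added example; names and limit values are hypothetical.

-- Resource limits in a profile are only enforced when RESOURCE_LIMIT is TRUE.
-- Password limits are enforced regardless of this setting.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

CREATE PROFILE clerk_profile LIMIT
  SESSIONS_PER_USER          2         -- concurrent active sessions
  CPU_PER_SESSION            60000     -- CPU time, in hundredths of a second
  CPU_PER_CALL               3000      -- CPU time per call, same unit
  LOGICAL_READS_PER_SESSION  1000000   -- data blocks read per session
  LOGICAL_READS_PER_CALL     50000     -- data blocks read per call
  IDLE_TIME                  15        -- minutes of inactivity before disconnect
  CONNECT_TIME               480       -- maximum connection time, in minutes
  FAILED_LOGIN_ATTEMPTS      5         -- password use: lock after 5 failures
  PASSWORD_LOCK_TIME         1         -- days the account stays locked
  PASSWORD_LIFE_TIME         90;       -- days before the password expires

-- Assign the named profile to a specific user.
ALTER USER alice PROFILE clerk_profile;

-- Verify the limits and the assignment.
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'CLERK_PROFILE';

SELECT username, profile
  FROM dba_users
 WHERE username = 'ALICE';
```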

ACCESS CONTROL
• Note
  • DBS - enforces DBA's policy
• Operating System vs. Databases
  • Access control for Operating Systems
    • Deals with unrelated data
    • Deals with entire files
  • Access control for Databases
    • Deals with records and fields
    • Concerned with inference of one field from another
• An access control list for several hundred files is easier to implement than an access control list for a database!

AUDITS
• Auditing can be performed at different levels: by user, by statement, by privilege and by schema object
• Audit Trail - a database log that is used mainly for security purposes
• Audit trail of all accesses is impractical: slow or large
• Possible over-reporting
  • Pass-through problem - a field may be accessed during a select operation but its values never reported to the user
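Because an audit trail of every access is impractical, auditing is usually scoped to one of the four levels listed above. The following added example (not part of the original slides) shows one statement per level. It assumes Oracle-style traditional auditing with the audit trail enabled, and the hypothetical user ALICE and table HR.EMPLOYEES.

```sql
-- Added example; ALICE and HR.EMPLOYEES are hypothetical names.

-- By user: record table reads and updates issued by one account.
AUDIT SELECT TABLE, UPDATE TABLE BY alice BY ACCESS;

-- By statement: record every failed logon attempt, for any user.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- By privilege: record each use of a powerful system privilege.
AUDIT DELETE ANY TABLE BY ACCESS;

-- By schema object: record changes to one sensitive table only.
AUDIT UPDATE, DELETE ON hr.employees BY ACCESS;

-- Review the audit trail; a non-zero RETURNCODE marks a failed action.
SELECT username, action_name, owner, obj_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'EMPLOYEES' OR returncode <> 0
 ORDER BY timestamp;

-- Switch off an audit option that produces more records than can be reviewed.
NOAUDIT SELECT TABLE, UPDATE TABLE BY alice;
```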

BACKUPS
• Database replication facilities can be used to create a duplicate fail-over database site in case of system failure of the primary database.

BACKUPS
• Creating, managing, and restoring backups.
• Backing up on-line, even during periods of peak transaction processing activity.
• Server-managed backup and recovery improves database administrator productivity as well as simplifying the backup and recovery process.
• Can back up the entire database, or a subset of the database, on different devices

BACKUPS
• "Cold" backups allow backups when the database is down.
• "Hot" backups allow backups to be done while the database is up.
Measures on Backups
• Encrypt data in the backup.
• Take multiple copies.
• Create copies on different media (e.g., disks, tapes)
• Store in a site different from the database site.
• Test and validate the backups (trial recoveries).

DATA REPLICATION
• Database replication facilities can be used to create a duplicate fail-over database site in case of system failure of the primary database.
• A replicated database can also be useful for off-loading large processing-intensive queries.

PARALLEL SERVERS
• Parallel Server makes use of two or more servers in a cluster which access a single database. A cluster can provide load balancing, can scale up more easily, and if a server in the cluster fails only a subset of users may be affected.

DATA PARTITIONING
• Data partitioning can be used by administrators to aid in the management of very large tables. Large tables can be broken into smaller tables by using data partitioning.
• One advantage of partitioning is that data that is more frequently accessed can be partitioned and placed on faster hard drives. This helps to ensure faster access times for users.