SlideShare a Scribd company logo

Database Security

Ferdous Pathan
Ferdous Pathan

Database Security with main aspect of CIA

TechnologyBusiness
1 of 96
Download to read offline
Database Security Ghezal Ahmad Zia Information Systems Department Faculty of Computer Science Kabul University ghezalahmadzia@yahoo.com May 16, 2014 Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 1 / 42
Contents I 1 Introduction 2 Main Aspect of Database Security Integrity Confidentiality Availability 3 Access Control Discretionary Access Control Mandatory Access Control 4 Conclusion 5 References Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 2 / 42
How to think about Insecurity? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
How to think about Insecurity? People are part of the problem... Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
How to think about Insecurity? People are part of the problem... Bad guys don’t follow rules Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
How to think about Insecurity? People are part of the problem... Bad guys don’t follow rules Need to understand what sort of attack possible to compromise a system Prerequisite to understand what to protect in a system! Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
Causes of Software Security Incidents Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Poor usability Security sometimes makes things harder to use Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Poor usability Security sometimes makes things harder to use Economic factors Consumers do not care about security Security is difficult, expensive and takes time Few security audits Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Poor usability Security sometimes makes things harder to use Economic factors Consumers do not care about security Security is difficult, expensive and takes time Few security audits Human Factor Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
Human Factor Who are the attackers? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 5 / 42
Human Factor Who are the attackers? Why do the attack systems? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 5 / 42
What is Database security? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security? Database It is a collection of information stored in a computer Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security? Database It is a collection of information stored in a computer Security It is being free from danger Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security? Database It is a collection of information stored in a computer Security It is being free from danger Database Security It is the mechanisms that protect the database against intentional or accidental threats. OR Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Database security? Database It is a collection of information stored in a computer Security It is being free from danger Database Security It is the mechanisms that protect the database against intentional or accidental threats. OR Protection from malicious attempts to steal (view) or modify data. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
What is Threats? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
What is Threats? Threats - Any situation or event, whether intensional or accidental, that may adversely affect a system and consequently the organization. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
What is Threats? Threats - Any situation or event, whether intensional or accidental, that may adversely affect a system and consequently the organization. Computer Systems Databases Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
Threats Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 8 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 9 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 10 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 11 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 12 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 13 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge User o  Using another person’s means of access o  Viewing and disclosing unauthorized data o  Inadequate staff training o  Illegal entry by hacker o  Blackmail o  Introduction of viruses Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 14 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Programmers/ Operators o  Creating trapdoors o  Program alteration (such as creating software that is insecure) o  Inadequate staff training o  Inadequate security policies and procedure User o  Using another person’s means of access o  Viewing and disclosing unauthorized data o  Inadequate staff training o  Illegal entry by hacker o  Blackmail o  Introduction of viruses Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 15 / 42
Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Programmers/ Operators o  Creating trapdoors o  Program alteration (such as creating software that is insecure) o  Inadequate staff training o  Inadequate security policies and procedure User o  Using another person’s means of access o  Viewing and disclosing unauthorized data o  Inadequate staff training o  Illegal entry by hacker o  Blackmail o  Introduction of viruses Data/Database Administrator o  Inadequate security o  Policies and procedures Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 16 / 42
Definition of Database security Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
Definition of Database security Database Security is defined as the process by which ”Confidentiality, Integrity, and Availability”of the database can be protected Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
Definition of Database security Database Security is defined as the process by which ”Confidentiality, Integrity, and Availability”of the database can be protected Countermeasures authorization access control views backup and recovery encryption RAID technology Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
Database security Concepts Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts Three Main Aspects Confidentiality Integrity Availability Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts Three Main Aspects Confidentiality Integrity Availability Threats to databases: Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts Three Main Aspects Confidentiality Integrity Availability Threats to databases: Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Database security Concepts Three Main Aspects Confidentiality Integrity Availability Threats to databases: Loss of Integrity Loss of Availability Loss of Confidentiality Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
Confidentiality Confidentiality No one can read our data / communication unless we want them to Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality Confidentiality No one can read our data / communication unless we want them to It is protecting the database from unauthorized users. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality Confidentiality No one can read our data / communication unless we want them to It is protecting the database from unauthorized users. Ensures that users are allowed to do the things they are trying to do. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality Confidentiality No one can read our data / communication unless we want them to It is protecting the database from unauthorized users. Ensures that users are allowed to do the things they are trying to do. For example: The employees should not see the salaries of their managers. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
Confidentiality Confidentiality involves: privacy: protection of private data, secrecy: protection of organisational data Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 20 / 42
Integrity Integrity No one can manipulate our data / processing / communication unless we want them to Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
Integrity Integrity No one can manipulate our data / processing / communication unless we want them to Protecting the database from authorized users. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
Integrity Integrity No one can manipulate our data / processing / communication unless we want them to Protecting the database from authorized users. Ensures that what users are trying to do is correct For example: An employee should be able to modify his or her own information. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
Integrity ”Making sure that everything is as it is supposed to be.” Preventing unauthorized writing or modifications Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 22 / 42
Availability Availability We can access our data / conduct our processing / use our communication capabilities when we want to Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
Availability Availability We can access our data / conduct our processing / use our communication capabilities when we want to Authorized users should be able to access data for Legal Purposes as necessary Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
Availability Availability We can access our data / conduct our processing / use our communication capabilities when we want to Authorized users should be able to access data for Legal Purposes as necessary For example: Payment orders regarding taxes should be made on time by the tax law. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
Availability Services are accessible and useable (without delay) whenever needed by an authorized entity. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 24 / 42
Relationship between Confidentiality Integrity and Availability Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 25 / 42
Relationship between Confidentiality Integrity and Availability Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 26 / 42
Thanks for your attention! Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 27 / 42
Integrity How is data integrity preserved? Through Data integrity Constraints Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 28 / 42
Integrity How is data integrity preserved? Through Data integrity Constraints Constraints restrict data values that can be inserted or updated Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 28 / 42
Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); 1 row inserted Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); 1 row inserted Validity Checking Example INSERT INTO test values(55, ’ Hiess’ ); Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); 1 row inserted Validity Checking Example INSERT INTO test values(55, ’ Hiess’ ); ERROR-Check constraints violated Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
Referential Integrity Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 30 / 42
Confidentiality Example: How to ensure data confidentiality? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality Example: How to ensure data confidentiality? Cryptography Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality Example: How to ensure data confidentiality? Cryptography Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality Example: How to ensure data confidentiality? Cryptography Strong Access Control Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Confidentiality Example: How to ensure data confidentiality? Cryptography Strong Access Control Limiting number of places where data can appear Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
Access Control Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control An identity permits access to resources In computer security this is called Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control An identity permits access to resources In computer security this is called Access Control Authorization We talk about: Subjects (for whom an action is performed) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control An identity permits access to resources In computer security this is called Access Control Authorization We talk about: Subjects (for whom an action is performed) Objects (upon what an action is performed) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control An identity permits access to resources In computer security this is called Access Control Authorization We talk about: Subjects (for whom an action is performed) Objects (upon what an action is performed) Operations (the type of action performed) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Two complementary types of mechanism: Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Two complementary types of mechanism: 1 Discretionary access control (DAC) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Two complementary types of mechanism: 1 Discretionary access control (DAC) 2 Mandatory access control (MAC) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
Discretionary Access Control Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Users are given privileges to access the appropriate schema objects (tables, views). Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Users are given privileges to access the appropriate schema objects (tables, views). Users can grant privileges to other users at their own discretion. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Users are given privileges to access the appropriate schema objects (tables, views). Users can grant privileges to other users at their own discretion. Implementation: GRANT and REVOKE commands Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
Granting/Revoking Privileges GRANT SELECT ON database.* TO user@’localhost’; Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 35 / 42
Granting/Revoking Privileges GRANT SELECT ON database.* TO user@’localhost’; GRANT SELECT ON database.* TO user@’localhost’ IDENTIFIED BY ’password’; Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 35 / 42
DBMSs and Web Security Countermeasures Proxy servers Firewalls Secure Socket Layer or SSL Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 36 / 42
DBMSs and Web Security Countermeasures Proxy servers Firewalls Secure Socket Layer or SSL Which is used extensively to secure e-commerce on the Internet today. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 36 / 42
Proxy Servers Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
Proxy Servers Definition Proxy servers is a computer that sits between a Web browser and a Web servers. It intercepts all requests for web pages and saves them locally for some times. Proxy server provides improvement in performance and filters requests. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
Proxy Servers Definition Proxy servers is a computer that sits between a Web browser and a Web servers. It intercepts all requests for web pages and saves them locally for some times. Proxy server provides improvement in performance and filters requests. Computer A Computer B Proxy-server Internet Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
Firewalls Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 38 / 42
Firewalls Firewalls Is a system that prevents unauthorized access to or from private network. Implemented in software, hardware or both. Packet filter Application gateway Proxy server Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 38 / 42
Conclusion Data security is critical. Requires security at different levels. Several technical solutions . But human training is essential. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 39 / 42
References Mark Stamp INFORMATION SECURITY PRINCIPLES AND PRACTICE Mark Stamp Database Systems Security , Chapter 19, 541 Michael Gertz Handbook of Database Security Applications and Trends Dorothy Elizabeth Robling Denning Cryptography and Data Security Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 40 / 42
Thanks for your attention! Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 41 / 42

Recommended

Database security
Database securityDatabase security
Database security
afzaalkhalid1
 
Database Security Management
Database Security Management Database Security Management
Database Security Management
Ahsin Yousaf
 
Database Security And Authentication
Database Security And AuthenticationDatabase Security And Authentication
Database Security And Authentication
Sudeb Das
 
Database security
Database securityDatabase security
Database security
Murchana Borah
 
DB security
DB security DB security
DB security
ERSHUBHAM TIWARI
 
Database security
Database securityDatabase security
Database security
MaryamAsghar9
 
Database Security
Database SecurityDatabase Security
Database Security
ShingalaKrupa
 
Database security
Database securityDatabase security
Database security
Arpana shree
 

Recommended

Database security
Database securityDatabase security
Database security
afzaalkhalid1
 
Database Security Management
Database Security Management Database Security Management
Database Security Management
Ahsin Yousaf
 
Database Security And Authentication
Database Security And AuthenticationDatabase Security And Authentication
Database Security And Authentication
Sudeb Das
 
Database security
Database securityDatabase security
Database security
Murchana Borah
 
DB security
DB security DB security
DB security
ERSHUBHAM TIWARI
 
Database security
Database securityDatabase security
Database security
MaryamAsghar9
 
Database Security
Database SecurityDatabase Security
Database Security
ShingalaKrupa
 
Database security
Database securityDatabase security
Database security
Arpana shree
 
Data security and Integrity
Data security and IntegrityData security and Integrity
Data security and Integrity
Zaid Shabbir
 
Database security
Database securityDatabase security
Database security
Software Engineering
 
Chapter 5 database security
Chapter 5 database securityChapter 5 database security
Chapter 5 database security
Syaiful Ahdan
 
Database security
Database securityDatabase security
Database security
CAS
 
Database security
Database securityDatabase security
Database security
keerthusandeepreddy
 
Security and Integrity of Data
Security and Integrity of DataSecurity and Integrity of Data
Security and Integrity of Data
Adeel Riaz
 
Database security
Database securityDatabase security
Database security
Birju Tank
 
DBMS SECURITY
DBMS SECURITYDBMS SECURITY
DBMS SECURITY
Wasim Raza
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
G Prachi
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
Kal BO
 
Data base security & integrity
Data base security & integrityData base security & integrity
Data base security & integrity
Pooja Dixit
 
Security of the database
Security of the databaseSecurity of the database
Security of the database
Pratik Tamgadge
 
Database Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityDatabase Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database Security
Raj vardhan
 
Database Security
Database SecurityDatabase Security
Database Security
alraee
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
gourav kottawar
 
Database security
Database securityDatabase security
Database security
Prabhat gangwar
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-db
uncleRhyme
 
Database security
Database securityDatabase security
Database security
Zubair Rahim
 
Database Security
Database SecurityDatabase Security
Database Security
RabiaIftikhar10
 
System security
System securitySystem security
System security
ReachLocal Services India
 
Database security issues
Database security issuesDatabase security issues
Database security issues
n|u - The Open Security Community
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Security
amiable_indian
 

More Related Content

What's hot

What's hot (20)

Data security and Integrity
Data security and IntegrityData security and Integrity
Data security and Integrity
 
Database security
Database securityDatabase security
Database security
 
Chapter 5 database security
Chapter 5 database securityChapter 5 database security
Chapter 5 database security
 
Database security
Database securityDatabase security
Database security
 
Database security
Database securityDatabase security
Database security
 
Security and Integrity of Data
Security and Integrity of DataSecurity and Integrity of Data
Security and Integrity of Data
 
Database security
Database securityDatabase security
Database security
 
DBMS SECURITY
DBMS SECURITYDBMS SECURITY
DBMS SECURITY
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
 
Data base security & integrity
Data base security & integrityData base security & integrity
Data base security & integrity
 
Security of the database
Security of the databaseSecurity of the database
Security of the database
 
Database Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityDatabase Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database Security
 
Database Security
Database SecurityDatabase Security
Database Security
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
 
Database security
Database securityDatabase security
Database security
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-db
 
Database security
Database securityDatabase security
Database security
 
Database Security
Database SecurityDatabase Security
Database Security
 
System security
System securitySystem security
System security
 

Viewers also liked

database recovery techniques
database recovery techniques database recovery techniques
database recovery techniques
Kalhan Liyanage
 
Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentation
mlw32785
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
Oracle BH
 
Mobile database security threats
Mobile database security threatsMobile database security threats
Mobile database security threats
Akhil Kumar
 

Viewers also liked (20)

Database security issues
Database security issuesDatabase security issues
Database security issues
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Security
 
Data Security - English
Data Security - EnglishData Security - English
Data Security - English
 
database recovery techniques
database recovery techniques database recovery techniques
database recovery techniques
 
Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentation
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
 
Information security group presentation ppt
Information security group presentation pptInformation security group presentation ppt
Information security group presentation ppt
 
SSL/TLS Eavesdropping with Fullpath Control
SSL/TLS Eavesdropping with Fullpath ControlSSL/TLS Eavesdropping with Fullpath Control
SSL/TLS Eavesdropping with Fullpath Control
 
141118 Thales contributions and benefits
141118 Thales contributions and benefits141118 Thales contributions and benefits
141118 Thales contributions and benefits
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to Hacking
 
Data base testing
Data base testingData base testing
Data base testing
 
Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and security
 
Testing the technology
Testing the technologyTesting the technology
Testing the technology
 
Information Retrieval Models Part I
Information Retrieval Models Part IInformation Retrieval Models Part I
Information Retrieval Models Part I
 
Leya 10.15
Leya 10.15Leya 10.15
Leya 10.15
 
Information Security Lesson 6 - Web Security - Eric Vanderburg
Information Security Lesson 6 - Web Security - Eric VanderburgInformation Security Lesson 6 - Web Security - Eric Vanderburg
Information Security Lesson 6 - Web Security - Eric Vanderburg
 
Mobile database security threats
Mobile database security threatsMobile database security threats
Mobile database security threats
 
Reading process
Reading processReading process
Reading process
 
Data Protection Presentation
Data Protection PresentationData Protection Presentation
Data Protection Presentation
 
Reading Workshop
Reading WorkshopReading Workshop
Reading Workshop
 

Similar to Database Security

Risk and Threat Assessment Report Anthony WolfBSA 5.docx
Risk and Threat Assessment Report Anthony WolfBSA 5.docxRisk and Threat Assessment Report Anthony WolfBSA 5.docx
Risk and Threat Assessment Report Anthony WolfBSA 5.docx
malbert5
 
ISYS 2394 Business Globalisation and Business IT.docx
ISYS 2394 Business Globalisation and Business IT.docxISYS 2394 Business Globalisation and Business IT.docx
ISYS 2394 Business Globalisation and Business IT.docx
priestmanmable
 
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Sonatype
 

Similar to Database Security (20)

Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say?
 
Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?
 
Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?
 
Ch13 security engineering
Ch13 security engineeringCh13 security engineering
Ch13 security engineering
 
Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & Privacy
 
Network Security
Network Security Network Security
Network Security
 
Risk and Threat Assessment Report Anthony WolfBSA 5.docx
Risk and Threat Assessment Report Anthony WolfBSA 5.docxRisk and Threat Assessment Report Anthony WolfBSA 5.docx
Risk and Threat Assessment Report Anthony WolfBSA 5.docx
 
Ch13 - Security Engineering
Ch13 - Security EngineeringCh13 - Security Engineering
Ch13 - Security Engineering
 
databasesecurit-phpapp01.pdf
databasesecurit-phpapp01.pdfdatabasesecurit-phpapp01.pdf
databasesecurit-phpapp01.pdf
 
Application Security: What do we need to know?
Application Security: What do we need to know?Application Security: What do we need to know?
Application Security: What do we need to know?
 
Perimeter Security is Failing
Perimeter Security is FailingPerimeter Security is Failing
Perimeter Security is Failing
 
ISYS 2394 Business Globalisation and Business IT.docx
ISYS 2394 Business Globalisation and Business IT.docxISYS 2394 Business Globalisation and Business IT.docx
ISYS 2394 Business Globalisation and Business IT.docx
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
uu (2).pdf
uu (2).pdfuu (2).pdf
uu (2).pdf
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 
Cybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyCybersecurity and Risk Management Technology
Cybersecurity and Risk Management Technology
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
Health Information Privacy and Security (October 30, 2019)
Health Information Privacy and Security (October 30, 2019)Health Information Privacy and Security (October 30, 2019)
Health Information Privacy and Security (October 30, 2019)
 
3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches
 
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Database Security

  • 1. Database Security Ghezal Ahmad Zia Information Systems Department Faculty of Computer Science Kabul University ghezalahmadzia@yahoo.com May 16, 2014 Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 1 / 42
  • 2. Contents I 1 Introduction 2 Main Aspect of Database Security Integrity Confidentiality Availability 3 Access Control Discretionary Access Control Mandatory Access Control 4 Conclusion 5 References Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 2 / 42
  • 3. How to think about Insecurity? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
  • 4. How to think about Insecurity? People are part of the problem... Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
  • 5. How to think about Insecurity? People are part of the problem... Bad guys don’t follow rules Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
  • 6. How to think about Insecurity? People are part of the problem... Bad guys don’t follow rules Need to understand what sort of attack possible to compromise a system Prerequisite to understand what to protect in a system! Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 3 / 42
  • 7. Causes of Software Security Incidents Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
  • 8. Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
  • 9. Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
  • 10. Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Poor usability Security sometimes makes things harder to use Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
  • 11. Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Poor usability Security sometimes makes things harder to use Economic factors Consumers do not care about security Security is difficult, expensive and takes time Few security audits Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
  • 12. Causes of Software Security Incidents Buggy software and wrong configurations Unsafe program languages Complex programs Lack of awareness and education Few courses in computer security Programming text books do not emphasize security Poor usability Security sometimes makes things harder to use Economic factors Consumers do not care about security Security is difficult, expensive and takes time Few security audits Human Factor Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 4 / 42
  • 13. Human Factor Who are the attackers? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 5 / 42
  • 14. Human Factor Who are the attackers? Why do the attack systems? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 5 / 42
  • 15. What is Database security? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
  • 16. What is Database security? Database It is a collection of information stored in a computer Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
  • 17. What is Database security? Database It is a collection of information stored in a computer Security It is being free from danger Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
  • 18. What is Database security? Database It is a collection of information stored in a computer Security It is being free from danger Database Security It is the mechanisms that protect the database against intentional or accidental threats. OR Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
  • 19. What is Database security? Database It is a collection of information stored in a computer Security It is being free from danger Database Security It is the mechanisms that protect the database against intentional or accidental threats. OR Protection from malicious attempts to steal (view) or modify data. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 6 / 42
  • 20. What is Threats? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
  • 21. What is Threats? Threats - Any situation or event, whether intensional or accidental, that may adversely affect a system and consequently the organization. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
  • 22. What is Threats? Threats - Any situation or event, whether intensional or accidental, that may adversely affect a system and consequently the organization. Computer Systems Databases Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 7 / 42
  • 23. Threats Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 8 / 42
  • 24. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 9 / 42
  • 25. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 10 / 42
  • 26. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 11 / 42
  • 27. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 12 / 42
  • 28. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 13 / 42
  • 29. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge User o  Using another person’s means of access o  Viewing and disclosing unauthorized data o  Inadequate staff training o  Illegal entry by hacker o  Blackmail o  Introduction of viruses Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 14 / 42
  • 30. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Programmers/ Operators o  Creating trapdoors o  Program alteration (such as creating software that is insecure) o  Inadequate staff training o  Inadequate security policies and procedure User o  Using another person’s means of access o  Viewing and disclosing unauthorized data o  Inadequate staff training o  Illegal entry by hacker o  Blackmail o  Introduction of viruses Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 15 / 42
  • 31. Threats Hardware Fire/Flood/bombs Data corruption due to power loss or surge Failure of security mechanisms giving greater access Theft of equipment Physical damage of equipment DBMS and Application Software Failure of security mechanism giving greater access Program alteration Theft of programs Communication Networks Wire tapping Breaking or disconnection of cables Electronic interference and radiation Database Unauthorized amendment or copying of data Theft of data Data corruption due to power loss or surge Programmers/ Operators o  Creating trapdoors o  Program alteration (such as creating software that is insecure) o  Inadequate staff training o  Inadequate security policies and procedure User o  Using another person’s means of access o  Viewing and disclosing unauthorized data o  Inadequate staff training o  Illegal entry by hacker o  Blackmail o  Introduction of viruses Data/Database Administrator o  Inadequate security o  Policies and procedures Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 16 / 42
  • 32. Definition of Database security Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
  • 33. Definition of Database security Database Security is defined as the process by which ”Confidentiality, Integrity, and Availability”of the database can be protected Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
  • 34. Definition of Database security Database Security is defined as the process by which ”Confidentiality, Integrity, and Availability”of the database can be protected Countermeasures authorization access control views backup and recovery encryption RAID technology Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 17 / 42
  • 35. Database security Concepts Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
  • 36. Database security Concepts Three Main Aspects Confidentiality Integrity Availability Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
  • 37. Database security Concepts Three Main Aspects Confidentiality Integrity Availability Threats to databases: Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
  • 38. Database security Concepts Three Main Aspects Confidentiality Integrity Availability Threats to databases: Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
  • 39. Database security Concepts Three Main Aspects Confidentiality Integrity Availability Threats to databases: Loss of Integrity Loss of Availability Loss of Confidentiality Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 18 / 42
  • 40. Confidentiality Confidentiality No one can read our data / communication unless we want them to Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
  • 41. Confidentiality Confidentiality No one can read our data / communication unless we want them to It is protecting the database from unauthorized users. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
  • 42. Confidentiality Confidentiality No one can read our data / communication unless we want them to It is protecting the database from unauthorized users. Ensures that users are allowed to do the things they are trying to do. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
  • 43. Confidentiality Confidentiality No one can read our data / communication unless we want them to It is protecting the database from unauthorized users. Ensures that users are allowed to do the things they are trying to do. For example: The employees should not see the salaries of their managers. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 19 / 42
  • 44. Confidentiality Confidentiality involves: privacy: protection of private data, secrecy: protection of organisational data Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 20 / 42
  • 45. Integrity Integrity No one can manipulate our data / processing / communication unless we want them to Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
  • 46. Integrity Integrity No one can manipulate our data / processing / communication unless we want them to Protecting the database from authorized users. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
  • 47. Integrity Integrity No one can manipulate our data / processing / communication unless we want them to Protecting the database from authorized users. Ensures that what users are trying to do is correct For example: An employee should be able to modify his or her own information. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 21 / 42
  • 48. Integrity ”Making sure that everything is as it is supposed to be.” Preventing unauthorized writing or modifications Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 22 / 42
  • 49. Availability Availability We can access our data / conduct our processing / use our communication capabilities when we want to Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
  • 50. Availability Availability We can access our data / conduct our processing / use our communication capabilities when we want to Authorized users should be able to access data for Legal Purposes as necessary Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
  • 51. Availability Availability We can access our data / conduct our processing / use our communication capabilities when we want to Authorized users should be able to access data for Legal Purposes as necessary For example: Payment orders regarding taxes should be made on time by the tax law. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 23 / 42
  • 52. Availability Services are accessible and useable (without delay) whenever needed by an authorized entity. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 24 / 42
  • 53. Relationship between Confidentiality Integrity and Availability Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 25 / 42
  • 54. Relationship between Confidentiality Integrity and Availability Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 26 / 42
  • 55. Thanks for your attention! Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 27 / 42
  • 56. Integrity How is data integrity preserved? Through Data integrity Constraints Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 28 / 42
  • 57. Integrity How is data integrity preserved? Through Data integrity Constraints Constraints restrict data values that can be inserted or updated Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 28 / 42
  • 58. Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
  • 59. Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
  • 60. Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); 1 row inserted Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
  • 61. Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); 1 row inserted Validity Checking Example INSERT INTO test values(55, ’ Hiess’ ); Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
  • 62. Column CHECK constraints Example Validity Checking Example CREATE TABLE test (rollno number(2) check (rollno between 1 and 50), name varchar2(15)); Validity Checking Example INSERT INTO test values(45, ’ Willy’ ); 1 row inserted Validity Checking Example INSERT INTO test values(55, ’ Hiess’ ); ERROR-Check constraints violated Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 29 / 42
  • 63. Referential Integrity Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 30 / 42
  • 64. Confidentiality Example: How to ensure data confidentiality? Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
  • 65. Confidentiality Example: How to ensure data confidentiality? Cryptography Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
  • 66. Confidentiality Example: How to ensure data confidentiality? Cryptography Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
  • 67. Confidentiality Example: How to ensure data confidentiality? Cryptography Strong Access Control Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
  • 68. Confidentiality Example: How to ensure data confidentiality? Cryptography Strong Access Control Limiting number of places where data can appear Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 31 / 42
  • 69. Access Control Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
  • 70. Access Control An identity permits access to resources In computer security this is called Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
  • 71. Access Control An identity permits access to resources In computer security this is called Access Control Authorization We talk about: Subjects (for whom an action is performed) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
  • 72. Access Control An identity permits access to resources In computer security this is called Access Control Authorization We talk about: Subjects (for whom an action is performed) Objects (upon what an action is performed) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
  • 73. Access Control An identity permits access to resources In computer security this is called Access Control Authorization We talk about: Subjects (for whom an action is performed) Objects (upon what an action is performed) Operations (the type of action performed) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 32 / 42
  • 74. Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
  • 75. Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Two complementary types of mechanism: Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
  • 76. Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Two complementary types of mechanism: 1 Discretionary access control (DAC) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
  • 77. Access Control Models A DBMS provides access control mechanisms to help implement a security policy. Two complementary types of mechanism: 1 Discretionary access control (DAC) 2 Mandatory access control (MAC) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 33 / 42
  • 78. Discretionary Access Control Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
  • 79. Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
  • 80. Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
  • 81. Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
  • 82. Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Users are given privileges to access the appropriate schema objects (tables, views). Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
  • 83. Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Users are given privileges to access the appropriate schema objects (tables, views). Users can grant privileges to other users at their own discretion. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
  • 84. Discretionary Access Control Idea Achieve security based on the concept of access rights: 1 privileges for objects (certain access rights for tables, columns, etc.), and 2 a mechanism for giving users privileges (and revoking privileges) Users are given privileges to access the appropriate schema objects (tables, views). Users can grant privileges to other users at their own discretion. Implementation: GRANT and REVOKE commands Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 34 / 42
  • 85. Granting/Revoking Privileges GRANT SELECT ON database.* TO user@’localhost’; Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 35 / 42
  • 86. Granting/Revoking Privileges GRANT SELECT ON database.* TO user@’localhost’; GRANT SELECT ON database.* TO user@’localhost’ IDENTIFIED BY ’password’; Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 35 / 42
  • 87. DBMSs and Web Security Countermeasures Proxy servers Firewalls Secure Socket Layer or SSL Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 36 / 42
  • 88. DBMSs and Web Security Countermeasures Proxy servers Firewalls Secure Socket Layer or SSL Which is used extensively to secure e-commerce on the Internet today. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 36 / 42
  • 89. Proxy Servers Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
  • 90. Proxy Servers Definition Proxy servers is a computer that sits between a Web browser and a Web servers. It intercepts all requests for web pages and saves them locally for some times. Proxy server provides improvement in performance and filters requests. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
  • 91. Proxy Servers Definition Proxy servers is a computer that sits between a Web browser and a Web servers. It intercepts all requests for web pages and saves them locally for some times. Proxy server provides improvement in performance and filters requests. Computer A Computer B Proxy-server Internet Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 37 / 42
  • 92. Firewalls Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 38 / 42
  • 93. Firewalls Firewalls Is a system that prevents unauthorized access to or from private network. Implemented in software, hardware or both. Packet filter Application gateway Proxy server Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 38 / 42
  • 94. Conclusion Data security is critical. Requires security at different levels. Several technical solutions . But human training is essential. Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 39 / 42
  • 95. References Mark Stamp INFORMATION SECURITY PRINCIPLES AND PRACTICE Mark Stamp Database Systems Security , Chapter 19, 541 Michael Gertz Handbook of Database Security Applications and Trends Dorothy Elizabeth Robling Denning Cryptography and Data Security Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 40 / 42
  • 96. Thanks for your attention! Ghezal Ahmad Zia (@ISD-CSF-KU) Database Security May 16, 2014 41 / 42